WordPress.org
Get WordPress

Make WordPress Core

Opened 6 years ago

Closed 4 months ago

#48879 closed enhancement (fixed)

Changing Site Admin Email Assumes Username and Who Took the Action (which may be incorrect)

Reported by: madtownlems's profile MadtownLems Owned by: johnbillion's profile johnbillion
Milestone: 6.8 Priority: normal
Severity: minor Version: 5.3
Component: Administration Keywords: has-patch
Focuses: Cc:

Description

(Note that this is on MultiSite and I don't know exactly how it functions on a single site install.)

I think the email message that is sent when someone updates a Site Admin Email Address should be modified as to NOT be addressed: Dear CURRENT_USER_NAME, and shouldn't say that "YOU" have recently requested to update the email.

If I want to change the site admin email for a site, the confirmation email goes to the new email address (say, a client), but the email says "Dear MadtownLems,". We have had a few cases now where these emails alarmed users and thought they were phishing attempts or had been hacked.

This is very confusing for our users, as they have received an email addressed to someone else, and it tells them that they tried to do something that they may not have tried to do. Rather, I believe the text would be much cleaner if it said something like:

"Someone ('MadtownLems') has requested to update the email address for the site..."

Attachments (3)

48879.diff (696 bytes) - added by ilovecats7 4 years ago.
#48879.patch (646 bytes) - added by rehanali 3 years ago.
Added patch
48879.patch (1.3 KB) - added by iflairwebtechnologies 11 months ago.

Download all attachments as: .zip

Change History (24)

#1 @sabernhardt
5 years ago

  • Component changed from General to Users
  • Focuses multisite added

#2 @johnbillion
5 years ago

  • Keywords good-first-bug added; 2nd-opinion removed
  • Milestone changed from Awaiting Review to Future Release

Agreed this needs improving. There are other email notifications that work like this too, eg. the "Delete My Site" one is worded the same.

#3 @ilovecats7
4 years ago

I took a look at this ticket and wasn't able to reproduce this issue. The message I'm getting when changing a site admin email is:

'Hi ###USERNAME###,

This notice confirms that your email address on ###SITENAME### was changed to ###NEW_EMAIL###.

If you did not change your email, please contact the Site Administrator at
###ADMIN_EMAIL###

This email has been sent to ###EMAIL###

Regards,
All at ###SITENAME###
###SITEURL###'

It appears that this was fixed in a recent update in WordPress. If not, can you please explain how to reproduce this bug?

Is there anything else needed to be done on this ticket?

#4 @MadtownLems
4 years ago

The email message you have quoted is changing the email address of your user account. This ticket is about changing the Site Administration email address.

I confirmed this issue still exists on 5.8-RC-2

To reproduce:

1) Have a multisite environment.
2) Go to a subsite, Settings->General, and attempt to change the site administration email address.

The newly entered site administration email address will get a message that states:

"Howdy (USERNAME OF SOMEONE THAT MIGHT NOT BE THE ONE GETTING THIS EMAIL),

You recently requested to have..."

But again, this makes a huge assumption that the recipient of this email took the action. When they didn't, this is a very concerning email, as it makes people think that security has been compromised.

To summarize, the two issues with the email:

1) It is addressed to the username of the currently logged in user, even when that user is changing the site administration email address to someone else.
2) It says "YOU recently..." when there's no reason to believe that the owner of the new site administration email address actually took the action to trigger this email.

@ilovecats7
4 years ago

#5 @ilovecats7
4 years ago

  • Keywords has-patch dev-feedback added; needs-patch removed

@MadtownLems thanks for the clarification. I submitted a patch with proposed changes.

#6 @MadtownLems
4 years ago

I like those changes, thanks!

I was hesitant to do a patch for this because I'm not sure what's all involved in changing text (if you have to factor in translations, etc)

#7 @ilovecats7
4 years ago

You're welcome. Now that you mention it, I'm not sure about that either. Maybe someone with more experience will chime in on this :)

@rehanali
3 years ago

Added patch

This ticket was mentioned in Slack in #forums by jan_dembowski. View the logs.
16 months ago

This ticket was mentioned in PR #6789 on WordPress/wordpress-develop by @thehercules.
13 months ago #9

Trac Ticket : Ticket #48879

This PR addresses and resolves the confusion caused by the current email notification sent when the site admin email address is updated.
Issues Fixed:

  1. Incorrect Addressing: The email was previously addressed to the current user's username, causing confusion for the recipient.
  2. Misleading Language: The email stated “Howdy, ###USERNAME### ” which was misleading for recipients who did not perform the action.

Changes Made:

  • The email is now addressed generically without using the current user's username. i.e “Howdy,”
  • The language has been updated to indicate that someone (specified by the username of the requester) has requested the email change, rather than implying the recipient performed the action.

These changes aim to reduce confusion and prevent users from thinking the email is a phishing attempt.

#10 @thehercules
13 months ago

@MadtownLems I have created a Patch for this in PR https://github.com/WordPress/wordpress-develop/pull/6789. Can you review it and suggest changes if any.

@MadtownLems commented on PR #6789:
13 months ago #11

Thanks for doing this!

This language feels a bit clunky to me:
"User ###USERNAME### with administrator capabilities recently requested"

Perhaps something more like:
"A site Administrator (###USERNAME###) recently requested"

@iflairwebtechnologies
11 months ago

#12 @iflairwebtechnologies
11 months ago

@MadtownLems
You can review the updated 48879.patch

This ticket was mentioned in PR #7109 on WordPress/wordpress-develop by iflair.
11 months ago #13

#48879 Changing Site Admin Email Assumes Username and Who Took the Action

#14 @MadtownLems
11 months ago

48879 looks good to me - thanks!

#15 @johnbillion
5 months ago

  • Milestone changed from Future Release to 6.8
  • Owner set to johnbillion
  • Status changed from new to reviewing

#16 @johnbillion
4 months ago

  • Component changed from Users to Administration
  • Focuses multisite removed

#17 follow-up: @johnbillion
4 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 59799:

Administration: Remove a potentially incorrect addressee and improve the phrasing used in the confirmation email when a user attempts to change the administration email address.

Props MadtownLems, ilovecats7, rehanali, iflairwebtechnologies, thehercules

Fixes #48879

#18 in reply to: ↑ 17 @ocean90
4 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Replying to johnbillion:

There seems to be a typo in "site Administrator". This should either read "Site Administrator" or to be consistent with existing strings "site administrator".

#19 @johnbillion
4 months ago

  • Keywords good-first-bug has-patch dev-feedback removed

Thanks Dominik, yeah let's go with the lowercase.

This ticket was mentioned in PR #8288 on WordPress/wordpress-develop by @sukhendu2002.
4 months ago #20

  • Keywords has-patch added

Trac ticket: https://core.trac.wordpress.org/ticket/48879

#21 @johnbillion
4 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Fixed in [59800] which missed this ticket.

Note: See TracTickets for help on using tickets.