Opened 2 years ago
Closed 2 years ago
#56911 closed defect (bug) (worksforme)
Login email alert includes administrator username?!
Reported by: | jrpmedia | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 6.1 |
Component: | | Keywords: | needs-testing |
Focuses: | accessibility, administration | Cc: | |
Description
I have my site set to email me when an Administrator logs in.
This email includes the Administrator's username :-O
Surely that username in an 'open' email could be intercepted and used to assist in a hack?
I have tried changing/adding the username as a shortname but this does not affect the email.
Here is an example of the email:
A user with username "O8xxx0ozqxxxxxxx" who has administrator access signed in to your WordPress site.
User IP: 81.xxx.7.51
User hostname: host81-148-7-51.range81-148.btcentralplus.com
User location: Blackpool, United Kingdom
Change History (4)
#2
2 years ago
I don't think WordPress itself sends such emails, at least I can't find such wording in the source code. This might be coming from a plugin or your hosting provider.
#3
2 years ago
Apologies,
I may be in error and it may be WORDFENCE that is doing this.
I thought it important enough to report, even if I looked a fool.
Thank you for your direction and consideration.
#4
2 years ago
- Milestone Awaiting Review deleted
- Resolution set to worksforme
- Status changed from new to closed
Hello @jrpmedia,
No, no, don't apologize! Thank you for opening this ticket :)
I'm closing it as worksforme. Feel free to reopen it if you find anything else worth considering on WordPress Core's side.
Hello, welcome to WordPress Core Trac and thank you for opening this ticket,
Could you please explain what the exact issue is with mentioning the username in this notification?
If it is an issue for security reasons, please note that the WordPress Core Security Policy doesn't consider username disclosure a security issue :)
Related: #3708, #5301, #5388, #14644, #20235.