Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#56911 closed defect (bug) (worksforme)

Login email alert includes administrator username?!

Reported by: jrpmedia
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 6.1
Component: Mail
Keywords: needs-testing
Focuses: accessibility, administration
Cc:

Description

I have my site set to email me when an Administrator logs in.

This email includes the Administrator's username :-O

Surely that username in an 'open' email could be intercepted and used to assist in a hack?

I have tried changing/adding the username as a shortname but this does not affect the email.

Here is an example of the email:


A user with username "O8xxx0ozqxxxxxxx" who has administrator access signed in to your WordPress site.
User IP: 81.xxx.7.51
User hostname: host81-148-7-51.range81-148.btcentralplus.com
User location: Blackpool, United Kingdom


Change History (4)

#1 @audrasjb
2 years ago

  • Severity changed from major to normal

Hello, welcome to WordPress Core Trac and thank you for opening this ticket,

Could you please explain what the exact issue is with mentioning the username in this notification?

If it is an issue for security reasons, please note that the WordPress Core Security Policy doesn't consider username disclosure a security issue :)

Related: #3708, #5301, #5388, #14644, #20235.

#2 @swissspidy
2 years ago

I don't think WordPress itself sends such emails, at least I can't find such wording in the source code. This might be coming from a plugin or your hosting provider.

#3 @jrpmedia
2 years ago

Apologies,
I may be in error and it may be WORDFENCE that is doing this.
I thought it important enough to report, even if I looked a fool.
Thank you for your direction and consideration.

#4 @audrasjb
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Hello @jrpmedia,

No, no, don't apologize! Thank you for opening this ticket :)
I'm closing it as worksforme. Feel free to reopen it if you find anything else worth considering on WordPress Core's side.