Opened 7 months ago
Closed 6 months ago
#64316 closed defect (bug) (fixed)
Unnecessary and confusing addition of (unusable) login URL on end of new user notification
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 7.0 | Priority: | normal |
| Severity: | normal | Version: | 6.8.3 |
| Component: | Login and Registration | Keywords: | |
| Focuses: | | Cc: | |
Description (last modified by )
In wp-includes/pluggable.php, in the wp_new_user_notification function, on line 2285, the login URL is added to a message just after another URL which allows them to set their password.
LINE 2283 $message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) . "\r\n\r\n";
LINE 2285 $message .= wp_login_url() . "\r\n";
This is confusing (since they can't log in yet anyway, not having set a password) and on some email clients (such as the popular ProtonMail), the carriage returns and new lines seem to be ignored altogether, meaning that this login URL is just tacked right on the end of the previous URL, like this...
Username: test To set your password, visit the following address: https://[domain]/wp-login.php?login=test&key=[KEY]&action=rp https://[domain]/wp-login.php
Since for some reason the URL is not in a link the user can click, they will be copy-pasting the URL into their browser URL field. Most users will not notice that there are two separate URLs, so instead of being able to set a password, they will simply end up on an unusable login page.
Please get rid of the login URL at line 2285, and, if possible, turn the other URL into a clickable link.
Attachments (1)
Change History (8)
#2
@
7 months ago
I agree that removing the login URL at the bottom of this email makes sense. A new user cannot do anything actionable on the regular login screen if they are yet to set a password.
Regarding formatting and clickable links, it sounds like either your site is configured to send emails as HTML, or your email client is incorrectly treating it as an HTML email, which causes the line breaks to collapse. All emails sent by WordPress are plain text emails with plain links.
This ticket was mentioned in PR #10566 on WordPress/wordpress-develop by @manhphucofficial.
7 months ago
#3
- Keywords has-patch added
This PR updates the wp_new_user_notification() function to remove the unnecessary login URL that appears at the end of the new user notification email.
This URL is confusing and unusable because the user cannot log in before setting a password.
On some email clients, line breaks are collapsed, causing the login URL to appear merged with the reset-password link.
Removing the login URL prevents users from being directed to an unusable login screen.
#4
@
7 months ago
- Keywords has-patch removed
Attached a GitHub pull request for this change:
https://github.com/WordPress/wordpress-develop/pull/10566
Sorry, forget about adding a clickable link. Didn't realise this was a security no-no.
And thanks for your help!
C
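A site still running an affected version can drop the trailing login URL discussed in this ticket with a filter. This is an added example, not the patch from PR #10566 and not WordPress core code. It assumes the `wp_new_user_notification_email` filter is available; the helper name, the `example.test` domain and the sample message are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. The helper name is hypothetical.

/** Remove $login_url from $message only when it stands alone as the last line. */
function example_strip_trailing_login_url( string $message, string $login_url ): string {
	$trimmed = rtrim( $message, "\r\n" );
	$len     = strlen( $login_url );
	if ( 0 === $len || substr( $trimmed, -$len ) !== $login_url ) {
		return $message; // Layout differs from the one in the ticket: leave as is.
	}
	$before = substr( $trimmed, 0, -$len );
	if ( '' !== $before && "\n" !== substr( $before, -1 ) ) {
		return $message; // Match is the tail of a longer URL, not its own line.
	}
	return rtrim( $before, "\r\n" ) . "\r\n";
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: rewrite the message before wp_mail() sends it.
	add_filter(
		'wp_new_user_notification_email',
		function ( $email, $user, $blogname ) {
			$email['message'] = example_strip_trailing_login_url( $email['message'], wp_login_url() );
			return $email;
		},
		10,
		3
	);
} else {
	// Stand-alone run with a constructed message in the layout the ticket quotes.
	$login = 'https://example.test/wp-login.php';
	$msg   = "Username: test\r\n\r\n"
		. "To set your password, visit the following address:\r\n\r\n"
		. "https://example.test/wp-login.php?login=test&key=CONSTRUCTED_KEY&action=rp\r\n\r\n"
		. $login . "\r\n";
	$out = example_strip_trailing_login_url( $msg, $login );
	// Collapse whitespace the way the ticket says some clients render the mail.
	echo preg_replace( '/\s+/', ' ', trim( $out ) ), "\n";
}
```

Run outside WordPress, the script prints the collapsed message with only the set-password URL left, so a copy-paste of the URL run no longer picks up a second address.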