[wp-meta] [Making WordPress.org] #4691: Break Password Hash when user is blocked

Making WordPress.org noreply at wordpress.org
Mon Aug 19 20:32:34 UTC 2019

#4691: Break Password Hash when user is blocked
 Reporter:  Ipstenu         |      Owner:  (none)
     Type:  enhancement     |     Status:  new
 Priority:  normal          |  Milestone:
Component:  Support Forums  |   Keywords:
 On reviewing the uptick in malicious trac attacks, it was pointed out that
 by blocking a user, we prevent them from being able to leave tickets. That
 is, since cookies are shared across all .org sites (including Trac and the
 forums), blocking a user in the forums PROPERLY stops them from being able
 to login on Trac.

 But due to a change from BBpress 1 to 2, it _no longer_ invalidates

 Per Nacin:

 > At least in bbPress 1.x, cookies got invalidated when a user is blocked
 (by mucking with their password hash).

 While this can be achieved by manually by editing the user password, that
 comes with two concerns:

 1. You have to remember to edit the password
 2. The user would be emailed that the password is changed

 If a user is a spammer/hacker and blocked, they generally use a throwaway
 email, so a message is sent for no benefit. However when a bad-actor is
 banned, they WOULD receive the email, which alerts them to the unrequested

 Since we do inform users why they got banned before doing so, the extra
 notification is unnecessary.

 However. As Otto said:

 > Any normal action in WordPress which changes the password causes it to
 send the email, so invalidating the hash without causing that isn't the
 simplest thing to do

 Therefore I suggest we start small.

 * When an account its blocked, the email is changed.

 By automating this, we reduce the burden on forum support volunteers and
 anyone who doesn't happen to know this is necessary.

 Further work would be to make this do so without emailing the user.

Ticket URL: <https://meta.trac.wordpress.org/ticket/4691>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list