[wp-trac] [WordPress Trac] #42967: New admin email change feature should be rolled back
WordPress Trac
noreply at wordpress.org
Fri Dec 22 18:06:57 UTC 2017
#42967: New admin email change feature should be rolled back
-----------------------------+-----------------------------
Reporter: johndeebdd | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.9
Severity: normal | Keywords:
Focuses: |
-----------------------------+-----------------------------
Suggest rollback of core ticket #39118.
A new feature was added to single site core. It involves the method by
which an admin can change the admin email for the site. Previously, a user
could log in as an admin and change the email, just like every other
setting. The new feature has the system send a confirmation email to the
new email before the change takes place. There are two major problems with
this new approach:
In many cases, a person might install WordPress without having previously
set up an admin email. This could be for development purposes, or because
their admin email is somehow inaccessible. With the new change, the system
must have access to the OLD email, from which the confirmation email is
being SENT. What is the reason an admin might want to change their email?
One of the main reasons seems to be that the old email is not accessible
to them. Presumably if the email is inaccessible to the user, it would be
also inaccessible to the WordPress install trying to send the confirmation
email! With the new system, you cannot change the admin email if the
system cannot SEND emails. This is a terrible idea, because in my
experience setting up the ability to send emails is one of the touchiest
things in WordPress, often the last thing done. Many admins use Gmail
because setting up a domain specific email server is a daunting task.
Normally, the canonical method that the server uses to identify the
penultimate credential, is the password the admin enters when they install
WordPress. Note that you can install WordPress with an email that is NOT
accessible, as in "dummyemail at local.dev". This new technique makes the
penultimate password external to WordPress [but weirdly just for this ONE
setting]. For instance, if Gmail were to simply go out of business, it
would become impossible - within WordPress - for that admin to change his
own password or register a new admin. Also, this setting now becomes
hostage to network activity. It is possible sent emails are being blocked
or held up downstream, in which case this setting would become
unchangeable via WordPress directly.
I understand that the perception is that this provides an extra layer of
security, but it really just provides an extra layer of complexity. If a
user is logged in as an admin, he should be able to change all the
settings on the site without having to provide MORE credentials to some
other third party.
Note this would be the only setting in the entire system that works this
way. You can change every other setting with only admin credentials, not
admin + email server credentials. Also, I CAN change the admin password, I
just have to understand PHP [since an admin can run arbitrary code]. A
security feature that only protects against people with extremely limited
skills isn't a feature. So this doesn't actually add security, it just adds
the PERCEPTION of security, which is bad.
ISSUE #2: This is the only instance where a single site addresses the
admin with the pronoun "we". When I saw this, my jaw dropped. Who is the
"we" that is going to email me? Is someone else gathering emails from my
privately hosted site? The pronoun "we" should not be used here.
Suggestion: This entire feature should just be rolled back. It's not an
improvement.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42967>
WordPress Trac <https://core.trac.wordpress.org/>
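The ticket's first objection is that the new flow depends on the site being able to send mail, and that a blocked or failed confirmation message leaves the setting silently unchangeable. The following must-use plugin is an added example written for this page, not code from the ticket or from WordPress core: it hooks the core `wp_mail_failed` action (fired when `wp_mail()` fails to send) so that a failed confirmation email is logged and surfaced to administrators on the dashboard instead of disappearing. The transient name `example_last_mail_failure` and the plugin header are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Mail failure visibility (added example, not core code)
 * Description: Logs wp_mail() failures and shows administrators a notice,
 * so an admin-email-change confirmation that never left the server is
 * visible rather than silently lost.
 */

// Transient key used by this example to remember the most recent failure.
const EXAMPLE_LAST_MAIL_FAILURE = 'example_last_mail_failure';

/**
 * Record a failed wp_mail() call: write it to the PHP error log and keep
 * a one-hour record for the dashboard notice.
 *
 * @param WP_Error $error Error object passed by core to 'wp_mail_failed'.
 */
function example_record_mail_failure( $error ) {
	$data    = $error->get_error_data();
	$to      = isset( $data['to'] ) ? implode( ', ', (array) $data['to'] ) : '';
	$subject = isset( $data['subject'] ) ? $data['subject'] : '';

	// Recipient and subject are enough to correlate the failure with the
	// email-change request; the message body itself is deliberately not logged.
	error_log( sprintf(
		'wp_mail failed: %s (to: %s, subject: %s)',
		$error->get_error_message(),
		$to,
		$subject
	) );

	set_transient( EXAMPLE_LAST_MAIL_FAILURE, array(
		'message' => $error->get_error_message(),
		'to'      => $to,
		'subject' => $subject,
		'time'    => time(),
	), HOUR_IN_SECONDS );
}
add_action( 'wp_mail_failed', 'example_record_mail_failure' );

/**
 * Show administrators a notice while a recent mail failure is on record,
 * so a missing confirmation email is traced to the mail path, not the UI.
 */
function example_mail_failure_notice() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$failure = get_transient( EXAMPLE_LAST_MAIL_FAILURE );
	if ( ! $failure ) {
		return;
	}
	printf(
		'<div class="notice notice-error"><p>%s</p></div>',
		esc_html( sprintf(
			'Outgoing mail failed at %s UTC (to %s, subject "%s"): %s. Any confirmation email requested since then did not arrive.',
			gmdate( 'Y-m-d H:i:s', $failure['time'] ),
			$failure['to'],
			$failure['subject'],
			$failure['message']
		) )
	);
}
add_action( 'admin_notices', 'example_mail_failure_notice' );
```

Drop the file into `wp-content/mu-plugins/` so it loads before regular plugins. It changes nothing about the confirmation flow itself; it only makes the failure mode the ticket describes observable, which is the minimum an administrator needs before deciding whether the mail path or the feature is the problem.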