[wp-trac] [WordPress Trac] #40081: Remove wp-admin links from all Core emails
WordPress Trac
noreply at wordpress.org
Thu Mar 9 14:56:42 UTC 2017
#40081: Remove wp-admin links from all Core emails
----------------------------+-----------------------------
Reporter: iandunn | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Mail | Version:
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
SpamAssassin has an undocumented rule called `URI_WPADMIN`, which is
triggered when it sees a wp-admin URL in a message. If the rule is
triggered, the message's spam score is bumped by `2.6` points (by
default), which gets the message `50%` of the way to being flagged as
spam. This can be reproduced easily with
[http://spamcheck.postmarkapp.com/ Postmark's spam-checker API].
SpamAssassin also has a `PHP_ORIG_SCRIPT` rule that is assigned to all
messages that are sent with the default PHP `mail()` agent. It has a score
of `1.5`, which brings the vast majority of Core emails sent by WordPress
installations up to a score of `4.1`, which is `80%` of the way to being
flagged. That's not counting any other rules that may be triggered based
on message content, server configuration, etc.
From a UX perspective, it's very helpful to include links in messages that
take the user directly to any actions that we can reasonably assume
they'll want to perform on a message. However, from a security
perspective, I think the best practice is to not include those links,
because doing so trains users to expect and trust them, which makes them
vulnerable to phishing attacks.
So, I think we should consider removing all links to wp-admin and replacing
them with a message asking users to log in to their site instead. We can
give them navigation breadcrumbs like, `To disable these notifications,
log in to WordPress at example.org and navigate to: My Sites > Network
Admin > Settings.`
Related #39709
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40081>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
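As an added illustration of the mitigation proposed in the ticket (this is not Core code and not from the ticket), a plugin-side `wp_mail` filter that rewrites any wp-admin URL in an outgoing message body into a log-in instruction before the mail is sent; the `example_` function names are hypothetical.

```php
<?php
// Added example (not WordPress Core code): rewrite wp-admin links in outgoing
// Core emails into a "log in to your site" instruction, so the SpamAssassin
// URI_WPADMIN rule is not triggered and users are not trained to click
// dashboard links that arrive by email.

/**
 * Replace every wp-admin URL in $body with a breadcrumb-style instruction.
 * Matches http(s)://host[/prefix]/wp-admin[/anything], stopping at whitespace,
 * quotes and angle brackets so the surrounding text is left intact.
 * Returns the rewritten body.
 */
function example_strip_wp_admin_links( $body ) {
    $pattern = '~https?://([^/\s"\'<>]+)(?:/[^\s"\'<>]*?)?/wp-admin(?:/[^\s"\'<>]*)?~i';

    return preg_replace_callback(
        $pattern,
        function ( $m ) {
            // $m[1] is the site host (e.g. example.org); keep it so the user
            // knows which site to log in to, but give them no clickable path.
            return sprintf( 'your WordPress dashboard (log in at %s)', $m[1] );
        },
        $body
    );
}

/**
 * 'wp_mail' filter callback. $args carries the keys 'to', 'subject',
 * 'message', 'headers' and 'attachments' that wp_mail() will use.
 */
function example_wp_mail_remove_admin_links( $args ) {
    if ( isset( $args['message'] ) && is_string( $args['message'] ) ) {
        $args['message'] = example_strip_wp_admin_links( $args['message'] );
    }
    return $args;
}
add_filter( 'wp_mail', 'example_wp_mail_remove_admin_links' );
```

This only covers the message body; subjects and custom headers are not rewritten, and a site installed under a sub-path (e.g. `/blog/wp-admin/`) is handled by the optional prefix group in the pattern.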