[wp-trac] [WordPress Trac] #43856: Include submitter IP details in password reset emails?

WordPress Trac noreply at wordpress.org
Wed Apr 25 08:48:16 UTC 2018


#43856: Include submitter IP details in password reset emails?
------------------------------------+-----------------------------
 Reporter:  cefiar                  |      Owner:  (none)
     Type:  enhancement             |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:
 Severity:  minor                   |   Keywords:  needs-patch
  Focuses:                          |
------------------------------------+-----------------------------
 Could WP password reset emails include the IP of the requester when someone
 asks for a password to be reset?

 I've been seeing a lot of bots that seem to spam the password reset link
 (they find a username from a post, then hit the password reset link using
 that username), and this would make it easier to pick up and block that
 IP/range if it was in the reset email already, rather than having to dig
 through the webserver logs looking for which IP submitted the password
 reset request.

 Note: From looking over wp-login.php this seems like it'd be fairly
 trivial to implement, but I wasn't sure what the best method was for
 determining the client's IP address to use in the email template (no use
 creating a security hole or providing useless info), otherwise I might
 have included a patch.

 FWIW: Google and various other sites usually report which IP either asked
 for the reset, or after a reset happened report that someone from that IP
 changed/reset the password, so basically I'm asking for similar sorts of
 detail from WP.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/43856>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
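
One way to approach the ticket's open question of which client address to report, as an added example that is not part of the original ticket and not WordPress core code. TRUSTED_PROXIES, reset_requester_ip() and the sample addresses are assumptions made for illustration; retrieve_password_message is the existing core filter for the reset email body.

```php
<?php
// Added example, not WordPress core code. TRUSTED_PROXIES is a constructed
// sample list; replace it with the reverse proxies actually in front of the site.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return the address to report in the reset email.
 * REMOTE_ADDR is the TCP peer and cannot be set by a request header.
 * X-Forwarded-For is client-supplied, so it is read only when the peer is a
 * trusted proxy, and walked right to left to the first untrusted hop.
 */
function reset_requester_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return 'unknown';
    }
    if (!in_array($peer, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection: ignore any forwarded header
    }
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the peer we can vouch for
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // first address that a trusted proxy actually saw
        }
    }
    return $peer;
}

if (function_exists('add_filter')) {
    // Inside WordPress: append the address to the plain-text reset email.
    add_filter('retrieve_password_message', function ($message) {
        return $message . "\r\n\r\nRequested from IP: " . reset_requester_ip($_SERVER) . "\r\n";
    });
} else {
    // Standalone run with constructed samples (documentation address ranges).
    $samples = [
        // Direct client sending a spoofed header.
        ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
        // Request via a trusted proxy; the leftmost entry is client-claimed.
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.7'],
    ];
    foreach ($samples as $s) {
        echo reset_requester_ip($s), PHP_EOL;
    }
}
```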