[wp-trac] [WordPress Trac] #43856: Include submitter IP details in password reset emails?
WordPress Trac
noreply at wordpress.org
Wed Apr 25 08:48:16 UTC 2018
#43856: Include submitter IP details in password reset emails?
------------------------------------+-----------------------------
 Reporter:  cefiar                  |      Owner:  (none)
     Type:  enhancement             |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:
 Severity:  minor                   |   Keywords:  needs-patch
  Focuses:                          |
------------------------------------+-----------------------------
Could WP password reset emails include the IP of the requester when someone
asks for a password to be reset?

I've been seeing a lot of bots that seem to spam the password reset link
(they find a username from a post, then hit the password reset link using
that username), and this would make it easier to pick up and block that
IP/range if it was in the reset email already, rather than having to dig
through the webserver logs looking for which IP submitted the password
reset request.

Note: From looking over wp-login.php this seems like it'd be fairly
trivial to implement, but I wasn't sure what the best method was for
determining the client's IP address to use in the email template (no use
creating a security hole or providing useless info), otherwise I might
have included a patch.

FWIW: Google and various other sites usually report which IP either asked
for the reset, or after a reset happened report that someone from that IP
changed/reset the password, so basically I'm asking for similar sorts of
detail from WP.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43856>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
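
An added example, not part of the ticket and not WordPress core code: one way a site owner could append the requester's IP to the reset email from a plugin, using the existing `retrieve_password_message` filter. The function names, the `EXAMPLE_TRUSTED_PROXIES` constant and the single-reverse-proxy assumption are hypothetical. It addresses the two concerns raised in the ticket: the address is taken from the TCP peer (`REMOTE_ADDR`) unless that peer is a listed proxy, so a client-supplied `X-Forwarded-For` cannot spoof it, and it is validated as an IP literal before it reaches the message body.

```php
<?php
/**
 * Plugin Name: Reset Email Requester IP (example)
 */

// Assumption: addresses of reverse proxies that sit directly in front of this
// site. Leave empty when the web server is reached directly by clients.
const EXAMPLE_TRUSTED_PROXIES = array();

/**
 * Return the IP that submitted the current request, or '' if none validates.
 */
function example_reset_requester_ip() {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! filter_var( $remote, FILTER_VALIDATE_IP ) ) {
        return '';
    }

    // X-Forwarded-For is client-controlled unless the direct peer is a proxy
    // we operate, so it is only consulted in that case.
    if ( in_array( $remote, EXAMPLE_TRUSTED_PROXIES, true )
        && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // With one trusted proxy, the right-most entry is the address that
        // proxy saw; entries to its left were supplied by the client.
        $hops      = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
        $candidate = end( $hops );
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            return $candidate;
        }
    }

    return $remote;
}

/**
 * Append the validated IP to the plain-text password reset message.
 */
function example_add_ip_to_reset_email( $message, $key, $user_login, $user_data ) {
    $ip = example_reset_requester_ip();
    if ( '' === $ip ) {
        return $message; // Nothing trustworthy to report; leave the email as is.
    }
    // $ip has passed FILTER_VALIDATE_IP, so it cannot carry line breaks or text.
    return $message . "\r\n"
        . sprintf( 'This request was submitted from IP address %s.', $ip ) . "\r\n";
}
add_filter( 'retrieve_password_message', 'example_add_ip_to_reset_email', 10, 4 );
```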