Opened 2 years ago
Last modified 14 months ago
#43856 assigned enhancement
Include submitter IP details in password reset emails?
Reported by: | cefiar | Owned by: | garrett-eclipse |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | minor | Version: | 4.9.6 |
Component: | Privacy | Keywords: | has-patch 2nd-opinion ux-feedback needs-refresh |
Focuses: | Cc: |
Description
Could WP password reset emails include the IP of requester when someone asks for a password to be reset?
I've been seeing a lot of bots that seem to spam the password reset link (they find a username from a post, then hit the password reset link using that username), and this would make it easier to pick up and block that IP/range if it was in the reset email already, rather than having to dig through the webserver logs looking for which IP submitted the password reset request.
Note: From looking over wp-login.php this seems like it'd be fairly trivial to implement, but I wasn't sure what the best method was for determining the client's IP address to use in the email template (no use creating a security hole or providing useless info), otherwise I might have included a patch.
FWIW: Google and various other sites usually report which IP either asked for the reset, or after a reset happened report that someone from that IP changed/reset the password, so basically I'm asking for similar sorts of detail from WP.
Attachments (1)
Change History (14)
#1
in reply to: description
2 years ago
- Keywords gdpr added
#2
23 months ago
- Component changed from Login and Registration to Privacy
Moving to the new Privacy component.
This ticket was mentioned in Slack in #gdpr-compliance by desrosj.
22 months ago
#5
22 months ago
I like it. If we do this, the patch should also add something like this to WordPress' `wp_add_privacy_policy_content()` call:
"If you request a reset of your password, your IP address will be included in an email to the site administrator."
#6
21 months ago
- Keywords gdpr removed
Removing the GDPR keyword. This has been replaced by the new Privacy component and privacy focuses in Trac.
#7
19 months ago
- Keywords has-patch 2nd-opinion ux-feedback added; needs-patch removed
Hello,
This is my first patch and I'd like to be involved in coming up with a solution to make it through core. I think that the simple solution of adding the IP of the form submission to the email is one solution, but what I think should happen is this:
Like Twitter, password reset emails should include the device and location. This is enough information for a user.
For the admin, do admins need to get a password reset email for each user? In the case where a site admin is not getting attacked by bots, this can be annoying.
#9
15 months ago
- Milestone changed from 5.1 to 5.2
At first glance, 43856.diff needs the `@since` annotation updated for `wp_get_unsafe_client_ip()`, and the `IP address: %s` string is missing a `/* translators: */` comment.
@isharis, are you able to address that and refresh the patch?
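As an added example (not the ticket's 43856.diff or any WordPress core code), a small plugin that does what the description, comment #5 and comment #9 discuss: appends the requester's IP to the reset email via the existing `retrieve_password_message` filter, with the `/* translators: */` comment, and registers the privacy-policy sentence with `wp_add_privacy_policy_content()`. The `example_reset_request_*` function names are this example's own; it assumes PHP sees the real client address in `REMOTE_ADDR`.

```php
<?php
/**
 * Plugin Name: Reset Request IP (example)
 *
 * Added example, not the ticket's patch. Appends the requesting client's IP
 * address to the password reset email and documents that in the privacy
 * policy suggestions. The hook names and wp_add_privacy_policy_content()
 * are real WordPress APIs; the example_reset_request_* functions are ours.
 */

// Determine the client IP without trusting spoofable headers.
// Assumption: no reverse proxy, so REMOTE_ADDR is the real client address.
// Behind a trusted proxy, have the proxy rewrite REMOTE_ADDR instead of
// reading X-Forwarded-For here: any client can set that header, which would
// turn the "requester IP" into attacker-chosen, useless information.
function example_reset_request_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    // FILTER_VALIDATE_IP rejects garbage such as "1.2.3.4:8080".
    if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return '';
    }
    return $ip;
}

// Core applies this filter with four arguments when building the reset mail.
function example_reset_request_append_ip( $message, $key, $user_login, $user_data ) {
    $ip = example_reset_request_client_ip();
    if ( '' === $ip ) {
        return $message; // Nothing trustworthy to report; leave the mail as is.
    }
    /* translators: %s: IP address from which the password reset was requested. */
    $message .= "\r\n" . sprintf( __( 'IP address: %s' ), $ip ) . "\r\n";
    return $message;
}
add_filter( 'retrieve_password_message', 'example_reset_request_append_ip', 10, 4 );

// Privacy policy suggestion, as proposed in comment #5.
function example_reset_request_privacy_policy() {
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return; // Site is older than WordPress 4.9.6.
    }
    wp_add_privacy_policy_content(
        'Reset Request IP (example)',
        __( 'If you request a reset of your password, your IP address will be included in the password reset email.' )
    );
}
add_action( 'admin_init', 'example_reset_request_privacy_policy' );
```

The IP is only ever sent to the account's own registered email address, so the account holder (or the admin running a test account) can see which address triggered the flood of reset requests without searching the web server logs.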
Replying to cefiar:
`WP_Community_Events::get_unsafe_client_ip()` might be useful there. Adding the gdpr keyword since this could be considered sharing "personal data" with an external system.