Opened 2 years ago
Last modified 14 months ago
#43856 assigned enhancement
Include submitter IP details in password reset emails?
| Reported by: |  | Owned by: |  |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | minor | Version: | 4.9.6 |
| Component: | Privacy | Keywords: | has-patch 2nd-opinion ux-feedback needs-refresh |
| Focuses: |  | Cc: |  |
Description
Could WP password reset emails include the IP of requester when someone asks for a password to be reset?
I've been seeing a lot of bots that seem to spam the password reset link (they find a username from a post, then hit the password reset link using that username), and this would make it easier to pick up and block that IP/range if it was in the reset email already, rather than having to dig through the webserver logs looking for which IP submitted the password reset request.
Note: From looking over wp-login.php this seems like it'd be fairly trivial to implement, but I wasn't sure what the best method for determining the clients IP address to use in the email template (no use creating a security hole or providing useless info), otherwise I might have included a patch.
FWIW: Google and various other sites usually report which IP either asked for the reset, or after a reset happened report that someone from that IP changed/reset the password, so basically I'm asking for similar sorts of detail from WP.
Attachments (1)
Change History (14)
#1 (in reply to: description), 2 years ago
- Keywords gdpr added
#2, 23 months ago
- Component changed from Login and Registration to Privacy
Moving to the new Privacy component.
22 months ago: This ticket was mentioned in Slack in #gdpr-compliance by desrosj.
#5, 22 months ago
I like it. If we do this, the patch should also add something like this to WordPress' wp_add_privacy_policy_content call:
"If you request a reset of your password, your IP address will be included in an email to the site administrator."
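The two pieces the description and comment #5 ask for, as an added example rather than the 43856.diff patch attached to this ticket: determining the requesting client's IP address without trusting a header the client can forge, appending it to the password reset email through core's `retrieve_password_message` filter in wp-login.php, and registering matching text with `wp_add_privacy_policy_content()`. The function names, the `RESET_IP_TRUSTED_PROXIES` constant and the email wording are this example's own assumptions, not anything from the ticket.

```php
<?php
/**
 * Plugin Name: Reset Request IP (example)
 *
 * Added example for ticket #43856, not the attached patch. Function names,
 * the RESET_IP_TRUSTED_PROXIES constant and the message text are assumed.
 */

/**
 * Determine the client IP without trusting spoofable headers.
 *
 * REMOTE_ADDR is set by the web server from the TCP connection and cannot be
 * forged by the client. X-Forwarded-For is attacker-controlled unless the
 * request passed through a proxy you operate, so it is consulted only when
 * REMOTE_ADDR is one of the proxies listed in RESET_IP_TRUSTED_PROXIES
 * (assumed to be defined in wp-config.php as a comma-separated list).
 *
 * @return string Validated IP address, or '' if none could be determined.
 */
function reset_ip_example_client_ip() {
	$remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	if ( false === filter_var( $remote, FILTER_VALIDATE_IP ) ) {
		return '';
	}

	$trusted = defined( 'RESET_IP_TRUSTED_PROXIES' )
		? array_map( 'trim', explode( ',', RESET_IP_TRUSTED_PROXIES ) )
		: array();

	if ( in_array( $remote, $trusted, true ) && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
		// Walk the chain from the right: the first hop that is not one of our
		// own proxies is the address that connected to our edge.
		$hops = array_reverse( array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) );
		foreach ( $hops as $hop ) {
			if ( false === filter_var( $hop, FILTER_VALIDATE_IP ) ) {
				return $remote; // Malformed header: fall back to the connecting address.
			}
			if ( ! in_array( $hop, $trusted, true ) ) {
				return $hop;
			}
		}
	}

	return $remote;
}

/**
 * Append the requester's IP to the reset email body.
 *
 * Hooks the core 'retrieve_password_message' filter applied in wp-login.php.
 * The IP has already been validated, so it cannot carry header injection.
 */
function reset_ip_example_message( $message, $key, $user_login, $user_data ) {
	$ip = reset_ip_example_client_ip();
	if ( '' === $ip ) {
		return $message;
	}
	$message .= "\r\n";
	/* translators: %s: IP address of the client that requested the password reset. */
	$message .= sprintf( __( 'This request was made from IP address: %s' ), $ip ) . "\r\n";
	return $message;
}
add_filter( 'retrieve_password_message', 'reset_ip_example_message', 10, 4 );

/**
 * Register the privacy policy text suggested in comment #5 so it shows up in
 * the Privacy Policy guide (Settings > Privacy) added in 4.9.6.
 */
function reset_ip_example_privacy_text() {
	if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
		return; // Pre-4.9.6 site: nothing to register.
	}
	wp_add_privacy_policy_content(
		'Reset Request IP (example)',
		__( 'If you request a reset of your password, your IP address will be included in the password reset email.' )
	);
}
add_action( 'admin_init', 'reset_ip_example_privacy_text' );
```

Without the `RESET_IP_TRUSTED_PROXIES` constant the example reports only `REMOTE_ADDR`, which is the safe default on a host that receives connections directly. Behind a reverse proxy or CDN that address is always the proxy, so the constant must list the proxy addresses before `X-Forwarded-For` is consulted; trusting that header unconditionally would let the bot in the description put any address it likes in the email, which is the "security hole" the reporter is worried about.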
#6, 21 months ago
  - Keywords gdpr removed
Removing the GDPR keyword. This has been replaced by the new Privacy component and privacy focuses in Trac.
#7, 19 months ago
- Keywords has-patch 2nd-opinion ux-feedback added; needs-patch removed
Hello,
This is my first patch and I'd like to be involved in coming up with a solution to make it through to core. I think that the simple solution of adding the IP of the form submission to the email is one solution, but what I think should happen is this:
Like Twitter, password reset emails should include the device and location. This is enough information for a user.
For the admin, do admins need to get a password reset email for each user? In the case where a site admin is not getting attacked by bots, this can be annoying.
#9, 15 months ago
- Milestone changed from 5.1 to 5.2
At first glance, 43856.diff needs the `@since` annotation updated for `wp_get_unsafe_client_ip()`, and the `IP address: %s` string is missing a `/* translators: */` comment.
@isharis, are you able to address that and refresh the patch?
(#1, in reply to the description)
Replying to cefiar:
WP_Community_Events::get_unsafe_client_ip() might be useful there. Adding the gdpr keyword since this could be considered sharing "personal data" with an external system.