4.3 Sends Excessive Amount of Password Change Emails Even Without Requesting

  • I run a busy site that sees a few hundred new registrations each day. Prior to v4.3, a few dozen a day changed their password (I know from getting notifications of it). After the update to 4.3, I get a notification for every new sign-up.

    Today I found out that people who registered get spammed to no end with emails from my site, even if they never ask to have their password changed.

    I received emails from several people who told me they never asked to have their email changed, but received 6+ emails titled “password change” from my site.

    What’s going on? Why is v4.3 turning my site into a spam bot?

  • Moderator t-p (@t-p)

    My users are getting lots of password change emails for no seeming reason

    Most likely, you are using some plugin that integrates your user accounts with accounts on some other system. That plugin is modifying user accounts on some sort of regular basis. It is likely doing so incorrectly, and causing WordPress to trigger the password change emails.

    Get in contact with your plugin’s author, and give them this information:

    The password change email is triggered any time that the wp_update_user() function is called with a user_pass argument. If the plugin is not actually changing the password, then it needs to not update the user with a password field in the arguments array.

    This is because whether or not you change the password, even to the same password, the database will be changed. WordPress doesn’t know the password, only a hash of it. And the same password can be hashed pretty much an infinite number of ways. So if you send it a user_pass, then it actually is rehashing it and updating the entry in the database.

    So, please stop calling wp_update_user() with a user_pass field over and over again. Then no more emails will be sent. Instead, consider checking if the user password has actually changed before trying to change it. You can use the wp_check_password() function for that.

    A TEMPORARY workaround to stop password reset emails is to put this line of code into a plugin on your site and activate it:

    add_filter('send_password_change_email', '__return_false');

    Source: https://wordpress.org/support/topic/read-this-first-%E2%80%93-wordpress-43-master-list?replies=4
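
An added example, not part of the original reply or of any particular plugin: one way a sync routine can follow the advice above and pass user_pass to wp_update_user() only when wp_check_password() shows the password really differs. The function name example_sync_user(), the $remote array and its keys are hypothetical, and the sketch assumes the external system hands the plugin the plaintext password.

```php
<?php
/**
 * Hypothetical sync routine for a plugin that mirrors accounts from an
 * external system into WordPress. example_sync_user() and the keys of
 * $remote ('display_name', 'password') are assumptions for illustration.
 *
 * @param int   $user_id WordPress user ID to update.
 * @param array $remote  Values received from the external system.
 * @return int|WP_Error  User ID on success or no-op, WP_Error on failure.
 */
function example_sync_user( $user_id, array $remote ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'example_no_user', 'Unknown user ID.' );
    }

    // Start with the ID only; add a field only when it really differs.
    $args = array( 'ID' => $user_id );

    if ( isset( $remote['display_name'] )
        && $remote['display_name'] !== $user->display_name ) {
        $args['display_name'] = $remote['display_name'];
    }

    // WordPress stores a hash, so compare the plaintext against it with
    // wp_check_password() instead of comparing strings. Including
    // user_pass at all rehashes the password, rewrites the row and
    // triggers the "password change" email, even for the same password.
    if ( isset( $remote['password'] ) && '' !== $remote['password']
        && ! wp_check_password( $remote['password'], $user->user_pass, $user_id ) ) {
        $args['user_pass'] = $remote['password'];
    }

    // Nothing besides the ID means nothing changed: skip the update.
    if ( 1 === count( $args ) ) {
        return $user_id;
    }

    return wp_update_user( $args );
}
```

With a check like this in place the temporary send_password_change_email filter is no longer needed, so users still get notified when their password genuinely changes.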
