Support » Requests and Feedback » Changing Email Method a Security Risk

  • Resolved robbonj

    (@robbonj)



    As we were doing some user maintenance and changing the master email under General Settings, I realized the methodology seems flawed. Specifically, when you change the primary email address on the installation, the notice goes to the new email for approval, but not the old email.

    Every other online account system we’ve used sends a notice to the outgoing address asking them to approve the change. Why is WP not doing the same? Theoretically, a soon to be former employee or contractor could change the primary account email without the true owner knowing and wreak havoc without anyone knowing.

    Am I missing something?

Viewing 6 replies - 1 through 6 (of 6 total)
  • To that point… I just changed my email on my WordPress.org account and same thing:
    I get an email to the new address asking me to approve the change, but no email to the old address to authorize it. I gained access to an account and changed the email when I had no right to, of course, I would also ‘authorize’ it. How is that secure?

    Joy

    (@joyously)

    I disagree. There is no havoc that the receiver of notifications can wreak. The admin email is not a login.
    And I just changed my email address on about 50 different sites (long story), and they all do it differently.

    Thanks for the input, Joy. Doesn’t the admin email get security notices as well as new user creation notices? So I could change the admin email, then create additional admin accounts – which on a big site (e-commerce), could go unnoticed. Then there’s a backdoor into the site.

    Perhaps ‘wreak havoc’ is too strong, but just the same, why wouldn’t the original email address get notified of the change?

    Joy

    (@joyously)

    Well, it’s just another option, out of 100s. If you have admin access to change options, you aren’t notified of all the changes.

    Joy

    (@joyously)

    Why don’t you search Trac for an existing ticket and if it doesn’t exist, create one?
    https://core.trac.wordpress.org/

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    @robbonj – If someone already has admin access then they can change everything anyway, like installing a plugin that edits the email without mailing anyone at all, so it’s really kind of pointless. The barn door’s open already.

Viewing 6 replies - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.