• Hello,

    Ever since updating to WordPress 4.3, every time I update a user’s profile information, the user receives a “Notice of Password Change” email. For example, changing the name or customer billing address and clicking Update User (i.e. the submit button) triggers the reset.

    I also run WooCommerce and I need to update my customers’ billing information but am not able to without each one receiving a password reset email.

    I saw this issue reported in one or two other threads but it was in relation to a specific plugin, Digital Access Pass, which I do not use.

    I’ve deactivated literally every single plugin one at a time including WooCommerce, and the issue persists. I’ve also tried switching to the Twenty Fifteen theme and the issue persists. Thus, it seems like a WordPress 4.3 bug.

    Any suggestions?

    Thank you,
    Chris

Viewing 15 replies - 1 through 15 (of 24 total)
  • I’ve got the same problem… using Membership2 Pro from WPMU Dev and every time a new user account is registered the “Notice of Password Change” email is going out right before the “New Membership” confirmation email.

    We’re receiving similar reports from s2Member users and we believe we may have found the problem (related to Google Chrome + WP 4.3): https://github.com/websharks/s2member/issues/705#issuecomment-137010241

    @ccano @sinemac Can either of you confirm what’s described in the above GitHub issue?

    Thread Starter ccano

    (@ccano)

    Hello, thanks for your reply. It appears to be the same problem that the users on the github thread are reporting. But I’ve confirmed just now that the issue persists on Firefox and Chrome.

    I submitted a support request to WPMU Dev and they confirmed the problem… it does not seem to be limited to Chrome.

    Additional searching found this:
    https://wordpress.org/support/topic/notice-of-password-change-upon-login-after-updating-to-wp43?replies=8
    and this:
    https://wordpress.org/support/topic/read-this-first-–-wordpress-43-master-list?replies=4

    … (see “It’s not a bug” post) suggesting it’s an issue with plugins that modify user accounts.

    I’ve used the temporary fix while waiting for WPMU Dev to update Membership2.

    A TEMPORARY workaround to stop password reset emails is to put this line of code into a plugin on your site and activate it:

    add_filter('send_password_change_email', '__return_false');

    It appears that this issue with password reset emails being sent when simply clicking “Update User” can occur for two possible reasons (both related to the WP 4.3 update):

    If an installed plugin is unnecessarily calling wp_update_user():

    The password change email is triggered any time that the wp_update_user() function is called with a user_pass argument. If the plugin is not actually changing the password, then it needs to not update the user with a password field in the arguments array.

    This is because whether or not you change the password, even to the same password, the database will be changed. WordPress doesn’t know the password, only a hash of it. And the same password can be hashed pretty much an infinite number of ways. So if you send it a user_pass, then it actually is rehashing it and updating the entry in the database.

    So, please stop calling wp_update_user() with a user_pass field over and over again. Then no more emails will be sent. Instead, consider checking if the user password has actually changed before trying to change it. You can use the wp_check_password() function for that. – quoted from this post

    Or, if you have ever used a “save passwords” or “remember passwords” feature in your web browser (issue observed in Firefox and Chrome):

    The WordPress v4.3 update changed the way passwords are reset on the Edit User panel: the “new password” fields are now hidden behind the “Generate Password” button. When you click that button, a text field appears with an auto-generated password. However, in some cases with Chrome and Firefox, the browser will covertly fill in that (now hidden) change password field (pass1). When you click “Update User”, the browser sends a POST with the pass1 and/or pass2 values set to whatever password you had previously saved with your browser. As a result, WordPress thinks you’re changing the user’s password and then sends the password reset email.

    Here’s how you can test to determine if your browser is sending pass1 or pass2 with values filled in (note this requires PHP debugging to be enabled; if you’re not comfortable with PHP, I don’t recommend making these changes as modifying core files for any reason is not recommended):

    After this line (Line 41 in wp-admin/includes/user.php) in WordPress core, add the following, to help debug:

    header('Content-Type: text/plain');
    print_r($_POST); exit;

    Now attempt to reproduce the issue by updating a user. Observe the debug output and see what pass1 and/or pass2 are set to.

    I have observed that Google Chrome is autofilling my own password at times, and pass1 and pass2 are in fact POSTd without any interaction on my part.

    I’ve opened a WordPress Core Trac ticket here: https://core.trac.wordpress.org/ticket/33699

    We have the same issue: every time an admin updates a user profile role (e.g. select user via checkbox, then “Change role to…”) it sends the user a change of password notification. This should not happen, as it’s not a change of password request. I’m running WordPress 4.3. This never happened before this version.

    Same issue here. I am running WordPress 4.3, Tempera Theme 1.3.2, Buddypress 2.3.3, Membership2 4.0.0.5, and WP-Pro-Quiz 0.3.7.

    I have tried with ProQuiz disabled with same results.

    Thanks!

    Any idea how to work around this or if anything is being done about it? I’m also having this problem, which basically means I can’t make any updates to members profiles without them having to reset their password. If it’s a browser issue filling in the hidden values, then basically every time I update a user’s profile I’m changing their password to MY password?

    I have LastPass, so I don’t need the browser to save any passwords… can I dump some password cache or something to stop this behavior? I tried unchecking the setting in both Chrome and Firefox, but it still sends me notices so I’m guessing that it’s going by some cache?

    Any help is appreciated.

    @star_echo If you’re using LastPass, make sure there’s no LastPass browser extension or integration that is auto-filling the browser fields. If there’s a way to temporarily disable LastPass browser integration, you might try that.

    I noticed the latest update on the bug report for this (https://core.trac.wordpress.org/ticket/33699) has been reviewed by the lead for the next WordPress release (v4.4), so hopefully we’ll see this fixed soon! 🙂

    Thanks, I did just go ahead and log out of LastPass but that didn’t seem to help. I added exceptions up the wahoo before I logged out to no avail. I made a lot of changes to the settings in chrome re logging in and passwords which didn’t seem to help. The thing that finally did the trick I think was “more tools” and “clear browsing data” to include passwords and autofills from “the beginning of time” LOL That in itself didn’t work. I had to actually close the browser and restart it and then like magic I didn’t get a notice that I’d changed my password. Haven’t tested it with anyone else’s profile yet, but I think this will do the trick. AS A TEMPORARY WORK AROUND! only! I got LastPass for a reason and I want to use it. As I imagine others want to use their browser extensions to save passwords. So I do hope they fix this. It’s a MAJOR problem.

    Anyway, thanks for the help!

    @star_echo:

    If you are using LastPass, please try this:

    Set LastPass to honor the autofill parameter:

    http://cl.ly/image/1H2m0E0A0O3E/Preferences_2015-09-29_15-54-48.jpg

    I tested this and verified it works correctly, preventing LastPass from filling the hidden fields even when I try to manually ‘autofill’.

    Thanks Adam, that worked perfectly. I appreciate the screenshot as that helped a lot finding the particular setting.

    Any updates on this yet?
    I too experience the same issue, in WP 4.3 (and it never occurred before that).

    I can confirm it is NOT just a browser issue. We have custom software that does batch updates of WP users, and IF the email is updated, the password is also reset and the password updated email sent out.

    I double checked our code, and it does appear that wp_update_user() loads, changes, and then saves the complete $userdata array (which includes user_pass). But it seems like WP should be able to know the pwd hasn’t been changed, since it’s exactly the same.

    I’m updating our code to save userdata values individually.
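
Added example, not code from any poster in this thread or from WordPress core: one way to apply the advice quoted earlier (send user_pass only when the password really changes, checked with wp_check_password()) to a batch update like the one described just above. The helper name example_safe_update_user() and its parameters are hypothetical; it assumes it runs inside WordPress, for instance as a small plugin.

```php
<?php
/**
 * Plugin Name: Example safe user update (hypothetical helper, added example)
 */

/**
 * Update only the fields that changed; send user_pass only for a real change.
 *
 * @param int         $user_id      ID of the user to update.
 * @param array       $fields       Field => new value (user_email, first_name, ...).
 * @param string|null $new_password Plaintext password, or null to leave it alone.
 * @return int|WP_Error User ID on success.
 */
function example_safe_update_user( $user_id, array $fields, $new_password = null ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user ID.' );
    }

    // Never round-trip the stored hash: a password may only arrive through
    // the explicit $new_password parameter, never inside $fields.
    unset( $fields['user_pass'], $fields['ID'] );

    $args = array( 'ID' => $user->ID );
    foreach ( $fields as $key => $value ) {
        // Send only values that differ from what is already stored.
        if ( ! $user->has_prop( $key ) || (string) $user->get( $key ) !== (string) $value ) {
            $args[ $key ] = $value;
        }
    }

    // wp_check_password() verifies the plaintext against the stored hash, so an
    // unchanged password is recognised even though a fresh hash would differ.
    if ( is_string( $new_password ) && '' !== $new_password
        && ! wp_check_password( $new_password, $user->user_pass, $user->ID ) ) {
        $args['user_pass'] = $new_password; // wp_update_user() hashes it.
    }

    if ( 1 === count( $args ) ) {
        return $user->ID; // Nothing changed: skip the write and any email.
    }
    return wp_update_user( $args );
}
```

A batch job would call example_safe_update_user( $id, array( 'user_email' => $email ) ) per user, so user_pass never reaches wp_update_user() unless a new password was supplied and differs from the current one.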

    @dwlorimer According to https://core.trac.wordpress.org/ticket/33699 it looks like a fix will go out soon, hopefully with the next WP update (v4.3.2). I suggest keeping an eye on that Trac ticket.
