WordPress 4.0 Targeted To Fix Multisite New User Password Security Issues

WordPress core contributors are aiming to address an issue with multisite new user emails in the upcoming 4.0 release. Two weeks ago, Daniel Bachhuber opened a ticket proposing that WordPress instruct users to change their passwords when sending new account emails.

When a user is added to a multisite network and has activated their account, WordPress sends out an email that includes the new password in plain text.


Several text changes were proposed for the email to urge users to change their passwords after logging in. After a brief discussion during yesterday’s core development meeting, Andrew Nacin moved the issue to the Login and Registration component.

“We’re going to skip this entirely for 3.9,” Nacin said. He highlighted the reasons why the incremental improvements in the proposed patches don’t solve the issue, given that they:

  • Only apply to multisite (emails are sent in plain text for new user registrations in single-site too)
  • Only apply for the fallback email template (these are editable in multisite)
  • Don’t do anything in the dashboard to nag the user
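The following mu-plugin is an added example, not code from the ticket, from the proposed patches, or from WordPress core; it shows what keeping the password out of both kinds of email (multisite welcome and single-site registration) looks like from the site-owner side. It relies on two hooks that do exist in core, the `update_welcome_user_email` filter (applied after the editable network template has had the real password substituted in) and the pluggable `wp_new_user_notification()` function, and assumes the 4.0-era signature of the latter; the plugin header and the wording of the replacement messages are the editor's own.

```php
<?php
/*
Plugin Name: Keep Passwords Out Of Email (added example, not a core patch)
Description: Sends new users a link to the password-reset flow instead of their plain-text password.
*/

// Multisite: wpmu_welcome_user_notification() fills the admin-editable network
// template (USERNAME / PASSWORD / LOGINLINK placeholders) and then runs the
// result through this filter with the substituted password as $password.
// Filtering here covers the fallback template and any edited one.
add_filter( 'update_welcome_user_email', function ( $welcome_email, $user_id, $password, $meta ) {
    if ( $password !== '' ) {
        // Blank out the password wherever the template placed it.
        $welcome_email = str_replace( $password, '[not sent by email]', $welcome_email );
    }
    $reset_link = network_site_url( 'wp-login.php?action=lostpassword' );
    return $welcome_email
        . "\r\nYour password was not sent by email. Set your own here:\r\n"
        . $reset_link . "\r\n";
}, 10, 4 );

// Single site: wp_new_user_notification() is pluggable, and an mu-plugin loads
// before wp-includes/pluggable.php, so defining it here replaces the core version
// that emails $plaintext_pass to the user. $plaintext_pass is deliberately unused.
if ( ! function_exists( 'wp_new_user_notification' ) ) {
    function wp_new_user_notification( $user_id, $plaintext_pass = '' ) {
        $user = get_userdata( $user_id );
        if ( ! $user ) {
            return;
        }
        $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );

        // Admin notice: username and address only, as in core.
        $message  = sprintf( "New user registration on your site %s:\r\n\r\n", $blogname );
        $message .= sprintf( "Username: %s\r\n", $user->user_login );
        $message .= sprintf( "E-mail: %s\r\n", $user->user_email );
        wp_mail( get_option( 'admin_email' ), sprintf( '[%s] New User Registration', $blogname ), $message );

        // User notice: the reset link stands in for the password.
        $reset_link = network_site_url( 'wp-login.php?action=lostpassword' );
        $message  = sprintf( "Username: %s\r\n", $user->user_login );
        $message .= "Your password was not sent by email. Choose one here:\r\n";
        $message .= $reset_link . "\r\n";
        wp_mail( $user->user_email, sprintf( '[%s] Your username and password link', $blogname ), $message );
    }
}
```

Dropping the file into `wp-content/mu-plugins/` is enough to load it; nothing here touches the dashboard, so the third point above (no in-dashboard nag) still stands and is the part that needs a core change rather than a plugin.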

Nacin proposed that the core team tackle the issue for WordPress 4.0 in a way that will clearly improve the user experience. He also suggested that this issue might be combined with work on another enhancement that would allow admins to generate and send new passwords for users.

This is a much larger task than simply changing the email text. “It’ll probably require a group of contributors to storyboard out exactly how all of this should work in an ideal situation, and then we can go about coding it,” Nacin said in response to the ticket. Aaron Jorbin proposed putting together a “Password Process” group to “identify some more concrete changes that we can make in 4.0 (including eliminating sending passwords via email).”

If the team can find some momentum, this issue will be getting attention in WordPress 4.0. If you are interested in contributing to this effort, join in on the next dev meeting and make sure to watch the related tickets for notifications.


3 responses to “WordPress 4.0 Targeted To Fix Multisite New User Password Security Issues”

  1. We’ve been “saving up” improvements in this area for a long while. The last major changes came in WordPress 3.0, when we made it so you can create your own username on install, and in 3.1, when we streamlined the password reset process a bit. I think it’s time to see what else we can improve in the login and registration realm.

  2. Just to make sure I understand the problem (as I believe I’m having a similar problem), does this have to do with the fact that the password says it is [User Set] in the welcome email when an admin adds a new user, even though neither the admin side nor the front end side ever prompted the admin or the user for a password?

