WordPress 4.0 Targeted To Fix Multisite New User Password Security Issues

WordPress core contributors are aiming to address an issue with multisite new user emails in the upcoming 4.0 release. Two weeks ago, Daniel Bachhuber opened a ticket proposing that WordPress instruct users to change their passwords when sending new account emails.

When a user is added to a multisite network and has activated his account, WordPress sends out an email that includes the new password:

[Image: multisite-new-user]

Several text changes were proposed for the email to urge users to change their passwords after logging in. After a brief discussion during yesterday’s core development meeting, Andrew Nacin moved the issue to the Login and Registration component.

“We’re going to skip this entirely for 3.9,” Nacin said. He highlighted the reasons why the incremental improvements in the proposed patches don’t solve the issue, given that they:

  • Only apply to multisite (emails are sent in plain text for new user registrations in single-site too)
  • Only apply for the fallback email template (these are editable in multisite)
  • Don’t do anything in the dashboard to nag the user

Nacin proposed that the core team tackle the issue for WordPress 4.0 in a way that will clearly improve the user experience. He also suggested that this issue might be combined with work on another enhancement that would allow admins to generate and send new passwords for users.

This is a much larger task than simply changing the email text. “It’ll probably require a group of contributors to storyboard out exactly how all of this should work in an ideal situation, and then we can go about coding it,” Nacin said in response to the ticket. Aaron Jorbin proposed putting together a “Password Process” group to “identify some more concrete changes that we can make in 4.0 (including eliminating sending passwords via email).”

If the team can find some momentum, this issue will get attention in WordPress 4.0. If you are interested in contributing to this effort, join the next dev meeting and watch the related tickets for notifications.
