Users should be notified of password/e-mail changes

[markjaquith]

We should avoid silent account compromises be notifying users when their password or e-mail address is changed.

[RMarks]

First draft of password notice to user.

[MikeHansenMe]

@rmarks this is good. I think we will have a few people want to alter the wording a bit but otherwise, I think it is good.

[markjaquith]

We need to send this (or a version of this) out for e-mail changes as well.

[MikeHansenMe]

send similar email to original email if email is changed

[markjaquith]

The password change notification wasn't working, because it was added to the lost/reset portion of the code. I moved it to wp_update_user(). Reworded it a little bit.

[tharsheblows]

I've changed it slightly to modify the filters a bit so it's possible to disable the emails and filter all of the wp_mail params.

Eg use cases: send only one email if both password and email modified, disable send if user on email server blacklist, give a notice if the new email address is blocked similarly.

[tharsheblows]

filter wp_mail params and send email

[markjaquith]

cleaned up

[obenland]

Makes sure $send_email_change_email and $send_pass_change_email are set.

[obenland]

The above comment is actually not true, it just avoids the warning/notice when they're not set.

[tharsheblows]

pass users arrays through send email filter too & update inline docs

[markjaquith]

In 32820:

Send emails when a user's email address or password is changed.

• In case of email change, email goes to the OLD address
• Prevents against issues where an account is compromised (say via cookie interception) and then the attacker silently takes over ownership via pw/email changes — now there will at least be a record that something is up

fixes #32430
props RMarks, MikeHansenMe, tharsheblows, obenland

[johnbillion]

I think some improvements can be made to the text in these emails.

1. The "Notice of Password Change" and "Notice of Email Change" subject lines sound a bit clunky. A better phrase would be something like "Email Changed" or "Your email address has been changed".
2. The phrase "If you did not change your password, please contact the Site Administrator at ###ADMIN_EMAIL###" does not make any sense if I am the only user on the site, or if I am the site administrator. How about some logic to only include this line when appropriate? ("Site Administrator" probably shouldn't be capitalised either.)
3. The "Regards, All at ###SITENAME###" signature is indeed similar to the signature that's present in other emails that get sent out, but again it's not appropriate if I'm the only user on the site. Seeing as this is an automated security information email, and does not actually include the regards of anyone, I think this can be dropped. Maybe just leave the site URL in the signature.

[johnbillion]

32430.filters.diff​ improves the newly added filter docs and changes the name of the send_pass_change_email filter to send_password_change_email.

[tharsheblows]

1. Looking at the limited sample of emails I've received, "Email Address Change" seems to be most often used - it should be short enough to make sense when looking at a phone's inbox.

2. I'd send the same emails to everyone. Seeing the exact email everyone else is getting is useful and to test user or role dependent emails it's necessary to make a new account. It'd be nice not to have to do that here as this is such a basic feature. It's also a bit of a double check on the admin email address - as this isn't tied to a user, it can be easy to forget to update it when updating your email address if you're the site administrator (or that might just be me...). Agree that changing the capitalisation would be good.

[boonebgorges]

In 32838:

When updating a user, only send email-change notification if email address is passed.

The notification, introduced in [32380], was firing incorrectly (and throwing
a PHP notice) when wp_update_user() was called without including 'user_email'
in the update data.

Props imath.
Fixes #32684. See #32430.

[johnbillion]

Another issue: a password change notification email will be sent out if a password is specified when adding a new user.

[MikeHansenMe]

I will take a look at this today and get the new user + specified password worked out.

[MikeHansenMe]

Looked into this and chatted with @johnbillion and it does not send the password notification email on new user creation.

[ocean90]

In 32897:

Use 3-digit x.x.x style for 4.3.0 @since versions.

see #32335, #32430.

[obenland]

@MikeHansenMe could you create a patch to address these issues?

[obenland]

@MikeHansenMe any news here?

[MikeHansenMe]

Just chatted with @obenland about this. It not sending the email is expected because the password was specified. Based on sending reset links instead of plain text passwords, this is expected behavior. I think we are all done here based on the original intent of the ticket.

[TobiasBg]

Replying to johnbillion:

32430.filters.diff​ improves the newly added filter docs and changes the name of the send_pass_change_email filter to send_password_change_email.

Can the main idea of this patch get a second look? The current name send_pass_change_email is just terrible.

[markjaquith]

In 33486:

Change send_pass_change_email to send_password_change_email (better name).

see #32430

[swissspidy]

#16470 was marked as a duplicate.