• This is a tough one. I’ve searched everywhere for a long time.

    The “lost password” page allows either an 1) e-mail or 2) username to be entered.

    My site has a lot of users. Someone figured out how to spook users by entering their usernames in the “lost password” box. These users are confused by the reset password e-mail.

    Usernames are visible on the site. Anyone can find a username and enter it to repeatedly e-mail that person. I know, it’s stupid. There are people like that out there.

    So, I’d like to disable recovering password by username. Allow it only by e-mail. E-mails are private.

    Frankly, I’m surprised WordPress doesn’t offer this customization in core. This is a SECURITY ISSUE, allowing people to send many emails to users — without needing an e-mail address.

Viewing 6 replies - 1 through 6 (of 6 total)
  • This is NOT a security issue.

    Thread Starter twelfthdragon

    (@twelfthdragon)

    It’s not a security issue in the sense of a bug, but it is a security issue nonetheless when anyone can look up an author and have multiple anonymous emails sent to that person. Flood the inbox, even. It’s a security issue when my private e-mail inbox can be exploited. This is a serious concern WordPress developers should look at.

    It is NOT a security issue. At the worst, it’s a nuisance but since there is no leakage of personal information, there’s no security risk. As far as I know, you cannot disable password recovery by username.

    Thread Starter twelfthdragon

    (@twelfthdragon)

    OK, our perspectives differ. What about being blacklisted by e-mail servers? Gmail, Hotmail, Yahoo and others may start considering the domain name as spam, then the legit and good e-mails won’t get through? Registration and lost password emails for the innocent folk.

    This is potentially damaging to my domain name which is quite difficult, if not impossible, to undo. This is more than just a nuisance. If there’s no way to disable it, it should be tabled to WP core developers to address.

    I have never come across a situation where a domain has been blacklisted because of over-use of the Lost Password functionality. If a single individual is abusing this functionality, perhaps you could consider an IP ban.

    Thread Starter twelfthdragon

    (@twelfthdragon)

    Because it hasn’t occurred to you doesn’t mean it doesn’t occur. I would ban IPs, but they’re easy to evade/ghost and it is only a temporary fix. A cat and mouse game leading to many hours of wasted time.

    I appreciate your dialogue. Will you please consider forwarding this issue to the appropriate person for at least an analysis? I’ve looked at the core file and it should take no more than a few minutes to enhance. Thank you, esmi.
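    The behaviour the thread starter asks for (accept only an e-mail address on the lost-password form, never a username) can be added from a small plugin without touching core. The following is an added example, not code from this thread, from the participants, or from WordPress core. It assumes the request arrives through the standard wp-login.php form, whose input field is named `user_login`, and it hooks the `lostpassword_post` action, which core fires inside `retrieve_password()` with the `WP_Error` object and, since WordPress 5.4, the looked-up user record; adding an error to that object makes core abort before any e-mail is queued. The hook and function names prefixed `lpbe_` are this example's own.

```php
<?php
/**
 * Plugin Name: Lost Password by E-mail Only
 * Description: Added example (not from the support thread or WordPress core).
 *              Rejects lost-password requests that identify the account by
 *              username; only a registered e-mail address is accepted.
 */

// lostpassword_post runs inside retrieve_password() after core has looked the
// account up but before it builds and sends the reset e-mail. If the WP_Error
// object passed in contains any error, core returns it and sends nothing.
add_action( 'lostpassword_post', 'lpbe_require_email_identifier', 10, 2 );

/**
 * @param WP_Error      $errors    Error collector supplied by core.
 * @param WP_User|false $user_data Account core found, or false (unused here).
 */
function lpbe_require_email_identifier( WP_Error $errors, $user_data ) {
    // Read the raw submitted identifier. wp_unslash() undoes the slashes
    // WordPress adds to request data; trim() matches core's own handling.
    $login = isset( $_POST['user_login'] )
        ? trim( wp_unslash( $_POST['user_login'] ) )
        : '';

    // Decide on the submitted string alone, not on whether an account was
    // found, so the response does not differ between existing and
    // non-existing usernames. is_email() is core's address validator.
    if ( '' === $login || ! is_email( $login ) ) {
        $errors->add(
            'lpbe_email_required',
            __( 'Please enter the e-mail address registered to your account.', 'lpbe' )
        );
    }
}
```

    With this active, a username typed into the lost-password box never reaches the mail step, which removes the "enter any visible username, trigger an e-mail" path described above. It does not stop someone who already knows a victim's address from submitting it repeatedly; that case is a rate-limiting question, which this example does not address.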

  • The topic ‘Disable username for "lost password" function’ is closed to new replies.