[wp-trac] [WordPress Trac] #12682: Multiple password reset emails can be annoying

WordPress Trac noreply at wordpress.org
Tue Mar 4 04:42:15 UTC 2014


#12682: Multiple password reset emails can be annoying
----------------------------+-----------------------
 Reporter:  SergeyBiryukov  |       Owner:
     Type:  enhancement     |      Status:  assigned
 Priority:  normal          |   Milestone:  3.9
Component:  Users           |     Version:  2.9.2
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+-----------------------

Comment (by nacin):

 I would suggest something a bit less harsh. I've totally done three or
 four password requests for a service before I realize where the heck the
 email is going. (Now imagine an attacker could fill up the quota.) What's
 the appropriate balance between two kinds of annoyances? Something to
 think about (and research). If someone provides an email address, is it
 more lenient than a username, which is public?

 Implementation-wise, I think this ideally hooks in on allow_password_reset
 and does all of the logic there — it either updates metadata with a new
 timestamp or returns WP_Error if requests are being made too quickly.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/12682#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
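
One way to implement the check the comment describes, as an added example that is not part of the original comment or of WordPress core. The meta key, the window, the limit and the `prt_` names are assumptions; it tolerates a few requests per window rather than blocking on the second one.

```php
<?php
/**
 * Plugin Name: Password reset throttle (example)
 */

// Assumed values for illustration; none of these come from the ticket.
const PRT_META_KEY = '_prt_reset_requests'; // hypothetical user meta key
const PRT_WINDOW   = 900;                   // sliding window, in seconds
const PRT_LIMIT    = 4;                     // requests tolerated per window

/**
 * Drop timestamps outside the window, then decide whether one more request fits.
 * Returns array( bool $allowed, int[] $timestamps_to_store ).
 */
function prt_check( array $stamps, int $now, int $window = PRT_WINDOW, int $limit = PRT_LIMIT ): array {
    $recent = array_values( array_filter( $stamps, function ( $t ) use ( $now, $window ) {
        return is_int( $t ) && $t > $now - $window && $t <= $now;
    } ) );
    if ( count( $recent ) >= $limit ) {
        // Refused requests are not recorded, so repeated attempts cannot
        // extend the block beyond one window.
        return array( false, $recent );
    }
    $recent[] = $now;
    return array( true, $recent );
}

function prt_allow_password_reset( $allow, $user_id ) {
    // Keep a refusal (false or WP_Error) from an earlier filter as it is.
    if ( true !== $allow ) {
        return $allow;
    }
    $stamps = get_user_meta( $user_id, PRT_META_KEY, true );
    list( $ok, $recent ) = prt_check( is_array( $stamps ) ? $stamps : array(), time() );
    if ( ! $ok ) {
        return new WP_Error(
            'prt_too_many_requests',
            'Too many password reset requests. Check your inbox and try again later.'
        );
    }
    update_user_meta( $user_id, PRT_META_KEY, $recent );
    return true;
}
add_filter( 'allow_password_reset', 'prt_allow_password_reset', 10, 2 );
```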

