[wp-trac] [WordPress Trac] #56372: unexpected behavior user.php wp_update_user() detects change in password when there is no change

WordPress Trac noreply at wordpress.org
Mon Aug 15 18:45:50 UTC 2022


#56372: unexpected behavior user.php wp_update_user() detects change in password
when there is no change
--------------------------+-------------------------
 Reporter:  HamishAhern   |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Users         |     Version:  6.0
 Severity:  normal        |  Resolution:  worksforme
 Keywords:                |     Focuses:
--------------------------+-------------------------

Comment (by SergeyBiryukov):

 Replying to [comment:2 HamishAhern]:
 > so do you still say it's not a common issue now? and that this is not the
 > first report of this. I am probably just the first to look for the root
 > cause.

 I'm sorry for bad phrasing on my part, I did not mean to downplay the
 issue. Just wanted to note that for the ticket to move forward, it would
 be good to have the steps to reproduce it on a clean install, as it seems
 that the issue could be related to a plugin or theme calling
 `wp_update_user()` with a password that is in some way different, whether
 intentionally or not.

 The changes in question appear to have been made seven years ago in 2015:
 * [32820] / #32430 introduced sending an email when a user's email address
   or password is changed.
 * [35116] / #28435 added a conditional check to avoid accidentally
   double-hashing the password.

 It's absolutely possible that there's an issue here, either in code or
 documentation, so if anyone would like to follow up with more details,
 please feel free to reopen.

 > there is even a webpage article created about it. so that developers can
 > work around it.
 > https://wordpress.org/support/topic/turn-off-admin-notification-of-user-password-change/

 That support topic says that they get an email every time one of their
 users ''does'' change the password, which can happen quite often on a
 large site, and they just want a way to disable it. It does not say that
 they still get an email when there is no change, so it does not seem the
 same to me.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56372#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

