[wp-trac] [WordPress Trac] #64316: Unnecessary and confusing addition of (unusable) login URL on end of new user notification

Fri Nov 28 14:54:55 UTC 2025

#64316: Unnecessary and confusing addition of (unusable) login URL on end of new
user notification
------------------------------------+------------------------------
 Reporter:  clayray                 |       Owner:  (none)
     Type:  defect (bug)            |      Status:  new
 Priority:  normal                  |   Milestone:  Awaiting Review
Component:  Login and Registration  |     Version:  6.8.3
 Severity:  normal                  |  Resolution:
 Keywords:                          |     Focuses:
------------------------------------+------------------------------
Description changed by sabernhardt:

Old description:

> In wp-includes/pluggable.php, in the wp_new_user_notification function,
> on line 2285, the login URL is added to a message just after another URL
> which allows them to set their password.
>
> LINE 2283       $message .= network_site_url( 'wp-login.php?login=' .
> rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) .
> "\r\n\r\n";
>
> LINE 2285       $message .= wp_login_url() . "\r\n";
>

> This is confusing (since they can't log in yet anyway, not having set a
> password) and on some email clients (such as the popular ProtonMail), the
> carriage returns and new lines seem to be ignored altogether, meaning
> that this login URL is just tacked right on the end of the previous URL,
> like this...
>
> Username: test To set your password, visit the following address:
> https://[domain]/wp-login.php?login=test&key=[KEY]&action=rp
> https://[domain]/wp-login.php
>
> Since for some reason the URL is not in a link the user can click, they
> will be copy-pasting the URL into their browser URL field. Most users
> will not notice that there are two separate URLs, so instead of being
> able to set a password, they will simply end up on an unusable login
> page.
>
> Please get rid of the login URL at line 85, and, if possible, turn the
> other URL into a clickable link.

New description:

 In `wp-includes/pluggable.php`, in the `wp_new_user_notification`
 function, on [https://github.com/WordPress/wordpress-
 develop/blob/6.8.3/src/wp-includes/pluggable.php#L2285 line 2285], the
 login URL is added to a message just after another URL which allows them
 to set their password.

 LINE 2283       `$message .= network_site_url( 'wp-login.php?login=' .
 rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) .
 "\r\n\r\n";`

 LINE 2285       `$message .= wp_login_url() . "\r\n";`

 This is confusing (since they can't log in yet anyway, not having set a
 password) and on some email clients (such as the popular ProtonMail), the
 carriage returns and new lines seem to be ignored altogether, meaning that
 this login URL is just tacked right on the end of the previous URL, like
 this...

 `Username: test To set your password, visit the following address:
 https://[domain]/wp-login.php?login=test&key=[KEY]&action=rp
 https://[domain]/wp-login.php`

 Since for some reason the URL is not in a link the user can click, they
 will be copy-pasting the URL into their browser URL field. Most users will
 not notice that there are two separate URLs, so instead of being able to
 set a password, they will simply end up on an unusable login page.

 Please get rid of the login URL at line 2285, and, if possible, turn the
 other URL into a clickable link.

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64316#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform