WordPress 5.3: Site Admin Email Verification Screen

Welcome!

The WordPress coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. development team builds WordPress! Follow this site for general updates, status reports, and the occasional code debate. There’s lots of ways to contribute:

Found a bugbug A bug is an error or unexpected result. Performance improvements, code optimization, and are considered enhancements, not defects. After feature freeze, only bugs are dealt with, with regressions (adverse changes from the previous version) being the highest priority.? Create a ticket in the bug tracker.

Want to contribute? Get started quickly with tickets marked as good first bugs for new contributors or join a bug scrub. There’s more on the reports page, like patches needing testing, and on feature projects page.

Other questions? Here is a detailed handbook for contributors, complete with tutorials.

In WordPress 5.3, a new screen has been introduced to help ensure the site’s administration email remains accurate and up to date. The site’s adminadmin (and super admin) email (as defined when installing WordPress, and found on the Settings > General page) is a critical part of every WordPress site. This new screen will help site owners remain in full control of their site, even as years go by.

How does this work?

By default, administrators will see a screen after logging in that lists the site’s admin email address once every 6 months.

They are presented with 4 actions:

The site’s email is verified as correct: After clicking “The email is correct” button, the user is taken to the Dashboard with an admin notice saying “Thank you for verifying”. The screen will be hidden for 6 months from all administrators.
The site’s email needs to be changed: After clicking the “Update” button, the user is taken to the Settings > General page where they can update the site’s email address. Administrators will be presented with the verification screen the next time they log in.
The user clicks “Remind me later”: the user is taken to the Dashboard. Administators will see the screen again after 3 days have passed.
Back to “Site Name”: When this link is clicked, the user will be taken to the site’s home page. Administrators will be presented with the verification screen the next time they log in.

Available Actions and Filters

Actions

There are a few action hooksHooks In WordPress theme and development, hooks are functions that can be applied to an action or a Filter in WordPress. Actions are functions performed when a certain event occurs in WordPress. Filters allow you to modify certain functions. Arguments used to hook both filters and actions look the same. on the verification page that developers can use to customize the screen.

admin_email_confirm – Fires before the admin email confirm form.
admin_email_confirm_form – Fires inside the admin-email-confirm-form form tagtag A directory in Subversion. WordPress uses tags to store a single snapshot of a version (3.6, 3.6.1, etc.), the common convention of tags in version control systems. (Not to be confused with post tags.), but before any other output.

A new action hook after the form was not introduced. Instead, use the login_footer action, which is called just after the closing </form> tag. The if ( 'confirm_admin_email' === $_GET['action'] ) conditional can be used to check that the email verification screen is being shown.

Filters

One new filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output., admin_email_check_interval, has also been introduced. This filter can be used to change the frequency that administrators should see the verification screen.

The following example changes the interval from the default of 6 months to 2 months:

<?php
function myplugin_admin_email_check_interval( $interval ) {
	return 2 * MONTH_IN_SECONDS;
}
add_filter( 'admin_email_check_interval', 'myplugin_admin_email_check_interval' );

Note: The returned value should always be in seconds.

This filter can also be used to disable the feature by returning a “falsey” value, such as 0, or false.

The following example will disable the admin email verification check:

<?php
add_filter( 'admin_email_check_interval', '__return_false' );

For more information about these changes, check out #46349 in TracTrac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress..

Props to @desrosj for peer review.

#5-3, #admin, #dev-notes

David E. Smith 12:18 pm on September 24, 2019

Neat. How do I disable this? We use a single sign-on mechanism, and users cannot change their email address in WordPress anyway. This will just lead to annoyance and probably support calls.
- John Blackbourn 12:28 pm on September 24, 2019
  
  It might not be completely clear, but this feature relates to the site’s Adminstration Email which is set from the General Settings screen, not the individual user’s email in their profile.
  - Jonathan Desrosiers 1:29 am on October 17, 2019
    
    The article has been updated to clarify this and include examples of how to disable this verification screen!
arena 11:41 am on October 18, 2019

Hope this relies on RFC rules (which ones ?).
Matt Mullenweg 6:28 am on October 22, 2019

How should we measure the effectiveness at solving the stated problem, and what intervals are correct to show it?
- andraganescu 9:21 pm on October 23, 2019
  Hi Matt! This is an interesting question, in this context.
  
  The original issue was that the site health feature would send notifications to adminadmin (and super admin) emails and people complained nobody knows their admin email.
  
  Therefore, since we don’t collect usage data, for privacy concerns, we can only measure indirectly: do people report being locked out of their website’s admin following a site health initiated pause?
  
  Any report and its conclusion will be data points and we won’t have an A vs B set to compare (e.g. this many people were locked out before vs this many people still get locked out).
  
  It is an optimistic feature – we hope by implementing it we reduce an unwanted side effect and solve for the causes of the side effect:
  - outdated admin email
  - admin email set to a catch all email address which is never checked
  - admin email set automatically by the host in the process of one-click-installs
  Because it is an optimistic feature, the baseline is the worst scenario, and the result is how far from it we are.
  
  As for the correctness of intervals the current OWASP cheatsheet for “security questions” uses the term “periodically”, that is a very free form indication.
  
  The default six months, twice a year, appears to be safe enough for general cases (developer handoff of a website, default installation on hosts, long time between visits to admin), while having it customisable allows to cover for special cases.
  - wpblogwriter 11:35 am on November 19, 2019
    
    Hi – I have seen how to disable this function by adding a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. returning false… Personally I think it would be much more interesting to have a variable to define in the wp-config.php (wp instance) instead of functions.php (theme). Would that be an enhancementenhancement Enhancements are simple improvements to WordPress, such as the addition of a hook, a new feature, or an improvement to an existing feature. for next WP update?
    - Knut Sparhell 1:47 pm on November 19, 2019
      
      You can and should use a (mu- or ordinary) pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party. New constants is generally avoided, as they cannot be filtered.
      
      Loading a lot of snippets for things that are unrelated to the theme should be put in functions.php (of a child themeChild theme A Child Theme is a customized theme based upon a Parent Theme. It’s considered best practice to create a child theme if you want to modify the CSS of your theme. https://developer.wordpress.org/themes/advanced-topics/child-themes/.). When building a site, always start with a site specific, custom plugin and add modifications (filters/actions) in it, well documented. That may even save you the trouble of creating a child theme in many cases.
- darvishi 4:54 pm on December 1, 2019
  
  Hi Matt !
  
  Promise me in WordPress Version 5.3 to support WebP image format! But it didn’t work. This format is very popular, especially for Google!
  
  Please add support by default in WordPress and Media Library.
mywebmaestro 4:58 pm on November 18, 2019

This seems like a poorly thought out addition… in most sites I’m involved with, there are multiple adminadmin (and super admin) level users. I think most people would assume, when logging in, that this was referring to their admin email address, not the primary admin email address of the site. When it doesn’t match, they’re going to be changing it back and forth. :-/
- paullee357 8:16 pm on December 6, 2019
  
  This is happening to our MU/networknetwork (versus site, blog) site where all of our IT staff are admins and they are getting this prompt. Instead of saying that my email is correct, they may think to adjust to their email.
theoneptd2 9:57 pm on December 6, 2019

A knee-jerk reaction to a near non existent problem.
There should be a simple check-box under the administrator email address to enable or disable this “feature”.

Comments are closed.

Welcome!

Communication

How does this work?

Available Actions and Filters

Actions

Filters

Share this: