Administration Email Address: Allow method to deactivate

[andrewhoyer]

As a manager of many client sites, my email address is used on a lot of sites in the "Administration Email Address" in Settings > General.

Over time, clients move to other vendors, and sometimes this happens without the opportunity to change the Administration Email Address before it is moved. In many cases, this email address remains unchanged for years, and I continue to receive software update, user account, and other emails for accounts I have no contact with, and no way to access to change the setting.

This has been mentioned by other WordPress developers as well, and I believe it is a widespread problem, although one easy to dismiss on a day-to-day basis. I did a search through Trac tickets and didn't see anything like it, so I am posting this ticket in hopes that a solution can be reached.

Ideally, I'd like to see a solution that includes a time-sensitive link (similar to new account registrations) that would allow the owner of the admin to click through to the link, and agree to have the email address removed as the "Administration Email Address".

[jvmd]

This would be a great feature. My inbox gets stuffed with notifications on sites I no longer manage (oldest one is from about 6 years ago).

[bph]

Thinking through a solution, needs to include, what should the current admin email be replaced with? How would WordPress know what's the next email address inline would be?

A first iteration of a solution could be to include it into the privacy workflow of removing data from the site and start an email chain to all Administrators for the site that a person has requested the removal of the email address from the site, and action is necessary.

I have a hard time imagining a one-sided solution. But that's just my lack of imagination.

[webdados]

I don't think we should allow anyone from the outside to change a WordPress option on a website they no longer control, even if it's their email address.

That's not for WordPress to solve. Is for people to solve.
The previous dev should make sure he removes his email before abandoning the project.
If he doesn't have the chance to, WP is literally asking admins every x months (not sure) if the admin email is correct.
If the site owner ignores that question, it's something the previous dev should solve at his end by blocking those emails.

This is not like a "recover password" link. If you could still recover your password it means that the site owner has not deleted your user and then you could fix it yourself. If you cannot access the website with a proper admin user, you should not be able to trigger any change on the WordPress option.

Don't get me wrong, I do get a lot of those emails, and I appreciate the reasoning behind this ticket, but I don't think we should open this Pandora box of allowing a non-admin user to change the WordPress database.

Email filters are your friend :-)

[webdados]

Replying to bph:

Thinking through a solution, needs to include, what should the current admin email be replaced with? How would WordPress know what's the next email address inline would be?

Exactly.

A first iteration of a solution could be to include it into the privacy workflow of removing data from the site and start an email chain to all Administrators for the site that a person has requested the removal of the email address from the site, and action is necessary.

I have a hard time imagining a one-sided solution. But that's just my lack of imagination.

Yes. This can never be triggered only by the external entity.

[audrasjb]

Hello, welcome to WordPress Core Trac and thank you for opening this ticket,

I agree with some of the comments above: this probably more looks like a bug in the processes than an issue introduced by WordPress itself. The main administrator account should be set to the owner of the website, not to the person who installed the website.

[bethannon1]

I get emails like this at least once a month. Sometimes the site was taken over & moved before I had a chance to change the admin email.

I see why initiating a change might be problematic. I think we could have a link in admin notices to report a no longer current admin email that would

1)trigger an email to ALL current Administrator level users that admin notification emails are going to someone who believes that they should not be receiving them, reinforces the importance of a current site admin email, and

2) on the next login of all admin users, have a special “admin email check” splash or an additional special message on the regular splash that repeats the message that the current admin email has been reported as not current and they should update.

Yes, there are the regular prompts about “is this site admin email current”, but some of the sites that I get admin notifications for are not being logged into very frequently at all, AND when someone is logging in they are focused on accomplishing a specific task, and they are more likely to simply click through and perhaps not understand the consequences of affirming an out of date site admin email.

[cpapazoglou]

What if we start now getting proactive?

Instead of trying to solve the existing problem, we can try resolving future problems.

My suggestion:
Instead of allowing an arbitrary email, this form should only allow you to select an existing administrator.

Before that user gets deleted or their role is changed, we should show a dialog for selecting a new site owner.

[webdados]

Replying to cpapazoglou:

What if we start now getting proactive?

Instead of trying to solve the existing problem, we can try resolving future problems.

My suggestion:
Instead of allowing an arbitrary email, this form should only allow you to select an existing administrator.

Before that user gets deleted or their role is changed, we should show a dialog for selecting a new site owner.

That's a good idea, but it will remove a lot of flexibility. If that is implemented, I bet we're going to get angry people asking why they can't freely set any email address they want as the administration email address.

Whatever path we're going, in my opinion, we can't allow someone that no longer has admin access to change an option on the WordPress database, even if it's his email address there.

[askwpgirl]

After seeing various conversations on Twitter with pros and cons of different approaches, let's first define the problem:

1. Email addresses entered in this filed must "accept" an "invite" to "opt in" to receive these emails.

2. There is no "opt out" option. While this doesn't violate CAN-SPAM because they are not promotional in nature, they do end up being a kind of spam.

3. Replacing the email address is contingent on someone else accepting an invite, which I have seen many times they do not.

How things are handled now related to this issue:

Administrators are prompted periodically to confirm this email address is correct. However, as I've noticed with many small businesses, they rarely if ever log into the their site to see this reminder notice and change it.

Possible Solutions:

1. Link in the notification emails: "Do you wish to longer receive these emails? If so, click here." Then have a mechanism like people do for Data Removal requests to notify admins that you wish to be removed from this field.

2. Or tie this field to a WordPress User, and when that user is removed, the person removing the user is prompted to select a new user to receive these emails. Could be any user since this is a non-discriminatory field anyway not tied to any User Level restrictions.

To summarize:

This field has an opt-in and no opt-out.

The field is not tied to a WordPress User so ends up floating out there indefinitely without the person who owns the email being able to request removal.

It is assumed that all WordPress sites are "active" and that the current way things are handled by prompting the logged in Admin to confirm this email address "works" to prompt site owners or administrators to change it. That's a great thing, but many people log in rarely and will never see that.

It can be hard as the person with the email "stuck" in this field to find a contact at the company to request removal. So this being related to a WordPress User solves that or at least a data removal request that is sent to administrators.

[ourwebservices]

A simple way to negate this issue would be to prevent an administrator user from being deleted if its email address matches the site admin. To remove the admin they would need to change and approve the email, otherwise the current admin can keep access until a proper hand over of ownership.

[webdados]

Replying to ourwebservices:

A simple way to negate this issue would be to prevent an administrator user from being deleted if its email address matches the site admin. To remove the admin they would need to change and approve the email, otherwise the current admin can keep access until a proper hand over of ownership.

That's a good concept but has a minor failure point: sometimes site owners just change the developer user password as when they try to delete it they're prompted to either delete posts or move them to another user. For a non-tech savvy website owner, this is a scary prompt, so they give up on deleting the user and just change their password or set them as subscribers.
One can argue that if the user exists, then he can request a password change, regain access and take care of removing his email from the site options, but that's assuming the website is correctly configured to send email (which actually would make the original problem "silent" 🤣).

Anyway: it's a good first approach to the issue.

[Cold Iron Chef]

A few ideas/thoughts:

What if there was just an "unsubscribe" magic link in the admin emails, the same way you can receive a password reset link without needing to log in? Changing the database is obviously out of the question if there is no longer a way to access the CMS from that address, but one could at least opt out of these emails. Even if the email address is correct, avoiding receiving this email from dev and staging environments would be nice.

Another idea could be for WordPress to periodically send an email to the admin email address and check if it bounces back (I wonder if this is even technically possible). If the email address no longer exists, the next time an admin logs into the CMS, they should be forced to choose a new email or try revalidating the existing one (in case the bounce back was an error). Make it non-dismissible (which I know would annoy/scare non-tech-savvy people), but emphasize the importance of having a valid admin address. (If it is dismissible, bury the cancel button three prompts deep. "Danger zone: Are you sure?" "Are you really sure? Type "I don't want to change my admin address.")

These emails annoy me greatly (specifically in the case of dev/staging environments), and it would be nice to opt out without setting up email filters on the client side.

[jorbin]

This is an interesting idea. Thinking through this a bit, my thoughts are as follows:

1. WordPress can't reliably know if the email it sends is received. It's part of why #46349 added the confirmation screen.
2. In many instances, the Administration Email Address is not associated with any but is a distribution list.
3. The current implementation requires someone to confirm they can receive emails for changes to this email address.
4. Having no Administration Email Address is not something that should be encouraged in any way. This would be bad as WSOD protection would not work and numerous notifications would
5. It can not be assumed that the default roles are present on every site or that roles have the same capabilities on every site.
6. There is no way to know if email sends are working correctly without a manual click from someone confirming it.

Ultimatly, I am not opposed to the fact that (to quote an earlier comment) "Email filters are your friend :-)", but I think there might be some changes that are feasible.

Mostly I wonder if emails sent to the Administration Email Address include a link that forces the next user with the admin_email_check_cap to change the email rather than confirm it? This wouldn't be foolproof though as I don't think blocking access to the admin when a change is pending would be a good experience.

[sabernhardt]

non admin users shouldn't be able to change databases

Users need to log in and have sufficient capabilities to change the email address, but ​resetting the 'admin_email_lifespan' option might be an acceptable database change. Then the next admin user to log in should get a prompt to replace the email.

[andrewhoyer]

Replying to audrasjb:

Hi JB,

Thank you for making the initial reply to this ticket. I believe this is an important one to a lot of developers based on early feedback both on 𝕏 and here in the ticket.

I can tell this is going to be a bit of a hot topic, not just because so many people want a solution, but because the solution has so many possibilities and concerns. This needs to be discussed with the community and especially with people who know a lot about core development, security, and various ethical / legal considerations.

I've waited a few days to allow devs to get their initial feedback in before replying, and I will address a number of points below. For each point, I will include one or more snippets of text from any of the previous replies.

this probably more looks like a bug in the processes

There is more to this than saying it's a process problem, or as others have suggested, a "people problem". As developers, we cannot always control what clients do. Or for that matter, the owner of a business. They might sell their company, transfer the website, and the new owners do not update the admin email address. Regardless of the situation, the core problem is that the admin email address links someone to a site without them having any control over it.

The main administrator account should be set to the owner of the
website, not to the person who installed the website.

Owners are often not involved in their website. They might not even have a login, let alone know what to do with admin notifications, or want to receive them. Regardless, owners and developers are allowed to choose their own path with the use of this field, and still not need to deal with having their email address locked into a site for years.

@webdados I don't think we should allow anyone from the outside to change a
WordPress option on a website they no longer control, even if it's their email address.

Let's keep in mind that when someone subscribes to a newsletter, or makes a purchase, or - think of it - unsubscribes, that they are changing something in the database. And they don't even have to be logged in!

I will turn this suggestion back on itself and ask: Should a website be allowed to send email to an address that no longer wants it? The answer should be a distinct no, and indeed there are legal considerations here in some regions. There are cases here where developers have received admin notifications for 10 years (@askwpgirl) with no way to unsubscribe or stop the emails.

@cold-iron-chef it would be nice to opt out without setting up email filters on the client side.

This reply is correct. Others have suggested that email filters are the answer. They are not. What if I change email clients or providers? Must I reset 10 years worth of filters because someone out there can't take 30 seconds to change an email address and WordPress doesn't allow me to change it?

Finally:

I am going to point to above comment askwpgirl which has some good balanced points.

The paths forward that I think are the most promising:

1. A magic link in all admin emails that allows the recipient to unsubscribe. Whether this removes the email (potentially problematic) or sets an opt-out flag, it doesn't matter. All that needs to happen is that WordPress is made aware that no further emails are to be sent to that email address. At the same time, an email could be sent to all admin-level users that a new admin email address must be set. We already have that periodic check in place. It could then show a more urgent notice to encourage admins to reset that value.

2. Instead of an open text field, the "Administration Email Address" is a drop-down list of admin users. This requires many more considerations such as not being able to delete a user that is selected there. Or, what if there is only one admin user? There's some definite potential here, but it needs thought.

3. Hide the "Administration Email Address" altogether, and send notifications to all admin-level users. Perhaps make it a checkbox option in the User settings to receive or not receive the emails. This makes it super simple, and ensures that as soon as a user is removed from the website, no emails reach them. Thinking about it a bit more, I actually like this option the best, even though it's not the simplest.

I welcome more feedback on this by you, or any others in the community who want to note their experience and what solution might be best.

Thank you!
Andrew

[zodiac1978]

Replying to audrasjb:

I agree with some of the comments above: this probably more looks like a bug in the processes than an issue introduced by WordPress itself. The main administrator account should be set to the owner of the website, not to the person who installed the website.

I have to disagree here. The issue is introduced through WordPress itself. In our agency (mostly fitness center) many owners have no interest in managing the websites and don't have or use the access to it. The opposite of the statement is true: Sometimes they need to be admin for some functionality, but the main administrator (from the general settings) is typically the person who installed the website, because WP asks for the mail address in the installation process.

To add another reason:
Many contact form plugins use the main administrator email as default recipient. This can lead to legal problems. E-Mails containing confidential information are sent to people not working for/with a company.

WordPress can and should solve this issue.

[ourwebservices]

Replying to andrewhoyer:

1. A magic link in all admin emails that allows the recipient to unsubscribe. Whether this removes the email (potentially problematic) or sets an opt-out flag, it doesn't matter. All that needs to happen is that WordPress is made aware that no further emails are to be sent to that email address. At the same time, an email could be sent to all admin-level users that a new admin email address must be set. We already have that periodic check in place. It could then show a more urgent notice to encourage admins to reset that value.

2. Instead of an open text field, the "Administration Email Address" is a drop-down list of admin users. This requires many more considerations such as not being able to delete a user that is selected there. Or, what if there is only one admin user? There's some definite potential here, but it needs thought.

3. Hide the "Administration Email Address" altogether, and send notifications to all admin-level users. Perhaps make it a checkbox option in the User settings to receive or not receive the emails. This makes it super simple, and ensures that as soon as a user is removed from the website, no emails reach them. Thinking about it a bit more, I actually like this option the best, even though it's not the simplest.

Based on the ideas around point 2 from last week I've been working on "Site Owner Admin"​https://ourwpplugins.com/site-owner-admin/ which will swap out the current email field with a drop down list of all administrator user accounts.

It will also prevent a matching admin user account from being deleted once one has been set, as well as preventing that user's role from being downgraded to avoid the "content deletion" screen.

While dashboard notices are annoying, it'll also show one for any admin that is in the dashboard.

Currently at v0.3, with 0.4 due this afternoon with the annoying notice added in.

The magic link to set a per user "Don't send me emails" setting could be interesting. If the admin that is the owner email address clicks to no longer receive them, then an generic "Please set an owner" email gets sent to the remaining requesting the change.

Following this "Site Owner Admin" could check for a matching email, but opt-ed out, to then warn on that situation as well.

Emails intended for the site owner only would not be sent to other remaining admins for previously mentioned privacy reasons.

[chesio]

I got this problem too once or twice and it was annoying (and frustrating).

I am glad this discussion happens, as I find the administration address setting peculiar. The administration emails are very useful but only as long as someone on receiving end has a valid administrator account and can act on them.

Therefore my take on this problem would be similar as already suggested in some comments above: tie administration emails with administrator accounts (or some specific capability). I think every administrator user could have an option to opt-in to receive administration emails. This way multiple people could be notified, which would allow to mimic behaviour of distribution list. The first administrator (ie. the person who installs WordPress) should be automatically opted in.

[ourwebservices]

Based on all the prior comments / suggestions, and fitting most what you said below, I created a simple plugin to help solve a lot of these issues: ​https://ourwpplugins.com/site-owner-admin/

It would be good to have the admin field a drop down built into core as part of good governance, but in the mean time Site Owner Admin can help fill the gap, plus extra use cases that are plugin areas.

Replying to chesio:

I got this problem too once or twice and it was annoying (and frustrating).

I am glad this discussion happens, as I find the administration address setting peculiar. The administration emails are very useful but only as long as someone on receiving end has a valid administrator account and can act on them.

Therefore my take on this problem would be similar as already suggested in some comments above: tie administration emails with administrator accounts (or some specific capability). I think every administrator user could have an option to opt-in to receive administration emails. This way multiple people could be notified, which would allow to mimic behaviour of distribution list. The first administrator (ie. the person who installs WordPress) should be automatically opted in.