I just rehosted a site for a client, and am now receiving emails from the site stating I've recently requested to have the administration email changed. I didn't request it, and I've deleted the account the former admin could have used to log in. I've also changed all other passwords, and the host has changed.
This is the second time this has happened. The first time, I tried clicking the link to see if it would tell me the proposed new email that was requested, but instead it just authorized the change. And I couldn't change it back, because the confirmation email went to the new, unauthorized email. So I changed it directly in the database and now know better than to click the link.
I am trying to figure out how these emails are being generated...any ideas? Email I'm receiving is below.
Thanks!
Howdy [name],
You recently requested to have the administration email address on your site changed.
If this is correct, please click on the following link to change it: .php?adminhash=[hash]
You can safely ignore and delete this email if you do not want to take this action.
This email has been sent to [current admin email]
Regards, All at sitename
I just rehosted a site for a client, and am now receiving emails from the site stating I've recently requested to have the administration email changed. I didn't request it, and I've deleted the account the former admin could have used to log in. I've also changed all other passwords, and the host has changed.
This is the second time this has happened. The first time, I tried clicking the link to see if it would tell me the proposed new email that was requested, but instead it just authorized the change. And I couldn't change it back, because the confirmation email went to the new, unauthorized email. So I changed it directly in the database and now know better than to click the link.
I am trying to figure out how these emails are being generated...any ideas? Email I'm receiving is below.
Thanks!
Howdy [name],
You recently requested to have the administration email address on your site changed.
If this is correct, please click on the following link to change it: https://siteurl/wp-admin/options.php?adminhash=[hash]
You can safely ignore and delete this email if you do not want to take this action.
This email has been sent to [current admin email]
Regards, All at sitename http://siteurl
Share Improve this question asked Apr 6, 2018 at 0:04 libbynotzoeylibbynotzoey 1416 bronze badges3 Answers
Reset to default 3I think someone entered the password reset form and you probably have an easy user login for the administrator like 'admin' or so, so that's what they probably entered.
The email also says:
You can safely ignore and delete this email if you do not want to take this action.
So just ignore it.
This is not the email sent from the reset password form.
This email is sent when update_option_new_admin_email() is run, which is when the site_admin option is changed. This option is found under /wp-admin/options-general.php so whoever is attempting to change the site admin email has access to that page. This user must have the manage_options capability and by default that is only granted to user with the administrator role.
If this happens again, you can look at the adminhash option in the database or by PHP:
$adminhash = get_option( 'adminhash' );
$email = $adminhash[ 'newemail' ];
In addition to what @beee sez: You might want to create a new admin-level user, log in as that user, then delete (or demote) the 'admin'-named user. Change the email for that admin user to something else. Then you won't care if someone tries to brute-force the user named 'admin'.