Open retnonindya opened 3 years ago
At one point, I thought https://wordpress.com/support/transferring-a-site-to-another-wordpress-com-account/ stated you need to add the would-be new owner as the admin of the site, then you can transfer the site to them. The doc doesn't seem to support that though.
I'll keep the bug label on for now unless someone else chimes in otherwise.
It seems @retnonindya's nightmare came true. I had a user in the chat 30882248-hc who wanted to delete their site but could not due to an error. They asked me if they can transfer the site to any random WordPress.com account to get rid of it. I told them they should not, and it wouldn't be possible since they'll need to add them as a user first on their site, but to my surprise, they could transfer the site from https://dashboard.wordpress.com/wp-admin/index.php?page=my-blogs. I tested the same on my test account and was able to replicate it.
@klimeryk Please let me know if you need more information. Thank you!
This came from a test and I'm curious so I opened a GH issue.
So! Transfer website from https://dashboard.wordpress.com/wp-admin/index.php?page=my-blogs -- we all know how to start it.
Now, I just found out that we can transfer the website to another WordPress.com user -- practically, any user on WordPress.com. The sender (the one who initiates the transfer) received the email for confirmation, yep, and the receiver received an email address, stating that they are the new owner of the website.
Problem is, I noticed that this process can be done by the user to send the website to any WordPress.com user, regardless of whether they are registered as a user on the website (be it Admin, Editor, etc.) or not.
This is from my personal test. I lurked around my test sites and I wondered if I can send one of them to my personal WordPress.com account. I initiated the transfer when I realized I hadn't added my personal WordPress.com account to my test site as an Admin. I always presume I need to add the other user as Admin on the website for the transfer to proceed.
To my surprise, I found the site transferred successfully -- and I received a confirmation email on my personal WordPress.com account email.
Bug or Feature Request?
I don't know if this is a bug or if we can upgrade our system/tool for this. Can we add more protection on the site transfer process? I'm afraid if this situation is being used by some folks who want to "dump" their site to another WordPress.com user.
Maybe we can add another layer of protection by ensuring:
Thank you in advance 🙇
Related reading
p7DVsv-9xb-p2
CC. @klimeryk -- My apologies for the ping, Igor. I noticed you are the one who handled the project 🙇 Do let me know if you need more information/testing. Thank youuu!
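The recipient check that the posts above expected the transfer flow to enforce, sketched as an added example that is not part of this thread and is not WordPress.com's code. It is a constructed Python model: `Site`, `initiate_transfer`, `confirm_transfer`, the `"administrator"` role string and the token handling are all hypothetical names and assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


class TransferError(Exception):
    """Raised when a transfer request fails an authorization check."""


@dataclass
class Site:
    owner: str
    roles: dict = field(default_factory=dict)  # username -> role on this site


@dataclass
class PendingTransfer:
    site: Site
    sender: str
    recipient: str
    token: str  # assumption: mailed to the sender as the confirmation link


def _require_admin(site, user):
    # The check the thread expected: the recipient is already an Administrator here.
    if site.roles.get(user) != "administrator":
        raise TransferError(f"{user} is not an administrator of this site")


def initiate_transfer(site, sender, recipient):
    if sender != site.owner:
        raise TransferError("only the current owner can start a transfer")
    _require_admin(site, recipient)
    return PendingTransfer(site, sender, recipient, secrets.token_urlsafe(32))


def confirm_transfer(pending, token):
    if not hmac.compare_digest(pending.token, token):
        raise TransferError("invalid confirmation token")
    # Re-check at confirmation: ownership or roles may have changed since the email went out.
    if pending.site.owner != pending.sender:
        raise TransferError("sender no longer owns the site")
    _require_admin(pending.site, pending.recipient)
    pending.site.owner = pending.recipient
    return pending.site.owner


if __name__ == "__main__":
    # Constructed sample data.
    site = Site("alice", {"alice": "administrator", "bob": "administrator"})
    try:
        initiate_transfer(site, "alice", "stranger")
    except TransferError as err:
        print("rejected:", err)
    pending = initiate_transfer(site, "alice", "bob")
    print("new owner:", confirm_transfer(pending, pending.token))
```

Running the role check again in `confirm_transfer` matters because the confirmation email can be clicked long after the request was made.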