Description
This came from a test and I'm curious so I opened a GH issue.
So! Transfer website from https://dashboard.wordpress.com/wp-admin/index.php?page=my-blogs -- we all know how to start it.
Now, I just found out that we can transfer the website to another WordPress.com user -- practically, any user on WordPress.com. The sender (the one who initiates the transfer) received the email for confirmation, yep, and the receiver received an email stating that they are the new owner of the website.
Problem is, I noticed that this process can be used to send the website to any WordPress.com user, regardless of whether they are registered as a user on the website (be it Admin, Editor, etc.) or not.
This is from my personal test. I lurked around my test sites and I wondered if I can send one of them to my personal WordPress.com account. I initiated the transfer when I realized I hadn't added my personal WordPress.com account to my test site as an Admin. I always presume I need to add the other user as Admin on the website for the transfer to proceed.
To my surprise, I found the site transferred successfully -- and I received a confirmation email on my personal WordPress.com account email.
Bug or Feature Request?
I don't know if this is a bug or if we can upgrade our system/tool for this. Can we add more protection on the site transfer process? I'm afraid of this situation being used by some folks who want to "dump" their site to another WordPress.com user.
Maybe we can add another layer of protection by ensuring:
- The receiver must be added as a user on the website, and...
- If the receiver is not on the site, the sender should see a warning on the Transfer Blog process. Something like: "It seems like this user is not a member on your website. Please invite them first by following the guide HERE."
Thank you in advance 🙇
Related reading
p7DVsv-9xb-p2
CC. @klimeryk -- My apologies for the ping, Igor. I noticed you are the one who handled the project 🙇 Do let me know if you need more information/testing. Thank youuu!