Warn if recovery mode available

[iandunn]

It's a known issue that attackers can bypass security plugins by triggering recovery mode. Core mitigates that as best it can, but it's still a possibility. There isn't a way for plugins to opt-out (other than completely disabling the fatal error handler), but it may be reasonable to add a warning to Site Health. That could inform users of the risk of leaving it enabled, so they can judge for themselves, and disable it if they want.

[TimothyBJacobs]

It's not that Core mitigates it. You shouldn't be able engage recovery mode without the user first taking action via an emailed link. If there is a way to bypass that we should fix it in Core.

[iandunn]

You're right, I didn't say that clearly. What I meant was that, in the context of this plugin, an attacker could bypass 2FA if they have access to a compromised email account. That's not necessarily a problem for a WAF plugin or something, but the whole point of this plugin is to protect against situations where the user's password and/or email account are compromised.

[TimothyBJacobs]

Gotcha, understood. I think we need to be very careful about the wording. I think a lot of users would take it as a strong recommendation to turn off Recovery Mode, since it's effectively being communicated by Core.

[jeffpaul]

@iandunn @TimothyBJacobs do you have any input on how this should be phrased and presented within Site Health to make this a bit more actionable for a contributor to come through and help with a PR?