Remove plaintext passwords from multisite activation flow

[mikelittle]

Summary

• After account activation, redirect users to the password reset page instead of displaying the plaintext password on wp-activate.php
• Replace plaintext passwords in welcome emails with a message directing users to set their password via the login page
• Invalidate the wp-user-signups plugin cache after activation so the admin signups list reflects the correct status

Fixes https://github.com/humanmade/product-dev/issues/2009

Changes

All changes in inc/signup_notification/namespace.php:

• bootstrap() — Register two new hooks at priority 20 on wpmu_activate_user and wpmu_activate_blog to redirect after welcome emails fire at priority 10
• altis_welcome_notification() — Replace PASSWORD placeholder with a message instead of the actual password
• altis_welcome_user_notification() — Same change as above
• redirect_to_password_reset() — New function for user-only activations. Generates a reset key, invalidates signups cache, and redirects to wp-login.php?action=rp
• redirect_blog_user_to_password_reset() — New function for blog activations. Same approach, using network_site_url() for the login URL to avoid wp_safe_redirect() rejecting cross-host subdomain redirects

Test plan

• Create a user-only signup via Network Admin > Signups > Add New
• Activate the user via the activation email link
• Verify: user is redirected to the password reset form (not the activation page)
• Verify: the welcome email does NOT contain a plaintext password
• Verify: Network Admin > Signups shows the user as activated with a timestamp
• Create a blog signup and activate it
• Verify: same redirect and email behaviour for blog signups
• Test "already active" case — should show existing message, no redirect

🤖 Generated with Claude Code

[mikelittle]

Testing:
Created new user:

User gets activation email

User clicks link and is redirected to set password page

User logs in with new password

User is logged in

Welcome email does not contain password

[wisyhambolu]

Looks good.

[github-actions]

Successfully created backport PR for v23-branch:

• [Backport v23-branch] Remove plaintext passwords from multisite activation flow #924

[github-actions]

Successfully created backport PR for v24-branch:

• [Backport v24-branch] Remove plaintext passwords from multisite activation flow #925

[github-actions]

Successfully created backport PR for v25-branch:

• [Backport v25-branch] Remove plaintext passwords from multisite activation flow #926

[github-actions]

Successfully created backport PR for v26-branch:

• [Backport v26-branch] Remove plaintext passwords from multisite activation flow #927