Change password for users who fail on login

  • Hi
    I have a site where I create accounts for subscribers (they cannot sign up).

    I have a custom login form on my homepage. If the user knows their user/pass then they log in and it's all fine.

    However, if they try to log in, and fail, then I want them to be redirected to a page where they can create a new password.

    I know how to redirect on failure, and I know how to reset the password using wp_set_password but…

    I can’t get the user_id unless they are logged in.

    Can anyone think of a way to do this?

Viewing 5 replies - 1 through 5 (of 5 total)
  • You can use wp_set_current_user() knowing only the username.

    if they try to log in, and fail, then I want them to be redirected to a page where they can create a new password.

    What if the error was at the username and not the password?

    What you’re proposing sounds like a security nightmare.

    What happens when a fake user/hacker guesses a real username and then goes and changes the password for that account so that they can gain access to your site through that account?

    As much as I can appreciate trying to make things easier for your users, there are very good reasons that the password reset process works the way that it does now, and it’s not a good idea to do something that will open you up to all sorts of vulnerabilities.

    As long as there’s still an e-mail verification step, there’s little extra security risk and a better user experience. I think it’s a reasonable trade-off to consider.

    There would certainly be a big security problem without e-mail verification! But nothing in the original question suggests that the password will be changed without e-mail verification.

    Moderator bcworkz (@bcworkz)

    If we’re going to require email verification (I agree it’s necessary), why not use the existing lost password facility? One could restyle the request form and auto redirect or whatever. No need to get the current user or code some password routine, let WP handle it the way it normally does, which we know is reasonably secure. Unless you’re a security expert, coding related routines is dangerous.
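
The approach in the last reply (send failed logins to WordPress's own lost-password form and let core handle the emailed reset), as an added example that is not part of the thread. The function name `example_redirect_failed_login` and the `login=failed` query argument are assumptions; the hook and helper functions are WordPress core.

```php
<?php
/**
 * Plugin Name: Failed login to lost-password redirect (added example)
 */

// Core fires wp_login_failed from wp_authenticate() when credentials are rejected.
add_action( 'wp_login_failed', 'example_redirect_failed_login', 10, 1 );

function example_redirect_failed_login( $username ) {
    // Skip contexts where a browser redirect makes no sense.
    if ( wp_doing_ajax()
        || ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST )
        || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
        return;
    }

    // Same destination for an unknown username and for a wrong password,
    // so the response does not reveal which accounts exist. $username is
    // deliberately not used: nothing is changed or looked up here, and
    // wp_set_password() / wp_set_current_user() are never called.
    $url = add_query_arg(
        'login',   // assumed marker a theme could use to show a notice
        'failed',
        wp_lostpassword_url( home_url( '/' ) ) // return to homepage afterwards
    );

    // wp_safe_redirect() only redirects to allowed hosts.
    wp_safe_redirect( $url );
    exit;
}
```

The password only changes after the user follows the reset link WordPress emails to the address on the account, so guessing a username gets a visitor no further than the request form.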
