WordPress.org


Forums

How to disable password reset feature? (9 posts)

  1. Christian Rank
    Member
    Posted 5 years ago #

    The login screen of the wp-admin area allows one to initiate a password reset by clicking on 'Lost your password?'. For security reasons, I want to disable this feature.

    In the code (wp-login.php), I discovered that there is already code for disabling this feature:
    $allow = apply_filters('allow_password_reset', true, $user_data->ID);

    But this filter appears nowhere else in the code.

    Can anybody enlighten me how disabling the password reset can be achieved in an "official manner"? (Of course, I could hack the code, but then I would have to remember to reapply the patch after every update ...)

    Thanks in advance,
    Chris

  2. kyleinwuhan
    Member
    Posted 5 years ago #

    Likewise, I'd be interested in disabling the password reset feature.

    Cheers,

    Kyle

  3. insaneboarder234
    Member
    Posted 5 years ago #

    Hmm, I don't particularly want to hack my installation again due to the fact I will need to remember to re-apply the hack each time I update WordPress.

    Surely there has to be a more suitable way of disabling this feature as it is a security risk - and in fact I have had attacks aimed at the lost password feature of WordPress, which is why I'm here now looking for a solution.

    Does anyone have any potential solutions that aren't hackish?

    Thanks

    -Nick

  4. gariben
    Member
    Posted 5 years ago #

    Same problem here.

    My sites were hacked by using "Lost Password" (My sites were running on WordPress 2.7, using different table prefix, installed login lockeddown plugin, etc.).

    I need a way to stop "Lost Password" access from the hackers.

    Thanks

  5. 4colorgrafix
    Member
    Posted 5 years ago #

    To protect your WordPress install from hackers, change this snippet in your wp-login.php page:

    case 'lostpassword' :
    case 'retrievepassword' :
    
    	if ( $http_post ) {
    		$errors = retrieve_password();
    		if ( !is_wp_error($errors) ) {
    			wp_redirect('wp-login.php?checkemail=confirm');
    			exit();
    		}
    	}
    
    	if ( isset($_GET['error']) && 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.'));
    
    	do_action('lost_password');
    	login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or e-mail address. You will receive a new password via e-mail.') . '</p>', $errors);
    
    	$user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : '';

    Into:

    case 'lostpassword' :
    case 'retrievepassword' :
    /*
    	if ( $http_post ) {
    		$errors = retrieve_password();
    		if ( !is_wp_error($errors) ) {
    			wp_redirect('wp-login.php?checkemail=confirm');
    			exit();
    		}
    	}
    
    	if ( isset($_GET['error']) && 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.'));
    
    	do_action('lost_password');
    	login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or e-mail address. You will receive a new password via e-mail.') . '</p>', $errors);
    
    	$user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : '';
    */
    	// send the visitor elsewhere and stop processing so nothing below this point runs
    	header("Location: http://my-favorite-blogpost/");
    	exit();

  6. Mini0n
    Member
    Posted 5 years ago #

    Some months have passed now...
    Is there any "official" way of doing this, instead of hardcoding?

    Thanks!

  7. Shane G
    Member
    Posted 5 years ago #

    Hi,

    You can only do it by modifying the wp-login.php file and removing the password reset link.

    Thanks,

    Shane G.

  8. Adam Harley
    Member
    Posted 4 years ago #

    Unlikely anyone will read this, but if they do (I found it as the first hit on Google), the correct way is to use:

    <?php
    /*
    Plugin Name: Disable Lost Password Feature
    */
    function disable_password_reset() { return false; }
    add_filter ( 'allow_password_reset', 'disable_password_reset' );
    ?>

    It doesn't remove the link, but it will return "Password reset is not allowed for this user" for any user.

    You could also add

    // blank out the link text; gettext passes the translated string first
    function remove_password_reset_text( $text ) {
    	if ( $text == 'Lost your password?' ) {
    		$text = '';
    	}
    	return $text;
    }

    // only hook gettext while the login screen is rendering
    function remove_password_reset() {
    	add_filter( 'gettext', 'remove_password_reset_text' );
    }
    add_action( 'login_head', 'remove_password_reset' );

    in order to filter out the link without having to change it in each new release of WordPress. Possibly a small performance hit there, but should be small.

  9. Adam Harley
    Member
    Posted 4 years ago #

    // strip the "Lost your password?" link that core appends to login error messages
    function remove_password_reset_text_in( $text ) {
    	return str_replace( 'Lost your password</a>?', '</a>', $text );
    }
    add_filter( 'login_errors', 'remove_password_reset_text_in' );

    I missed one of the additional lost password links apparently.
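The thread's two approaches (commenting out the `lostpassword` case in wp-login.php in post 5, and the `allow_password_reset` / `gettext` filters in posts 8 and 9) can be combined into one upgrade-safe must-use plugin. The following is an added example, not code from the thread or from WordPress itself; the `example_` function names, the empty allow-list and the log line are assumptions, and it assumes a WordPress version that provides the `login_form_{$action}` action and the `lostpassword_url` filter in addition to the `allow_password_reset` filter quoted in the first post.

```php
<?php
/*
Plugin Name: Disable Password Reset (example)
Description: Added example (not from the thread). Turns off the lost-password
flow through core hooks so wp-login.php is never edited and survives upgrades.
*/

// Assumption: this file lives in wp-content/mu-plugins/ so it cannot be
// deactivated from the dashboard by a compromised admin account.

// 1. Refuse every reset server-side. The filter receives the user ID (the
//    thread quotes apply_filters('allow_password_reset', true, $user_data->ID)),
//    so a site can keep an allow-list instead of a blanket "false".
function example_disallow_password_reset( $allow, $user_id ) {
	// Constructed allow-list: empty means nobody may reset by e-mail.
	$allowed_user_ids = array();
	$allow = in_array( (int) $user_id, $allowed_user_ids, true );
	if ( ! $allow ) {
		// Leave a trace for whoever watches the logs; the thread describes
		// this form being used as an attack vector, so refusals are worth seeing.
		$remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
		error_log( sprintf( 'password reset refused for user %d from %s', (int) $user_id, $remote ) );
	}
	return $allow;
}
add_filter( 'allow_password_reset', 'example_disallow_password_reset', 10, 2 );

// 2. Short-circuit the form itself. wp-login.php fires login_form_{$action}
//    before the action's case runs, so redirecting here means the
//    username-or-email form is never rendered, unlike the filter alone,
//    which only rejects a submitted request.
function example_block_lostpassword_form() {
	wp_safe_redirect( wp_login_url() );
	exit;
}
add_action( 'login_form_lostpassword', 'example_block_lostpassword_form' );
add_action( 'login_form_retrievepassword', 'example_block_lostpassword_form' );

// 3. Point the link back at the login screen. lostpassword_url is the filter
//    behind wp_lostpassword_url(), which core uses both for the navigation
//    link and for the link embedded in login error messages.
function example_lostpassword_url( $url ) {
	return wp_login_url();
}
add_filter( 'lostpassword_url', 'example_lostpassword_url' );

// 4. Remove the link text itself, scoped to the login screen only (the same
//    idea as the gettext filter in the thread). gettext passes the translated
//    string first and the original second; match on the original so the
//    check also works for translated sites.
function example_strip_lostpassword_text( $translation, $text ) {
	return ( 'Lost your password?' === $text ) ? '' : $translation;
}
function example_scope_gettext_to_login() {
	add_filter( 'gettext', 'example_strip_lostpassword_text', 10, 2 );
}
add_action( 'login_head', 'example_scope_gettext_to_login' );
```

Steps 1 and 2 are the security controls; steps 3 and 4 are cosmetic. Step 1 alone still lets an attacker reach the form and learn from the "not allowed for this user" message which usernames exist, which is why step 2 redirects before the form is built. Keeping the `allow_password_reset` filter in place as well means a direct POST to `wp-login.php?action=lostpassword` that somehow bypasses the redirect is still refused.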

Topic Closed

This topic has been closed to new replies.
