Title: Duplicate admin &#8220;Password Changed&#8221; email
Last modified: July 1, 2026

---

# Duplicate admin “Password Changed” email

 *  [dev](https://wordpress.org/support/users/devksec/)
 * (@devksec)
 * [2 days ago](https://wordpress.org/support/topic/duplicate-admin-password-changed-email/)
 * Hi,
 * I have been chasing duplicate admin emails on a live store and it traces back
   to WooCommerce core, so I wanted to flag it here.
 * Every time a customer resets their password through the My Account flow, the 
   site admin gets the “[Site] Password Changed” notification twice. Two separate
   sends, identical body (“Password changed for user: X”), about a second apart.
   I confirmed they are two real sends in our mail log, not a single email delivered
   twice by the SMTP layer.
 * Environment:
    - WooCommerce 10.9.1
    - WordPress 7.0
    - Reproduced with all other plugins out of the picture
 * Steps to reproduce:
    1. As a customer, go through Lost Password and follow the reset link to the My 
       Account reset form.
    2. Set a new password.
    3. The admin address receives two identical “Password Changed” emails.
 * Where it comes from:
 * It is in includes/shortcodes/class-wc-shortcode-my-account.php, in set_new_password().
   That method does two things that each end up sending the same core notification:
    - It fires do_action( ‘after_password_reset’, $user, $new_pass ) (around line
      391). WordPress core already hooks wp_password_change_notification onto that
      action in wp-includes/default-filters.php, so this alone triggers the admin
      email.
    - A few lines later (around line 397) it also calls wp_password_change_notification(
      $user ) directly.
 * So one reset runs the notification down two paths and the admin gets two emails.
   Looking at the docblock, the do_action( ‘after_password_reset’ ) call was added
   in 10.9.0 “for parity with core”, but the direct call was left in place, and 
   core’s long standing hook on that action turns the new do_action into a second
   send. On older versions only the direct call existed, so it was a single email.
   That makes this a 10.9.0 regression.
 * Workaround for anyone hitting this:
 * There is a filter wrapping the direct call, so this stops the duplicate:
 * `add_filter( 'woocommerce_disable_password_change_notification', '__return_true');`
 * That leaves WordPress core’s after_password_reset notification as the single 
   send.
 * The reason I am reporting rather than just filtering it away: the default behaviour
   double sends for everyone on 10.9.x, which is a lot of confused store admins.
   It looks like either the new do_action should not also be paired with the direct
   wp_password_change_notification() call, or the direct call should be removed 
   now that the action covers it. Happy to test a patch.
 * Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Support [shahzeen(woo-hc)](https://wordpress.org/support/users/shahzeenfarooq/)
 * (@shahzeenfarooq)
 * [1 day, 17 hours ago](https://wordpress.org/support/topic/duplicate-admin-password-changed-email/#post-18952755)
 * Hi [@devksec](https://wordpress.org/support/users/devksec/)!
 * Thank you for taking the time to investigate this so thoroughly and for providing
   such a detailed report, including the root cause and workaround.
 * I can confirm that this issue has already been reported on our GitHub repository,
   and our developers are aware of it and are currently investigating it:
   [https://github.com/woocommerce/woocommerce/issues/66103](https://github.com/woocommerce/woocommerce/issues/66103)
 * I recommend adding a comment to that GitHub issue as well. That way, you’ll be
   able to follow the discussion and receive updates directly from our developers
   as they work toward a resolution. Your additional findings and testing may also
   be helpful to the investigation.
 * Thank you again for reporting this and for your understanding and cooperation.
 *  [davidcampbell2](https://wordpress.org/support/users/davidcampbell2/)
 * (@davidcampbell2)
 * [9 hours, 31 minutes ago](https://wordpress.org/support/topic/duplicate-admin-password-changed-email/#post-18954410)
 * Since the duplicates are confirmed at the mail-log level with other plugins removed,
   this looks like the password-change notification may be firing twice in the reset-
   password flow. A hook trace around `wp_password_change_notification()` and the
   related WooCommerce account actions would help confirm whether core is triggering
   two separate sends.

Viewing 2 replies - 1 through 2 (of 2 total)

You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fduplicate-admin-password-changed-email%2F%3Foutput_format%3Dmd&locale=en_US)
to reply to this topic.

 * ![](https://ps.w.org/woocommerce/assets/icon.svg?rev=3234504)
 * [WooCommerce](https://wordpress.org/plugins/woocommerce/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/woocommerce/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/woocommerce/)
 * [Active Topics](https://wordpress.org/support/plugin/woocommerce/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/woocommerce/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/woocommerce/reviews/)

 * 2 replies
 * 3 participants
 * Last reply from: [davidcampbell2](https://wordpress.org/support/users/davidcampbell2/)
 * Last activity: [9 hours, 31 minutes ago](https://wordpress.org/support/topic/duplicate-admin-password-changed-email/#post-18954410)
 * Status: not resolved