Support » Fixing WordPress » How to disable password reset feature?

  • The login screen of the wp-admin area allows to initiate a password reset by klicking on ‘Lost your password?’. For security reasons, I wand to disable this feature.

    In the code (wp-login.php), I discovered that there is already code for disabling this feature:
    $allow = apply_filters(‘allow_password_reset’, true, $user_data->ID);

    But this filter appears nowhere else in the code.

    Can anybody enlighten me how disabling the password reset can be achieved in an “official manner”? (Of course, I could hack the code, but then I had to remember to reapply the patch after every update …)

    Thanks in advance,
    Chris

Viewing 8 replies - 1 through 8 (of 8 total)
  • Likewise, I’d be interested in disabling the password reset feature.

    Cheers,

    Kyle

    Hmm, I don’t particularly want to hack my installation again due to the fact I will need to remember to re-apply the hack each time I update WordPress.

    Surely there has to be a more suitable way of disabling this feature as it is a security risk – and in fact I have had attacks aimed at the lost password feature of WordPress, which is why I’m here now looking for a solution.

    Does anyone have any potential solutions that aren’t hackish?

    Thanks

    -Nick

    Same problem here.

    My sites were hacked by using “Lost Password” (My sites were running on WordPress 2.7, using different table prefix, installed login lockeddown plugin, etc.).

    I need a way to stop “Lost Password” access from the hackers.

    Thanks

    To protect your wordpress install from hackers, change this snippet in your wp-login.php page:

    case 'lostpassword' :
    case 'retrievepassword' :
    
    	if ( $http_post ) {
    		$errors = retrieve_password();
    		if ( !is_wp_error($errors) ) {
    			wp_redirect('wp-login.php?checkemail=confirm');
    			exit();
    		}
    	}
    
    	if ( isset($_GET['error']) && 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.'));
    
    	do_action('lost_password');
    	login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or e-mail address. You will receive a new password via e-mail.') . '</p>', $errors);
    
    	$user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : '';

    Into:

    case 'lostpassword' :
    case 'retrievepassword' :
    /*
    	if ( $http_post ) {
    		$errors = retrieve_password();
    		if ( !is_wp_error($errors) ) {
    			wp_redirect('wp-login.php?checkemail=confirm');
    			exit();
    		}
    	}
    
    	if ( isset($_GET['error']) && 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.'));
    
    	do_action('lost_password');
    	login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or e-mail address. You will receive a new password via e-mail.') . '</p>', $errors);
    
    	$user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : '';
    */
    header("location: http://my-favorite-blogpost/");
    Mini0n

    (@mini0n)

    Some months have passed now…
    Is there any “official” way of doing this, instead of hardcoding?

    Thanks!

    Shane G

    (@shane-g)

    Hi,

    You can only do it via wp-login.php file modification and remove the link of password reset option..

    Thanks,

    Shane G.

    Unlikely anyone will read this, but if they do (I found it as the first hit on Google), the corrrect way is to use:

    <?php
    /*
    Plugin Name: Disable Lost Password Feature
    */
    function disable_password_reset() { return false; }
    add_filter ( 'allow_password_reset', 'disable_password_reset' );
    ?>

    It doesn’t remove the link, but it will return “Password reset is not allowed for this user” for any user.

    You could also add

    function remove_password_reset_text ( $text ) { if ( $text == 'Lost your password?' ) { $text = ''; } return $text;  }
    
    function remove_password_reset() { add_filter( 'gettext', 'remove_password_reset_text' ); }
    add_action ( 'login_head', 'remove_password_reset' );

    in order to filter out the link without having to change it in each new release of WordPress. Possibly a small performance hit there, but should be small.

    function remove_password_reset_text_in ( $text ) { return str_replace( 'Lost your password</a>?', '</a>', $text ); }
    add_filter ( 'login_errors', 'remove_password_reset_text_in');

    I missed one of the additional lost password links apparently.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘How to disable password reset feature?’ is closed to new replies.