• Resolved adam20061

    (@adam20061)


    Hi everyone,

    I’m trying to implement a limit on password reset attempts in WooCommerce – specifically, to restrict the number of reset requests to 3 per hour per user (login + IP).

    I successfully shortened the password reset link expiration time to 1 hour with this code:

    add_filter( 'password_reset_expiration', function( $expiration ) {
        return HOUR_IN_SECONDS;
    } );
    

    This works as expected - the reset link expires after 1 hour.

    The problem:

    I also want to limit the number of password reset attempts via WooCommerce’s /my-account/lost-password/ page. I used this code hooking into wc_process_password_lost:

    add_action( 'wc_process_password_lost', function() {
    	if ( empty( $_POST['user_login'] ) ) {
    		return;
    	}
    
    	$login = sanitize_user( $_POST['user_login'] );
    	$ip = $_SERVER['REMOTE_ADDR'];
    	$key = 'ag_wc_reset_' . md5( strtolower( $login ) . '_' . $ip );
    
    	$attempts = (int) get_transient( $key );
    
    	if ( $attempts >= 3 ) {
    		wc_add_notice( __( 'Too many password reset attempts. Please try again in an hour.', 'woocommerce' ), 'error' );
    		wp_redirect( wc_lostpassword_url() );
    		exit;
    	}
    
    	set_transient( $key, $attempts + 1, HOUR_IN_SECONDS );
    }, 5 );
    

    However, this code does not stop the password reset email from being sent after 3 (or more) attempts. The error notice is not shown and the transient counter does not seem to work properly.

    Environment:

    • WordPress version: 6.5.x
    • WooCommerce version: 9.0.2
    • Custom plugin with the above code
    • Theme: Hostinger AI(child theme)
    • No other password reset or security plugins active

    What works:

    • Password reset link expiration (1 hour)
    • Password reset emails are sent normally

    What doesn’t work:

    • Limiting the number of reset attempts (transient counter doesn’t persist)
    • WooCommerce error notice (wc_add_notice) does not display

    Question:

    How can I properly limit the number of password reset attempts per hour in WooCommerce?

    Is wc_process_password_lost the correct hook? Or should I use a different hook or approach to block excessive reset requests?

    Thanks in advance for your help!

    Best regards,
    Adam


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi there!

    I understand you’re trying to implement a crucial security feature: limiting password reset attempts on your WooCommerce site to prevent abuse, and you’ve already made good progress with the reset link expiration.

    You’re facing an issue where your custom code, intended to limit reset attempts using a transient, isn’t preventing the password reset email from being sent, and the error notice isn’t displaying as expected.

    Please note that we do not provide support for custom code or customizations. If you need more in-depth support or want to consider professional assistance for customization, I can recommend WooExperts and Codeable.io as options for getting professional help. Alternatively, you can also ask your development questions in the WooCommerce Community Slack as custom code falls outside our usual scope of support.

    Plugin Support Shameem – a11n

    (@shameemreza)

    Hi @adam20061

    Just chiming in to share that you’re right about the expiration filter, that part’s solid.

    That said, for limiting reset attempts, wc_process_password_lost won’t work since it’s a function, not an action hook. Instead, you can use the lostpassword_post hook, which fires early enough to block the email before it’s sent.

    Hope that helps lock it down. Let us know if anything else comes up.
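
The approach from the reply above, as an added example that is not code from the thread or from WooCommerce: the same transient counter moved to the `lostpassword_post` action, blocking by adding to the `WP_Error` object that action receives. It assumes the lost-password handler aborts when that object holds an error (WordPress core's `retrieve_password()` does); the `ag_` names and the `ag-reset-limit` text domain are hypothetical.

```php
<?php
// Added example. Names prefixed ag_/AG_ and the text domain are assumptions.
const AG_RESET_MAX_ATTEMPTS = 3;

add_action( 'lostpassword_post', 'ag_limit_password_resets', 10, 2 );

/**
 * Count reset requests per (account, IP) and block once the limit is reached.
 *
 * @param WP_Error      $errors    Errors collected for this reset request.
 * @param WP_User|false $user_data Matched user, or false if none was found.
 */
function ag_limit_password_resets( $errors, $user_data = false ) {
	if ( ! ( $errors instanceof WP_Error ) || empty( $_POST['user_login'] ) ) {
		return;
	}

	// Key on the user ID when the account exists, so that alternating between
	// username and e-mail address does not give the requester a second counter.
	// Unknown logins are counted too, which keeps the behaviour uniform.
	if ( $user_data instanceof WP_User ) {
		$subject = 'id:' . $user_data->ID;
	} else {
		$subject = 'login:' . strtolower( sanitize_user( wp_unslash( $_POST['user_login'] ) ) );
	}

	// REMOTE_ADDR is the proxy's address when the site sits behind a reverse
	// proxy or CDN; in that setup every visitor shares one IP in this key.
	$ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
	$key = 'ag_wc_reset_' . md5( $subject . '_' . $ip );

	$attempts = (int) get_transient( $key );

	if ( $attempts >= AG_RESET_MAX_ATTEMPTS ) {
		// Adding an error is what stops the e-mail; no redirect or exit needed.
		$errors->add(
			'ag_too_many_resets',
			__( 'Too many password reset attempts. Please try again in an hour.', 'ag-reset-limit' )
		);
		return;
	}

	// Each allowed attempt restarts the one-hour expiry (a sliding window).
	set_transient( $key, $attempts + 1, HOUR_IN_SECONDS );
}
```

The read-then-write on the transient is not atomic, so concurrent requests can slip past the limit by a small margin; a persistent object cache with an atomic increment closes that gap.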

    Thread Starter adam20061

    (@adam20061)

    Thank you so much @shameemreza, it’s worked!

    Hi @adam20061,

    So glad to hear that it worked for you.

    If you found the support helpful, feel free to leave a quick review — it means a lot and helps others too. Thanks again: https://wordpress.org/support/plugin/woocommerce/reviews/#new-post


The topic ‘Limit password reset attempts in WooCommerce – attempt count limit not working’ is closed to new replies.