Lost Password, Link In Email Not Valid (key), ‘Fix’ Does Not Work

  • Resolved lisa_clev


    Hi all,

    I am using WordPress 2.5.1. I wish I never upgraded. First of all, I have a plug-in on my blog so that all my members have to register. Now there is an issue with 2.5.1 where if a member loses their password and clicks the ‘Forgotten Password’ link, the link in the email states “Sorry, that key does not appear to be valid.”

    I started researching this on the internet. I found a couple of sites stating the same thing. One of them stated that WordPress was already aware of the issue. So I looked into going to the WordPress bug site, Trac. I found the bug report and apparently the fix. See here:

    I thought this was great. I followed the instructions exactly and edited my php files. Uploaded them, no success. Still the same weird characters. I cleared my cookies and cache, tried again. Still same issue. I removed the files completely, then downloaded the files from Trac thinking I might’ve done something wrong with editing the php files myself. Uploaded and still the same issue.

    I realise other people are having this issue and are locked out of their blog. I’m not locked out of my blog, my users are and I realise I can manually change their passwords but I really do not want to do that. I would rather fix this issue. Is there something I am doing wrong?

    I’m not sure what to do next. I hear they will be releasing 2.5.2 soon because of this issue, but obviously no-one knows when this could be. I really would like to fix this ASAP.

    Thank you for reading.

Viewing 15 replies - 1 through 15 (of 27 total)
  • Moderator Samuel Wood (Otto)

    (@otto42) Admin

    Download the ZIP file with those two changed files here:
    Unzip it using WinZIP or something, then upload those two changed files to your site.

    Now try the forgotten password thing. It should work and not have those weird characters in it. Note that they will have to generate a new email and such through the forgotten password link, this won’t make those old emails magically work.

    Edit: Actually, looking closer at the code, I see that it won’t regenerate the key if one is already there. You’ll need to clear the user_activation_key data or force it to regenerate those.

    Just above that code it gives in wp-login.php is a line that reads like this:
    if ( empty($key) ) {

    Try changing it to this:
    if ( empty($key) || preg_match('/[^a-z0-9]/i',$key) != 0) {

    I think that will make it work. Not sure though, have not tested it.


    Hi, thank you for replying. I did have a reply all typed up for you but I deleted it as I tested something else. I will explain below best as I can. I hope I make sense….

    I’m the admin of my blog, naturally. Again, my blog is private. I have a plug-in on there so only registered users can see my blog. So therefore you have to be registered OK? Make sense so far?

    A couple of days ago I received an email from one of my members. She explained that whatever *I* did she cannot login. That coincided with my upgrade from 2.5 to 2.5.1. She explained that the link she got in the email to get her password said it was invalid. I immediately started testing my blog. I made a new username up. I named that ‘test’ and I did the forgot password. I got an email with a key with funky characters and even though I pasted manually the entire thing in, it didn’t work. I’m sure you are still following me here?

    I uploaded those files already that you linked me to. I then assumed it did not work because I got the exact same generated key with funky characters as above on the test account with the email. That above reason is why I assumed it did not work.

    I then tried it on my husband’s account and yes you are right it does work. BUT ONLY because he has not previously requested his password, so he gets a valid key. Now, that is good for people who have not requested their password, but what about those who have? They do not get refreshed emails, they just get the same crappy link with the code all wrong. How do I fix that? I know I can manually change passwords but again, I would rather let my users change their own profiles.

    Thanks again.

    EDIT: Thank you for the edit. I will test it now on my test account and let you know. I started this post hours ago but never got around to posting it. Called away, then dinner, then I edited. So hours had passed before I finally clicked the ‘Post’ button.

    Update: Your code works. Brilliant. Thank you ever so much. Just a thought, but maybe you could add that lovely code into the fix too? Then those people having issues with getting the same funky code in the link, after the blog owner had uploaded the ‘fix’ files. They would be fixed and get a good valid link.

    Again, thank you ever so much. If not, maybe people might see my thread here and get help from your great coding and the fix files.

    I really appreciate your help.


    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    Just a thought, but maybe you could add that lovely code into the fix too?

    Already brought it up on the bug tracker:

    Awesome. Thank you ever so much. Officially resolved!! 🙂


    I wish I could say the same.

    Just upgraded a Private Blog to 2.5.1 and had a User report that the Lost Your Password function was not working.

    I tested it and am getting the same

    Sorry, that key does not appear to be valid.

    after clicking on the link sent via email.

    Found this thread and made all changes as required (all 3).

    Still does NOT work. The only thing that does work is now the key that is sent in the email IS different each time. Still getting the “key does not … valid” message.

    Any suggestions?


    Thanks Otto42 for the fix, is it just Gmail that do not treat certain characters as part of the link or the same goes to others like Yahoo or Live?

    Thank you, I found this topic by searching Google and the little bit of code that Otto42 suggested replacing did the trick. 🙂


    You also have my thanks.. I got the same error.. googled the error and got this forum – installed the 2 files, made the code change.. it all worked

    Many thanks, Otto!

    Downloading the two files, editing the wp-login.php file with the code snippet you provided and uploading them over my existing wp-login.php and pluggable.php fixed it. Now myself and my users can reset their passwords all day long without a problem.

    From me also … thank you so much!

    I tried to download the zip file above and my computer is blocking access to the contents after download. I changed all of the security settings that I know how to change and it’s still blocking them.

    I edited the code suggested above and that alone did not work.

    Any suggestions? Is there anywhere I can get the files unzipped?

    I’m locked out of my blog right now! Eek!


    Never mind. I just finally got to the zipped files.

    All is working perfectly now.


    It’s not entirely clear from the above stream of comments, but to get this to work for users who have previously requested password reset, you have to replace the files AND make an additional change on line 94 of wp-login.php

    Fire up your favourite text editor and replace the line
    if ( empty($key) ) {
    with the line
    if ( empty($key) || preg_match('/[^a-z0-9]/i',$key) != 0) {

    There are other places you could be making the change, I did it on line 94 then it worked.



    if ( empty($key) || preg_match('/[^a-z0-9]/i',$key) != 0) {

    worked perfectly
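
Added example, not part of the thread and not WordPress core code: a stand-alone PHP sketch of the behaviour the replies describe, where a stored reset key is reused only if it is non-empty and purely alphanumeric, and is otherwise regenerated. The function names, the key length and the sample key values are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code. Function names are hypothetical.

// True when a stored reset key must be replaced: none stored yet, or it
// contains anything outside a-z, A-Z, 0-9 (the condition from the thread).
function key_needs_regeneration(?string $key): bool {
    return empty($key) || preg_match('/[^a-z0-9]/i', $key) != 0;
}

// Generate a key from an alphanumeric-only alphabet, so it always passes
// the check above. The length of 20 is an assumption for this example.
function generate_alnum_key(int $length = 20): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)]; // CSPRNG-backed (PHP 7+)
    }
    return $key;
}

// Reuse a clean stored key, otherwise issue a fresh one.
function key_for_reset_email(?string $stored): string {
    return key_needs_regeneration($stored) ? generate_alnum_key() : $stored;
}

// Constructed sample values standing in for stored user_activation_key data.
$samples = [
    'no key yet'       => '',
    'clean key'        => 'Ab3dE9fGh1JkLmN0pQrS',
    'key with symbols' => 'x#9&Lq)2!fT%vB^7*zK@',
];

foreach ($samples as $label => $stored) {
    $key = key_for_reset_email($stored);
    printf("%-17s regenerate=%-3s new_key_clean=%s\n",
        $label,
        key_needs_regeneration($stored) ? 'yes' : 'no',
        key_needs_regeneration($key) ? 'no' : 'yes');
}
```

Without the extra `preg_match` condition, the "key with symbols" case would be treated as a valid existing key and sent out again unchanged, which is the situation reported for users who had already requested a reset before the fix files were uploaded.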

  • The topic ‘Lost Password, Link In Email Not Valid (key), ‘Fix’ Does Not Work’ is closed to new replies.