Support » Fixing WordPress » Lost Password system

  • A good friend of mine pointed out and spammed me to prove his point that if anyone losses their password they have the option to enter their e-mail address or username.

    By simply copying and pasting my username he spammed me and I received 20 e-mails about “me” requesting my password.

    Is it possible I could change it so it only requires an e-mail address to recover a password?

Viewing 4 replies - 1 through 4 (of 4 total)
  • One option is to use an email address your friend does not know about. The other option is to install a CAPTCHA based login plugin so that your friend has more work trying to spam you. And please don’t call him a friend if he is spamming you.

    Oh no he’s cool, he was just seeing if I had a limit set up.

    It’s not the e-mail that’s the problem, its the username.

    He doesn’t know my e-mail address but my username and my community’s is exposed and anyone can exploit it.

    Can I set it up so it can only work to use their e-mail as a way to identify?

    But in the mean time I will look for a CAPTCHA plugin.

    Thanks! 😀

    The lost password is there for people who have genuinely lost their password. I don’t know if anything that can be done … yet. There is a login plugin (I forget which one) that blocks you after the third attempt.

    I’ve been thinking about this since I first saw your post, and I don’t think I’d really consider it an exploit. The behavior you describe is really pretty useless for a hacker. There is no payoff. There is no reason to do what your friend did except as a prank. But there might be plugins that make that prank more difficult.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Lost Password system’ is closed to new replies.