Title: Reset password link
Last modified: January 22, 2018

---

# Reset password link

 *  [Steve](https://wordpress.org/support/users/stevenaive/)
 * (@stevenaive)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/reset-password-link-5/)
 * I’m setting up a WordPress site on my server (so not on WordPress.com) for a 
   new client. They have raised a couple of security questions regarding the reset
   password links that WordPress sends out when a user forgets their password:
 * 1. Do these links expire and if so, how long do they remain valid for?
 * 2. Assuming someone other than the intended recipient had access to the link
   (and it hadn’t been used already), is there anything to stop that person using
   the link to reset a password?

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [8 years, 4 months ago](https://wordpress.org/support/topic/reset-password-link-5/#post-9889019)
 * > 1. Do these links expire and if so, how long do they remain valid for?
 * I am 99% sure that the link does not expire. I’ll try to confirm that later.
 * > 2. Assuming someone other than the intended recipient had access to the link
   > (and it hadn’t been used already), is there anything to stop that person using
   > the link to reset a password?
 * If you cannot control your email then don’t worry about WordPress password reset
   links: you’ve bigger problems to worry about.
 * Here’s why I state that. Email and occasionally SMS text messages (not a WordPress
   feature, I’m just being complete) are fallback for password resets. If you cannot
   control those fallbacks then many more things besides WordPress fall flat on 
   their face security wise.
 * That fallback is an ugly compromise. You want to have account security but you
   also want to ensure that your users are not locked out in the fallback as well.
 * If you are really concerned about it, and that’s good, then consider 2FA via 
   a plugin.
 * [https://wordpress.org/plugins/search/2FA/](https://wordpress.org/plugins/search/2FA/)
 * I personally use this one.
 * [https://wordpress.org/plugins/two-factor/](https://wordpress.org/plugins/two-factor/)
 * I don’t use it for regular users, just privileged accounts. If a regular user
   account gets compromised then I can fix it. If that happens to an admin level
   account then it will mean much more work.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [8 years, 4 months ago](https://wordpress.org/support/topic/reset-password-link-5/#post-9889052)
 * Correction: the email link expires in 24 hours. It uses a nonce.
 *     ```
       $expiration_duration = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS );
       ```
   
 * Which means that a day later the link will _not_ be valid.
 *  Thread Starter [Steve](https://wordpress.org/support/users/stevenaive/)
 * (@stevenaive)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/reset-password-link-5/#post-9893590)
 * Thanks for the info Jan. I’ll check out those two plugins.
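
An added example, not part of the thread or of WordPress core: a small must-use plugin that shortens the reset-link lifetime through the `password_reset_expiration` filter quoted above and, using core's `allow_password_reset` filter, turns off email resets for administrator-level accounts. The one-hour window, the `manage_options` capability test and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Reset link hardening (added example)
 * Assumed location: wp-content/mu-plugins/reset-link-hardening.php
 */

// Shorten the reset-link lifetime from the core default (DAY_IN_SECONDS).
// Assumption: one hour suits this site. min() keeps any shorter value
// that another plugin has already set on the same filter.
add_filter( 'password_reset_expiration', function ( $seconds ) {
    return min( (int) $seconds, HOUR_IN_SECONDS );
} );

// Refuse email-based resets for privileged accounts, so an exposed mailbox
// cannot be used to take over an administrator.
// Assumption: these accounts are reset by another administrator instead.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    // Respect an earlier refusal or WP_Error from another callback.
    if ( true !== $allow ) {
        return $allow;
    }
    if ( user_can( $user_id, 'manage_options' ) ) {
        return false; // core answers with its "not allowed for this user" error
    }
    return $allow;
}, 10, 2 );
```

Regular users keep the email fallback with the shorter window; only accounts holding `manage_options` lose it.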


The topic ‘Reset password link’ is closed to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 3 replies
 * 2 participants
 * Last reply from: [Steve](https://wordpress.org/support/users/stevenaive/)
 * Last activity: [8 years, 4 months ago](https://wordpress.org/support/topic/reset-password-link-5/#post-9893590)
 * Status: not resolved

