Title: Some security features needed
Last modified: February 1, 2026

---

# Some security features needed

 *  [locker17](https://wordpress.org/support/users/locker17/)
 * (@locker17)
 * [3 months, 1 week ago](https://wordpress.org/support/topic/some-security-features-needed/)
 * Thanks for writing this plugin which is/was a miss on WordPress.
   I need some 
   security improvements. 1. I just allow users login by email. How can I set that
   at your plugin’s form to allow only email entries?2. How can I block attackers
   from trying hundreds of email addresses to check user logins? Do you have an 
   API or a hook where I can block further password reset attempts?

Viewing 1 replies (of 1 total)

 *  [peterjabu](https://wordpress.org/support/users/peterjabu/)
 * (@peterjabu)
 * [3 months, 1 week ago](https://wordpress.org/support/topic/some-security-features-needed/#post-18806078)
 * Hi [@locker17](https://wordpress.org/support/users/locker17/)
    1. The plugin currently accepts both email addresses and usernames, not ONLY emails.
    2. No built-in rate limiting.
 * I will look at adding this in the near future. In the meantime you could use 
   our developer hooks: [https://docs.wpenhanced.com/frontend-reset-password/faq/#what-hooks-are-available](https://docs.wpenhanced.com/frontend-reset-password/faq/#what-hooks-are-available)
   
   1) Something like this
 *     ```wp-block-code
       add_action( 'somfrp_post_request', 'restrict_reset_to_email_only', 40 );function restrict_reset_to_email_only( $action ) {    if ( 'somfrp_lost_pass' !== $action ) {        return;    }        $user_info = isset( $_POST['somfrp_user_info'] ) ? trim( $_POST['somfrp_user_info'] ) : '';        // Check if it's NOT an email    if ( ! empty( $user_info ) && ! is_email( $user_info ) ) {        $_REQUEST['errors'] = array(            'email_only' => __( 'Please enter a valid email address.', 'frontend-reset-password' )        );        // Prevent further processing by removing the default handler temporarily        remove_action( 'somfrp_post_request', 'somfrp_lost_pass_handler', 50 );    }}
       ```
   
 * 2) More complicated then above but we have some hooks
 * somfrp_post_request, somfrp_lost_pass_action, lostpassword_post
   It is hard for
   me to support custom code but will look at implementing this for you

Viewing 1 replies (of 1 total)

You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fsome-security-features-needed%2F%3Foutput_format%3Dmd&locale=en_US)
to reply to this topic.

 * ![](https://ps.w.org/frontend-reset-password/assets/icon-256x256.png?rev=3445607)
 * [Frontend Reset Password](https://wordpress.org/plugins/frontend-reset-password/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/frontend-reset-password/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/frontend-reset-password/)
 * [Active Topics](https://wordpress.org/support/plugin/frontend-reset-password/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/frontend-reset-password/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/frontend-reset-password/reviews/)

 * 2 replies
 * 2 participants
 * Last reply from: [peterjabu](https://wordpress.org/support/users/peterjabu/)
 * Last activity: [3 months, 1 week ago](https://wordpress.org/support/topic/some-security-features-needed/#post-18806078)
 * Status: not resolved