Support » Fixing WordPress » User registration: Is the password set only after clicking the email link by def

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator bcworkz

    (@bcworkz)

    A password hash is saved upon registration, but there is no way to know what that password is from the hash. Of course when the link is followed and the user sets the password, the hash is updated accordingly.

    To be pedantic, the user doesn’t have to click the link. They could copy/paste it into a browser. More accurately, they need to follow the link 😛 The nonce included in the link is what gives them authorization to set the password for the user also listed in the link.

    Thank you. So this should then be a valid “confirm your email address” functionality, right? They cannot log in otherwise?

    Moderator bcworkz

    (@bcworkz)

    Right, the nonce that authorizes the password set only appears in the email. There’s no way for a non-admin to set a password without the nonce. So if someone does not provide a valid email that they are able to access, they never get the nonce and nothing can happen.

    Thank you for your help, that was the clear answer I was hoping for!

    Moderator bcworkz

    (@bcworkz)

    YW, happy to help.

Viewing 5 replies - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.