If you’ve run a website for a while, you know that you can sometimes get emails from hackers trying to use the “password reset” button. While this shouldn’t work because they don’t have access to your email (hopefully!), it can still be annoying to sift through the spam, and in general, it causes additional workload on your server. My preferred technique to deal with this problem is to mask the wp-login.php page itself. But if you have a bunch of users, you don’t want to confuse them with alternate login pages. One way out of this is to disable the password reset link for all users except the administrators. This way, you can reset their password manually when necessary.
Now obviously this won’t work if your site has hundreds or thousands of visitors. You can’t be expected to manually reset people’s passwords all the time. But if you have just a handful of users (or even one!), then a password reset will happen pretty infrequently, and it shouldn’t be a problem. So let’s see how to do this.
The Code for Disabling Password Resets for Non-Admins
While there are plugins that can do the job, why add a new plugin to your site when you can just add some code manually? I recommend creating your own custom plugin to hold the code. We have a nice knowledgebase article on using a custom plugin for code insertion on WordPress, so I suggest you follow that detailed tutorial. Alternatively, you can just insert the code into the “functions.php” file of your WordPress theme. But it’s a lot more dangerous to do this, since if you break something, you can crash your site. With plugins, on the other hand, it’s easier to revert the changes, and WordPress itself has built-in mechanisms to safeguard you from self-destructing.
Here’s the code to insert:
// Enable password reset only for administrators.
// $allow is WordPress's current decision; $user_id is the account asking for a reset.
function enable_admin_password_reset( $allow, $user_id ) {
    // 'manage_options' is a capability that only administrators hold by default.
    if ( user_can( $user_id, 'manage_options' ) ) {
        return true;
    }
    return false;
}
add_filter( 'allow_password_reset', 'enable_admin_password_reset', 10, 2 );
This will disable the password reset functionality for all users that don’t have administrator permissions. For example, here is what a standard user will see if they try to reset the password using the “Forgot Password?” text link on the login screen:
You can see that it says “Password reset is not allowed for this user”. Perfect!
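If you want to tell blocked users what to do instead, and keep a record of the attempts that the filter turns away, here is an extended version of the same hook. This is an added example, not code from the article: it assumes the filter name and callback signature shown above, uses a hypothetical function name, and assumes REMOTE_ADDR holds the visitor's address (behind a proxy such as Cloudflare it holds the proxy's address instead).

```php
<?php
/**
 * Added example (not the article's own code): deny password resets for
 * non-administrators with a custom message and log each denied attempt
 * so unusual reset activity shows up in the server log.
 * Place it in the custom plugin the article recommends.
 */
function nh_admin_only_password_reset( $allow, $user_id ) {
    // Keep any earlier denial (for example the multisite spam flag) in place.
    if ( ! $allow ) {
        return $allow;
    }

    // Administrators keep the normal reset flow.
    if ( user_can( $user_id, 'manage_options' ) ) {
        return true;
    }

    // Record which account was targeted and from where. REMOTE_ADDR is
    // assumed to be the client address; behind a proxy it is the proxy's.
    $user  = get_userdata( $user_id );
    $login = $user ? $user->user_login : 'unknown';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'Password reset denied for non-admin user "%s" (ID %d) from %s',
        $login,
        $user_id,
        $ip
    ) );

    // Returning a WP_Error instead of false makes WordPress show this text
    // in place of the default "Password reset is not allowed for this user".
    return new WP_Error(
        'no_password_reset',
        'Password resets are handled by the site administrator. Please contact them directly.'
    );
}
add_filter( 'allow_password_reset', 'nh_admin_only_password_reset', 10, 2 );
```

The log lines land in the PHP error log (or WordPress's debug.log when WP_DEBUG_LOG is on), where you can watch for repeated attempts against the same account.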
So How Do We Reset Passwords Then?
Administrators can always just create a new password for the user and send it to them via the “Users” screen. The downside might be that they’ll have to transmit the new password over an insecure channel like e-mail. Alternatively, they can reset the password to something basic and require the user to log in and change it to something harder to guess.
Admins can also go directly to the database, via PHP, to reset the passwords of everyone, including themselves. Here’s a tutorial on resetting it via the PHP backend. This method works even if you’ve been locked out of the admin screen and can’t reset anything, because it changes the password directly in the database. It just requires a few more steps, thanks to the way password hashes are stored in the MySQL database.
Hardening WordPress is a Constant Endeavor
It requires ongoing vigilance to secure your site from hackers. Here are some Cloudflare Page Rules to get you started, along with a section on Rate Limiting, and more on the NameHero blog. All these methods contribute to keeping WordPress safe from spam and attacks, and you must always monitor their effectiveness.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!