Jb Audras 10:31 am on February 22, 2021
Tags: 5.7 ( 67 ), dev-notes ( 520 )

Send reset password links in WordPress 5.7

WordPress 5.7 introduces a new feature that allows website administrators to manually send a reset password link to existing users. This can be helpful when users lose their password and cannot use the lost password link for any reason.

In terms of workflow, the feature does not directly change the user’s password. It sends them a password reset link via email so they are able to reset their password by themselves. Sending a reset password link is more secure than directly changing the password for the user. Passwords should not be communicated directly.

The reset password email notification is sent using the existing retrieve_password() function, which can be filtered using the retrieve_password hook. Please note that retrieve_password was also moved from wp-login.php to wp-includes/user.php.

This feature can be found in several places in the WordPress Adminadmin (and super admin).

Using the user profile screen

The feature is available on the user profile screen, right above the “Set new password” setting.

Using the action link available on the users list screen

There is also a quick action link available in the users list. It is showed when you hover/focus the user’s row.

Using bulk actions

It is also possible to bulk send password reset links by using the bulk action available in the action dropdown located right above the users list table.

Password reset link email notification

Here is the content of the email notification:

Subject: [SITENAME] Password Reset
- - -

Someone has requested a password reset for the following account:

Site Name: [SITENAME]

Username: [USERNAME]

If this was a mistake, ignore this email and nothing will happen.

To reset your password, visit the following address:

[RESET_PASSWORD_URL]

This password reset request originated from the IP address [IPADDRESS].

The email subject and message can be filtered using the retrieve_password_title and the retrieve_password_message hooksHooks In WordPress theme and development, hooks are functions that can be applied to an action or a Filter in WordPress. Actions are functions performed when a certain event occurs in WordPress. Filters allow you to modify certain functions. Arguments used to hook both filters and actions look the same..

For reference, see ticketticket Created for both bug reports and feature development on the bug tracker. #34281

Props to @chaton666 and @jdy68 for proofreading

#5-7, #dev-notes

Gregory 10:45 am on February 22, 2021

For the time being, this post makes no sense since the feature is not available in WP 5.7 betaBeta A pre-release of software that is given out to a large group of users to trial under real conditions. Beta versions have gone through alpha testing in-house and are generally fairly close in look, feel and function to the final product; however, design changes often occur as part of the process. 3. It would be really great if you guys schedule your “future feature” posts to the date when those features become available. Thanks.
- Julio Potier 11:01 am on February 22, 2021
  
  Maybe you should test before raging:
  https://www.dropbox.com/s/nbd00rwm210fm9n/Capture%20d%E2%80%99%C3%A9cran%202021-02-22%20%C3%A0%2011.58.31.png?dl=0
  WP 5.7-beta3 Feature is available.
  Have a good day.
- Jb Audras 11:09 am on February 22, 2021
  
  Hi @gioni, and thank you for your comment,
  
  I can confirm the feature is available in WP 5.7 betaBeta A pre-release of software that is given out to a large group of users to trial under real conditions. Beta versions have gone through alpha testing in-house and are generally fairly close in look, feel and function to the final product; however, design changes often occur as part of the process. 3. The screenshots were made using beta 3.
  
  But if you don’t see the feature on a fresh install, we’re very interested by further details on your installation to check if there is any issue with this feature.
- Gustavo Bordoni 2:34 pm on February 22, 2021
  
  I really don’t understand why people need to be so toxic at first, be kind to other people, @audrasjb thanks so much for the effort on the post.
Gregory 11:42 am on February 22, 2021

That’s my bad! Now I get it.
- Jb Audras 12:07 pm on February 22, 2021
  
  Cool! 🙌
Gregory 12:12 pm on February 22, 2021

I confirm it fully works, but I see two issues:

Showing the IP address of the website adminadmin (and super admin) on the last line “This password reset request originated from the IP address” is inappropriate in terms of privacy and security. It should be removed.

The line “Someone has requested a password reset for the following account:” should start with: “The website admin…”.
- Jb Audras 1:09 pm on February 22, 2021
  
  Thanks for the feedback @gioni!
  
  The best option for such feedback would be to comment in the related ticketticket Created for both bug reports and feature development on the bug tracker.: https://core.trac.wordpress.org/ticket/34281 Thanks!
  
  By the way, there is an information about the IP address and the reset password email in the privacy policy generator (see wp-admin/options-privacy.php?tab=policyguide). FWIW, this is not a new thing, this email wasn’t changed for the new feature.
  
  Concerning using “Someone” to refer to the person who initialized the email, that’s a good point, but we shouldn’t use “the website adminadmin (and super admin)” as this email may also has been generated programatically. It is not necessarily generated by the actions detailed in this note 🙂
  - Carike 1:57 pm on February 22, 2021
    
    I agree that it would be preferable to remove the IP address entirely.
    The reasoning for this is that when a user requests a change of their own password, they would have one of two legitimate interests in knowing the information:
    1.) It is their own IP address;
    2.) Someone is possibly trying to phish / hack them and they have a security-based interest.
    Both of these are legitimate interests.
    
    However, it is not desirable to give users access to the adminadmin (and super admin)’s IP address. I would not even want users to have access to my username (I would feel more comfortable if it included the display name, if any details had to be included at all).
    
    I’m also concerned that with many WordPress users not being very tech savvy (and that is okay, that is the magic of crowd-sourcing code), this feature may make it easier for bad actors to phish.
    Banks have spent billions trying to teach people not to click on any links in e-mails that you did not initiate yourself. :sunflower:
    - Jb Audras 2:01 pm on February 22, 2021
      
      Thanks for putting this together here @carike!
      In that case, I think our best bet is to add a parameter to the retrieve_password function so it’s possible to display the IP when it’s needed (lost password link) and to remove it in all other cases 🙂
Chouby 5:42 pm on February 22, 2021

Hi Jb,
FYI, I just created a ticketticket Created for both bug reports and feature development on the bug tracker. as the email is not sent in the user’s language but always in the administrator’s language: https://core.trac.wordpress.org/ticket/52605
- Jb Audras 12:43 am on February 23, 2021
  
  Yep, thanks!
- Jonathan Desrosiers 3:36 pm on February 24, 2021
  
  You should see this fixed in 5.7 RC1, @chouby. Please let us know if that’s not the case!
  - Chouby 10:10 am on February 25, 2021
    
    Thanks, it works as expected now 🙂
Shaolin 7:03 am on May 21, 2021

I like this new feature, especially the Generate Password ability on the screen.

My users are contantly forgetting their passwords from what I can tell from the logs and while they sometimes do think to click the Lost Password I suspect it doesn’t always arrive as they are back failing again next day (I even put hints on the login box to use a password manager if their browser isn’t auto filling. Persistant failures I tend to contact and offer to reset it for them so this will save much time.
But…all my users are woocommerce and none have access to the wp adminadmin (and super admin), they login and reset passwords from My Account. I noticed when I sent a test reset to my other account (as a customer) it sent them to wp-login.php, which okay I’d rather they didn’t go there but once password was saved they remained in wp-admin dash and got the ‘you do not have permission’ which I suspect will cause confusion.

So I have found the link in User.php and have changed wp-login.php to my-account on the staging site and it appears to be working ok (although as It’s the reset in Woo it doesn’t have the fancy generate password widgetWidget A WordPress Widget is a small block that performs a specific function. You can add these widgets in sidebars also known as widget-ready areas on your web page. WordPress widgets were originally created to provide a simple and easy-to-use way of giving design and structure control of the WordPress theme to the user.. If I kept it as the wp-login.php how would I get it to redire to my account after the password ahs been reset

Either way, I’d rather put the code in my theme functions file than have it overwritten each time so can I just take that section of code and put the edited in fucntions or will there need to be some other overides?

Thanks!
- souri 3:51 pm on May 21, 2021
  
  A really helpful contribution!
  I was surprised seeing the “send password reset” link on my user-dashboard.
  At first I thought I have installed a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party and just forgot it. That caused a little bit confusion. Anway:
  Good work – thanks for this!