diff --git wp-login.php wp-login.php
index 268d2b3..9aa6481 100644
--- wp-login.php
+++ wp-login.php
@@ -271,6 +271,7 @@ function retrieve_password() {
global $wpdb, $wp_hasher;
$errors = new WP_Error();
+ $current_time = time();
if ( empty( $_POST['user_login'] ) ) {
$errors->add('empty_username', __('ERROR: Enter a username or e-mail address.'));
@@ -283,6 +284,15 @@ function retrieve_password() {
$user_data = get_user_by('login', $login);
}
+ // Check if more than 5 password reset requests are made within 24 hours
+ $user_pass_requests = get_user_meta($user_data->ID, 'user_pass_requests', TRUE );
+
+ if ( is_null( $user_pass_requests ) || empty( $user_pass_requests ) || !is_array( $user_pass_requests ) || ( $current_time - $user_pass_requests['recent'] >= DAY_IN_SECONDS ) )
+ $user_pass_requests = array( 'count' => 0, 'recent' => 0 );
+
+ if ( ( $user_pass_requests['count'] >= 5 ) && ( $current_time - $user_pass_requests['recent'] < DAY_IN_SECONDS ) )
+ $errors->add('request_exceeds', __('ERROR: You have exceeded password reset requests allowed in a today. Please try again after 24 hours'));
+
/**
* Fires before errors are returned from a password reset request.
*
@@ -356,6 +366,11 @@ function retrieve_password() {
$hashed = $wp_hasher->HashPassword( $key );
$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
+ $user_pass_requests['count'] += 1;
+ if ( $user_pass_requests['recent'] == 0 )
+ $user_pass_requests['recent'] = $current_time;
+ update_user_meta( $user_data->ID, 'user_pass_requests', $user_pass_requests );
+
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= network_home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
@@ -595,6 +610,8 @@ case 'rp' :
exit;
}
+ update_user_meta( $user->ID, 'user_pass_requests', array( 'count' => 0, 'recent' => 0 ) );
+
wp_enqueue_script('utils');
wp_enqueue_script('user-profile');