Index: src/wp-includes/user.php =================================================================== --- src/wp-includes/user.php (revision 32936) +++ src/wp-includes/user.php (working copy) @@ -2458,11 +2458,25 @@ $wp_hasher = new PasswordHash( 8, true ); } - if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) ) + $expire_time = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS ); + + if ( strpos( $row->user_activation_key, ':' ) !== false ) { + list( $pass_exp, $pass_key ) = explode( ':', $row->user_activation_key, 2 ); + } else { + $pass_key = ''; + $pass_exp = 0; + } + + if ( time() > strtotime( $expire_time, $pass_exp ) ) { + return new WP_Error( 'expired_key', __( 'Your password reset token has expired.' ) ); + } + + if ( $wp_hasher->CheckPassword( $key, $pass_key ) ) { return get_userdata( $row->ID ); + } if ( $key === $row->user_activation_key ) { - $return = new WP_Error( 'expired_key', __( 'Invalid key' ) ); + $return = new WP_Error( 'expired_key', __( 'Your password reset token has expired.' ) ); $user_id = $row->ID; /** Index: src/wp-login.php =================================================================== --- src/wp-login.php (revision 32936) +++ src/wp-login.php (working copy) @@ -363,7 +363,7 @@ require_once ABSPATH . WPINC . '/class-phpass.php'; $wp_hasher = new PasswordHash( 8, true ); } - $hashed = $wp_hasher->HashPassword( $key ); + $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) ); $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n"; @@ -531,7 +531,7 @@ if ( 'invalidkey' == $_GET['error'] ) $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) ); elseif ( 'expiredkey' == $_GET['error'] ) - $errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) ); + $errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) ); } $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';