Make WordPress Core

Opened 4 years ago

Closed 3 months ago

Last modified 3 months ago

#49860 closed enhancement (duplicate)

Add a filter to disable the "Lost password" ability completely

Reported by: ttodua's profile ttodua Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:


there is existing hook allow_password_reset which doesn't work as intended.
For example, setting that filter to false still allows to output "Lost your password" (in the bottom of login page) and even the "wp-login.php?action=lostpassword" urls continue to work.

Many people today uses 3rd party authorizations (Google sign in, facebook, etc etc) and want to have disabled internal registration/password reset forms.
It will be good to have a filter to disable "Lost password" ability completely.

However, if users are allowed to be registered on site, then it doesn't have any meaning to have "Lost password" disabled, so, only if "registration is disabled", after that can be checked if "Lost password" is disabled from filter, and depending that remove the functionality/output.

Attaching patch.

also, one important thing for styling and targeting, is that the p tag had its own class.

Attachments (3)

49860.patch (2.6 KB) - added by ttodua 4 years ago.
49860-2.patch (919 bytes) - added by ttodua 4 years ago.
49860-3.patch (1.3 KB) - added by ttodua 3 months ago.

Download all attachments as: .zip

Change History (11)

#1 follow-up: @Otto42
4 years ago

The allow_password_reset file actually does work as intended, as it is intended to provide a way to allow password resets to be disabled on a per-user basis. It takes both a truthy value and a user ID number. This is so that if you want password resets to be disabled for important accounts (example, admins) then you can have them coded to not allow it for those accounts specifically.

If you want to hide the password reset process entirely, then that would be a matter of adding a different system of filters or actions. The existing filter for allow_password_reset would not make sense to override this functionality.

#2 @SergeyBiryukov
4 years ago

  • Summary changed from Update to wp-login.php to Add a filter to disable the "Lost password" ability completely

4 years ago

#3 in reply to: ↑ 1 @ttodua
4 years ago

Replying to Otto42:

Otto, yes I understand that filter does something, but actually the name (allow_password_reset) it too general and directly leans the mind that the filter should ALLOW/DISALLOW the password reset functionality at all.

So, with the patch you will see that I refer the more intermediate and acceptable way to "disable password resets" totally with a programmatic way (i explained why that is important, as many sites [including ours] use only Google/Facebook logins, instead of wp-signups), so, when there is disabled "password reset" (because there is no need, as on-site registrations are disabled), people shouldn't see even "Lost password?" link in the bottom of login page. that's quite logical.

#4 follow-up: @Otto42
4 years ago

Well, I agree that may not be the best name for the filter, but it is what it is and it can't really be changed now.

As for the patch, I would say that allow_password_reset_for_existing_users isn't the best hook name either. Also, if you're only allowing third-party service logins, then disabling the whole screen entirely and replacing it with whatever the login methods are would seem to make more sense.

Removing the reset link is fair enough to have as a filterable thing, but I'd probably just put a filter on the actual output of the link. That would let you remove it, replace it with something else, add to it with additional links, etc.

#5 in reply to: ↑ 4 @ttodua
4 years ago

Replying to Otto42:
1) filtering "Lost password" link - ah, nice catch, how I hadn't thought about that. will attach new patch.
2) 'allow_password_reset_for_existing_users' - i will change to shorter...

generally, changing the whole login screen is not any point of the patch. It requires the technical/designer interventions, while just using 3-rd party plugins (for FB/GOOGLE login) just does all the thing. the only missing thing there was to "disable Lost password" and that would be nice to be hookable something like the proposed patch. Personally I am working on one plugin (with external service login) which would then just have a simple option to hook into WP, to ALLOW/DISALLOW forgot password.

btw, adding class for "username field" would have been also good, as it's a pure <p> tag at this moment, impossible to be targeted from CSS easily. (using advanced phseudo first-child selectors or like that, which is not good)

4 years ago


#6 @ttodua
4 years ago


Last edited 3 months ago by ttodua (previous) (diff)

3 months ago

#7 @ttodua
3 months ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #60529.

#8 @swissspidy
3 months ago

  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.