Make WordPress Core

Opened 2 months ago

Last modified 2 months ago

#60529 new defect (bug)

Filter to disable "password reset"

Reported by: ttodua's profile ttodua Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords: 2nd-opinion dev-feedback
Focuses: Cc:


there is existing filter allow_password_reset which doesn't work as it might sound..
For example, setting that filter to false still allows the "wp-login.php?action=lostpassword" url continue to work.

Many people today uses 3rd party authorizations (Google sign in, facebook, etc etc) and want to have disabled internal registration/password reset forms.
It will be good to have a filter to disable "Lost password" capability completely.

(Also, I assumed that if users are allowed to be registered on site, then it doesn't have any point to have "Lost password" disabled, so, the check includes whether "registration is disabled".)

Attachments (2)

60529-1.patch (1.3 KB) - added by ttodua 2 months ago.
60529-2.patch (1.3 KB) - added by ttodua 2 months ago.
remove registration status check

Download all attachments as: .zip

Change History (7)

2 months ago

#1 @ttodua
2 months ago

#49860 was marked as a duplicate.

#2 @rcreators
2 months ago

Hello @ttodua

It's not good to disable forget password entirely.

As per your logic, let's say someone created their account with Facebook login while their email is with Google. Somehow they lost their FB account and due to that they cannot login on the website. So forget password will help them to reset the password with the email or username.

Apart from that, I never see any website which have social login and so they removed forgot password or reset password from website. All major website still have both options.

Let's see if anyone else have opinion on it.

#3 @ttodua
2 months ago

thanks for input, but I think you misunderstood the point of the topic.
First, there is no judgement whether this is good or bad for someone, the website owners know what's good for them, so the filter will just give them an ability. I nowhere mentioned that "it should be default for all users in the world":) Even the patch suggests that it's not enabled by default.

Second, if they loose access to their google account (you emphasize on facebook only, but most of sites , like us, use GOOGLE and APPLE logins only) and they can't login to their gmail, then what's point of password reset?::

Last edited 2 months ago by ttodua (previous) (diff)

2 months ago

remove registration status check

This ticket was mentioned in Slack in #core-test by ankit-k-gupta. View the logs.

2 months ago

#5 @Ankit K Gupta
2 months ago

  • Keywords 2nd-opinion dev-feedback added
Note: See TracTickets for help on using tickets.