WordPress is one of the most popular platforms for creating websites and blogs. With its popularity, the risk of hacking and attacks is significantly high too.
If you leave your WordPress website unattended for long, it’s vulnerable to hacking. To keep a WordPress website safe, you should always update your site — the WordPress core, themes and plugins.
Many websites see a lot of password reset emails from their WordPress installation. It’s easy for anyone to go to the forgot password page of WordPress and request a password reset. Your website usernames is easily found on your website, even with author archives.
A password reset email for your WordPress site can be scary thing to see when you didn’t initiate the process.
Someone has requested a password reset for the following account: “*********”
The email says “If this was a mistake, just ignore this email and nothing will happen.”
Even if nothing happened, the idea that someone is accessing admin login page isn’t comforting.
If your WordPress website is getting lots of password reset requests that you or your users didn’t request, you can disable password reset option in the front-end. You can manually change user passwords via your database or an admin can handle the password resets for users.
In this guide, let’s learn how to remove the Lost Password link from WordPress login page and completely disable the Password Reset option in WordPress. Once the password reset option is disabled, WordPress will not provide any option to recover passwords.
To keep attackers away, it’s a good idea to hide login error messages too.
Don’t like the trouble of making changes to your WordPress theme. Are you a novice and don’t know how to change the codes? Do you want to keep your changes tidy and working even when you switch themes?
Here’s a nifty little WordPress plug to disable WordPress password reset page and remove the lost password recovery link from the login screen.
⮕ Download the WordPress Plugin (No Password Reset)
You can find the codes of the plugin below.
Copy-paste the following codes in your theme’s functions.php file. You can edit the functions.php file within the WordPress dashboard under Appearance > Theme Editor > Theme Functions. You can also edit the file using your hosting file manager or upload using your favourite FTP program.
Remove the Lost Password Link
Here’s the code snippet that will remove the lost password link on the WordPress login page.
// Remove Lost Password Link
function wpf_remove_lostpassword_text ( $text ) {
if ($text == 'Lost your password?'){$text = '';}
return $text;
}
add_filter( 'gettext', 'wpf_remove_lostpassword_text' );
Disable the Password Reset Link
Removing the Lost Password text from the WordPress login page doesn’t really disable password reset function. Anyone can still access the Password Reset page using the URL /wp-login.php?action=lostpassword. Here’s the code snippet that will disable the password reset function in WordPress. When someone tries to access the password reset page, it will redirect to the homepage.
// Disable Password Reset URL & Redirect
function wpf_disable_password_reset() {
if (isset( $_GET['action'] )){
if ( in_array( $_GET['action'], array('lostpassword', 'retrievepassword') ) ) {
wp_redirect( wp_login_url(), 302 );
exit;
}
}
}
add_action( "login_init", "wpf_disable_password_reset" );
In the above code, we are actually checking for the URL query and then redirecting with a 302 (temporarily moved) header message.
Here’s an alternative method, which is part of the core WordPress itself. It makes use of the allow_password_reset filter in WP.
// Disable Password Reset
function disable_password_reset() {
return false;
}
add_filter ( 'allow_password_reset', 'disable_password_reset' );
Customize WP Login Error Message
WordPress displays an error message when someone enters the wrong username or password. WordPress tells precisely what went wrong. Anyone can use this notice to guess usernames. Once the username is found, the step to accessing the website is finding the right password. Brute force method is often used for this purpose.
You can change the default WordPress Login Error Message to more generic message “Something went wrong!” that doesn’t make life easy for attackers.
To change the login error message, simply copy and paste this code into the theme’s functions.php file.
// Change WordPress Error Message
function wpf_change_wordpress_errors(){
return 'The username or password is incorrect. Please consult the website administrator.';
}
add_filter( 'login_errors', 'wpf_change_wordpress_errors' );
Everything has been neatly packages in a file and converted into a plugin. Download the WordPress plugin that includes all the codes placed neatly for easy use on your WordPress site.