Boosting your WordPress site’s security is important, and an easy way to do that is by removing the password reset option.
Normally, WordPress allows users to reset their passwords using their email addresses. While this is really convenient, it can also be a target for hackers.
Turning off the password reset option adds an extra layer of protection. Even though it’s a small change, it can make a big difference. This way, only you or trusted users can change passwords.
In this guide, we’ll show you how to remove the password reset/change option in WordPress step-by-step.
Why Remove Password Reset/Change Option From WordPress?
If you allow user registration on your WordPress site, then the password reset option allows users to recover lost passwords. Normally, you wouldn’t want to change that.
However, in some usage scenarios, you might want to remove this option for specific users or user roles on your WordPress site.
For example, you may have created a temporary account for someone or a demo site where users can log in with a demo username and password.
Also, having the password reset option gives hackers another way to attempt entry into your website. If you are particularly concerned about WordPress security, you may wish to remove the option for users to reset their own passwords.
The easier solution would be to remove the password reset link. However, some savvy users may already know the URL to use to access the password reset form.
With that in mind, let’s see how you can easily remove the password reset/change option from WordPress:
Ready? Let’s get started.
Method 1: Disable Password Reset/Change Option Using LoginPress
The easiest way to disable the password reset/change option is with LoginPress. It’s a free WordPress plugin that allows you to customize the login page.
LoginPress offers a wide range of features to customize the appearance of the login page to improve the security and how the way the page looks.
Step 1: Install and Activate LoginPress
To get started, you will need to install and activate LoginPress. For more details, you can check out our tutorial on how to install a WordPress plugin.
Note: The free version has everything you need to disable the password reset/change option. That said, the paid version has advanced security features like the ability to customize the login URL, limit login attempts, and more.
Step 2: Customize the Settings
Next, let’s head over to the LoginPress » Settings page from your WordPress dashboard. On the settings page, you have a ton of options to customize your login page. Many of the other tabs are paid features, but the settings options are available for free users.
One thing you probably want to turn on is the ‘Force Password Reset’ option. Once you’ve toggled that option, you’ll need to set the duration in days, after which the user will be forced to change their password again.
A good rule of thumb for WordPress security purposes is to change your password every 90 days. Also, you can choose which user roles you want to enforce this password reset rule for.
Below that, you can also set the number of minutes a user is allowed to access the backend of your WordPress site before the session expires. In addition, you can add custom password fields in the user registration form, along with other settings.
Once you’ve selected all the options you’d like to customize, simply hit the ‘Save Changes’ button.
Step 3: Disable Forgot Password
From here, you’ll want to head over to LoginPress » Customizer. This will take you to a built-in editor where you can easily customize any aspect of your WordPress login page.
To remove the ‘Lost your password?’ message, you need to go to the ‘Form Footer’ tab. Clicking on the pencil icon next to ‘Lost your password?’ will also take you to the ‘Form Footer’ tab.
Then, you need to turn off the ‘Enable Footer Text’ option.
This will remove the ‘Register’ and ‘Lost your password?’ options from your login page.
The plugin offers plenty of other cool features.
For example, you can change the button color and text colors, add logos, and even change the background. Just click the pencil icon on whichever spot you want to change or navigate through the left side panel.
Once you are done customizing the WordPress login page, you’ll be ready to save the changes.
Simply hit the ‘Publish’ button in the top left corner to finalize the changes.
Lastly, you need to log out of your WordPress dashboard and try to log in again to check that the lost password option no longer appears.
You have now successfully removed the password reset/change option from WordPress.
Method 2: Manually Disable Password Reset Option From WordPress Using WPCode
This method requires you to add code to your WordPress site.
Some tutorials will tell you to edit the files directly, but we don’t recommend this. Even the smallest error while typing code can cause WordPress errors or even make your site inaccessible.
That’s why we recommend using a code snippets plugin like WPCode instead.
This popular plugin allows you to add custom code in WordPress without editing your theme’s functions.php file, so you won’t have to worry about breaking your site.
You can use the free version of WPCode for this tutorial. However, if you upgrade to the premium version, you’ll have access to more ready-made snippets and advanced features, including a code generator, revision history, and smart conditional logic.
To get started, you’ll need to install and activate the WPCode plugin. For more information, please see our guide on how to install a WordPress plugin.
Then, you’ll need to go to Code Snippets » + Add Snippet.
Since there’s no ready-made snippet for disabling the password reset option, you’ll need to add custom code. You can hover over the ‘Add Your Custom Code’ bar and click ‘Use Snippet.’
On the next screen, you’ll name your custom snippet.
You might want to give it a clear name so you can easily refer to it later if you need to make changes to it.
Next, for the ‘Code Type,’ let’s select the ‘PHP Snippet’ option from the dropdown menu.
Then, you’ll want to copy and paste the following code into the ‘Code Preview’ text editor:
<?php
/*
* Plugin Name: Disable Password Reset
* Description: Disable password reset functionality. Only users with administrator role will be able to change passwords from inside admin area.
* Version: 1.0
* Author: WPBeginner
* Author URI: http://wpbeginner.com
*/
class Password_Reset_Removed
{
function __construct()
{
add_filter( 'show_password_fields', array( $this, 'disable' ) );
add_filter( 'allow_password_reset', array( $this, 'disable' ) );
add_filter( 'gettext', array( $this, 'remove' ) );
}
function disable()
{
if ( is_admin() ) {
$userdata = wp_get_current_user();
$user = new WP_User($userdata->ID);
if ( !empty( $user->roles ) && is_array( $user->roles ) && $user->roles[0] == 'administrator' )
return true;
}
return false;
}
function remove($text)
{
return str_replace( array('Lost your password?', 'Lost your password'), '', trim($text, '?') );
}
}
$pass_reset_removed = new Password_Reset_Removed();
?>
Here is what your screen should look like:
From here, all you need to do is toggle the option from ‘Inactive’ to ‘Active’ at the top of the page.
Then, go ahead and hit ‘Save Snippet’ to finalize the changes.
Congratulations, you are all set!
Now, you can log out of your WordPress admin area so you can check if the password reset option has been removed.
Bonus: Disable Login With Email Address in WordPress
Now that you’ve learned about disabling the ‘Password Reset / Change Option,’ you might want to take your WordPress login security to the next level. One of your options is disabling login with email address.
Let’s say someone wants to hack your WordPress site. Then, having your email could help them guess your password or hack your email account.
WPCode has a ‘Disable Login by Email’ snippet you can use.
Simply install and activate the plugin and search for the snippet in its library to apply the code.
For more detailed instructions, you can follow through our guide on how to disable login with email address feature in WordPress.
Expert Tip: If your WordPress site got hacked, don’t panic – We have a Hacked Site Repair service to help! Our team of experts will quickly identify and fix the issues to get your site running smoothly again. We offer a thorough cleanup, ensuring all malicious code is removed. Reach out to us today and restore your peace of mind!
We hope this article helped you learn how to remove the password reset/change option from WordPress. You may also want to check out our guides on how to password-protect your WordPress admin (wp-admin) directory and how to force logout all users in WordPress.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Billy
The Script you wrote on the top Method 2: Manually Disable Password Reset Option From WordPress. Is this still good ? Does it need to be updated ?
WPBeginner Support
The second method in our article should still work unless we hear otherwise.
Admin
CG
Hi,
how to remove all the other Options from the user-page?
WPBeginner Support
While we don’t have a tutorial for that at the moment, for what it sounds like you’re wanting you may want to take a look at our guide on How to Limit Dashboard Access
Admin
Rich Adams
Creating the plugin works perfectly, thank you.
Hoowever the Security plugin WordFence shows a warning now:
“The Plugin “Disable Password Reset” appears to be abandoned (updated November 10, 2016, tested to WP 4.6.12).
Type: Plugin Abandoned”
Is there a way to update this plugin to avoid the warning?
TIA!
WPBeginner Support
Hi Rich,
Try changing plugin name in the code.
Admin
Francine Paino
I am a member of a writing organization and unfortunately, the member who was in charge of our website died suddenly. No one knows the password. We have created a new website on WordPress, but we need to take down the old one. Having two sites is causing a great deal of confusion.
How do we bypass the password? Is there someone to contact regarding this problem?
Thank you in advance for your assistance with this problem.
FP
WPBeginner Support
Hi Francine,
If the old website is a self hosted WordPress.org website, then it is hosted by a hosting company. You can request the hosting company to take down the website. However, hosting companies usually do this only when the request is made by a deceased customer’s next of kin or someone with legal rights.
Admin
Imer García
That’s still works with the recent versions of WP? Because Im just do it in 2 hosted in my local machine, and nothing happens. The plugin is installed and activated, but the “Forgot Your Password” option remains in the login form.
Thanks
Kristi Buchanan
I recently got a new computer and I need to know how disable the password to be able to get into it so I can finish setting it up?
Lo
Great! thank you
Priya Singh
Hi Team,
This is extremely fantastic tutorial you have shared on this amazing blog because i was thinking to try it through my dashboard but i was unable to do and when i visited on this awesome WPbeginner site and i found it.
so in this case thanks a lot .
Saeed Khan
The plugin generated 3 characters of unexpected output during activation. If you notice “headers already sent” messages, problems with syndication feeds or other issues, try deactivating or removing this plugin.
Please help how to fixed this issue??
WPBeginner Support
If you are using the code method, then this could mean that there is extra space after php closing tag. You can delete those extra spaces, you can also delete the PHP closing tag ?>
Admin
Adam Edgar
that doesnt remove my error message
“The plugin generated 1 characters of unexpected output during activation. If you notice “headers already sent” messages, problems with syndication feeds or other issues, try deactivating or removing this plugin.”