One of my customers has been receiving e-mails every day for two weeks in which someone tries to reset the password for a WordPress user. In other words, someone pretends to be the admin user and uses the "forgot password" function of the WordPress login to trigger this e-mail.
The e-mail reads roughly like this:
Subject: [WordPress site name] Reset password
Someone has requested a password reset for the following user account:
Website name: XYZ
Username: horst (or whatever the user's name is)
If this was not intended, just ignore this email. Then nothing will happen.
To reset your password, visit the following address:
(this is where the URL to trigger the password reset follows)
The good news is: the many "forgotten password" requests you receive are, at first, merely a nuisance. Basically, security is not compromised, because the "attacker" cannot do much unless he also gets access to the e-mails; without the e-mails he can neither complete a password reset nor change a password.
Nevertheless, I initially installed the plug-in "Login LockDown", which prevents brute-force attacks on the admin login and blocks IPs that enter an incorrect password several times.
However, the annoying password change requirements didn't stop there and the customer was still bombarded with emails.
Ultimately, the solution was to deactivate the "Forgot password" function completely, because we don't actually need it. Both my customer and I have been using the same login for years and have not yet forgotten it.
To stop the mails, this password reset function simply had to be deactivated.
Looking for solutions, I wanted to get by without an additional plugin and find a PHP script that I could put in the functions.php of the theme. There were some free scripts that looked short and good, but although they date from early 2020, they no longer work with the current WordPress version 5.5.
In the end, one of the many how-to guides made me aware of the plugin "Plainview Protect Passwords", which I then installed. It does not switch off the forgotten password function completely, but it lets you block password changes for certain (or all) users and thus prevents the sending of password reset e-mails.
If you call up the page of the plugin in the WordPress repository, you will get the following warning message:
This plugin hasn't been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
However, the warning that the plugin has not been tested with the last three major versions of WordPress is unfounded in practice: for me it works fine under WordPress 5.5.
To set it up, install the plugin and then go to Settings > Protect Passwords in the admin area of the plugin.
In the second field, "Protected users", select all users with the CMD or CTRL key held down and click "Save settings" at the bottom. Now the passwords of all users can no longer be changed via the forgotten password function.
You can still call up the form and enter an email address or a username, but then you get the following error message:
It is not allowed to reset the password for this user.
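For readers who would rather do without a plugin, here is how the same protection can be wired into the theme's functions.php. This is an added example, not code from the Plainview Protect Passwords plugin; the list of protected usernames is a constructed sample, and an empty list protects every account.

```php
<?php
/**
 * Added example (not code from the Plainview Protect Passwords plugin):
 * block the "forgot password" flow for selected users from functions.php.
 *
 * Assumption: PROTECTED_LOGINS holds the account names to protect
 * (constructed sample values). An empty array protects every user.
 */
const PROTECTED_LOGINS = [ 'horst', 'admin' ]; // constructed sample; [] = all users

/**
 * WordPress core runs the 'allow_password_reset' filter inside
 * get_password_reset_key() before a reset key is created and before
 * the reset e-mail is composed. Returning a WP_Error aborts the request,
 * so no reset mail leaves the server at all.
 */
function sa_block_password_reset( $allow, $user_id ) {
	// Respect a veto already issued by core or by another plugin.
	if ( is_wp_error( $allow ) || false === $allow ) {
		return $allow;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return $allow;
	}

	$protect_all = empty( PROTECTED_LOGINS );
	if ( $protect_all || in_array( $user->user_login, PROTECTED_LOGINS, true ) ) {
		// This text is what the visitor sees instead of the "check your mail" notice.
		return new WP_Error(
			'no_password_reset',
			__( 'It is not allowed to reset the password for this user.' )
		);
	}

	return $allow;
}
add_filter( 'allow_password_reset', 'sa_block_password_reset', 10, 2 );

/**
 * Optional: when every user is protected, send visitors of the
 * wp-login.php?action=lostpassword form straight back to the login page.
 * The filter above does the actual enforcement; this only removes the dead end.
 */
function sa_redirect_lost_password_form() {
	if ( empty( PROTECTED_LOGINS ) ) {
		wp_safe_redirect( wp_login_url() );
		exit;
	}
}
add_action( 'login_form_lostpassword', 'sa_redirect_lost_password_form' );
```

Because the filter runs before the mail is built, the daily e-mails stop even though the form itself is still reachable.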
That finally put an end to the annoying e-mails, and my customer (and I) could concentrate on work again.
If you also have a good knack for WordPress or are struggling with a small problem, let me know via the comment function.
With Lynne, a graphic artist and designer has joined the team who contributes articles on the topics of homepage, web development and Photoshop. YouTube has recently become one of her areas of activity. Lynne is (unintentionally) very good at generating error messages and thus ensures a steady influx of problem-solving articles, which repeatedly make the Sir Apfelot blog a popular contact point for Mac users.