Tagged: Password Reset
Are there any plans to make the “password reset” process use a unique link instead of changing the saved password and emailing it to the user?
Currently anyone can force a password change for a member just by knowing their email address. This kind of unwanted behaviour is why most membership sites use the unique link method (including WordPress itself).
If there aren’t plans to change this behaviour, would it be possible for me to create an Add-on to do it? And if so, what hooks would be needed for this or where is a good place to start?
Thank you for reaching out to us. I have submitted a message to the plugin developers to investigate your request further.
I agree with what you are saying. Originally, for the purpose of keeping the plugin simple, we opted for the current process. Most of our users like that process since that offers a very easy process for their users. Our plugin is really used by people creating small simple membership sites. The feedback that I have collected is that the majority of our users still want the current process (since that is working fine for them).
So instead of changing it completely, I want to offer the other method as an option (or via an addon). This is not going to be a trivial feature so you won’t be able to just make this happen by using one hook or something like that. If you are not an expert PHP developer then I wouldn’t recommend that you start creating an addon for it.
Change your password reset page’s URL to point to your site’s WordPress login’s password reset page. So the password reset is taken care of by WP. Usually that URL will be something like the following (you can add it to your navigation menu also):
That password reset process will work fine with our plugin (since after the password is reset by WP, our plugin will get a notification from WP and take care of things for that member profile). Let me know if that method works for you.
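The unique-link approach raised in this thread, sketched as an added example in plain PHP (not the plugin's code or WordPress's own implementation; the class and method names are hypothetical and the store is in memory). Requesting a reset only issues a token, and the password may change only once the emailed token is presented.

```php
<?php
// Added illustration of a unique-link password reset.
// ResetTokens, issue() and redeem() are hypothetical names, not a plugin or WordPress API.

final class ResetTokens
{
    private const TTL_SECONDS = 3600;   // assumed lifetime of a reset link

    /** @var array<string, array{hash: string, expires: int}> keyed by email */
    private array $pending = [];

    /** Called when someone submits the "forgot password" form. */
    public function issue(string $email, int $now): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        // Store only a hash, so a leaked table does not yield usable links.
        $this->pending[$email] = [
            'hash'    => hash('sha256', $token),
            'expires' => $now + self::TTL_SECONDS,
        ];
        // The token goes into the emailed link; the password is NOT changed here.
        return $token;
    }

    /** Called when the link is followed and a new password is submitted. */
    public function redeem(string $email, string $token, int $now): bool
    {
        $entry = $this->pending[$email] ?? null;
        if ($entry === null || $now > $entry['expires']) {
            unset($this->pending[$email]);    // nothing pending, or link expired
            return false;
        }
        // Constant-time comparison; a wrong token leaves the account untouched.
        if (!hash_equals($entry['hash'], hash('sha256', $token))) {
            return false;
        }
        unset($this->pending[$email]);        // single use
        return true;                          // caller may now set the new password
    }
}

// Constructed sample run: a guessed token, the real token, then a replay.
$store = new ResetTokens();
$t0    = 1700000000;
$token = $store->issue('member@example.com', $t0);

var_dump($store->redeem('member@example.com', 'guessed-value', $t0 + 60));
var_dump($store->redeem('member@example.com', $token, $t0 + 120));
var_dump($store->redeem('member@example.com', $token, $t0 + 180));
```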