- Level: EnlightenedPosts: 35
Hi,
When requesting a password reset (Lost your password?) it is possible to use either the @username or email address to do the request.
I think this should be restricted to only allow the email address to be used, as this is generally hidden information. Whereas the @username is visible in profile pages and the profile URL of members. Not good, an easy route for hackers and nuisance attempts to compromise other accounts.
So is it possible to restrict the Lost Password reset functionality to only work with email address?
Thanks!
- (BuddyDev Team)Posts: 24766
Hi Michael,
Thank you for the question.
You can enforce it using the following code.
/** * Force password retrieval by email id only. */ add_filter( 'lostpassword_errors', function ( $errors ) { if ( $errors->has_errors() ) { return $errors; } $user_login = isset( $_POST['user_login'] ) ? wp_unslash( $_POST['user_login'] ) : ''; if ( ! $user_login ) { return $errors; } if ( ! is_email( $user_login ) ) { $errors->add( 'invalid_username', __( 'Please use your email id for retrieving password.' ) ); } return $errors; } );Please let me know if it works for you or not?
Regards
Brajesh - Level: EnlightenedPosts: 35
Works great, thankyou!
The Lost Password form however still displays (initially) the prompt “Please enter your username or email address” and above the input text field it says “Username or Email Address” … any way those can also be modified to indicate it accepts email address only? Just for tidiness sake.
If not, thankyou anyway, the functionality is great.
- (BuddyDev Team)Posts: 24766
Hi Michael,
Thank you for confirming that it works.The code does not modify any label(only shows error).
You can use any of the localization plugin to change the text labels( e.g loco translate or something similar).
Regards
Brajesh
You must be logged in to reply to this topic.