Recently, I needed to build some functionality into a site that disabled the ability to reset the passwords of certain site administrators via the “lost password” form. However, I wanted to leave this option open for other users in case they needed to reset their password after forgetting it.
Thus, the Prevent Password Reset plugin was born.
How the plugin works
Prevent Password Reset is an extremely simple plugin. It adds a checkbox to the “Personal Options” section of each user’s profile page in the WordPress admin as shown in the following screenshot. Anyone who can edit the user’s profile can select this option for the user.
Once this option is selected for a user, their password cannot be reset via the “lost password” form. The following screenshot shows what happens when someone attempts to reset the password for a user with password preventing enabled.
Download the plugin
You can download the latest version from the WordPress plugin repository: Prevent Password Reset Plugin. I hope you enjoy it and can get some type of use out of it.
Please do not ask support questions in the comments below. If you’re in need of plugin support, head over to the Theme Hybrid support forums, which is where I handle support for all my plugins and themes.
That’s an interesting plugin, what circumstances would you need this in?
I didn’t really ask too much about it. I was building this for a client. They wanted it, so it was built. I know it was somewhat related to security and their system.
I know it could be useful if you don’t trust sending passwords over email.
For me, personally, it’d be useful to stop getting emails where people are trying to reset my password on my sites. I still get several of these every week. This was from an old WordPress security bug, which has now been fixed. But, people still try. At least this fixes that issue.
Whoa, now this is interesting. I, too, am wondering what circumstance one could find themselves in where they wouldn’t want to be able to reset their PW to their WP, but I’m gonna go ahead and bet that there’s a very specific one in mind here. Really interesting add-on idea, looking forward to your answer! Thanks in advance!
Is this restriction related to security?
can you explain. why?
Why i need this?
Thx Justin, I was looking for something similar!
Bovespa, it is used to prevent fraud and bad behavior. Like Justin said it can become rather annoying when someone else keeps trying to reset your admin password, when you are the admin…
Great job Justin! Works like a charm. Cheers!
great plugin, can there be like a option where the admin can choose which members should not be allowed to change password this way. ?
Interesting plugin.
few days ago i experience a strange wp error. the reset email cannot be sent out. interestingly enough, I managed to reset the pw through the database. not that difficult though.
This is a nice plugin but I don’t get its idea. What other users will do when they forget password and why do we need to prevent password reset?
Hhahaha.. It’s really cool plugin for new and expencive webmaster…..
I agree. Can the Option be an admin only checkbox. But still a great plugin
I can see the usefulness of this when you’d like to prevent people with bad intentions from trying to reset your password – but then what do you do when you or a legitimate admin forgets their password?
I guess you better hope another admin can help you out, eh?
Depending on whether or not your Wordpress site would be subject to internal control audits (like a SAS70), this is a security issue that could trip a negative report. The idea is that you should not be able to compromise an administrative account of one system (in this case Wordpress) by hacking what might be a non-administrator account of a potentially less secure system like email.
If I can see/control your email, I can steal your password simply by forcing the password reset email to be sent. Then I view/intercept your email depending on how badly I’ve compromised your system, use the link to reset the password and gain control of your administrative account. By failing to adequately address this security issue, it can put you in a state of non-compliance with several different US regulations depending upon the industry you serve and the information you store about your non-admin users.
Thank you very much for this tip. I guess this feature would be good for admins due to the majority of word press hacking that is prevalent these days.
This plugin helps to provide an extra bit of security. Thanks Justin.
Dear, Justin. Great plugin!!
TIP: Add an option in user profile to disable password change. Very usefull!!
Thanks Justin for your wp plugin. Will try it on my wp blog!
Indeed a good Plugin. Was looking for. used to prevent fraud. its annoying when someone else keeps trying to reset our admin password. thanks for the plugin Justin. “this option open for other users in case they needed to reset their password after forgetting it.” Since it has the option to change anytime(certain site administrators), its really helpful.
I use this plugin. It’s really good because i think it helps to keep hackers on a distance.
Hi Justin,
I was looking for something like this because it works alongside the eMember plugin nicely.
My question is this:
Am I able to change the message that users receive that says “Password reset is not allowed for this user” to something more specific to my site? (i.e. “Please use the link located on the News page to reset your password.”)
Thank you!
Hello Justin.
Is it possible to “Stop receiving the Forgot Password email por the admin”? Every time someone is sent this email, it’s reported to me. I can’t disable that and it’s staring to get really annoying.
Thanks for the support.