In my WordPress v5.7, I have custom login pages.
Below is the code to accept a password reset request and send the email from the custom login page.
add_filter("retrieve_password_message", "custom_password_reset", 99, 4);
function custom_password_reset($message, $key, $user_login, $user_data) {
    // Generate a reset key for this user and build the email body
    $key = get_password_reset_key($user_data);
    $message = sprintf(__('To reset password for %s, visit the following address:'), $user_data->user_email) . "\r\n\r\n";
    $message .= site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . "\r\n\r\n";
    return $message;
}
The above code generates the below URL and sends an email to the user.
https://www.example.com/wp-login.php?action=rp&key=XVBzvTRG17rKaG4brjH6&login=user_name
Below is the form in the custom password reset page:
<form name="resetpassform" id="resetpassform" action="<?php echo esc_url(network_site_url('wp-login.php?action=resetpass', 'login_post')); ?>" method="post" autocomplete="off">
    <input type="hidden" id="user_login" value="<?php echo esc_attr($_GET['login']); ?>" autocomplete="off" />
    <input id="pass1" name="pass1" type="password" value="" placeholder="New Password" autocapitalize="off" data-reveal="1">
    <input id="pass2" name="pass2" type="password" value="" placeholder="Confirm New Password" autocapitalize="off">
    <input type="hidden" name="key" value="<?php echo esc_attr($_GET['key']); ?>" />
    <button type="submit" id="resetpass-button" name="submit">Save New Password</button>
</form>
And the below code is supposed to validate the key+login and reset the password:
function do_password_reset() {
    if ('POST' == $_SERVER['REQUEST_METHOD']) {
        $rp_key = $_REQUEST['rp_key'];
        $rp_login = $_REQUEST['rp_login'];
        $user = check_password_reset_key($rp_key, $rp_login);
        if (!$user || is_wp_error($user)) {
            if ($user && $user->get_error_code() === 'expired_key') {
                wp_redirect(site_url('login/reset/?errors=expiredkey'));
            } else {
                wp_redirect(site_url('login/reset/?errors=invalidkey'));
            }
            exit;
        }
        if (isset($_POST['pass1'])) {
            if ($_POST['pass1'] != $_POST['pass2']) {
                // Passwords don't match
                // .....
            }
            if (empty($_POST['pass1'])) {
                // Password is empty
                // .....
            }
            // Parameter checks OK, reset password
            reset_password($user, $_POST['pass1']);
            wp_redirect(site_url('login?password=changed'));
        } else {
            echo "Invalid request.";
        }
        exit;
    }
}
add_action('login_form_rp', 'do_password_reset');
add_action('login_form_resetpass', 'do_password_reset');
Users are not able to reset the password from the custom login pages and get an errors=invalidkey error.
2 Answers
Your form contains pass1 and pass2 as members, yet, your backend expects rp_key and rp_login, respectively. The two are incompatible because of this, resulting in the undesired behavior you've just described. In order to fix the issue you will need to make sure that the names of the password input elements in the form match the keys you use at the backend, so you will need to either change the form names accordingly or the keys you provide to $_REQUEST in order to get them.

You did not name the field #user_login; please name it rp_login so you can get it via $_REQUEST. Same for rp_key: you named it key. Without naming a field you won't get the value of $_REQUEST['rp_login']; Please check the value before calling the function that you are getting the value.
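
The name mismatch the answers describe, worked through as an added example (not code from the question or either answer): the hidden fields carry the names the handler reads, and the link values are escaped on output. The function names and the passwordmismatch error code are hypothetical; the redirect paths are the ones from the question.

```php
<?php
// Added example; custom_reset_hidden_fields() and custom_do_password_reset()
// are hypothetical names, not part of WordPress or the question's code.

// Call inside the reset <form>. The name attributes match the keys read by
// the handler, and the values from the emailed link are escaped for output.
function custom_reset_hidden_fields() {
    $key   = isset( $_GET['key'] ) ? wp_unslash( $_GET['key'] ) : '';
    $login = isset( $_GET['login'] ) ? wp_unslash( $_GET['login'] ) : '';
    printf( '<input type="hidden" name="rp_key" value="%s" />', esc_attr( $key ) );
    printf( '<input type="hidden" name="rp_login" value="%s" />', esc_attr( $login ) );
}

function custom_do_password_reset() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }

    // Read the POST body only, using the exact names the form submits.
    // A field without a name attribute is never sent by the browser, so the
    // key check below would see an empty value and report invalidkey.
    $rp_key   = isset( $_POST['rp_key'] ) ? wp_unslash( $_POST['rp_key'] ) : '';
    $rp_login = isset( $_POST['rp_login'] ) ? wp_unslash( $_POST['rp_login'] ) : '';

    // Returns a WP_User on success or a WP_Error on failure.
    $user = check_password_reset_key( $rp_key, $rp_login );
    if ( is_wp_error( $user ) ) {
        $code = ( 'expired_key' === $user->get_error_code() ) ? 'expiredkey' : 'invalidkey';
        wp_safe_redirect( site_url( 'login/reset/?errors=' . $code ) );
        exit;
    }

    $pass1 = isset( $_POST['pass1'] ) ? $_POST['pass1'] : '';
    $pass2 = isset( $_POST['pass2'] ) ? $_POST['pass2'] : '';
    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        // "passwordmismatch" is a placeholder; the question elides this branch.
        wp_safe_redirect( site_url( 'login/reset/?errors=passwordmismatch' ) );
        exit;
    }

    reset_password( $user, $pass1 );
    wp_safe_redirect( site_url( 'login?password=changed' ) );
    exit;
}
add_action( 'login_form_resetpass', 'custom_do_password_reset' );
```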