By default, WordPress allows all users to reset their passwords in multiple ways. The two easiest solutions are to enter a new password in the user profile and to recover the password by using the lost password link on the login page.
However, in some cases, you may want to prevent your users from changing or resetting their passwords. For example, you are running a demo site and only want users to log in with the given username and password. Or you’d like to keep all passwords under control and make sure the password reset function is not abused.
If you are in need of a simple solution to disable password reset in WordPress, then you can consider the following two plugins both of which are easy-to-use. We will introduce the way to use the plugins in detail.
Disable Password Reset with Plainview Protect Passwords
Plainview Protect Passwords is a quite new yet helpful WordPress plugin that protects password modification from both the user profile editor and the password reset link. There are good reasons to use this plugin. For instance,
- You can disable password reset for specific users or based on user roles.
- You are able to exempt certain users from the disallowance. This guarantees enough flexibility as you can bypass the trusted users easily.
- You are able to hide the plugin settings so that they are not accessible to other admins.
To start the protection, you have to install the plugin at first, and then configure its settings in Settings > Protect Passwords. There you will see three sections, including:
- Protected Roles – The user roles for which password reset is disabled.
- Protected Users – The specific users who cannot reset their passwords.
- User Exceptions – The users excepted from the password reset protection.
To decide which users and user roles to be included, you only need to select them from the corresponding inputs. Clicking on the “Save settings” button will make the changes effective.
When you have completed the setup, those users for whom password reset is unavailable are not able to change or recover their passwords. When they use the lost password link to reset passwords, they will receive a warning message.
By default, the plugin settings are accessible to all site admins. To hide them completely, you can add the following line of code to your wp-config.php file.
Enable Protection by Using Disable Password Reset Plugin
Disable Password Reset works out of the box since it comes with no additional settings. Upon successfully installation and activation, it disables the password reset via email function completely for everyone including you, the super admin. When a user tries to reset passwords by using the lost password link, the operation will fail.
Since you cannot recover your password from the login page when the plugin is active, you will have to reset your admin password in the database by using phpMyAdmin in the case you have forgotten your password. Alternatively, you can disable the plugin temporarily by renaming the plugin folder via FTP.
A big difference between this plugin and Plainview Protect Passwords is that the former still allows your users to change their passwords in their profiles. If you need this feature, Disable Password Reset would be the better solution.