With the release of WordPress 4.3, password management took a giant leap forward. Strong passwords are now encouraged by default. In addition, WordPress no longer emails passwords to users, either at registration or in the case of a reset.
When a user is registered, they are emailed a link that allows them to set their new password. Also, if a user updates their email address or password from within the dashboard, they receive a notification at their original email address informing them of the change.
Reset links are also set to expire after just 24 hours, which further increases security.
Even with these positive changes, there is still a risk: if your email account is compromised, a hacker could visit the WordPress login screen and request a password reset, and the reset link would conveniently arrive in your now compromised inbox.
To prevent this from happening, one of the things you can do (in addition to using two-factor authentication) is to remove the password reset or change option from the WordPress login.
By doing this, even if your email is hacked, it will be impossible to request a new password link.
Remove the Password Reset or Change Option From the WordPress Login
Disabling the “Lost your password?” option from the default WordPress login is relatively simple. It requires adding a few lines of code to your theme's functions.php file. As you're working through this, remember that steps 3, 4, and 5 are critical: if you make an error in your functions.php file, you will break your site, and the backup copy is what lets you recover. Let's get started:
1. Log in to your cPanel and navigate to your File Manager (or use an FTP client).
2. To find your theme's functions.php file, navigate to wp-content >> themes >> your theme directory >> functions.php
3. Select your functions.php file and click Copy (located in the top menu).
4. In the bottom field of the pop-up window, type functions-original.php after the last / and then click Copy.
5. You should now see your copied file in the File Manager.
6. Next, select your functions.php file and click Edit, then Edit again when the pop-up is visible.
7. Navigate to the bottom of the file, add a blank line, and paste the code below at the end of the file.
// Tell WordPress that password resets are not allowed for any user.
function disable_password_reset() {
    return false;
}
add_filter( 'allow_password_reset', 'disable_password_reset' );
8. Click Save, close, and test your site.
After making the change to your functions.php file, any attempt to recover a lost password will result in an error message as seen below.
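The same filter written out in full, as an added example rather than the article's own snippet: WordPress passes two arguments to 'allow_password_reset' (the current allow flag and the ID of the user who requested the reset), and retrieve_password() in wp-login.php accepts either false (which produces the generic “Password reset is not allowed for this user” message) or a WP_Error object, which lets you control the wording shown on the login screen. The function name, error code and message text below are our own choices. Like the snippet above, this goes at the bottom of functions.php, which already begins with an opening PHP tag.

```php
/**
 * Block password resets for every account on this site.
 *
 * Called by retrieve_password() via the 'allow_password_reset' filter.
 * Returning false gives WordPress's default refusal message; returning a
 * WP_Error substitutes our own message instead.
 *
 * @param bool $allow   Whether WordPress would otherwise permit the reset.
 * @param int  $user_id ID of the user who requested the reset (unused here,
 *                      shown so the full filter signature is visible).
 * @return bool|WP_Error
 */
function site_disable_password_reset( $allow, $user_id ) {
    // Error code and message are this example's own; any text will do.
    return new WP_Error(
        'password_reset_disabled',
        __( 'Password resets are disabled on this site. Please contact the site administrator.' )
    );
}

// Priority 10 (the default) and 2 accepted arguments, so $user_id is passed in.
add_filter( 'allow_password_reset', 'site_disable_password_reset', 10, 2 );
```

Before uploading the edited file, run `php -l functions.php` on a local copy; a parse error in functions.php takes the whole site down, which is exactly why steps 3 to 5 have you keep functions-original.php as a fallback.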
Improving Security Is an Incremental Process
Unfortunately, there is no single specific change that will allow you to lock down your WordPress blog or website and prevent hackers from gaining access. However, as with most preventative measures, each action you take can have a cumulative positive effect. Preventing a user from requesting a password reset directly from the login effectively closes one more door, making it just a little harder for a hacker to gain access.