How to Make a New Lost Password or Password Reset Page for WordPress

Here is some code you can use to make a custom lost password or password reset page for your WordPress website.

<?php
/*
Template Name:  Jafty lost pw pg
Created by: Ian L. of Jafty.com
Template site: jafty.com/blog
*/

get_header();
?>
<div class="wrapper">

    <?php
        $error = '';
        $success = '';

        // check if we're in reset form
        if( isset( $_POST['action'] ) && 'reset' == $_POST['action'] )
        {
            // $wpdb->escape() is deprecated; unslash and sanitize the submitted value instead
            $email = isset( $_POST['email'] ) ? sanitize_text_field( wp_unslash( $_POST['email'] ) ) : '';

            if( empty( $email ) ) {
                $error = 'Enter a username or e-mail address.';
            } else if( ! is_email( $email )) {
                $error = 'Invalid username or e-mail address.';
            } else if( ! email_exists( $email ) ) {
                $error = 'There is no user registered with that email address.';
            } else {

                $random_password = wp_generate_password( 12, false );
                $user = get_user_by( 'email', $email );

                $update_user = wp_update_user( array (
                        'ID' => $user->ID,
                        'user_pass' => $random_password
                    )
                );

                // wp_update_user() returns the user ID on success and a WP_Error on failure,
                // so test for the error object; on success, email the new password to the user
                if( ! is_wp_error( $update_user ) ) {
                    $to = $email;
                    $subject = 'Your new password';
                    $sender = get_option( 'blogname' );    // site title
                    $from = get_option( 'admin_email' );   // send from the site, not from the recipient

                    $message = 'Your new password is: '.$random_password;

                    $headers[] = 'MIME-Version: 1.0' . "\r\n";
                    $headers[] = 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
                    $headers[] = "X-Mailer: PHP \r\n";
                    $headers[] = 'From: '.$sender.' <'.$from.'>' . "\r\n";

                    $mail = wp_mail( $to, $subject, $message, $headers );
                    if( $mail ) {
                        $success = 'Check your email address for your new password.';
                    }
?>
<script>
//change the url to the page in your site you want to see after password reset is done:
document.location="http://www.your_site.com.au/check-email/";
</script>
<?php

                } else {
                    $error = 'Oops something went wrong updating your account.';
                }

            }

        }
    ?>

    <!-- html code -->
<div id="content" class="col-full">
<div id="main-sidebar-container">
<div id="main">
    <div id="contact-page" class="page">
    <h1 class="title">My Account</h1>
    <h2><?php the_title(); ?></h2><div style="width:333px;height:7px"></div>
    <form method="post">
        <fieldset>
            <p>Please enter your email address. You will receive a temporary password via email.</p>
            <p><label for="user_login">E-mail:</label>
                <input type="text" name="email" id="user_login"  value="" />
                <input type="hidden" name="action" value="reset" />
                &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                <input type="submit" value="Get New Password" class="button" id="submit" />
            </p>
        </fieldset>
    </form>
    </div>
</div><!-- /main -->
</div><!-- /#main-sidebar-container -->
</div>
</div>
<?php get_footer(); ?>

To make this work you have to copy the above code to a file and name it something like “template-lost-pw.php” and upload it to your current theme’s directory. Then simply create a new page in wp-admin with no content but a title for your lost password page and set the page template to “Jafty lost pw pg”, save the page and it will work!

Summary

That should do it. Just make a couple of simple edits to the code above and you should be off and running with a custom lost password page for your WordPress site! Change the URL in the document.location line of the redirect script (around line 60), where it says …your_site…, to your own and it should work pretty much out of the box.
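A variant of the form handler that emails a one-time, expiring reset link instead of a new password, leaving the current password valid until the user follows the link. This is an added example, not the original template's code; the function name `example_send_reset_link()`, the nonce action `example_lost_pw` and the field name `example_nonce` are hypothetical, and the link points at WordPress's standard `wp-login.php` reset screen.

```php
<?php
// Added example, not the original template's code. Hypothetical names:
// example_send_reset_link(), nonce action 'example_lost_pw', field 'example_nonce'.
// The form must call wp_nonce_field( 'example_lost_pw', 'example_nonce' ).

function example_send_reset_link() {
    // Same message whether or not the account exists, so the form
    // cannot be used to test which addresses are registered.
    $generic = 'If that address is registered, a reset link has been sent to it.';

    // Reject requests that did not come from our own form (CSRF check).
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['example_nonce'] ), 'example_lost_pw' ) ) {
        return 'Your session expired. Please reload the page and try again.';
    }

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        return 'Enter a valid e-mail address.';
    }

    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return $generic;
    }

    // Core stores only a hash of this key and rejects it after the
    // 'password_reset_expiration' window (one day by default).
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $generic;
    }

    // The current password stays valid until the user follows the link.
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key )
        . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    $message  = "Someone requested a password reset for your account.\r\n\r\n";
    $message .= "To choose a new password, visit:\r\n" . $link . "\r\n\r\n";
    $message .= "If you did not request this, ignore this e-mail.\r\n";

    wp_mail( $user->user_email, 'Password reset request', $message );
    return $generic;
}
```

Call the function when the form is posted and print the string it returns above the form.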

4 Replies to “How to Make a New Lost Password or Password Reset Page for WordPress”

  1. Bad juju! You should never send a password in an email. You should only send a unique link that will reset that user’s password. And that link should expire in a short amount of time.

    Your technique fails all Security 101 recommendations.

    1. Valid Point! Thanks for bringing that up. I should have mentioned that perhaps. If you are a web developer however, I am sure you probably had to do things that you may not approve of to make a client happy sometimes. In this case, a client insisted that the password be emailed to users. The client isn’t operating a site that requires stringent security necessarily. That doesn’t make it safe, I’m just saying that there are cases where such code could be needed, so I posted it. I do appreciate you bringing it to readers’ attention how it might not be safe. I guess I took it for granted that it went without saying. -Ian L.

  2. The template worked great. I do have one question though…My Theme comes with a custom login page and under that you have the typical password reset link. This unfortunately takes you to the standard WordPress password reset page. How could one get a redirect from the login page’s reset password link to the custom password page?

    FYI, the guy above is nuts…..passwords are sent by developers to associates ALL THE TIME through the mail. If you use best practices in dealing with those passwords, getting them hacked isn’t very likely.
