WordPress 5.7 Lets Administrators Send Password Reset Links

It’s that time in the release cycle when all the dev notes are rolling out ahead of the next major update. These notes include technical summaries of all the goodies coming in the next release. If you haven’t been paying close attention, there are always a few happy surprises in there that pop up as conclusions to tickets that contributors have been working on for years.

The new password reset feature coming in WordPress 5.7 allows administrators to manually send a password reset link to users, resolving a five-year old ticket. Instead of having to instruct a user about where to go to click on the lost password link and follow the steps, this new feature lets administrators push a button in the admin to send the link. If you have ever had to support clients or a community of users who may not be very technically inclined, this new password reset feature will save lots of time in helping users regain access to their accounts.

The “Send password reset” link is available in several places. Administrators can find the link on the Users screen, as well as in the bulk actions dropdown menu.

It is also available on the individual user screen with a button and a note clarifying that this action will not change the user’s password or force the user to change it.

The password reset email notification includes the site name, username, a password reset link, and the IP address where the request originated:

This password reset request originated from the IP address [IPADDRESS].

There is an open discussion on the original ticket regarding whether this email notification should include the administrator’s IP address.

“The IP address (while fraught with privacy concerns) is the only thing validating that this email came from the website and is not a phishing email,” contributor Gabriel Mariani said. “Unless there is a better way to validate the authenticity of the email I’d say it would be worthwhile to keep it.”

Others see the IP address as useful only if a user is attempting to verify that it is their own IP address or collecting the information to prevent a phishing attack. Giving out the administrator’s IP address doesn’t seem pertinent to either of those concerns.

“I could use my phone to send a reset, and I would have no idea what my IP was,” Mika Epstein said. “And that can easily be faked. Omitting the IP actually reduces the data being sent out that could be used by bad-actors.

“I think it’s more likely we’d have a savvy bad actor than end users who would need to ask for a password reset but also know what a valid IP is and how to ask about it.”

This part of the email text may be iterated on in subsequent patches or future releases of WordPress. Check out the dev note for more discussion on this feature, along with information about further customizing the notification email.

4

4 responses to “WordPress 5.7 Lets Administrators Send Password Reset Links”

  1. Wow! I had no idea about this feature. I subscribed this sites newsletter and I must say everytime I read a post either visiting the site or in my mail itself, it adds value to my life.

    Learned a lot from these articles. I wasn’t aware of 80% of updates that I got to know from here.

    Report

  2. This is so nice. Next time a client says that they cannot access their Dashboard because they forgot their password, this will certainly make it easier for administrators to lead them to that Dashboard. Thanks WordPress & Thanks WPTavern for another great post.

    Report

  3. “Instead of having to instruct a user about where to go to click on the lost password link and follow the steps, this new feature lets administrators push a button in the admin to send the link.”

    This suggests a number of admins were having a failure of imagination: it’s always been possible for the admin to visit the login page and type in the user’s login, to send them the lost password email. So, this new feature really only means clicking a link in the admin instead of the front-end. Nice to have, but as I say, it was always possible.

    Report

Newsletter

Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: