Skip to content

Disable Password Reset

Disable Password Reset turns off public “forgot password” self-service for everyone. Use only when you reset passwords another way (manual admin password, WP-CLI, or admin-sent reset links when enabled in settings).

  • Blocks public lost-password requests and redirects those flows back toward login.
  • Hides lost-password UI on the login screen and related front-end links.
  • Redirects WooCommerce My Account lost-password endpoint with a notice.
  • Outstanding email reset links stop working while the module is on.
  • Optional: allow users with edit-user permission to still email reset links from Users screens.
  • Normal login, registration, and logged-in profile password changes stay available.

Enable it if:

  • Account recovery must be handled only by administrators.
  • Public reset forms are being abused for email flooding or account probing.
  • You have a documented admin recovery process (profile password change, WP-CLI, or admin-sent links).
  • Allow admins to send password reset links - when on, users who can edit users may still email reset links from Users screens; public forms stay blocked.
  • Disabled message - shown on the login screen when someone tries recovery; blank uses the default message.
  1. Go to WP PowerSuite -> Modules.
  2. Open Security or search for “Disable Password Reset”.
  3. Toggle Disable Password Reset on.
  4. Configure admin recovery and the disabled message, then save.
  • Enable the module, then open the lost-password link from the login screen.
  • ✅ Pass: recovery is blocked/redirected and your disabled message (or default) appears.
  • If WooCommerce is active, open the My Account lost-password URL.
  • ✅ Pass: endpoint redirects to the account page with a notice.
  • ❌ Fail: confirm the module is on and no custom login plugin bypasses allow_password_reset.
  • Users still receive reset emails. Another plugin may send resets; check Allow admins to send password reset links and any membership plugins.
  • Locked out with no recovery path. An administrator can set a password on the user profile or via WP-CLI even when public reset is off.
  • WooCommerce link still visible in a cached page. Clear cache after enabling.
What does Disable Password Reset do?

It turns off public forgot-password self-service and stops outstanding email reset links while the module is on.

Is Disable Password Reset free?

Yes. Enable it under WP PowerSuite -> Modules.

Can admins still reset passwords?

Yes. Admins can always set a password on a user profile or via WP-CLI. Optionally they can still email reset links from Users screens.

Does login still work?

Yes. Normal login, logout, registration (if enabled), and logged-in profile password changes are not affected.

How do I turn Disable Password Reset off?

Go to WP PowerSuite -> Modules, find Disable Password Reset, and toggle it off.

Developer notes (hooks & filters)

Source: modules/disable-password-reset/module.php. Boot: critical · context: both.

Hooks: allow_password_reset, lostpassword_url, login_message, login_init, template_redirect (WooCommerce lost-password), wp_powersuite_login_email_secure_account_url.