Disable Password Reset
Disable Password Reset turns off public “forgot password” self-service for everyone. Use only when you reset passwords another way (manual admin password, WP-CLI, or admin-sent reset links when enabled in settings).
What it does
Section titled “What it does”- Blocks public lost-password requests and redirects those flows back toward login.
- Hides lost-password UI on the login screen and related front-end links.
- Redirects WooCommerce My Account lost-password endpoint with a notice.
- Outstanding email reset links stop working while the module is on.
- Optional: allow users with edit-user permission to still email reset links from Users screens.
- Normal login, registration, and logged-in profile password changes stay available.
When to use it
Section titled “When to use it”Enable it if:
- Account recovery must be handled only by administrators.
- Public reset forms are being abused for email flooding or account probing.
- You have a documented admin recovery process (profile password change, WP-CLI, or admin-sent links).
When not to use it
Section titled “When not to use it”Settings
Section titled “Settings”- Allow admins to send password reset links - when on, users who can edit users may still email reset links from Users screens; public forms stay blocked.
- Disabled message - shown on the login screen when someone tries recovery; blank uses the default message.
How to enable it
Section titled “How to enable it”- Go to WP PowerSuite -> Modules.
- Open Security or search for “Disable Password Reset”.
- Toggle Disable Password Reset on.
- Configure admin recovery and the disabled message, then save.
How to test it
Section titled “How to test it”- Enable the module, then open the lost-password link from the login screen.
- ✅ Pass: recovery is blocked/redirected and your disabled message (or default) appears.
- If WooCommerce is active, open the My Account lost-password URL.
- ✅ Pass: endpoint redirects to the account page with a notice.
- ❌ Fail: confirm the module is on and no custom login plugin bypasses
allow_password_reset.
Troubleshooting
Section titled “Troubleshooting”- Users still receive reset emails. Another plugin may send resets; check Allow admins to send password reset links and any membership plugins.
- Locked out with no recovery path. An administrator can set a password on the user profile or via WP-CLI even when public reset is off.
- WooCommerce link still visible in a cached page. Clear cache after enabling.
What does Disable Password Reset do?
It turns off public forgot-password self-service and stops outstanding email reset links while the module is on.
Is Disable Password Reset free?
Yes. Enable it under WP PowerSuite -> Modules.
Can admins still reset passwords?
Yes. Admins can always set a password on a user profile or via WP-CLI. Optionally they can still email reset links from Users screens.
Does login still work?
Yes. Normal login, logout, registration (if enabled), and logged-in profile password changes are not affected.
How do I turn Disable Password Reset off?
Go to WP PowerSuite -> Modules, find Disable Password Reset, and toggle it off.
Developer notes (hooks & filters)
Source: modules/disable-password-reset/module.php.
Boot: critical · context: both.
Hooks: allow_password_reset, lostpassword_url, login_message, login_init, template_redirect (WooCommerce lost-password), wp_powersuite_login_email_secure_account_url.