How to Remove Lost Password Link and Disable Password Reset in WordPress

WordPress has changed the way it manages user passwords and by default WordPress now recommends strong passwords whenever you forget your password, create a new user or simply want to reset your password. To help create strong passwords, WordPress provides a generator in the Users > All Users dashboard, under Account Management. Also, WordPress removed the default behaviour of emailing passwords to users directly either from initial set up or through a password reset request.

Now when a registered user requests a password reset they are emailed a link that allows them to set a new password in WordPress and the password reset links automatically expire after 24 hours. Also, when updating an email address or password from the user dashboard, a notification is sent to the original user email address notifying them of the change.

While these changes to WordPress password security are a welcomed addition, there is still a risk associated with your email account. If your email account was to become compromised, then the attackers could visit the WordPress login screen and just request a password reset. Now WordPress would then just send a password reset email to your compromised email account and the attacker could gain entry.

In this guide, we will show you how you can remove the Lost Password link from your WordPress login page and completely disable the Password Reset option in WordPress to prevent people from visiting the URL directly using the WordPress functions.php file. We will also show you how to hide any login error messages using CSS in the style.css file or change the error message displayed using the functions.php file.

Important

In this tutorial, we'll be directly editing WordPress theme files and we recommend that you create a child theme of your existing parent theme. By using a child theme you will be able to apply modifications without altering the parent theme files and ensuring any changes you make are kept following any parent theme updates.

Note

If you don't feel comfortable with editing the functions.php file directly, we would recommend you use the Code Snippets plugin. This plugin will enable you to easily add, manage and delete WordPress code snippets from your dashboard. To find out more about adding custom code snippets using a plugin see our tutorial How to Add Custom Code Snippets to WordPress with the Code Snippets Plugin for more information.

In addition to implementing these preventative measures for WordPress security we would highly recommend that you implement Two-Factor Authentication as an addition layer of security for your WordPress logins and users.

You can easily implement Two-Factor Authentication with the plugin Two-Factor, which is available for free on the WordPress repository.

Two Factor Plugin WordPress

The plugin offers a variety of Two-Factor Authentication methods such as Email Authentication codes, Time Based One-Time Passwords (TOTP), FIDO Universal 2nd Factor (U2F) and Backup Codes. All the options are managed in Users > All Users > User Name dashboard, under Account Management.

Two Factor Plugin WordPress Options

How to Remove the Lost Password Link

To remove the Lost Password link from your WordPress login page, simply copy and paste the following code into your functions.php file. You can edit the functions.php file directly in the WordPress dashboard under Appearance > Theme Editor > Theme Functions or edit the file offline and upload using your favourite FTP program.

// Remove Lost Password Link
function vpsb_remove_lostpassword_text ( $text ) {
         if ($text == 'Lost your password?'){$text = '';}
                return $text;
         }
add_filter( 'gettext', 'vpsb_remove_lostpassword_text' );

Now when you access your WordPress login page you will notice that the Lost Password link is no longer displayed.

Remove Password Link Success - WordPress

How to Disable Lost Password URL

Although we have removed the Lost Password text from the WordPress login screen, the Password Reset page is still accessible using /wp-login.php?action=lostpassword.

Disable Password Link - WordPress

To disable the Password Reset URL and redirect back to the WordPress login screen, simply copy and paste the following code into your functions.php file:

// Disable Password Reset URL & Redirect
function vpsb_disable_lost_password() {
    if (isset( $_GET['action'] )){
        if ( in_array( $_GET['action'], array('lostpassword', 'retrievepassword') ) ) {
            wp_redirect( wp_login_url(), 301 );
            exit;
        }
    }
}
add_action( "login_init", "vpsb_disable_lost_password" );

Note

The code above will check to see if the request was for /wp-login.php?action=lostpassword or /wp-login.php?action=retrievepassword and then redirect the request back to the /wp-login.php page using a 301 Permanently Moved redirect.

That’s it. You have now successfully removed the Lost Password text from the login page and disabled direct access to the Lost Password and Retrieve Password URLs. In the next section we will show you some further best practise advice by hiding or changing the default WordPress login error messages.

How to Hide Login Error Messages

When someone entered an incorrect Username or Password into the WordPress login screen, by default WordPress will display an error message such as Unknown username. Check again or try your email address.

Disable Password Link Login Error - WordPress

If you want to hide these Login Error Messages, you can simply copy and paste this code into your style.css file:

#login_error {display: none;}

Now if you enter an incorrect Username or Password, there will be no WordPress Login Error Message displayed on the login screen.

Remove Password Link Success - WordPress

However, while this is useful to prevent the WordPress Login Error Message from being displayed, it’s not very user friendly is you operate a multi-user WordPress site. Therefore, we would recommend that you use the code below to Change WordPress Login Error Message.

Change WordPress Login Error Messages

You can also change the default WordPress Login Error Message to anything you want using the WordPress functions.php file. So, if someone entered an incorrect Username, Email Address or Password you could display a Something went wrong! message. To change the login error message, simply copy and paste this code into your functions.php file:

// Change WordPress Error Messages
function vpsb_change_wordpress_errors(){
  return 'The username or password is incorrect. Please consult your system administrator.’;
}
add_filter( 'login_errors', 'vpsb_change_wordpress_errors' );

Now when someone incorrectly enters a Username, Email Address or Password, you will receive the message The username or password is incorrect. Please consult your system administrator.

Custom Login Error Message - WordPress

Note

You can change the WordPress Login Error Message in the code above, to anything you would prefer simply by changing the return line. For example, if you wanted to change the message to Something went wrong! Please consult your system administrator you would change the code above to return ‘Something went wrong! Please consult your system administrator’;.

That’s it. You have now successfully removed the Lost Password Link from the WordPress login page, disabled the Lost Password URL and redirected back to the WordPress login screen and either hidden or changed the WordPress Login Error Message.

How useful was this guide?

Click on a star to rate it!

Average rating / 5. Vote count:

Be the first to rate this guide.

We are sorry that this guide was not useful for you!

Help us to improve this guide!

Tell us how we can improve this guide?

By VPSBasics

This guide was written by the VPS Basics editorial team, led by Gilberto Van Roosen. They are a unique blend of people, dedicated to providing highly detailed, comprehensive and importantly easy to follow tutorials, written in plain English. They specialise in tutorials for managing Linux servers and its software.

11 Comments for How to Remove Lost Password Link and Disable Password Reset in WordPress

Hi Ed

Thank you for your kind words, it is very much appreciated. Keep an eye out for more guides that we hope you will find just as useful.

Kind Regards
VPSBasics

Leave a Reply to Martin Cancel reply

Note: Your email address will not be published when posting a comment.

Note: All comments are held for moderation and are reviewed by our editorial team prior to approval.

VPSBasics uses Akismet anti-spam filters to reduce spam across our website. Our website is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. Learn how your data is processed.