I want to send custom password to user instead of reset password link. I can not find any such option in the admin panel. How can I do it?
When user resets his password, I want him to get new password on his mail.
I do not want to change core files. Also I am bit new to WordPress.
Current flow: user gets reset password link that he can use to set password
FLow wanted: user will be sent new password to login
I want to send custom password to user instead of reset password link. I can not find any such option in the admin panel. How can I do it?
When user resets his password, I want him to get new password on his mail.
I do not want to change core files. Also I am bit new to WordPress.
Current flow: user gets reset password link that he can use to set password
FLow wanted: user will be sent new password to login
- 5 I would recommend against this - sending the password reset link allows for a more secure method of resetting the user's password. Providing a password in plaintext via email is a Bad Idea, from a security standpoint. – phatskat Commented Feb 6, 2019 at 21:34
1 Answer
Reset to default 5You can use retrieve_password_message hook for that.
That filter is applied as this:
apply_filters( 'retrieve_password_message', string $message, string $key, string $user_login, WP_User $user_data )
So you'll have access to $user_login of the user. It means, that you can write a filter function that will create random password for that user and then send it.
function my_reset_password_email( $message, $key, $user_login, $user_data ) {
$user_tmp_password = wp_generate_password(12); // it will generate pass with length of 12 characters
wp_set_password( $user_tmp_password, $user_data->ID );
$message = "Looks like you forgot your password!\n\n";
$message .= "...\n";
$message .= 'Your new temporary password: ' . $user_tmp_password . "\n\n";
$message .= 'Kind Regards';
return $message;
}
add_filter( 'retrieve_password_message', 'my_reset_password_email', 10, 4 );
So this will do what you wanted to, but...
I would really recommend not to use such approach. Why? Because anybody will be able to reset your password and prevent you from logging in. All I have to know to reset your password is your e-mail address. If I go to "I forgot my password" and put your email in there, your password will get changed and you'll get email with new one. But if that email goes to spam and you go to the site, you won't be able to log in and you won't know why...
Also it's a very, very bad idea to send passwords in emails and you should never do this.
And if you really, really have to, then at least force user to change his password after first logging in.