The password_reset_key_expired WordPress PHP filter is used to modify the return value of the check_password_reset_key()
function when an old-style key is used.
Usage
add_filter('password_reset_key_expired', 'your_custom_function', 10, 2);

function your_custom_function($return, $user_id) {
    // your custom code here
    return $return;
}
Parameters
$return
(WP_Error): A WP_Error object denoting an expired key. Return a WP_User object to validate the key.
$user_id
(int): The matched user ID.
More information
See WordPress Developer Resources: password_reset_key_expired
Examples
Extend the password reset key expiration time
This example extends the password reset key expiration time to 48 hours. It reads the time of the reset request from the _wp_password_reset_key_timestamp user meta, which WordPress core does not set, so the site has to record that value itself.
add_filter('password_reset_key_expired', 'extend_password_reset_key_expiration', 10, 2);

function extend_password_reset_key_expiration($return, $user_id) {
    // Check if the key has expired
    if (is_wp_error($return)) {
        // Get the user's password reset key timestamp.
        // WordPress core does not write this meta key; the site's own code must store it.
        $key_timestamp = get_user_meta($user_id, '_wp_password_reset_key_timestamp', true);

        // Check that a timestamp exists and the key was issued less than 48 hours ago
        if (is_numeric($key_timestamp) && time() - (int) $key_timestamp < 48 * HOUR_IN_SECONDS) {
            // Return a WP_User object to validate the key
            return new WP_User($user_id);
        }
    }

    return $return;
}
Prevent password reset for a specific user role
This example makes sure a key that reaches this filter is never validated for users with the ‘administrator’ role, whatever an earlier callback returned. It does not affect resets made with a valid, unexpired key, because the filter is not applied to those.
add_filter('password_reset_key_expired', 'prevent_password_reset_for_admins', 10, 2);

function prevent_password_reset_for_admins($return, $user_id) {
    // Get the user object
    $user = new WP_User($user_id);

    // Check if the user has the 'administrator' role (strict comparison)
    if (in_array('administrator', $user->roles, true)) {
        // Return a WP_Error object to indicate that the key is expired
        return new WP_Error('expired_key', __('Password reset is not allowed for administrators.'));
    }

    return $return;
}
Always allow password reset
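This example always allows password reset, regardless of the key’s expiration status. With it in place a matched key never expires, so a reset link that leaks (for example from a mailbox or a mail log) stays usable until the password is changed or a new key is issued; avoid it on production sites.
add_filter('password_reset_key_expired', 'always_allow_password_reset', 10, 2);

function always_allow_password_reset($return, $user_id) {
    // Return a WP_User object to validate the key
    return new WP_User($user_id);
}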
Add a custom error message for expired keys
This example adds a custom error message for expired password reset keys.
add_filter('password_reset_key_expired', 'custom_expired_key_error_message', 10, 2);

function custom_expired_key_error_message($return, $user_id) {
    // Check if the key has expired
    if (is_wp_error($return)) {
        // Replace the default error message with a custom one
        $return->remove('expired_key');
        $return->add('expired_key', __('Your password reset key has expired. Please request a new one.'));
    }

    return $return;
}
Log password reset attempts with expired keys
This example logs password reset attempts with expired keys for further investigation.
add_filter('password_reset_key_expired', 'log_expired_key_attempts', 10, 2);

function log_expired_key_attempts($return, $user_id) {
    // Check if the key has expired
    if (is_wp_error($return)) {
        // Get the user object
        $user = new WP_User($user_id);

        // Log the expired key attempt
        error_log("Expired password reset key attempt for user: {$user->user_login} (ID: {$user_id})");
    }

    return $return;
}
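
Guard against callbacks that re-validate expired keys
A defensive counterpart to the "Always allow password reset" and logging examples above, added here and not taken from the original page or from WordPress itself: a callback at the last priority that detects when another callback has turned the expired-key error into a valid user, logs the callbacks registered on the hook, and restores the error. The function name example_guard_expired_reset_key and the log wording are hypothetical, and the code assumes WordPress 4.7 or later, where $wp_filter entries are WP_Hook objects.

```php
<?php
// Added example, not from the original page: meant to be loaded as a must-use plugin.
// The function name and log wording are hypothetical.
add_filter('password_reset_key_expired', 'example_guard_expired_reset_key', PHP_INT_MAX, 2);

function example_guard_expired_reset_key($return, $user_id) {
    // The filter starts with a WP_Error. If it is still one, nothing was re-validated.
    if (is_wp_error($return)) {
        return $return;
    }

    // An earlier callback returned a user object. List every other callback
    // on this hook so the log entry points at the code that needs review.
    global $wp_filter;
    $callbacks = array();
    if (isset($wp_filter['password_reset_key_expired'])) {
        foreach ($wp_filter['password_reset_key_expired']->callbacks as $priority => $entries) {
            foreach ($entries as $entry) {
                $fn = $entry['function'];
                if (is_string($fn)) {
                    $name = $fn;
                } elseif (is_array($fn)) {
                    $name = (is_object($fn[0]) ? get_class($fn[0]) : $fn[0]) . '::' . $fn[1];
                } else {
                    $name = 'closure';
                }
                if ('example_guard_expired_reset_key' !== $name) {
                    $callbacks[] = $priority . ':' . $name;
                }
            }
        }
    }

    error_log(sprintf(
        'password_reset_key_expired: expired key was re-validated for user ID %d; registered callbacks: %s',
        (int) $user_id,
        implode(', ', $callbacks)
    ));

    // Fail closed with a generic message that does not say why the key was rejected.
    return new WP_Error('expired_key', __('Invalid key.'));
}
```

Because the guard runs at PHP_INT_MAX, a site that deliberately validates old-style keys for some users has to add that exception inside the guard rather than in a separate callback.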