The password_reset_key_expired WordPress PHP filter is used to modify the return value of the check_password_reset_key() function when an old-style key is used.
Usage
add_filter('password_reset_key_expired', 'your_custom_function', 10, 2);
function your_custom_function($return, $user_id) {
    // your custom code here
    return $return;
}
Parameters
$return (WP_Error): A WP_Error object denoting an expired key. Return a WP_User object to validate the key.
$user_id (int): The matched user ID.
More information
See WordPress Developer Resources: password_reset_key_expired
Examples
Extend the password reset key expiration time
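This example extends the password reset key expiration time to 48 hours. It reads the key's timestamp from the _wp_password_reset_key_timestamp user meta, which WordPress core does not set, so other code on the site must store it when the key is created.
add_filter('password_reset_key_expired', 'extend_password_reset_key_expiration', 10, 2);
function extend_password_reset_key_expiration($return, $user_id) {
    // Check if the key has expired
    if (is_wp_error($return)) {
        // Get the user's password reset key timestamp.
        // WordPress core does not set this meta key; custom code must store it.
        $key_timestamp = (int) get_user_meta($user_id, '_wp_password_reset_key_timestamp', true);
        // Validate the key only if a timestamp exists and is less than 48 hours old.
        // A missing timestamp leaves the key rejected.
        if ($key_timestamp > 0 && time() - $key_timestamp < 48 * HOUR_IN_SECONDS) {
            // Return a WP_User object to validate the key
            return new WP_User($user_id);
        }
    }
    return $return;
}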
Prevent password reset for a specific user role
This example prevents password reset with an old-style key for users with the ‘administrator’ role.
add_filter('password_reset_key_expired', 'prevent_password_reset_for_admins', 10, 2);
function prevent_password_reset_for_admins($return, $user_id) {
    // Get the user object
    $user = new WP_User($user_id);
    // Check if the user has the 'administrator' role
    if (in_array('administrator', $user->roles)) {
        // Return a WP_Error object to indicate that the key is expired
        return new WP_Error('expired_key', __('Password reset is not allowed for administrators.'));
    }
    return $return;
}
Always allow password reset
This example validates every old-style key that reaches the filter, regardless of the key’s expiration status. Because old-style keys are stored without an expiration time, a key validated this way does not expire on its own.
add_filter('password_reset_key_expired', 'always_allow_password_reset', 10, 2);
function always_allow_password_reset($return, $user_id) {
    // Return a WP_User object to validate the key
    return new WP_User($user_id);
}
Add a custom error message for expired keys
This example adds a custom error message for expired password reset keys.
add_filter('password_reset_key_expired', 'custom_expired_key_error_message', 10, 2);
function custom_expired_key_error_message($return, $user_id) {
    // Check if the key has expired
    if (is_wp_error($return)) {
        // Replace the default error message with a custom one
        $return->remove('expired_key');
        $return->add('expired_key', __('Your password reset key has expired. Please request a new one.'));
    }
    return $return;
}
Log password reset attempts with expired keys
This example logs password reset attempts with expired keys for further investigation.
add_filter('password_reset_key_expired', 'log_expired_key_attempts', 10, 2);
function log_expired_key_attempts($return, $user_id) {
    // Check if the key has expired
    if (is_wp_error($return)) {
        // Get the user object
        $user = new WP_User($user_id);
        // Log the expired key attempt
        error_log("Expired password reset key attempt for user: {$user->user_login} (ID: {$user_id})");
    }
    return $return;
}
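Guard against old-style keys validated by other callbacks
A defensive counterpart to the examples above, added here and not taken from the original page or from WordPress core: a guard registered at the latest priority that re-rejects any old-style key an earlier callback on this filter validated, and logs the event. The function name guard_old_style_reset_keys and the log wording are assumptions.

```php
<?php
// Added example, not WordPress core code. The function name and the log
// wording are hypothetical. PHP_INT_MAX makes this callback run after every
// other callback attached to the filter.
add_filter( 'password_reset_key_expired', 'guard_old_style_reset_keys', PHP_INT_MAX, 2 );

function guard_old_style_reset_keys( $return, $user_id ) {
    $user_id = (int) $user_id;

    // Untouched default: the old-style key is already rejected.
    if ( is_wp_error( $return ) ) {
        return $return;
    }

    // Anything else means an earlier callback replaced the WP_Error,
    // typically with a WP_User, which would validate the key.
    $user  = get_userdata( $user_id );
    $login = $user ? $user->user_login : 'unknown';
    $type  = is_object( $return ) ? get_class( $return ) : gettype( $return );

    // Strip control characters so the value cannot split the log line.
    $login = preg_replace( '/[\x00-\x1F\x7F]/', '', $login );

    error_log( sprintf(
        'password_reset_key_expired: old-style key for user %s (ID %d) was validated by another callback (%s); rejecting.',
        $login,
        $user_id,
        $type
    ) );

    // Same error code the filter receives by default, so callers treat
    // the result as an expired key.
    return new WP_Error( 'expired_key', __( 'Invalid key.' ) );
}
```

With this guard active, a user holding an old-style key has to request a new reset link, which is issued in the current format.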