Two Giraffes

Archive for December, 2010

Quick Hack: How to disable password resets & changes for wordpress users

One of my client sites ran into a problem where a group of users who share the same login/password would change the password for the profile, locking all of the other users out. I won't get into the specific details of why there aren't individual username and password combinations, but here is a quick hack I used to stop this from happening. Below is what the admin screen looks like after this quick hack: the change password option is gone.

To actually disable the password fields in the WP admin, I just commented lines out of user-edit.php in the wp-admin directory. I'll admit this isn't the best way to do it, as the admin account won't be able to change the password either, but in this case I was looking for something that would quickly remove these fields, as I knew I wouldn't be changing the password anytime soon. I could have set a cron job to change the password. Here are the lines I removed (lines 291-303):

```php
<?php $show_password_fields = apply_filters('show_password_fields', true, $profileuser); if ( $show_password_fields ) : ?>

<label for="pass1"><?php _e('New Password'); ?></label>

<input id="pass1" name="pass1" size="16" type="password" /> <span class="description"><?php _e("If you would like to change the password type a new one. Otherwise leave this blank."); ?></span>

<input id="pass2" name="pass2" size="16" type="password" /> <span class="description"><?php _e("Type your new password again."); ?></span>
<div id="pass-strength-result"><?php _e('Strength indicator'); ?></div>
<p class="description indicator-hint"><?php _e('Hint: The password should be at least seven characters long. To make it stronger, use upper and lower case letters, numbers and symbols like ! " ? $ % ^ &amp; ).'); ?></p>
<?php endif; ?>
```

By commenting out that code, the change password field is completely removed from the profile screen. Unfortunately, that wasn't enough, as WordPress still allows you to reset the password via email. I found a solution in this support thread on wordpress.org:

```php
<?php
/*
Plugin Name: Disable Lost Password Feature
*/

// Tell wp-login.php that no account may use the email reset flow.
function disable_password_reset() { return false; }
add_filter ( 'allow_password_reset', 'disable_password_reset' );

// Blank out the "Lost your password?" link text while the login page renders.
// The gettext filter passes more arguments, but only the translated string is needed here.
function remove_password_reset_text ( $text ) { if ( $text == 'Lost your password?' ) { $text = ''; } return $text;  }

function remove_password_reset() { add_filter( 'gettext', 'remove_password_reset_text' ); }
add_action ( 'login_head', 'remove_password_reset' );

// Login error messages also link to the reset page; strip that text as well.
function remove_password_reset_text_in ( $text ) { return str_replace( 'Lost your password?', '', $text ); }
add_filter ( 'login_errors', 'remove_password_reset_text_in');

?>
```

After activating the above plugin, that should leave no way for a user to change their password. It's not a perfect solution, just something I quickly threw together. I would love to hear if any other developers have come across this, and if so, what their solution was.
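As an added example (not the post's own code or the support-thread plugin), here is how the same result can be reached without editing core files, and restricted to the one shared account so that administrators keep their own password controls. It uses the `show_password_fields` filter that appears in the removed user-edit.php snippet, the `allow_password_reset` filter used by the plugin above (which also receives the user ID), and the `user_profile_update_errors` action that `edit_user()` fires before saving. The `tg_` function names, the `TG_LOCKED_LOGIN` constant and the login value `shared-team-login` are assumptions chosen for this example.

```php
<?php
/*
Plugin Name: Lock Shared Account Password (example)
*/

// Assumed: the login of the shared account whose password must stay fixed.
define( 'TG_LOCKED_LOGIN', 'shared-team-login' );

// Returns true only for the account we want to lock; every other user is unaffected.
function tg_is_locked_user( $user_id ) {
    $user = get_userdata( $user_id );
    return $user && $user->user_login === TG_LOCKED_LOGIN;
}

// 1. Hide the "New Password" fields on the profile screen for the locked account only.
//    user-edit.php calls apply_filters( 'show_password_fields', true, $profileuser ).
function tg_hide_password_fields( $show, $profileuser ) {
    return tg_is_locked_user( $profileuser->ID ) ? false : $show;
}
add_filter( 'show_password_fields', 'tg_hide_password_fields', 10, 2 );

// 2. Hiding the fields is UI only: a request to profile.php can still carry pass1/pass2.
//    edit_user() sets $user->user_pass when pass1 is non-empty and then fires
//    user_profile_update_errors; adding an error there aborts the save.
function tg_block_password_change( $errors, $update, $user ) {
    if ( $update && ! empty( $user->user_pass ) && tg_is_locked_user( $user->ID ) ) {
        $errors->add( 'pass', __( 'The password for this shared account cannot be changed here.' ) );
    }
}
add_action( 'user_profile_update_errors', 'tg_block_password_change', 10, 3 );

// 3. Refuse the e-mail reset for the locked account; other users keep the normal flow.
//    wp-login.php calls apply_filters( 'allow_password_reset', $allow, $user_id ).
function tg_block_password_reset( $allow, $user_id ) {
    return tg_is_locked_user( $user_id ) ? false : $allow;
}
add_filter( 'allow_password_reset', 'tg_block_password_reset', 10, 2 );
```

Step 2 is the one worth keeping even if the fields are hidden some other way: removing form fields from the page does not stop the server-side code path that saves a new password, so the check has to sit in the update handler as well. Because each hook receives the user being acted on, the lock applies to the shared login only, and the admin account is not caught by it the way the commented-out core file and the site-wide reset plugin above catch everyone.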