How to Remove the Password Reset / Change Option From WordPress

Password management in WordPress can be tricky, especially for websites with multiple users or those requiring tight security controls.

We’ve seen numerous situations where clients accidentally locked themselves out after messing with password settings.

While the password reset feature is helpful for regular users, it can become a security concern for business websites or membership sites where you want to maintain strict control over user access.

In this step-by-step guide, we’ll show you how to safely remove the password reset and change options from your WordPress site.

Whether you’re running a membership site or managing a business website, you’ll learn how to disable these features without breaking your WordPress installation.

Why Remove Password Reset/Change Option From WordPress?

You should remove the password reset/change option if you want to prevent users from resetting their passwords on your site.

This can improve security and control, especially for temporary accounts, demo logins, or specific user roles.

Here are the main reasons:

• Temporary or Demo Accounts: You may not want users to change passwords for accounts meant only for testing or demonstrations.
• Security Concerns: Password reset links can be exploited by hackers to attempt unauthorized access.
• Control Over User Access: Some user roles may need restricted abilities, including password changes.

Simply hiding the link on the login page isn’t enough, because savvy users can still access the password reset URL directly. That’s why it’s better to completely disable the password reset functionality for the targeted users.

With that in mind, let’s see how you can easily remove the password reset/change option from WordPress. We’ll cover two ways to remove the password reset option.

The first method simply hides the link from your login page, while the second method completely disables the functionality.

For better security, we recommend the second method, which ensures users cannot access the password reset page even with a direct link.

Ready? Let’s get started.

Method 1: Hide the Password Reset Link Using LoginPress

The easiest way to disable the password reset/change option is with LoginPress. It’s a free WordPress plugin that allows you to customize the login page.

LoginPress offers a wide range of features to customize the appearance of the login page, improving both security and how the page looks.

Step 1: Install and Activate LoginPress

To get started, you will need to install and activate LoginPress. For more details, you can check out our tutorial on how to install a WordPress plugin.

Step 2: Disable Forgot Password

Upon activation, you’ll want to head over to LoginPress » Customizer. This will take you to a built-in editor where you can easily customize any aspect of your WordPress login page.

To remove the ‘Lost your password?’ message, you need to go to the ‘Form Footer’ tab. Clicking on the pencil icon next to ‘Lost your password?’ will also take you to the ‘Form Footer’ tab.

Then, you need to turn off the ‘Enable Footer Text’ option.

This will remove the ‘Register’ and ‘Lost your password?’ options from your login page.

The plugin offers plenty of other cool features.

For example, you can change the button color and text colors, add logos, and even change the background. Just click the pencil icon on whichever spot you want to change or navigate through the left side panel.

Once you are done customizing the WordPress login page, you’ll be ready to save the changes.

Simply hit the ‘Publish’ button in the top left corner to finalize the changes.

Lastly, you need to log out of your WordPress dashboard and try to log in again to check that the lost password option no longer appears.

You have now successfully hidden the password reset link from your WordPress login page.

Method 2: Manually Disable Password Reset Option From WordPress Using WPCode

This method requires you to add code to your WordPress site.

Some tutorials will tell you to edit the files directly, but we don’t recommend this. Even the smallest error while typing code can cause WordPress errors or even make your site inaccessible.

That’s why we recommend using WPCode instead.

It is the best WordPress code snippets plugin that allows you to add custom code in WordPress without editing your theme’s functions.php file.

After thorough testing, we have found it to be the easiest and safest way to add code so you won’t have to worry about breaking your site. To learn more, see our WPCode review.

Step 1: Install and Activate the WPCode Plugin

To get started, you’ll need to install and activate the WPCode plugin. For more information, please see our guide on how to install a WordPress plugin.

Step 2: Add a New Custom Snippet

Then, you’ll need to go to Code Snippets » + Add Snippet.

Since there’s no ready-made snippet for disabling the password reset option, you’ll need to add custom code. You can hover over the ‘Add Your Custom Code’ bar and click ‘Use Snippet.’

On the next screen, you’ll name your custom snippet.

You might want to give it a clear name so you can easily refer to it later if you need to make changes to it.

Next, for the ‘Code Type,’ let’s select the ‘PHP Snippet’ option from the dropdown menu.

Step 3: Insert and Configure the PHP Code

Then, you’ll want to copy and paste the following code into the ‘Code Preview’ text editor:

<?php
/*
 * Plugin Name: Disable Password Reset
 * Description: Disable password reset functionality. Only users with administrator role will be able to change passwords from inside admin area.
 * Version: 1.0
 * Author: WPBeginner
 * Author URI: http://wpbeginner.com
 */

class Password_Reset_Removed
{

  function __construct()
  {
    add_filter( 'show_password_fields', array( $this, 'disable' ) );
    add_filter( 'allow_password_reset', array( $this, 'disable' ) );
    add_filter( 'gettext',              array( $this, 'remove' ) );
  }

  function disable()
  {
    if ( is_admin() ) {
      $userdata = wp_get_current_user();
      $user = new WP_User($userdata->ID);
      if ( !empty( $user->roles ) && is_array( $user->roles ) && $user->roles[0] == 'administrator' )
        return true;
    }
    return false;
  }

  function remove($text)
  {
    return str_replace( array('Lost your password?', 'Lost your password'), '', trim($text, '?') );
  }
}

$pass_reset_removed = new Password_Reset_Removed();
?>

Here is what your screen should look like:

Step 4: Activate and Save Your Snippet

From here, all you need to do is toggle the option from ‘Inactive’ to ‘Active’ at the top of the page.

Then, go ahead and hit ‘Save Snippet’ to finalize the changes.

Congratulations, you are all set!

Now, you can log out of your WordPress admin area so you can check if the password reset option has been removed.

Bonus: Disable Login With Email Address in WordPress

Now that you’ve learned about disabling the ‘Password Reset / Change Option,’ you might want to take your WordPress login security to the next level. One of your options is disabling login with email address.

Let’s say someone wants to hack your WordPress site. If they know your email address, they could try to use it as a username to guess your password.

Disabling login by email makes it harder for attackers to brute-force their way in, as they would need to know the exact username, not just the email.

WPCode has a ‘Disable Login by Email’ snippet you can use.

Simply install and activate the plugin and search for the snippet in its library to apply the code.

For more detailed instructions, you can follow through our guide on how to disable login with email address feature in WordPress.

Frequently Asked Questions About Disabling Password Resets

Here are some questions that our readers frequently ask about disabling password resets:

Is it safe to remove the password reset option in WordPress?

Yes, it is perfectly safe and can be a good security measure for certain types of websites. It reduces the number of ways someone could try to gain unauthorized access to an account.

Just be sure you have a process for users to contact you if they get locked out.

Can administrators still change user passwords?

Absolutely. Site administrators can always reset passwords for any user directly from the WordPress dashboard. Simply go to the ‘Users’ section, edit the user’s profile, and set a new password there.

What should a user do if they forget their password?

If a user forgets their password after you’ve disabled the reset link, they will need to contact a site administrator. The admin can then manually generate a new password for them.

We hope this article helped you learn how to remove the password reset/change option from WordPress. You may also want to check out our guides on how to password-protect your WordPress admin (wp-admin) directory and how to force logout all users in WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.