Multisite: Password Reset on Local Blog

wordpress-password-reset-unmultisite.php

<?php
/**
 * Plugin Name: Multisite: Password Reset on Local Blog
 * Plugin URI:  https://gist.github.com/KZeni/7760876c01ebb681ad439a452dc64427
 * Description: By default, WordPress Multisite uses the main blog for password resets. This plugin enables users to stay in their blog during the whole reset process.
 * Version:     1.1.1
 * Author:      Eric Teubert + KZeni
 * Author URI:  https://gist.github.com/KZeni/7760876c01ebb681ad439a452dc64427
 * License:     MIT
 */

// fixes "Lost Password?" URLs on login page
add_filter(
	"lostpassword_url",
	function ($url, $redirect) {
		$args = ["action" => "lostpassword"];
		$args["wpe-login"] = "true"; // Comment out if not on WP Engine hosting; leave as-is (enabled) if on WPE hosting.

		if (!empty($redirect)) {
			$args["redirect_to"] = $redirect;
		}

		return add_query_arg($args, site_url("wp-login.php"));
	},
	12,
	2
);

// fixes other password reset related urls
add_filter(
	"network_site_url",
	function ($url, $path, $scheme) {
		if (stripos($url, "action=lostpassword") !== false) {
			return site_url("wp-login.php?action=lostpassword", $scheme);
		}

		if (stripos($url, "action=resetpass") !== false) {
			return site_url("wp-login.php?action=resetpass", $scheme);
		}

		return $url;
	},
	12,
	3
);

// fixes URLs in email that goes out.
add_filter(
	"retrieve_password_message",
	function ($message, $key) {
		//return str_replace(get_site_url(1), get_site_url(), $message);
		return str_replace(
			get_site_url(get_network()->site_id),
			get_site_url(),
			$message
		);
	},
	12,
	2
);

// fixes email title
add_filter("retrieve_password_title", function ($title) {
	return "[" .
		wp_specialchars_decode(get_option("blogname"), ENT_QUOTES) .
		"] Password Reset";
});

If you're curious about what all changed from the original gist I forked this from, I've detailed things in my comment on the original gist here: https://gist.github.com/eteubert/293e07a49f56f300ddbb?permalink_comment_id=5024327#gistcomment-5024327 (while it's also visible under the Revisions tab of this gist [although Prettier-ifying the code has the GitHub diff just showing a complete delete & add of the code.])

Okay, I've added the straightforward manual inclusion of wpe-login=true in the URL just in case one is using WP Engine for hosting since WPE expects that & may return a 520 server Cloudflare error without it. Anyone not using WPEngine hosting can feel free to comment that line out (while I'd imagine it should be relatively, if not completely, harmless for hosting that then doesn't need it.)

Hi! Im using WPS Hide Login, my login url changed to /login/ but using your modified version I'm still facing the issue of a user appearing in the main site when the password is reseted. Any suggestions?

Okay, I've added the straightforward manual inclusion of wpe-login=true in the URL just in case one is using WP Engine for hosting since WPE expects that & may return a 520 server Cloudflare error without it. Anyone not using WPEngine hosting can feel free to comment that line out (while I'd imagine it should be relatively, if not completely, harmless for hosting that then doesn't need it.)

@geodefender Just to confirm... are you hosting with WP Engine? If not, you should consider using the code / discussing things at https://gist.github.com/eteubert/293e07a49f56f300ddbb. I say this because my code is a fork of that original gist where all I did was make it so it works with Paid Membership Pro (which you say you're using WPS Hide Login instead of what I'm using & have adapted this code for) and then made it work better with WP Engine.

If you are using WP Engine, I'd still consider giving https://gist.github.com/eteubert/293e07a49f56f300ddbb a try while then just adding that $args["wpe-login"] = "true"; line below their $args = array( 'action' => 'lostpassword' ); line since that's all I did to improve WP Engine compatibility while the other changes I made might not work as well with WPS Hide Login as the original code.

Also, this seems like a no-brainer, but I have to confirm... you did enable the plugin after you added this code to your site, right? Again, it may seem silly to mention, but sometimes things like that slip by some people when it's not a fully packaged plugin available via the installer.

Finally, have you brought this up with the WPS Hide Login support forum? That plugin might be doing something unique that really just doesn't work well with this code, for all I know (when I'm not using that plugin in combination with this, myself.) At that point, it seems like they have their implementation for hiding the standard WordPress login/reset/register/etc. pages and you then need support from them considering what they've implemented isn't meeting your needs for your multisite setup & I'd be somewhat surprised if you're the first one to want/need this behavior while using that plugin (then making sure to mention that you've tried using this just so those on the support forum know that going in.)

Hopefully, that points you in the right direction and/or has some things to potentially try.

@geodefender Oh, and I did do some quick Googling just in case you do host with WP Engine... https://wordpress.org/support/topic/lost-password-link-not-working-7/#post-17070821 shows someone else using WPS Hide Login on WP Engine (while multi-site network wasn't mentioned) where they needed WP Engine support to make a caching exception to get the reset password working properly for them. I'd imagine that would be just as applicable for a multisite network setup just as much as a single site setup (again, just making suggestions for things to possibly try/look into since I'm not using that same plugin as you.)

Also, it's recommended to clear your WP Engine caches fully & reset file permissions (the latter being less likely to be needed, but should be a harmless precaution) via WP Engine's tools after you added & enabled this code as it is possible that you were given a result where some part of it was cached from how it was behaving before while it might be all good if/when the cache refreshes.