-
-
Save ivandoric/e4e46294c4d35eac0ec8 to your computer and use it in GitHub Desktop.
| <?php //Add all of this tu custom page template ?> | |
| <?php | |
| global $wpdb; | |
| $error = ''; | |
| $success = ''; | |
| // check if we're in reset form | |
| if( isset( $_POST['action'] ) && 'reset' == $_POST['action'] ) | |
| { | |
| $email = trim($_POST['user_login']); | |
| if( empty( $email ) ) { | |
| $error = 'Enter a username or e-mail address..'; | |
| } else if( ! is_email( $email )) { | |
| $error = 'Invalid username or e-mail address.'; | |
| } else if( ! email_exists( $email ) ) { | |
| $error = 'There is no user registered with that email address.'; | |
| } else { | |
| $random_password = wp_generate_password( 12, false ); | |
| $user = get_user_by( 'email', $email ); | |
| $update_user = wp_update_user( array ( | |
| 'ID' => $user->ID, | |
| 'user_pass' => $random_password | |
| ) | |
| ); | |
| // if update user return true then lets send user an email containing the new password | |
| if( $update_user ) { | |
| $to = $email; | |
| $subject = 'Your new password'; | |
| $sender = get_option('name'); | |
| $message = 'Your new password is: '.$random_password; | |
| $headers[] = 'MIME-Version: 1.0' . "\r\n"; | |
| $headers[] = 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; | |
| $headers[] = "X-Mailer: PHP \r\n"; | |
| $headers[] = 'From: '.$sender.' < '.$email.'>' . "\r\n"; | |
| $mail = wp_mail( $to, $subject, $message, $headers ); | |
| if( $mail ) | |
| $success = 'Check your email address for you new password.'; | |
| } else { | |
| $error = 'Oops something went wrong updaing your account.'; | |
| } | |
| } | |
| if( ! empty( $error ) ) | |
| echo '<div class="message"><p class="error"><strong>ERROR:</strong> '. $error .'</p></div>'; | |
| if( ! empty( $success ) ) | |
| echo '<div class="error_login"><p class="success">'. $success .'</p></div>'; | |
| } | |
| ?> | |
| <form method="post"> | |
| <fieldset> | |
| <p>Please enter your username or email address. You will receive a link to create a new password via email.</p> | |
| <p><label for="user_login">Username or E-mail:</label> | |
| <?php $user_login = isset( $_POST['user_login'] ) ? $_POST['user_login'] : ''; ?> | |
| <input type="text" name="user_login" id="user_login" value="<?php echo $user_login; ?>" /></p> | |
| <p> | |
| <input type="hidden" name="action" value="reset" /> | |
| <input type="submit" value="Get New Password" class="button" id="submit" /> | |
| </p> | |
| </fieldset> | |
| </form> |
@disstp, You should add nonce to increase security. 🗡️
where to put this code and ho to use it
It should go to a custom page, I think, this was written 6 years ago. I don't remember why I used it for :) ...
it's for a custom reset password page. I put it in a page but it does not work
Congratulations if you are using this code on your website, you have just gave people a way to change access passwords for random members of your website. Looking at the above code a person can do this an unlimited amount of times , they can either guess email addresses until they get one that is associated with a member or if they know someone that is a member they can just type in that persons email address and change that members password.
Also just to add insult to injury you are telling genuine members that they can enter their username to receive a reset link however looking at the above code if a member enters a username it will fail as the the back end code is only accepting email addresses.
Tut tut tut
Is a nonce recommended for more security?