Created June 5, 2014 11:17
wordpress: create custom reset password page
<?php // Add all of this to a custom page template ?>
<?php
global $wpdb;
$error = '';
$success = '';
$headers = array();
// check if we're in reset form
if( isset( $_POST['action'] ) && 'reset' == $_POST['action'] )
{
    $email = trim( $_POST['user_login'] );
    if( empty( $email ) ) {
        $error = 'Enter a username or e-mail address.';
    } else if( ! is_email( $email ) ) {
        $error = 'Invalid username or e-mail address.';
    } else if( ! email_exists( $email ) ) {
        $error = 'There is no user registered with that email address.';
    } else {
        // generate a new password and overwrite the account's password immediately
        $random_password = wp_generate_password( 12, false );
        $user = get_user_by( 'email', $email );
        $update_user = wp_update_user( array (
            'ID'        => $user->ID,
            'user_pass' => $random_password
        ) );
        // wp_update_user() returns the user ID on success or a WP_Error (which is truthy),
        // so check for the error object rather than for a truthy value
        if( ! is_wp_error( $update_user ) ) {
            // send the user an email containing the new password
            $to = $email;
            $subject = 'Your new password';
            $sender = get_option( 'blogname' ); // site name; 'name' is not a WordPress option
            $message = 'Your new password is: ' . $random_password;
            $headers[] = 'MIME-Version: 1.0';
            $headers[] = 'Content-type: text/html; charset=iso-8859-1';
            $headers[] = 'X-Mailer: PHP';
            $headers[] = 'From: ' . $sender . ' <' . $email . '>';
            $mail = wp_mail( $to, $subject, $message, $headers );
            if( $mail )
                $success = 'Check your email address for your new password.';
        } else {
            $error = 'Oops, something went wrong updating your account.';
        }
    }
    if( ! empty( $error ) )
        echo '<div class="message"><p class="error"><strong>ERROR:</strong> ' . $error . '</p></div>';
    if( ! empty( $success ) )
        echo '<div class="error_login"><p class="success">' . $success . '</p></div>';
}
?>
<form method="post">
    <fieldset>
        <p>Please enter your username or email address. You will receive a link to create a new password via email.</p>
        <p><label for="user_login">Username or E-mail:</label>
        <?php $user_login = isset( $_POST['user_login'] ) ? $_POST['user_login'] : ''; ?>
        <input type="text" name="user_login" id="user_login" value="<?php echo esc_attr( $user_login ); ?>" /></p>
        <p>
            <input type="hidden" name="action" value="reset" />
            <input type="submit" value="Get New Password" class="button" id="submit" />
        </p>
    </fieldset>
</form>
Congratulations if you are using this code on your website, you have just given people a way to change access passwords for random members of your website. Looking at the above code a person can do this an unlimited number of times, they can either guess email addresses until they get one that is associated with a member or if they know someone that is a member they can just type in that person's email address and change that member's password.
Also just to add insult to injury you are telling genuine members that they can enter their username to receive a reset link, however looking at the above code if a member enters a username it will fail as the back end code is only accepting email addresses.
Tut tut tut
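As an added example (not the gist author's code), here is the same page rebuilt around WordPress's own token-based reset flow, which addresses both points raised in the comment: nothing about the account changes until the recipient of the e-mail follows the link, and the form accepts a username or an e-mail address. It assumes WordPress 4.4 or later (for get_password_reset_key()) and PHP 7; the nonce action name custom_reset is an arbitrary choice.

```php
<?php
// Added example, not the gist's code: a token-based reset request handler
// for a custom WordPress page template. Assumes it runs inside a theme
// template where WordPress core functions are loaded.
$error = '';
$success = '';

if ( isset( $_POST['action'] ) && 'reset' === $_POST['action'] ) {
    // CSRF protection: the form below emits this nonce ('custom_reset' is an assumed name).
    if ( ! isset( $_POST['reset_nonce'] ) || ! wp_verify_nonce( $_POST['reset_nonce'], 'custom_reset' ) ) {
        $error = 'Invalid request. Please try again.';
    } else {
        $login = trim( wp_unslash( $_POST['user_login'] ?? '' ) );
        // Accept either a username or an e-mail address, as the form text promises.
        $user = is_email( $login ) ? get_user_by( 'email', $login ) : get_user_by( 'login', $login );

        if ( $user ) {
            // get_password_reset_key() stores a hashed, time-limited key for the user;
            // the password itself is NOT changed until the user follows the link, so
            // a stranger typing someone else's address cannot lock that person out.
            $key = get_password_reset_key( $user );
            if ( ! is_wp_error( $key ) ) {
                $url = network_site_url( 'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ), 'login' );
                $message = "Someone requested a password reset for this account.\r\n"
                         . "If this was not you, ignore this e-mail and nothing will change.\r\n\r\n"
                         . "To choose a new password, visit:\r\n" . $url . "\r\n";
                wp_mail( $user->user_email, '[' . wp_specialchars_decode( get_option( 'blogname' ) ) . '] Password reset', $message );
            }
        }
        // Same message whether or not the account exists, so the form does not
        // confirm which usernames or e-mail addresses are registered.
        $success = 'If an account matches what you entered, a reset link has been sent to its e-mail address.';
    }
}

if ( $error ) {
    echo '<div class="message"><p class="error">' . esc_html( $error ) . '</p></div>';
}
if ( $success ) {
    echo '<div class="message"><p class="success">' . esc_html( $success ) . '</p></div>';
}
?>
<form method="post">
    <?php wp_nonce_field( 'custom_reset', 'reset_nonce' ); ?>
    <p><label for="user_login">Username or E-mail:</label>
    <input type="text" name="user_login" id="user_login" value="<?php echo esc_attr( wp_unslash( $_POST['user_login'] ?? '' ) ); ?>" /></p>
    <input type="hidden" name="action" value="reset" />
    <input type="submit" value="Get New Password" class="button" />
</form>
```

Because this handler changes nothing without the e-mailed key and reveals nothing about which accounts exist, repeated submissions can at most generate reset e-mails; throttling those is a separate concern, handled at the web server or with a login-protection plugin.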
It's for a custom reset password page. I put it in a page but it does not work.