Is it possible to block subscriber users from changing their password?

I want to disable the password-change option for all my subscriber users.

Is it possible with a code tweak or by using a plugin?

Disable password changing option for subscriber users

If someone has any idea or plugin knowledge to do this, it would be appreciated.

3 comments

  1. If you want to hide the password fields on the profile page, you can use the show_password_fields filter:

    add_filter('show_password_fields','hide_password_wpse_94968');
    function hide_password_wpse_94968() {
        if(!current_user_can('edit_posts')){
            // hide only for subscribers
            return false;
        }
        return true; // for all other users that can edit posts
    }
    

    where we hide it for all users that can’t edit posts (subscribers).

    The subscribers will still be able to retrieve new passwords via wp-login.php?action=lostpassword.


    [Screenshots: the profile page before and after hiding the password fields.]

  2. This may be a different approach to achieve a similar outcome.

    I wanted to be able to prevent anyone from changing the Admin passwords via a forgot password link – I wanted to keep the forgot password link for subscribers.

    Be aware that you will need to have an alternative means of resetting the password for administrators (e.g. direct database access) should you be unlucky enough to forget your admin password.

    You can change the “administrator” in this code to whatever user you want to restrict, “subscriber” for example.

    If an Administrator tries to reset a password (or rather if your Administrator email has been hacked and a hacker is trying to get hold of a reset link) they shouldn’t be able to.

    They should be blocked with the standard message:

    Password reset is not allowed for this user

    Put this code at the end of your functions.php in your child theme.

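    // Block Admin Accounts from external Password Reset

    // Filter callback: returning false makes WordPress refuse the reset.
    function disable_password_reset() {
        return false;
    }

    // Runs when a password reset is requested for a user.
    add_action( 'retrieve_password', 'log_password_requests' );

    function log_password_requests( $user_name_or_email ) {
        $user = get_user_by( 'login', $user_name_or_email );

        // get_user_by() returns false when no account matches; check before reading roles.
        if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
            add_filter( 'allow_password_reset', 'disable_password_reset' );
        } else {
            remove_filter( 'allow_password_reset', 'disable_password_reset' );
        }
    }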
    

    CREDITS – thanks to:

    You get the role using code like this:

    Getting a user role from the user login name

    This was the source of my bit of blocking code:

    https://www.isitwp.com/disable-the-allow_password_reset-feature/

    You can extend the number of options you want to block or perhaps use a ! to select those which are not in the users->roles array should you want that. Thanks to:

    https://stackoverflow.com/questions/2440506/how-to-check-if-an-array-value-exists

    also on
    https://www.geeksforgeeks.org/php-in_array-function/

    This was where I got the code – originally for logging who attempted to change a password – which I used to wrap and trigger the password reset blocking function. It provides the hook to detect when a password reset request was being made and grabs the user who was making it. You could also add a line for logging the user, as this post suggests.

    How can I tell who changed the password?

    This answer gives some useful ideas on how to make a log file separately from the PHP error log:
    https://stackoverflow.com/questions/4660692/is-it-possible-to-print-a-log-of-all-database-queries-for-a-page-request-in-word/4660903#4660903

    I couldn’t find this exact functionality anywhere else so hope it might help somebody.

    Apologies if my code is not entirely WordPress perfect but it has worked on six sites so far and performs as expected. It uses the functionality of the standard wp-login.php template – sorry to those who want more personalised stuff but there is other code here for that.
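
An added example, not code from either answer above: the first answer hides the profile fields but leaves wp-login.php?action=lostpassword open, and the second toggles a filter from the retrieve_password action. This version enforces both paths server-side for the subscriber role, using the user ID that allow_password_reset passes to its callbacks and rejecting a submitted password in user_profile_update_errors. The example_ function names, the error code and the exemption for users holding edit_users are assumptions made for illustration.

```php
// Added example: server-side enforcement for the 'subscriber' role.
// All example_* names are hypothetical. Place where the answers put theirs
// (for instance the end of a child theme's functions.php).

/** True when the given user ID belongs to an account holding the subscriber role. */
function example_is_subscriber( $user_id ) {
    $user = get_userdata( (int) $user_id );
    // get_userdata() returns false for unknown IDs; treat that as "not a subscriber".
    return $user instanceof WP_User
        && in_array( 'subscriber', (array) $user->roles, true );
}

// 1. Lost-password flow. The filter passes the target user's ID as its second
//    argument, so the role can be checked inside the filter callback itself.
add_filter( 'allow_password_reset', 'example_block_subscriber_reset', 10, 2 );
function example_block_subscriber_reset( $allow, $user_id ) {
    if ( example_is_subscriber( $user_id ) ) {
        return false; // WordPress replies with its standard "not allowed" message
    }
    return $allow; // keep whatever core or other plugins already decided
}

// 2. Profile form. Hiding the fields changes only what is rendered, so refuse
//    a password that still arrives in the request.
add_action( 'user_profile_update_errors', 'example_reject_subscriber_password', 10, 3 );
function example_reject_subscriber_password( $errors, $update, $user ) {
    if ( ! $update || empty( $user->ID ) || empty( $user->user_pass ) ) {
        return; // creating a new user, or no password submitted
    }
    // Assumption: accounts that can edit other users (e.g. administrators)
    // may still set a subscriber's password on their behalf.
    if ( example_is_subscriber( $user->ID ) && ! current_user_can( 'edit_users' ) ) {
        $errors->add(
            'example_pass_locked',
            'Password changes are disabled for this account.'
        );
    }
}
```

Because the role check runs inside the filter callback, no add_filter/remove_filter pair has to be kept in sync between requests.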