$user_login does not append to WP password reset link after key

March 18, 20230 Views

I’m using HTML custom email templates for WordPress notifications.

Every template works fine. For some reason, though – the password reset template (which works fine otherwise) will not append the user_login variable at the end of the password reset link – which is vital for the key to be valid. The link without the $user_login renders an “invalid key” error on the WP password reset page.

An example of the string in the link is below – note the missing login=username at the very end.

url/wp-login.php?redirect_to=url?action=rp&key=12345678910&login=http://url.com/wp-login.php?redirect_to=url?action=rp&key=12345678910&login=

Here is the code I’m using to modify the template. Does anyone know why this is happening – and if so, how I can fix it?

add_filter ('retrieve_password_message', 'custom_retrieve_password_message', 10, 2);
function custom_retrieve_password_message($content, $key) {
global $wpdb;
$user_login = $wpdb->get_var("SELECT user_login FROM $wpdb->users WHERE user_activation_key = '$key'");
ob_start();
$email_subject = custom_retrieve_password_title();
include('email_header.php');
?>

<p>It looks like you need to reset your password for your account!</p>
<p>To reset your password, visit the following address, otherwise just ignore this email and nothing will happen.<p>
<a href="<?php echo wp_login_url("url") ?>?action=rp&key=<?php echo $key ?>&login=<?php echo $user_login ?>">Reset password</a> 

<?php
include('email_footer.php');
$message = ob_get_contents();
ob_end_clean();
return $message;
}

Post Views: 0

4 comments

I think the problem is that wordpress changed the way the user activation key is saved in the database. The key is hashed before it’s saved in the wp_users table and $key contains the unhashed plain-text activation key. So the following line of your code won’t get a result and $user_login will be empty.

$user_login = $wpdb->get_var("SELECT user_login FROM $wpdb->users WHERE user_activation_key = '$key'");

Try this instead:

add_filter ('retrieve_password_message', 'custom_retrieve_password_message', 10, 2);
function custom_retrieve_password_message($content, $key) {
global $wpdb;
$user_data = get_user_by_email(trim($_POST['user_login']));
$user_login = $user_data->user_login;
ob_start();
$email_subject = custom_retrieve_password_title();
include('email_header.php');
?>

<p>It looks like you need to reset your password for your account!</p>
<p>To reset your password, visit the following address, otherwise just ignore this email and nothing will happen.<p>
<a href="<?php echo wp_login_url("url") ?>?action=rp&key=<?php echo $key ?>&login=<?php echo $user_login ?>">Reset password</a> 

<?php
include('email_footer.php');
$message = ob_get_contents();
ob_end_clean();
return $message;
}

Anonymous says:

March 18, 2023 at 3:19 am
I am not totally sure about all the rest . – but for one thing , you need to get your quotes right . try
```
echo wp_login_url('url')
```
not
```
echo wp_login_url("url")
```
e.g. :
```
<a href="<?php echo wp_login_url('url') ?>?action=rp&key=<?php echo $key ?>&login=<?php echo $user_login ?>">Reset password</a> 
```
or try
```
echo '<a href=' . wp_login_url("url") . '?action=rp&key='.$key.'&login='.$user_login.'>Reset password</a> ';
```
Also – ( and if that is no help ) can you elaborate more where you use it , how and with what templates so we can try and dig deeper ?
Log in to Reply

For anyone interested, this is another solution:

add_filter ('retrieve_password_message', 'custom_retrieve_password_message', 10, 2);
function custom_retrieve_password_message($content, $key) {
global $wpdb;
if ( empty( $_POST['user_login'] ) ) {
     wp_die('<strong>ERROR</strong>: Enter a username or e-mail address.');
 } else if ( strpos( $_POST['user_login'], '@' ) ) {
     $user_data = get_user_by( 'email', trim( $_POST['user_login'] ) );
 }else if(!empty( $_POST['user_login'] )){
     $user_data = get_user_by('login', trim( $_POST['user_login']));
 }elseif ( empty( $user_data ) ){
     wp_die('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
 }
$user_login_name=$user_data->user_login;
ob_start();
$email_subject = 'Your password has been changed';
include('email_header.php');
?>
<p>It looks like you need to reset your password. <br/>To reset your password, <a href="<?php echo wp_login_url("url") ?>?action=rp&key=<?php echo $key ?>&login=<?php echo $user_login_name; ?>">click here</a>, otherwise just ignore this email and nothing will happen.<p>

<?php
include('email_footer.php');
$message = ob_get_contents();
ob_end_clean();
return $message;
}

Additionally, you can use the POST data to check if the username or the email was submitted:

add_filter ('retrieve_password_message', 'custom_retrieve_password_message', 10, 2);
  function custom_retrieve_password_message($content, $key) {
    if ( username_exists($_POST['user_login']) ){
    $user_login = $_POST['user_login'];
} else {
    $user_data = get_user_by_email(trim($_POST['user_login'])); 
    $user_login = $user_data->user_login;
}
    ob_start();
...

Leave a Reply Cancel reply

4 comments

Social Network

Related posts

Leave a Reply Cancel reply

4 comments

Social Network