At some point in time you, or another user of your WordPress site, will forget their password and will need to have it reset. WordPress has automated this activity and made it simple.
Self-service vs. admin-managed password resets
The built-in “lost password” functionality in WordPress is self-service. That is, any user will be able to reset their login password for themselves. There are a number of advantages to self-service instead of having a site administrator reset passwords for others.
- Security. The less information that an admin needs to maintain securely, the better. User passwords are encrypted in the WP database ensuring that they are protected. Reseting passwords for others can create a new security hole because you’ll need to expose the new password during the process of creating it and communicating it to the user.
- Less work for admins. Lets your site do the work for you.
- User convenience. They don’t need to wait for an admin. If you run a e-commerce site you know how valuable this is.
Simply go to your standard log-in page and click the “Lost your password” link beneath the Log In window.
The user will be routed to a new page and prompted to enter their email associated with the login. If their email is not known to the site, an error message will be displayed, “ERROR: There is no user registered with that email address.” Otherwise, they’ll receive a notice to, “Check your mail for the confirmation link.”
An email will be sent to the user notifying them that someone is trying to reset the password. Only by clicking a link within the email will the user be able to continue the process. This step is vital for security: it protects the user from an outsider attempting to reset, then use, their password.
The user is returned to a WP login screen where a strong password has been randomly generated and pre-filled. This password can be used, or overwritten with a password of your choice—just make sure its a strong one.
Finally, continue to reset the password then follow a link to log in with the new password.