plugins - Is it possible to block subscriber users from changing their password?

I want to disable the password-change option for all my subscriber users.

Is it possible with a code tweak or by using a plugin?

If someone has an idea or knows of a plugin that does this, it would be appreciated.

Asked by Frank on Apr 8, 2013 at 7:19; edited Apr 8, 2013 at 7:28.

3 Answers

You can try

if( current_user_can( 'subscriber' ) ) {
    add_filter( 'show_password_fields', '__return_false' );
}

see also http://wpengineer/2285/disable-password-fields-for-non-admins/

http://adambrown.info/p/wp_hooks/hook/show_password_fields

If you want to hide the password fields on the profile page, you can use the show_password_fields filter:

add_filter('show_password_fields','hide_password_wpse_94968');
function hide_password_wpse_94968() {
    if(!current_user_can('edit_posts')){
        // hide only for subscribers
        return false;
    }
    return true; // for all other users that can edit posts
}

where we hide it for all users that can't edit posts (subscribers).

The subscribers will still be able to retrieve new passwords via wp-login.php?action=lostpassword.


This may be a different approach to achieve a similar outcome

I wanted to be able to prevent anyone from changing the Admin passwords via a forgot password link - I wanted to keep the forgot password link for subscribers

Be aware that you will need to have an alternative means of resetting the password for administrators (e.g. direct database access) should you be unlucky enough to forget your admin password.

You can change the "administrator" in this code to whatever user you want to restrict "subscriber" for example.

If an Administrator tries to reset a password (or rather if your Administrator email has been hacked and a hacker is trying to get hold of a reset link) they shouldn't be able to.

They should be blocked with the standard message:

Password reset is not allowed for this user

Put this code at the end of your functions.php in your child theme.

// Block Admin Accounts from external Password Reset

function disable_password_reset() {
    return false;
}

// 'retrieve_password' fires with the user's login before WordPress
// applies the 'allow_password_reset' filter.
add_action( 'retrieve_password', 'log_password_requests' );

function log_password_requests( $user_name_or_email ) {
    $user = get_user_by( 'login', $user_name_or_email );

    // get_user_by() returns false when no account matches, so check it before reading roles.
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        add_filter( 'allow_password_reset', 'disable_password_reset' );
    } else {
        remove_filter( 'allow_password_reset', 'disable_password_reset' );
    }
}

CREDITS - thanks to:

You get the role using code like this:

Getting a user role from the user login name

This was the source of my bit of blocking code:

https://www.isitwp/disable-the-allow_password_reset-feature/

You can extend the number of options you want to block or perhaps use a ! to select those which are not in the users->roles array should you want that. Thanks to:

https://stackoverflow/questions/2440506/how-to-check-if-an-array-value-exists

also on https://www.geeksforgeeks/php-in_array-function/

This was where I got the code - originally for logging who attempted to change a password - which I used to wrap and trigger the password reset blocking function. It provides the hook to detect when a password reset request was being made and grabs the user who was making it. You could also add a line for logging the user, as this post suggests.

How can I tell who changed the password?

This answer gives some useful ideas on how to make a log file separately from the PHP error log: https://stackoverflow/questions/4660692/is-it-possible-to-print-a-log-of-all-database-queries-for-a-page-request-in-word/4660903#4660903

I couldn't find this exact functionality anywhere else so hope it might help somebody.

Apologies if my code is not entirely WordPress perfect but it has worked on six sites so far and performs as expected. It uses the functionality of the standard wp-login.php template - sorry to those who want more personalised stuff but there is other code here for that.
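
The answers above use two different hooks: `show_password_fields` hides the fields on the profile screen, and `allow_password_reset` blocks the wp-login.php?action=lostpassword flow. The following added example (not code from any of the answers; the `example_` function name is hypothetical) combines both for subscribers and also rejects a password submitted with the profile form, since hiding the fields changes only what is rendered:

```php
<?php
// Added example, not code from the answers on this page.
// example_is_subscriber() is a hypothetical helper name.

/** True when the account with this ID holds the subscriber role. */
function example_is_subscriber( $user_id ) {
    $user = get_userdata( $user_id ); // false when the ID matches no account
    return $user && in_array( 'subscriber', (array) $user->roles, true );
}

// 1. UI: do not render the password fields for a logged-in subscriber.
add_filter( 'show_password_fields', function ( $show ) {
    return example_is_subscriber( get_current_user_id() ) ? false : $show;
} );

// 2. Enforcement: refuse a profile update that carries a new password.
//    edit_user() only sets $user->user_pass when a password was submitted,
//    and any error added here stops the update from being saved.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( $update
        && ! empty( $user->user_pass )
        && example_is_subscriber( get_current_user_id() )
    ) {
        $errors->add( 'pass', __( 'Password changes are disabled for this account.' ) );
    }
}, 10, 3 );

// 3. Lost-password flow: the filter receives the target user's ID as its
//    second argument, so no separate 'retrieve_password' hook is needed.
//    Returning false yields the standard message
//    "Password reset is not allowed for this user".
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    return example_is_subscriber( $user_id ) ? false : $allow;
}, 10, 2 );
```

Place it in the child theme's functions.php or a small plugin. Other code paths that call wp_update_user() are not covered by these three hooks and need their own check.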
