Home Blog WordPress Management WordPress Password Reset Not Sending/Working [SOLVED]

How to fix WordPress password reset not sending or working

WordPress Password Reset Not Sending/Working [SOLVED]

Are you having trouble with WordPress not sending password reset mail? There are many reasons why WordPress password reset might not send the reset email or otherwise work. This article explores all of the available troubleshooting options to help you identify and resolve the issue.

There are plenty of reasons why someone might want to change their WordPress website account password. The most common reason is usually that they lost or forgot their password.

Other reasons include updating the password after a security breach or revoking access of an employee who is leaving your organization.

WordPress provides multiple methods for you to reset your password. If you are logged out of your account, the easiest one among them all is asking WordPress to send a password reset email.

You can request a password reset email by clicking on the Lost your password? button on the WordPress login page. This will take you to a new page where WordPress prompts you to enter your account username or email address.

Lost your password?

This password reset email is sent to the email address associated with your user account. The email contains a link that you can click to reset your password.

Unfortunately, you might not always receive a WordPress password reset email in your inbox. In this article, we will discuss several reasons why a WordPress website might not be sending password reset emails and some possible fixes for this issue.

Reasons and fixes for WordPress not sending password reset emails

Many issues can cause a WordPress website to not send password reset emails to users when requested. Fixing these issues should help you improve your WordPress website’s email deliverability.

Make sure emails are not going to the spam folder

Before we start discussing any potential fixes for WordPress not sending password reset mail, you should first confirm that you or your users are definitely not receiving the password reset emails. Sometimes, the emails that your website sends end up in the spam folder of your email client.

If one of your users is saying that they haven’t received any WordPress password reset emails, ask them to check their spam folder once. Legitimate WordPress emails can get marked as spam for a variety of reasons.

For instance, the email your website is sending could have misconfigured email headers, or the email content could trigger the spam filters of the recipient’s email client. A less common reason could be a bad server reputation or a bad IP address reputation.

Check the administration email address

WordPress websites have an administration email address that is used for administrative purposes. Many plugins send important information related to your website to the administration email address. This could include information related to the website backups, or security alerts.

By default, the same administration email address is used by many plugins as the “from address” when sending emails.

The problem arises when the domain name of the administration email address does not match the website’s domain name.

This mismatch causes the SMTP server to think that the WordPress website sending password reset emails is sending spam.

Luckily, this problem is easy to fix. Start by logging in to the admin dashboard of your WordPress site.

Next, navigate to Settings > General from the main menu in the admin dashboard. You should see some input fields to configure the general settings of your website.

Administration Email Address

One of the input fields is for the Administration Email Address. You should make sure that the domain of the email address matches the domain or the website.

Check or set the SPF and DKIM records for your domain

Bad actors can trick unsuspecting users into clicking harmful links in a spam email. They usually try to disguise the emails in such a way that they appear to be coming from a legitimate source.

There are two records that you can add to your DNS (Domain Name System) to authenticate that the emails you are sending are coming from an authorized source and their content was not tampered with.

Let’s see how they can validate the authenticity of an email.

Importance of SPF and DKIM records in email authentication

Let’s start with SPF which stands for Sender Policy Framework.

The recipient’s email server will check the SPF record of the sender’s domain to verify that the mail server that sent the email is authorized to do so.

This allows the recipient’s email server to check if the email came from a legitimate source.

The second record, DKIM, stands for DomainKeys Identified Mail. This record gives the sender a way to digitally sign their emails.

This digital signature is a cryptographic value generated using a private key associated with the legitimate domain name. The same signature is added to the header of every email that is sent.

The recipient’s email server can now use a public key from your domain’s DNS records to decrypt the signature.
Adding these two records to your DNS will help you make your WordPress website emails more secure. This ensures that your outgoing WordPress emails are considered legitimate by the recipient’s email server.

Get the SPF and DKIM values from the cPanel dashboard

If your hosting provider uses cPanel to let you manage your website, you can easily find the values for these records to add them to your domain.

Email Deliverability

Under the Email section on your cPanel dashboard homepage, navigate to Email Deliverability. This will show you a list of domains. Click on the domain whose records you want to check or set.

Manage the domain

This will open a new page where you can check whether the SPF and DKIM records are set properly. This page also lists the values of these records for you to copy and update your DNS records.

If your hosting provider doesn’t use cPanel, contact their support for more information on how to get your SPF and DKIM values.

Once you have the values for SPF and DKIM records, you have to add them to your DNS records. Typically this can be done via your domain registrar, the company or service that you used to register your domain, like Namecheap or Cloudflare. However, this is not always the case. Some businesses have dedicated DNS service.

Configure SMTP on WordPress

WordPress uses a function called wp_mail() to send emails. This function relies on the mail() function in PHP to send emails if you haven’t configured SMTP on your WordPress website.

If you are facing issues sending emails, it might be that the web host has blocked this function to reduce spam. Another possibility is that the web host disabled email functionality on cheaper hosting plans.

In this case, you can configure your WordPress website to send emails via an SMTP server. There are many options for you to choose from such as Sendgrid, MailGun, and SMTP.com if your own host doesn’t offer this functionality. The SMTP server will send emails on your behalf using the SMTP protocol.

The term SMTP stands for Simple Mail Transfer Protocol. Configuring SMTP for your WordPress website can significantly increase the chances of successfully delivering password reset emails.

There are two ways to configure SMTP on your website. We will briefly discuss them both here.

Configure SMTP by adding code

Configuring SMTP with code requires you to add some code to the WordPress wp-config.php file and the functions.php file for your WordPress theme.
Add the following code to your wp-config.php file:

define( 'SMTP_HOST', 'smtpserver.com' ); // Replace with your SMTP server address
define( 'SMTP_PORT', '587 ); // Replace with your SMTP server port
define( 'SMTP_SECURE', 'tls' ); // Options: 'ssl', 'tls', or ''
define( 'SMTP_AUTH', true ); // Set to true if your SMTP server requires authentication
define( 'SMTP_USER', 'smtp_username' ); // Replace with your SMTP username
define( 'SMTP_PASSWORD', 'smtp_password' ); // Replace with your SMTP password
define( 'SMTP_FROM', 'smtp_from_email' ); // Replace with your FROM email
define( 'SMTP_FROMNAME', 'smtp_from_name' ); // Replace with your FROM name

The above code defines some constants that we will use later inside our theme’s function.php file.

Add the following code to the functions.php file of your active WordPress theme:

add_action( 'phpmailer_init', 'send_smtp_email' );
function send_smtp_email( $phpmailer ) {
 $phpmailer->isSMTP();
 $phpmailer->Host = SMTP_HOST;
 $phpmailer->Port = SMTP_PORT;
 $phpmailer->SMTPSecure = SMTP_SECURE;
 $phpmailer->SMTPAuth = SMTP_AUTH;
 $phpmailer->Username = SMTP_USER;
 $phpmailer->Password = SMTP_PASSWORD;
 $phpmailer->From = SMTP_FROM;
 $phpmailer->FromName = SMTP_FROMNAME;
}

The above snippet helps us execute the code inside the send_smtp_email() function during the initialization of the PHPMailer library in WordPress. This function configures PHPMailer to use SMTP for sending WordPress emails.

Save both the wp-config.php file and the functions.php file. Now, upload them back to your server.

SMTP is now properly configured on your website to send password reset emails.

Configure SMTP using a plugin

You also have the option to configure SMTP on your WordPress website using a plugin. There are plenty of plugins that you can use, like WP Mail SMTP, POST SMTP, Easy WP SMTP, FluentSMTP, etc.

Configure SMTP using a plugin

You might also want to read our guide on improving WordPress email deliverability where we discuss how to use the WP Mail SMTP plugin to configure SMTP on a WordPress website.

Consult your web host

Updating your website’s administration email address, adding SPF and DKIM records to your domain’s DNS zone, and configuring SMTP will most likely fix any email delivery issues on your website.

If you are still having trouble getting your site to send a reset password email, you should consider contacting your web host. They will have more information about your website as well as the server setup. They should also have access to email logs that they can check to figure out the exact problem.

Once you have configured your website to send emails, users will be able to request and receive an email that contains a password reset link.

WordPress password reset email link not working

In some situations, clicking the password reset link won’t help you reset your account password. Let’s go over some of the reasons why this might happen.

The password reset link that you receive in the password reset email is only valid for a limited amount of time.

This time is set to 24 hours by default. This means that you will get a message about an expired password reset link if you try to reset your password more than 24 hours after requesting the link.

In such situations, you can simply request a new password reset link via email.

The expiration of the password reset link is a security feature as it prevents any attackers from changing the URL of a WordPress account if they happen to find an old password reset link.

You can use the Melapress Login Security plugin to change the duration, after which the link expires. The plugin allows you to increase as well as decrease this duration.

Any WordPress password reset link that you receive in your email can only be used to change your account password just once.

When you successfully reset your password using a link, WordPress removes the corresponding password reset key from its database.

Invalid password reset link

You will now have to request a new password reset email which will also have a new key to reset the password.

The password reset link that you receive in your password reset email has several components. It contains a key as well as the username of the account which requested the link.

You might want to make sure that the URL you visit in the browser exactly matches the URL you received in the password reset email.

Plugin or Theme Conflict

A WordPress website usually has multiple plugins and themes installed. In some circumstances, they might interfere with the password reset process.

You might want to temporarily deactivate all plugins and switch to a default WordPress theme to see if the password reset links start working again.

As we mentioned at the beginning of this post, using a password reset link is only one of the ways that you have to reset the password of your WordPress account.

There are many other methods that you can use to change or reset your account password on a WordPress site. (Link to the post when published).

Here is a list that briefly summarizes how some of them work:

  • Reset WordPress password using FTP: This method requires you to make changes to the functions.php file of your active WordPress theme. You should be at least a little bit comfortable with writing code if you decide to use this method. You can use this method to change the password of any WordPress account.
  • Reset WordPress password using phpMyAdmin: This method requires you to make changes to the WordPress database through phpMyAdmin directly. It also works for changing the password of any account.
    You will be directly changing the information stored in the WordPress database with this method. Therefore, it is essential to be careful and create a backup of your WordPress site.
  • Reset WordPress password using cPanel: If you are using a web host that installs cPanel, you can also change your account password using the WP Toolkit in the cPanel dashboard. This method is only helpful if you want to change the password of an admin account.
  • Emergency password reset script: This method requires you to upload an emergency password reset script on your website and fill out a form. This method only works for changing the password of the administrator account. It also requires you to know the admin username.

Make sure WordPress can send password reset emails

We would like to stress that these methods are not intended to be a replacement for the password reset emails that WordPress sends. The password reset email will let any user who forgets their password reset it by requesting a link.

These methods are only suitable for situations where you need to quickly gain access to your account and can’t get WordPress to deliver a password reset email.

A WordPress website relies on the successful delivery of email for many things, such as giving you information about order deliveries, security alerts, or newsletter emails. As such, fixing WordPress email deliverability issues should be a priority.

You might be tempted to use a simple and easy-to-remember password if you find yourself regularly resetting passwords. You should not do that. Bad actors might be able to crack simple passwords using brute-force attacks.

Alternatively, you should consider using a password manager and be able to login without compromising security.

Improving the login security of your WordPress site

As we just mentioned, using strong passwords for your WordPress account is an important security measure. However, not every user on your website might use a strong password even if you do.

In such cases, you can get help from our excellent plugins to improve the login security of your WordPress site.

Strong login policies using Melapress Login Security

The Melapress Login Security plugin is a great choice if you want to enforce strong login and password policies for all users on your site.

Here are some of its features that you will find helpful:

  • You can use this plugin to enforce strong password policies either site-wide or on a role-by-role basis.
  • You can also change the default WordPress login URL to some other random URL. This will help fight automated brute-force attacks.
  • Attackers will usually keep trying different commonly used passwords (dictionary attacks) to gain access to an account. Melapress Login Security allows you to block users with too many failed login attempts automatically.
  • The one-click password reset feature for all accounts can help you quickly terminate all active user sessions. It also sends instructions to all your users to reset their passwords. This can be very helpful in case of a security breach.
  • Inactive users on a site are potential targets for bad actors. Melapress Login Security will automatically identify such users and lock their accounts to protect your website

MelaPress Login Security offers many more features that make it an incredibly useful plugin to step up the login security of your WordPress site.

Two-factor authentication using WP 2FA

Using strong passwords to protect user accounts from brute-force attacks is a good practice. However, there are other ways in which bad actors might gain unauthorized access to an account. For instance, they could exploit a vulnerability in the system to steal credentials instead of guessing them.

The WP 2FA plugin from Melapress can help you secure your website against cracked or stolen credentials. You can use this plugin to add an extra layer of security to your website’s authentication process.

Here are some of the features that make WP 2FA a great choice for implementing two-factor authentication on your website:

  • The plugin offers several 2FA methods and gives users the option to choose a method that is most convenient for them.
  • The 2FA policies in WP 2FA are fully configurable. You can make 2FA compulsory, give users a grace period, and configure different 2FA policies for different user roles.
  • WP 2FA allows users to add any devices they want as trusted devices. This way, they can log in from a device that they use regularly without entering a 2FA code.
  • The plugin supports custom login pages and requires no dashboard access for users to set up 2FA.
  • Your users won’t have to download and learn how to use any new apps. WP 2FA supports any 2FA app.

The WP 2FA plugin also supports white labeling. This means that you can fully customize the 2FA pages, emails, and text to make them blend in with the rest of your website.

Conclusion

WordPress allows users to request an email to reset their account password by clicking on the Lost Password link on the WordPress login page. However, the successful delivery of the password reset email depends on multiple factors that we discussed in this tutorial.

The password reset emails from WordPress contain a link to reset passwords. However, these links are meant to be used only once and within a limited time. You should consider requesting a new link from WordPress if your password reset links are not working. As a site admin, you might also want to ensure that any installed plugins aren’t interfering with the password reset process.

Frequently Asked Questions (FAQs)

Why am I not getting emails for WordPress password reset?

If you can’t find the password reset email in your inbox, make sure that you check your spam folder first.

If the email isn’t present in the spam folder, the website is most likely having email deliverability issues due to misconfiguration of some settings. This includes a mismatch in the domain of the website’s administration email and the actual website domain, incorrect SPF and DKIM records, and SMTP configuration.

Why is the reset password link not working?

The password reset link that WordPress sends in emails is valid for a single use and for a limited time. You should try requesting another password reset email if the current one isn’t working for you.
It is also possible that the password reset link wasn’t properly copied into the address bar and got corrupted. Any conflict among plugins installed on the WordPress site could also prevent the password reset link from working.

Posted inWordPress Management
Nitish Kumar
Nitish Kumar

Nitish is a freelance web developer and technical writer with experience in various web development technologies, including WordPress. He specializes in developing eCommerce websites and likes to spend his free time working on personal projects or going out with friends.


Leave a Reply

Your email address will not be published. Required fields are marked *

Stay in the loop

Subscribe to the Melapress newsletter and receive curated WordPress management and security tips and content.

Newsletter icon

It’s free and you can unsubscribe whenever you want. Check our blog for a taste.

Envelope icon

Take the Melapress Security Survey 2024

Share your perspective
and WIN