Is it possible to block subscriber users from changing their password?

The question:

I want to disable changing password option for all my subscriber users.

Is it possible by doing any code tweak or something using any plugin?

If someone has any idea or plugin knowledge to do this, it would be appreciated.

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

You can try

if( current_user_can( 'subscriber' ) ) {
    add_filter( 'show_password_fields', '__return_false' );
}

see also
http://wpengineer.com/2285/disable-password-fields-for-non-admins/

http://adambrown.info/p/wp_hooks/hook/show_password_fields

Method 2

If you want to hide the password fields on the profile page, you can use the show_password_fields filter:

add_filter('show_password_fields','hide_password_wpse_94968');
function hide_password_wpse_94968() {
    if(!current_user_can('edit_posts')){
        // hide only for subscribers
        return false;
    }
    return true; // for all other users that can edit posts
}

where we hide it for all users that can’t edit posts (subscribers).

The subscribers will still be able to retrieve new passwords via wp-login.php?action=lostpassword.


Method 3

This may be a different approach to achieve a similar outcome.

I wanted to be able to prevent anyone from changing the Admin passwords via a forgot password link – I wanted to keep the forgot password link for subscribers.

Be aware that you will need to have an alternative means of resetting the password for administrators (e.g. direct database access) should you be unlucky enough to forget your admin password.

You can change the “administrator” in this code to whatever user you want to restrict, “subscriber” for example.

If an Administrator tries to reset a password (or rather if your Administrator email has been hacked and a hacker is trying to get hold of a reset link) they shouldn’t be able to.

They should be blocked with the standard message:

Password reset is not allowed for this user

Put this code at the end of your functions.php in your child theme.

// Block Admin Accounts from external Password Reset

// Filter callback: returning false refuses the reset.
function disable_password_reset() {
  return false;
}

// Runs when a password reset is requested.
add_action( 'retrieve_password', 'log_password_requests' );

function log_password_requests( $user_name_or_email ) {
  $user = get_user_by( 'login', $user_name_or_email );

  // get_user_by() returns false for an unknown login, so check before reading roles.
  if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
    add_filter( 'allow_password_reset', 'disable_password_reset' );
  } else {
    remove_filter( 'allow_password_reset', 'disable_password_reset' );
  }
}

CREDITS – thanks to:

You get the role using code like this:

Getting a user role from the user login name

This was the source of my bit of blocking code:

https://www.isitwp.com/disable-the-allow_password_reset-feature/

You can extend the number of options you want to block or perhaps use a ! to select those which are not in the users->roles array should you want that. Thanks to:

https://stackoverflow.com/questions/2440506/how-to-check-if-an-array-value-exists

also on
https://www.geeksforgeeks.org/php-in_array-function/

This was where I got the code – originally for logging who attempted to change a password – which I used to wrap and trigger the password reset blocking function. It provides the hook to detect when a password reset request was being made and grabs the user who was making it. You could also add a line for logging the user, as this post suggests.

How can I tell who changed the password?

This answer gives some useful ideas on how to make a log file separately from the PHP error log:
https://stackoverflow.com/questions/4660692/is-it-possible-to-print-a-log-of-all-database-queries-for-a-page-request-in-word/4660903#4660903

I couldn’t find this exact functionality anywhere else so hope it might help somebody.

Apologies if my code is not entirely WordPress perfect but it has worked on six sites so far and performs as expected. It uses the functionality of the standard wp-login.php template – sorry to those who want more personalised stuff but there is other code here for that.
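
Added example, not part of any of the answers above: Method 2 notes that hidden fields still leave wp-login.php?action=lostpassword open, and show_password_fields only controls whether the fields are rendered, so this sketch combines the UI filter with two server-side checks for one role. The wpse_example_* names and the choice of 'subscriber' as the locked role are assumptions; the hooks themselves are WordPress core hooks.

```php
<?php
// Added example, not code from the answers above. The wpse_example_* names
// and the locked role are assumptions; the hooks are WordPress core hooks.
const WPSE_EXAMPLE_LOCKED_ROLE = 'subscriber';

// True when $user (WP_User or user ID) exists and holds the locked role.
function wpse_example_is_locked( $user ) {
    if ( ! $user instanceof WP_User ) {
        $user = get_userdata( (int) $user ); // false for an unknown ID
    }
    return $user && in_array( WPSE_EXAMPLE_LOCKED_ROLE, (array) $user->roles, true );
}

// 1. UI: do not render the password fields when a locked user views a profile.
add_filter( 'show_password_fields', function ( $show ) {
    return wpse_example_is_locked( wp_get_current_user() ) ? false : $show;
} );

// 2. Server side: reject a password submitted with the profile form by a
//    locked user, even though the fields were not rendered for them.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( $update
        && ! empty( $user->user_pass )
        && wpse_example_is_locked( wp_get_current_user() )
    ) {
        $errors->add( 'pass', __( 'Password changes are disabled for this account.' ) );
    }
}, 10, 3 );

// 3. Lost-password flow: the filter receives the target user ID, so the role
//    check can live in the filter itself. Returning false produces the
//    standard "Password reset is not allowed for this user" message.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    return wpse_example_is_locked( $user_id ) ? false : $allow;
}, 10, 2 );
```

Code that calls wp_set_password() or wp_update_user() directly, such as another plugin, does not pass through these hooks and is not covered.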


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.