WordPress has changed the way it manages user passwords and by default WordPress now recommends strong passwords whenever you forget your password, create a new user or simply want to reset your password. To help create strong passwords, WordPress provides a generator in the Users > All Users dashboard, under Account Management. Also, WordPress removed the default behaviour of emailing passwords to users directly either from initial set up or through a password reset request.
Now when a registered user requests a password reset they are emailed a link that allows them to set a new password in WordPress and the password reset links automatically expire after 24 hours. Also, when updating an email address or password from the user dashboard, a notification is sent to the original user email address notifying them of the change.
While these changes to WordPress password security are a welcome addition, there is still a risk associated with your email account. If your email account were to become compromised, the attacker could visit the WordPress login screen and simply request a password reset. WordPress would then send the password reset email to your compromised email account and the attacker could gain entry.
In this guide, we will show you how to use the WordPress functions.php file to remove the Lost Password link from your WordPress login page and completely disable the Password Reset option, so that people cannot reach it by visiting the URL directly. We will also show you how to hide any login error messages using CSS in the style.css file or change the error message displayed using the functions.php file.
Important
In this tutorial, we'll be directly editing WordPress theme files and we recommend that you create a child theme of your existing parent theme. By using a child theme you will be able to apply modifications without altering the parent theme files, and any changes you make will be kept following any parent theme updates.
Note
If you don't feel comfortable with editing the functions.php file directly, we would recommend you use the Code Snippets plugin. This plugin will enable you to easily add, manage and delete WordPress code snippets from your dashboard. To find out more about adding custom code snippets using a plugin, see our tutorial How to Add Custom Code Snippets to WordPress with the Code Snippets Plugin.
In addition to implementing these preventative measures for WordPress security, we would highly recommend that you implement Two-Factor Authentication as an additional layer of security for your WordPress logins and users.
You can easily implement Two-Factor Authentication with the plugin Two-Factor, which is available for free on the WordPress repository.
The plugin offers a variety of Two-Factor Authentication methods such as Email Authentication codes, Time Based One-Time Passwords (TOTP), FIDO Universal 2nd Factor (U2F) and Backup Codes. All the options are managed in Users > All Users > User Name dashboard, under Account Management.
How to Remove the Lost Password Link
To remove the Lost Password link from your WordPress login page, simply copy and paste the following code into your functions.php file. You can edit the functions.php file directly in the WordPress dashboard under Appearance > Theme Editor > Theme Functions or edit the file offline and upload using your favourite FTP program.
// Remove Lost Password Link
function vpsb_remove_lostpassword_text( $text ) {
    if ( $text == 'Lost your password?' ) {
        $text = '';
    }
    return $text;
}
add_filter( 'gettext', 'vpsb_remove_lostpassword_text' );
Now when you access your WordPress login page you will notice that the Lost Password link is no longer displayed.
How to Disable Lost Password URL
Although we have removed the Lost Password text from the WordPress login screen, the Password Reset page is still accessible using /wp-login.php?action=lostpassword.
To disable the Password Reset URL and redirect back to the WordPress login screen, simply copy and paste the following code into your functions.php file:
// Disable Password Reset URL & Redirect
function vpsb_disable_lost_password() {
    if ( isset( $_GET['action'] ) ) {
        if ( in_array( $_GET['action'], array( 'lostpassword', 'retrievepassword' ) ) ) {
            wp_redirect( wp_login_url(), 301 );
            exit;
        }
    }
}
add_action( "login_init", "vpsb_disable_lost_password" );
Note
The code above will check to see if the request was for /wp-login.php?action=lostpassword or /wp-login.php?action=retrievepassword and then redirect the request back to the /wp-login.php page using a 301 Permanently Moved redirect.
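The redirect above acts on the action value in the URL. As an added example (not part of the original tutorial), the snippet below also refuses the reset inside WordPress itself through the core allow_password_reset filter, so the block holds regardless of how the request reaches wp-login.php. The example_ function names are hypothetical, and the 302 status is a choice made here because browsers cache 301 redirects.

```php
// Added example for functions.php; not the tutorial author's code.
// Function names prefixed with example_ are hypothetical.

// Refuse to generate a password reset key for any account.
// WordPress applies this filter inside get_password_reset_key(),
// so no reset email is produced even if the lost password form is reached.
function example_block_password_reset( $allow, $user_id ) {
    return false;
}
add_filter( 'allow_password_reset', 'example_block_password_reset', 10, 2 );

// Redirect the lost password screens back to the login form.
// wp-login.php reads the action from $_REQUEST, so the same source is
// checked here instead of the query string alone.
function example_redirect_lost_password() {
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    // Strict comparison against the two actions named in this tutorial.
    if ( in_array( $action, array( 'lostpassword', 'retrievepassword' ), true ) ) {
        // 302 (temporary) so the redirect is not cached if the reset
        // option is re-enabled later.
        wp_safe_redirect( wp_login_url(), 302 );
        exit;
    }
}
add_action( 'login_init', 'example_redirect_lost_password' );
```

With the filter in place, any feature that relies on get_password_reset_key() is refused as well, so administrators will need to set new passwords for users from the dashboard.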
That’s it. You have now successfully removed the Lost Password text from the login page and disabled direct access to the Lost Password and Retrieve Password URLs. In the next section we will show you some further best practise advice by hiding or changing the default WordPress login error messages.
How to Hide Login Error Messages
When someone enters an incorrect Username or Password into the WordPress login screen, by default WordPress will display an error message such as "Unknown username. Check again or try your email address."
If you want to hide these Login Error Messages, you can simply copy and paste this code into your style.css file:
#login_error {display: none;}
Now if you enter an incorrect Username or Password, there will be no WordPress Login Error Message displayed on the login screen. Note that the CSS rule only stops the browser from showing the message; the text is still present in the HTML that WordPress returns.
However, while this is useful to prevent the WordPress Login Error Message from being displayed, it’s not very user friendly if you operate a multi-user WordPress site. Therefore, we would recommend that you use the code below to Change WordPress Login Error Message.
Change WordPress Login Error Messages
You can also change the default WordPress Login Error Message to anything you want using the WordPress functions.php file. So, if someone entered an incorrect Username, Email Address or Password you could display a "Something went wrong!" message. To change the login error message, simply copy and paste this code into your functions.php file:
// Change WordPress Error Messages
function vpsb_change_wordpress_errors() {
    return 'The username or password is incorrect. Please consult your system administrator.';
}
add_filter( 'login_errors', 'vpsb_change_wordpress_errors' );
Now when someone incorrectly enters a Username, Email Address or Password, the login screen will display the message "The username or password is incorrect. Please consult your system administrator."
Note
You can change the WordPress Login Error Message in the code above to anything you would prefer simply by changing the return line. For example, if you wanted to change the message to "Something went wrong! Please consult your system administrator" you would change the code above to return 'Something went wrong! Please consult your system administrator';.
That’s it. You have now successfully removed the Lost Password Link from the WordPress login page, disabled the Lost Password URL and redirected back to the WordPress login screen and either hidden or changed the WordPress Login Error Message.
11 Comments for How to Remove Lost Password Link and Disable Password Reset in WordPress
Works fine. Thank you so much for taking the trouble to write and for sharing the tips.
Thanks great article
Hi Gulzar
Thanks for the feedback and glad you found the guide useful.
Kind Regards
VPSBasics
excellent contribution!!!
Hi Dario
Thanks for the feedback and glad you found the guide useful.
Kind Regards
VPSBasics
I tested a few code snippets and they didn’t work but this one did.
Thank You
Hi Manuel
We are glad this worked out for you. Thanks for the feedback.
Kind Regards
VPSBasics
Thank You for that clear tutorial. I really appreciate Your website.
TU,
MR
Hi Martin
Thank you for your feedback. We are very glad you found this guide useful.
Kind Regards
VPSBasics
Very nice tutorial. Useful and nice coded decision! Thanks!
Hi Ed
Thank you for your kind words, it is very much appreciated. Keep an eye out for more guides that we hope you will find just as useful.
Kind Regards
VPSBasics