Guide for Site Administrators
This guide explains the password reset functionality included in the Members Only plugin, from the perspective of a site administrator using this plugin.
How Password Reset Works for Your Members
When your site members forget their password, they can use the built-in password reset system to securely regain access to their accounts. Here’s a typical flow:
- Initiation:
  - On your site’s login forms (provided by the Login Form block and the Stripe Checkout block), members will find a “Forgot Password?” link.
  - If they have an existing account, the option to reset their password will appear after they enter their email address.
- Email Verification & Code Delivery:
  - The member enters their email address.
  - The system sends a 6-digit, time-sensitive (expires in 30 minutes) reset code to their email address.
  - Security Note: To prevent malicious users from discovering who has an account on your site (user enumeration), the on-screen message is the same whether the member’s email exists in the system or not. A code is only sent if the email matches an existing account.
- Code Entry & New Password Creation:
  - The member retrieves the code from their email.
  - They enter the 6-digit code into your site and the system validates the code.
  - The member enters their new password.
  - The system has built-in password complexity rules (requiring a minimum length and a mix of character types such as uppercase, lowercase, numbers, and special characters) to encourage strong passwords.
- Access Restored:
  - If the code is correct and the new password meets the complexity requirements, the member’s password is updated and they are automatically logged into their account.
Key Features & Security Measures (What You Should Know)
The password reset system is designed with security and reliability in mind:
- Secure Codes: Reset codes are cryptographically random and expire after 30 minutes. Requesting a new code will invalidate any previously issued active code for that member.
- Attempt Limits: There are limits on how many times a member can try to enter a reset code (5 attempts per code) before that specific code is invalidated.
- Rate Limiting: To prevent abuse and brute-force attacks:
  - Requesting New Codes: Members cannot repeatedly request new codes. There’s a progressive cooldown period (starting at 1 minute, then 5 minutes, then 15 minutes) if they try to request codes too frequently. This user-specific limit resets after 24 hours of no attempts, or when they successfully reset their password or log in.
  - General API Access: The underlying API used for password resets has broader IP-based rate limiting to protect against automated attacks targeting the reset functionality.
- User Enumeration Protection: As mentioned, the system does not reveal whether an email address is registered on your site during the initial step of a password reset request.
- Password Complexity: Your members are guided to create strong passwords.
- Automatic Login: After a successful password reset, members are automatically logged in for a seamless experience.
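The code lifecycle described above (cryptographically random 6-digit codes, 30-minute expiry, 5 attempts per code, invalidation on reissue, and the 1/5/15-minute progressive cooldown) can be modelled in a few dozen lines. The following is an added, stand-alone Python model written for this guide; it is not the plugin’s own code, it keeps state in memory rather than in WordPress, and it assumes the cooldown applies to every re-request and that a code is single-use once accepted.

```python
import hmac
import secrets

CODE_TTL = 30 * 60           # codes expire after 30 minutes
MAX_ATTEMPTS = 5             # 5 guesses per code, then the code is void
COOLDOWNS = [60, 300, 900]   # progressive re-request cooldown: 1, 5, 15 minutes
COOLDOWN_RESET = 24 * 3600   # the cooldown ladder clears after 24 h without requests


class ResetState:
    """Per-member reset state (a constructed in-memory model, not the plugin's storage)."""

    def __init__(self):
        self.code = None          # active code, or None when no live code exists
        self.issued_at = None
        self.attempts = 0
        self.request_count = 0    # position on the cooldown ladder
        self.last_request = None


def request_code(state, now):
    """Issue a fresh code, or return (None, seconds_to_wait) while cooling down."""
    if state.last_request is not None and now - state.last_request >= COOLDOWN_RESET:
        state.request_count = 0
    if state.request_count > 0:
        wait = COOLDOWNS[min(state.request_count, len(COOLDOWNS)) - 1]
        elapsed = now - state.last_request
        if elapsed < wait:
            return None, wait - elapsed
    # secrets, not random: the code must be unpredictable. Reissuing also
    # invalidates any earlier active code and resets its attempt counter.
    state.code = f"{secrets.randbelow(10 ** 6):06d}"
    state.issued_at = now
    state.attempts = 0
    state.request_count += 1
    state.last_request = now
    return state.code, 0


def verify_code(state, submitted, now):
    """True only for a live, unexhausted, matching code; every other path fails closed."""
    if state.code is None or now - state.issued_at > CODE_TTL:
        state.code = None                      # expired codes are discarded
        return False
    state.attempts += 1
    ok = hmac.compare_digest(state.code.encode(), str(submitted).encode())
    if ok or state.attempts >= MAX_ATTEMPTS:
        state.code = None                      # single use, or exhausted after 5 tries
    if ok:
        state.request_count = 0                # a successful reset clears the cooldown ladder
    return ok
```

The constant-time comparison and the fail-closed branches are the parts worth checking in any real implementation; the member-facing message should stay identical on every failure path.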
Configuration & Customization
- Email Appearance: The password reset emails use your site’s name (from WordPress General Settings) and the admin email (also from General Settings) in the “From” header. The email content itself is a standard template designed for clarity.
- Functionality: The core password reset logic is built-in and operates automatically. There are generally no specific settings you need to configure for the password reset flow itself to function.
- Troubleshooting (for your members): If your members report issues:
  - Advise them to check their spam/junk mail folders for the reset email.
  - Remind them that codes expire in 30 minutes.
  - Ensure they are using the correct email address associated with their account on your site.
This password reset system aims to provide a secure and user-friendly experience for your site members, requiring minimal intervention from site administrators.