Using WordPress ‘lostpassword_user_data’ PHP filter

The lostpassword_user_data WordPress PHP Filter allows you to apply custom validation or modify user data during a password reset request, using data other than the username or email address.

Usage

add_filter('lostpassword_user_data', 'my_lostpassword_user_data', 10, 2);

function my_lostpassword_user_data($user_data, $errors) {
    // your custom code here
    return $user_data;
}

Parameters

  • $user_data (WP_User|false): WP_User object if found, false if the user does not exist.
  • $errors (WP_Error): A WP_Error object containing any errors generated by using invalid credentials.

More information

See WordPress Developer Resources: lostpassword_user_data

Examples

Validate user by custom field

add_filter('lostpassword_user_data', 'validate_user_by_custom_field', 10, 2);

function validate_user_by_custom_field($user_data, $errors) {
    // Check if user has a custom field 'account_status' set to 'active'
    if ($user_data && get_user_meta($user_data->ID, 'account_status', true) !== 'active') {
        $errors->add('inactive_account', __('Your account is not active.'));
        return false;
    }
    return $user_data;
}

Log password reset attempts

add_filter('lostpassword_user_data', 'log_password_reset_attempts', 10, 2);

function log_password_reset_attempts($user_data, $errors) {
    // Log password reset attempt, whether successful or not
    if ($user_data) {
        update_user_meta($user_data->ID, 'last_password_reset_attempt', current_time('mysql'));
    }
    return $user_data;
}

Add custom error for non-existent user

add_filter('lostpassword_user_data', 'custom_error_for_non_existent_user', 10, 2);

function custom_error_for_non_existent_user($user_data, $errors) {
    // Add custom error message for non-existent users
    if (!$user_data) {
        $errors->add('user_not_found', __('We could not find a user with that email address.'));
    }
    return $user_data;
}

Restrict password reset for specific roles

add_filter('lostpassword_user_data', 'restrict_password_reset_for_roles', 10, 2);

function restrict_password_reset_for_roles($user_data, $errors) {
    // Restrict password reset for users with the 'administrator' role
    if ($user_data && in_array('administrator', $user_data->roles)) {
        $errors->add('admin_reset_not_allowed', __('Password reset is not allowed for administrators.'));
        return false;
    }
    return $user_data;
}

Notify admin about successful password reset attempts

add_filter('lostpassword_user_data', 'notify_admin_about_password_reset', 10, 2);
function notify_admin_about_password_reset($user_data, $errors) {
    // Send notification to the admin about successful password reset requests
    if ($user_data) {
        $admin_email = get_option('admin_email');
        $subject = 'User Password Reset';
        $message = 'A password reset request has been made for user: ' . $user_data->user_login;
        wp_mail($admin_email, $subject, $message);
    }
    return $user_data;
}