$user_login = sanitize_text_field( $_GET['user_login'] );
if ( username_exists( $user_login ) || email_exists($user_login) ) { ?>
<!--Everything has been validated, proceed ....-->
<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title></title>
<script type="text/javascript">
function submit()
{
var f = document.getElementById('lostpasswordform');
f.onclick = function () { };
document.lostpasswordform.submit();
}
</script>
</head>
<body onload="submit()">
<form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post">
<input type="hidden" name="user_login" id="user_login" class="input" value="<?php echo ($user_login); ?>" />
<?php do_action('lost_password'); ?>
</form>
</body>
</html>
<?php
echo "SUCCESS";
exit();
} else {
echo "Entered Username or Email was incorrect, please try again!";
}
...一切似乎都正确,但是从应用程序调用时它不起作用,但是如果我手动访问
domain.com/forgot-password?user_login=username
,它会可以很好地发送重置密码电子邮件。#1 楼
因此,如果您要发送重置密码链接并且可以访问代码库,则可以使用以下代码段,然后可以对其进行进一步修改。实际上,这段代码是对wp-login.php
/**
* Handles sending password retrieval email to user.
*
* @uses $wpdb WordPress Database object
* @param string $user_login User Login or Email
* @return bool true on success false on error
*/
function retrieve_password($user_login) {
global $wpdb, $current_site;
if ( empty( $user_login) ) {
return false;
} else if ( strpos( $user_login, '@' ) ) {
$user_data = get_user_by( 'email', trim( $user_login ) );
if ( empty( $user_data ) )
return false;
} else {
$login = trim($user_login);
$user_data = get_user_by('login', $login);
}
do_action('lostpassword_post');
if ( !$user_data ) return false;
// redefining user_login ensures we return the right case in the email
$user_login = $user_data->user_login;
$user_email = $user_data->user_email;
do_action('retreive_password', $user_login); // Misspelled and deprecated
do_action('retrieve_password', $user_login);
$allow = apply_filters('allow_password_reset', true, $user_data->ID);
if ( ! $allow )
return false;
else if ( is_wp_error($allow) )
return false;
$key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
if ( empty($key) ) {
// Generate something random for a key...
$key = wp_generate_password(20, false);
do_action('retrieve_password_key', $user_login, $key);
// Now insert the new md5 key into the db
$wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
}
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= network_home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
if ( is_multisite() )
$blogname = $GLOBALS['current_site']->site_name;
else
// The blogname option is escaped with esc_html on the way into the database in sanitize_option
// we want to reverse this for the plain text arena of emails.
$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
$title = sprintf( __('[%s] Password Reset'), $blogname );
$title = apply_filters('retrieve_password_title', $title);
$message = apply_filters('retrieve_password_message', $message, $key);
if ( $message && !wp_mail($user_email, $title, $message) )
wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') );
return true;
}
$user_login = sanitize_text_field( $_GET['user_login'] );
if (retrieve_password($user_login)) {
echo "SUCCESS";
} else {
echo "ERROR";
}
的略微修改。
评论
这对我来说并不正确。我已经将其输入到自定义插件中并将其放到我的网站上,但是这导致了一个问题,当我安装该插件然后单击“注销”时,它不会使我退出该网站。有什么想法吗?
– MxmastaMills
13-10-11在8:04
#2 楼
先前的答案对我不起作用(在wp登录页面上,该代码无效),可能是因为答案已使用1.5年,并且WP代码有所更改,所以我对此代码进行了一些更新(也来自wp-login.php),则为:function retrieve_password($user_login){
global $wpdb, $wp_hasher;
$user_login = sanitize_text_field($user_login);
if ( empty( $user_login) ) {
return false;
} else if ( strpos( $user_login, '@' ) ) {
$user_data = get_user_by( 'email', trim( $user_login ) );
if ( empty( $user_data ) )
return false;
} else {
$login = trim($user_login);
$user_data = get_user_by('login', $login);
}
do_action('lostpassword_post');
if ( !$user_data ) return false;
// redefining user_login ensures we return the right case in the email
$user_login = $user_data->user_login;
$user_email = $user_data->user_email;
do_action('retreive_password', $user_login); // Misspelled and deprecated
do_action('retrieve_password', $user_login);
$allow = apply_filters('allow_password_reset', true, $user_data->ID);
if ( ! $allow )
return false;
else if ( is_wp_error($allow) )
return false;
$key = wp_generate_password( 20, false );
do_action( 'retrieve_password_key', $user_login, $key );
if ( empty( $wp_hasher ) ) {
require_once ABSPATH . 'wp-includes/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true );
}
$hashed = $wp_hasher->HashPassword( $key );
$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= network_home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
if ( is_multisite() )
$blogname = $GLOBALS['current_site']->site_name;
else
$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
$title = sprintf( __('[%s] Password Reset'), $blogname );
$title = apply_filters('retrieve_password_title', $title);
$message = apply_filters('retrieve_password_message', $message, $key);
if ( $message && !wp_mail($user_email, $title, $message) )
wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') );
echo '<p>Link for password reset has been emailed to you. Please check your email.</p>';;
}
评论
这为我解决了。接受的3.8.1答案无效,并以过期密钥结尾。具体来说,在$ key中处理和更新user_activation_key。
–罗里斯
2014年3月27日在21:27
这个答案也导致我的链接过期,无法正常工作。
–carbide20
17年5月5日在16:57
#3 楼
上面的答案都不适合我,因此我调查了wp-login.php的默认重置功能。他们使用了get_password_reset_key($ userData)函数。如果有人坚持上述答案,这是我的解决方案:- $userData = get_userdata($user_id);
$user_login = $userData->user_login;
$user_email = $userData->user_email;
$key = get_password_reset_key( $userData );
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= network_home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login');
评论
很好的答案,自2020年10月起生效。
– jla
20-10-21在5:40
这是真正的解决方案。
–mrwpress
20-10-24在1:38
#4 楼
我注意到将WordPress升级到版本4.3后,以上内容不再适用于我的自定义插件。它将始终报告密钥无效。更改:
$hashed = $wp_hasher->HashPassword( $key );
到
$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
此问题已为我解决,希望对其他人有所帮助
#5 楼
WordPress 4.3.1function retrieve_password($user_login){
global $wpdb, $wp_hasher;
$user_login = sanitize_text_field($user_login);
if ( empty( $user_login) ) {
return false;
} else if ( strpos( $user_login, '@' ) ) {
$user_data = get_user_by( 'email', trim( $user_login ) );
if ( empty( $user_data ) )
return false;
} else {
$login = trim($user_login);
$user_data = get_user_by('login', $login);
}
do_action('lostpassword_post');
if ( !$user_data ) return false;
// redefining user_login ensures we return the right case in the email
$user_login = $user_data->user_login;
$user_email = $user_data->user_email;
do_action('retreive_password', $user_login); // Misspelled and deprecated
do_action('retrieve_password', $user_login);
$allow = apply_filters('allow_password_reset', true, $user_data->ID);
if ( ! $allow )
return false;
else if ( is_wp_error($allow) )
return false;
$key = wp_generate_password( 20, false );
do_action( 'retrieve_password_key', $user_login, $key );
if ( empty( $wp_hasher ) ) {
require_once ABSPATH . 'wp-includes/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true );
}
$hashed = $wp_hasher->HashPassword( $key );
$wpdb->update( $wpdb->users, array( 'user_activation_key' => time().":".$hashed ), array( 'user_login' => $user_login ) );
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= network_home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
if ( is_multisite() )
$blogname = $GLOBALS['current_site']->site_name;
else
$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
$title = sprintf( __('[%s] Password Reset'), $blogname );
$title = apply_filters('retrieve_password_title', $title);
$message = apply_filters('retrieve_password_message', $message, $key);
if ( $message && !wp_mail($user_email, $title, $message) )
wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') );
echo '<p>Link for password reset has been emailed to you. Please check your email.</p>';;
}
#6 楼
由于上述解决方案对我不起作用,因此我对bhavesh vala的代码进行了较小的更改。替换:
$key = wp_generate_password( 20, false );
这样做:
$key = get_password_reset_key( $user_data );
并且您不需要使用更新查询,因此删除以下查询:
$wpdb->update( $wpdb->users, array( 'user_activation_key' => time().":".$hashed ), array( 'user_login' => $user_login ) );
编码愉快!
#7 楼
试试这个$wpdb->update( $wpdb->users, array( 'user_activation_key' => $key ), array( 'user_login' => $user_login ) );
,而不是
$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
它对我有用(wordpress 4.3.1)
#8 楼
组合示例步骤1:
前端表单
<form id="form-password-reset" action="<?php echo wp_lostpassword_url(); ?>" method="post">
<?php wp_nonce_field( 'ajax-resetpassword-nonce', 'security' ); ?>
<div class="text-align-center margin-bottom-32">
<h3 class="h3">Reset Your Password</h3>
</div>
<div class="row">
<div class="col-12 col-md-4">
<div class="form-group">
<label for="auth-password-reset-email">Email</label>
<div class="form-input-wrapper">
<input type="email" class="form-input" id="auth-password-reset-email" name="email" placeholder="eg. name@domain.com">
</div>
</div>
<button type="submit" class="btn-solid btn-primary btn-block">
Submit</button>
<p class="form__error margin-top-16">
// TODO you can show the message here
</p>
</div>
<div class="col-12 col-md-4"></div>
</div>
</form>
Js处理ajax提交
$(form).on('submit', function (event) {
event.preventDefault(event)
const email = $(`#auth-password-reset-email`).val()
const security = $(`#security`).val()
const action = 'authResetPassword'
var has_error = false;
if (email.length <= 0) {
// TODO
has_error = true;
}
if (security.length <= 0) {
// TODO
has_error = true;
}
if (has_error == true) {
// TODO
return false
}
$.ajax({
type: 'POST',
dataType: 'json',
url: ajax.ajaxurl,
data: { action, email, security },
success: function (data) {
if (data.status) {
// TODO
}
if (!data.status) {
// TODO
}
}
})
return false;
})
服务器端到生成重置链接并触发电子邮件
try {
check_ajax_referer('ajax-resetpassword-nonce', 'security');
$response = [
"status" => false,
"error" => true,
"data" => "",
];
extract($_POST);
$user_email = sanitize_text_field($email);
$user = get_user_by( 'email', $user_email );
if( isset($user) && !empty($user) ) {
$user_id = $user->ID;
$user_info = get_userdata($user_id);
$unique = get_password_reset_key( $user_info );
$unique_url = network_site_url("wp-login.php?action=rp&key=$unique&login=" . rawurlencode($user_info->user_login), 'login');
$subject = "Reset Password Link";
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message = "<p>Hi ".ucfirst( $user_info->first_name ).",</p>";
$message .= network_home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_info->user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= $unique_url;
wp_mail( $user_email, $subject, $message ); // TODO
$response['data'] = [ "message" => __('Password reset link sent.'), 'reset_link' => $unique_url ];
wp_send_json($response);
}
$response['data'] = [ "message" => __('Email address not exists.') ];
wp_send_json($response);
} catch (Exception $e) {
wp_send_json([
"status" => false,
"error" => false,
"data" => ["message" => $e->getMessage() ]
]);
}
注意:显示您自己的自定义重置密码形式
add_action( 'login_form_lostpassword', 'redirect_to_custom_lostpassword' );
function redirect_to_custom_lostpassword() {
if ( 'GET' == $_SERVER['REQUEST_METHOD'] ) {
if ( is_user_logged_in() ) {
// TODO
exit;
}
wp_redirect( home_url( 'custom-password-lost' ) ); // TODO
exit;
}
}
评论
按应用程序,您的意思是插件不,应用-android
不起作用会发生什么?