4

I've got a huge problem and can't find the solution. I've installed the Ultimate Member plugin and activated it.

When I now reset the password for a user, I get an email from my page with a reset link generated in the class-password.php file of the plugin, triggered by the UM function call um_user( 'password_reset_link' ), which triggers this function:

/**
 * Get Reset URL
 *
 * @return bool|string
 */
function reset_url() {
    $user_id = um_user( 'ID' );
    delete_option( "um_cache_userdata_{$user_id}" );
    //new reset password key via WP native field
    $user_data = get_userdata( $user_id );
    $key = get_password_reset_key( $user_data );
    $url =  add_query_arg( array( 'act' => 'reset_password', 'hash' => $key, 'user_id' => $user_id ), um_get_core_page( 'password-reset' ) );
    return $url;
}

To check the hash, I've added an error_log in the function get_password_reset_key located in the users.php file from WordPress to log the hashes generated for the key:

error_log( $hashed );

I've also added the same hasher into the email template from Ultimate Member and this was the result:

[23-Dec-2018 15:57:41 UTC] 1545580661:$P$BiLzjLuPDHwVtUlnLmEQE19D4UpgJf0
[23-Dec-2018 15:57:41 UTC] 1545580661:$P$BCAl/MTbiuCyqiix7310EOEn.eJlQz1
[23-Dec-2018 15:57:41 UTC] 1545580661:$P$BH0W.btK4hYFNDidKh.DA46KZhp5Ay.
[23-Dec-2018 15:57:41 UTC] Hash from mail: 1545580661:$P$BOzHQ9mIasqhbdYnkK0n.EXhGXBFyD0
[23-Dec-2018 15:57:41 UTC] 1545580661:$P$BGRg8guQBbhuNKdMCIDSweNUDKLG1v/

So as you can see there are 4 hashes generated by WordPress and the one generated from the returned key directly in the email.

When I now save the hash generated in the email into the users table value for the field user_activation_key and press the reset button, I'm able to change the password.

So why is the hash not generated correctly and how can I fix this? I mean I can change the function and generate a new hash and write it again into the database, but this can't be the solution.

Gufran Hasan
Mr. Jo

2 Answers

4

What fixed my issue with UM Password Reset stating "Invalid Key" was disabling any caching on my /password-reset page. Not sure if this would fix your issue, but in case anyone else comes here.

Corey
  • We had the same problem with the setup: WordPress, WooCommerce, WooCommerce Memberships, WPS Hide Login and the Sucuri Firewall/WAF. Disabling the cache on the firewall for the custom login page solved the problem. Thanks! – GerritElbrink Mar 24 '21 at 14:40
2

If anyone still has this problem, with or without the plugin, check the reset link in the email. In my example the link was

<https://mywebsite.com/wp-login.php?action=rp&key=XXsomehashXX&login=username>

The URL was generated with the character > at the end, and in a browser it looked like this:

https://mywebsite.com/wp-login.php?action=rp&key=XXsomehashXX&login=username%3E

All it took to fix this was to delete the %3E at the end of the URL, and the password reset form was functioning!

Boken
chromas
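The trailing `>` failure described in the answer above can be checked mechanically. The following Python sketch is an added example, not code from the answer, WordPress or Ultimate Member; the function names and the sample mail body are constructed for illustration, and it assumes a real login never ends in `>`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a plain-text mail body carrying the reset link inside
# <...> delimiters, in the form quoted in the answer above.
SAMPLE_BODY = (
    "To reset your password, visit the following address:\n"
    "<https://mywebsite.com/wp-login.php?action=rp&key=XXsomehashXX&login=username>\n"
)

def naive_autolink(body):
    """Mimic a client that links every non-space run after the scheme."""
    return re.findall(r"https?://\S+", body)

def delimited_links(body):
    """Treat <...> as delimiters, so the brackets stay out of the URL."""
    return re.findall(r"<(https?://[^<>\s]+)>", body)

def check_reset_link(url):
    """Return the problems found in the key and login query parameters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    for name in ("key", "login"):
        values = query.get(name, [])
        if len(values) != 1:
            problems.append(f"{name}: expected one value, got {len(values)}")
        elif values[0].endswith(">"):
            # parse_qs has already decoded %3E to '>', so both forms land here.
            problems.append(f"{name}: trailing '>' from the mail delimiters")
    return problems

def repair(url):
    """Strip a trailing '>' or '%3E' that was swallowed into the link."""
    return re.sub(r"(?:>|%3[Ee])+$", "", url)

if __name__ == "__main__":
    for link in naive_autolink(SAMPLE_BODY) + delimited_links(SAMPLE_BODY):
        print(link, check_reset_link(link) or "ok")
```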