: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in
* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
* @param string $key Hash to validate sending user's password.
* @param string $login The user login.
* @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys.
function check_password_reset_key( $key, $login ) {
$key = preg_replace( '/[^a-z0-9]/i', '', $key );
if ( empty( $key ) || ! is_string( $key ) ) {
return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
if ( empty( $login ) || ! is_string( $login ) ) {
return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
$user = get_user_by( 'login', $login );
return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
if ( empty( $wp_hasher ) ) {
require_once ABSPATH . WPINC . '/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true );
* Filters the expiration time of password reset keys.
* @param int $expiration The expiration time in seconds.
$expiration_duration = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS );
if ( str_contains( $user->user_activation_key, ':' ) ) {
list( $pass_request_time, $pass_key ) = explode( ':', $user->user_activation_key, 2 );
$expiration_time = $pass_request_time + $expiration_duration;
$pass_key = $user->user_activation_key;
$expiration_time = false;
return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
$hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key );
if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) {
} elseif ( $hash_is_correct && $expiration_time ) {
// Key has an expiration time that's passed.
return new WP_Error( 'expired_key', __( 'Invalid key.' ) );
if ( hash_equals( $user->user_activation_key, $key ) || ( $hash_is_correct && ! $expiration_time ) ) {
$return = new WP_Error( 'expired_key', __( 'Invalid key.' ) );
* Filters the return value of check_password_reset_key() when an
* @since 3.7.0 Previously plain-text keys were stored in the database.
* @since 4.3.0 Previously key hashes were stored without an expiration time.
* @param WP_Error $return A WP_Error object denoting an expired key.
* Return a WP_User object to validate the key.
* @param int $user_id The matched user ID.
return apply_filters( 'password_reset_key_expired', $return, $user_id );
return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
* Handles sending a password retrieval email to a user.
* @since 5.7.0 Added `$user_login` parameter.
* @global wpdb $wpdb WordPress database abstraction object.
* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
* @param string $user_login Optional. Username to send a password retrieval email for.
* Defaults to `$_POST['user_login']` if not set.
* @return true|WP_Error True when finished, WP_Error object on error.
function retrieve_password( $user_login = null ) {
$errors = new WP_Error();
// Use the passed $user_login if available, otherwise use $_POST['user_login'].
if ( ! $user_login && ! empty( $_POST['user_login'] ) ) {
$user_login = $_POST['user_login'];
$user_login = trim( wp_unslash( $user_login ) );
if ( empty( $user_login ) ) {
$errors->add( 'empty_username', __( '<strong>Error:</strong> Please enter a username or email address.' ) );
} elseif ( strpos( $user_login, '@' ) ) {
$user_data = get_user_by( 'email', $user_login );
if ( empty( $user_data ) ) {
$user_data = get_user_by( 'login', $user_login );
if ( empty( $user_data ) ) {
$errors->add( 'invalid_email', __( '<strong>Error:</strong> There is no account with that username or email address.' ) );
$user_data = get_user_by( 'login', $user_login );
* Filters the user data during a password reset request.
* Allows, for example, custom validation using data other than username or email address.
* @param WP_User|false $user_data WP_User object if found, false if the user does not exist.
* @param WP_Error $errors A WP_Error object containing any errors generated
* by using invalid credentials.
$user_data = apply_filters( 'lostpassword_user_data', $user_data, $errors );
* Fires before errors are returned from a password reset request.
* @since 4.4.0 Added the `$errors` parameter.
* @since 5.4.0 Added the `$user_data` parameter.
* @param WP_Error $errors A WP_Error object containing any errors generated
* by using invalid credentials.
* @param WP_User|false $user_data WP_User object if found, false if the user does not exist.
do_action( 'lostpassword_post', $errors, $user_data );
* Filters the errors encountered on a password reset request.
* The filtered WP_Error object may, for example, contain errors for an invalid
* username or email address. A WP_Error object should always be returned,
* but may or may not contain errors.
* If any errors are present in $errors, this will abort the password reset request.
* @param WP_Error $errors A WP_Error object containing any errors generated
* by using invalid credentials.
* @param WP_User|false $user_data WP_User object if found, false if the user does not exist.
$errors = apply_filters( 'lostpassword_errors', $errors, $user_data );
if ( $errors->has_errors() ) {
$errors->add( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) );
* Filters whether to send the retrieve password email.
* Return false to disable sending the email.
* @param bool $send Whether to send the email.
* @param string $user_login The username for the user.
* @param WP_User $user_data WP_User object.
if ( ! apply_filters( 'send_retrieve_password_email', true, $user_login, $user_data ) ) {
// Redefining user_login ensures we return the right case in the email.
$user_login = $user_data->user_login;
$user_email = $user_data->user_email;
$key = get_password_reset_key( $user_data );
if ( is_wp_error( $key ) ) {
// Localize password reset message content for user.
$locale = get_user_locale( $user_data );
$switched_locale = switch_to_user_locale( $user_data->ID );
$site_name = get_network()->site_name;
* The blogname option is escaped with esc_html on the way into the database
* in sanitize_option. We want to reverse this for the plain text arena of emails.
$site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
$message = __( 'Someone has requested a password reset for the following account:' ) . "\r\n\r\n";
/* translators: %s: Site name. */
$message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n";
/* translators: %s: User login. */
$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
$message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n";
$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
if ( ! is_user_logged_in() ) {
$requester_ip = $_SERVER['REMOTE_ADDR'];
/* translators: %s: IP address of password reset requester. */
__( 'This password reset request originated from the IP address %s.' ),
/* translators: Password reset notification email subject. %s: Site title. */
$title = sprintf( __( '[%s] Password Reset' ), $site_name );
* Filters the subject of the password reset email.
* @since 4.4.0 Added the `$user_login` and `$user_data` parameters.
* @param string $title Email subject.
* @param string $user_login The username for the user.
* @param WP_User $user_data WP_User object.
$title = apply_filters( 'retrieve_password_title', $title, $user_login, $user_data );
* Filters the message body of the password reset mail.
* If the filtered message is empty, the password reset email will not be sent.
* @since 4.1.0 Added `$user_login` and `$user_data` parameters.
* @param string $message Email message.
* @param string $key The activation key.
* @param string $user_login The username for the user.
* @param WP_User $user_data WP_User object.
$message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data );
// Short-circuit on falsey $message value for backwards compatibility.
* Wrap the single notification email arguments in an array
* to pass them to the retrieve_password_notification_email filter.
* Filters the contents of the reset password notification email sent to the user.
* @param array $defaults {
* The default notification email arguments. Used to build wp_mail().
* @type string $to The intended recipient - user email address.
* @type string $subject The subject of the email.
* @type string $message The body of the email.
* @type string $headers The headers of the email.
* @param string $key The activation key.
* @param string $user_login The username for the user.
* @param WP_User $user_data WP_User object.
$notification_email = apply_filters( 'retrieve_password_notification_email', $defaults, $key, $user_login, $user_data );
if ( $switched_locale ) {
restore_previous_locale();
if ( is_array( $notification_email ) ) {
// Force key order and merge defaults in case any value is missing in the filtered array.
$notification_email = array_merge( $defaults, $notification_email );
$notification_email = $defaults;
list( $to, $subject, $message, $headers ) = array_values( $notification_email );
$subject = wp_specialchars_decode( $subject );
if ( ! wp_mail( $to, $subject, $message, $headers ) ) {
'retrieve_password_email_failure',
/* translators: %s: Documentation URL. */
__( '<strong>Error:</strong> The email could not be sent. Your site may not be correctly configured to send emails. <a href="%s">Get support for resetting your password</a>.' ),
esc_url( __( 'https://wordpress.org/documentation/article/reset-your-password/' ) )
* Handles resetting the user's password.
* @param WP_User $user The user
* @param string $new_pass New password for the user in plaintext
function reset_password( $user, $new_pass ) {
* Fires before the user's password is reset.
* @param WP_User $user The user.
* @param string $new_pass New user password.
do_action( 'password_reset', $user, $new_pass );
wp_set_password( $new_pass, $user->ID );
update_user_meta( $user->ID, 'default_password_nag', false );
* Fires after the user's password is reset.
* @param WP_User $user The user.
* @param string $new_pass New user password.
do_action( 'after_password_reset', $user, $new_pass );
* Handles registering a new user.
* @param string $user_login User's username for logging in
* @param string $user_email User's email address to send password and add
* @return int|WP_Error Either user's ID or error on failure.
function register_new_user( $user_login, $user_email ) {
$errors = new WP_Error();
$sanitized_user_login = sanitize_user( $user_login );
* Filters the email address of a user being registered.
* @param string $user_email The email address of the new user.
$user_email = apply_filters( 'user_registration_email', $user_email );
if ( '' === $sanitized_user_login ) {
$errors->add( 'empty_username', __( '<strong>Error:</strong> Please enter a username.' ) );
} elseif ( ! validate_username( $user_login ) ) {
$errors->add( 'invalid_username', __( '<strong>Error:</strong> This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
$sanitized_user_login = '';
} elseif ( username_exists( $sanitized_user_login ) ) {
$errors->add( 'username_exists', __( '<strong>Error:</strong> This username is already registered. Please choose another one.' ) );
/** This filter is documented in wp-includes/user.php */
$illegal_user_logins = (array) apply_filters( 'illegal_user_logins', array() );
if ( in_array( strtolower( $sanitized_user_login ), array_map( 'strtolower', $illegal_user_logins ), true ) ) {
$errors->add( 'invalid_username', __( '<strong>Error:</strong> Sorry, that username is not allowed.' ) );
// Check the email address.
if ( '' === $user_email ) {
$errors->add( 'empty_email', __( '<strong>Error:</strong> Please type your email address.' ) );
} elseif ( ! is_email( $user_email ) ) {
$errors->add( 'invalid_email', __( '<strong>Error:</strong> The email address is not correct.' ) );
} elseif ( email_exists( $user_email ) ) {
/* translators: %s: Link to the login page. */
__( '<strong>Error:</strong> This email address is already registered. <a href="%s">Log in</a> with this address or choose another one.' ),
* Fires when submitting registration form data, before the user is created.
* @param string $sanitized_user_login The submitted username after being sanitized.
* @param string $user_email The submitted email.
* @param WP_Error $errors Contains any errors with submitted username and email,
* e.g., an empty field, an invalid username or email,
* or an existing username or email.
do_action( 'register_post', $sanitized_user_login, $user_email, $errors );
* Filters the errors encountered when a new user is being registered.
* The filtered WP_Error object may, for example, contain errors for an invalid
* or existing username or email address. A WP_Error object should always be returned,
* but may or may not contain errors.
* If any errors are present in $errors, this will abort the user's registration.
* @param WP_Error $errors A WP_Error object containing any errors encountered
* @param string $sanitized_user_login User's username after it has been sanitized.
* @param string $user_email User's email.
$errors = apply_filters( 'registration_errors', $errors, $sanitized_user_login, $user_email );
if ( $errors->has_errors() ) {
$user_pass = wp_generate_password( 12, false );
$user_id = wp_create_user( $sanitized_user_login, $user_pass, $user_email );
if ( ! $user_id || is_wp_error( $user_id ) ) {
/* translators: %s: Admin email address. */
__( '<strong>Error:</strong> Could not register you… please contact the <a href="mailto:%s">site admin</a>!' ),
get_option( 'admin_email' )
update_user_meta( $user_id, 'default_password_nag', true ); // Set up the password change nag.
if ( ! empty( $_COOKIE['wp_lang'] ) ) {
$wp_lang = sanitize_text_field( $_COOKIE['wp_lang'] );
if ( in_array( $wp_lang, get_available_languages(), true ) ) {
update_user_meta( $user_id, 'locale', $wp_lang ); // Set user locale if defined on registration.
* Fires after a new user registration has been recorded.
* @param int $user_id ID of the newly registered user.
do_action( 'register_new_user', $user_id );
* Initiates email notifications related to the creation of new users.
* Notifications are sent both to the site admin and to the newly created user.
* @since 4.6.0 Converted the `$notify` parameter to accept 'user' for sending
* notifications only to the user created.
* @param int $user_id ID of the newly created user.
* @param string $notify Optional. Type of notification that should happen. Accepts 'admin'
* or an empty string (admin only), 'user', or 'both' (admin and user).
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
