Passwords and resets

MemberMode adds a member-friendly password-reset flow that doesn’t dump people into /wp-login.php?action=lostpassword. Members trigger a reset from the front-end login form and reset their password on a normal page on your site.

The flow

  1. A member clicks Forgot password? on the MemberMode login page (/login/).
  2. They enter their email or username on /password-reset/.
  3. MemberMode generates a secure single-use token, stores it server-side with a short expiry, and emails a reset link to the address on file.
  4. The member clicks the link, lands on /password-reset/?token=…, picks a new password, and is signed in.

Two of those URLs (/login/, /password-reset/) are auto-created by MemberMode on activation. If you delete one, MemberMode won’t silently recreate it; create a new page and add the matching shortcode.

The email that goes out

If the Email Branding module is on, the reset email is sent through the same branded HTML template as your other transactional emails — with your logo, primary colour, and a single CTA button.

If Email Branding is off, the reset email falls back to the WordPress core plain-text version. Members still get the link; it just looks like every other generic WP reset email.

Token expiry

Reset tokens are single-use and expire after a short window (defaults to 60 minutes). After expiry the link returns “This password reset link has expired” and the member starts again. Tokens are also invalidated automatically the moment a new one is requested for the same account.
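
The token rules above (single use, a 60-minute default expiry, replacement when a new link is requested) sketched in plain PHP as an added example. This is not MemberMode's code: the class name, the in-memory array, and keeping only a SHA-256 hash of the token are assumptions.

```php
<?php
// Added example, not MemberMode's code. ResetTokenStore and its in-memory
// array are hypothetical stand-ins for whatever storage the plugin uses.
final class ResetTokenStore
{
    private const TTL = 3600; // 60 minutes, the default stated above

    /** @var array<string, array{user: int, expires: int}> keyed by token hash */
    private array $slots = [];

    // Issue a token for an account. Any earlier token for the same account
    // is dropped first, so requesting a new link invalidates the old one.
    public function issue(int $userId, int $now): string
    {
        $this->slots = array_filter($this->slots, fn($s) => $s['user'] !== $userId);
        $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
        // Assumption: only a hash is stored, so a leaked table holds no usable links.
        $this->slots[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + self::TTL];
        return $token; // appears only in the emailed link
    }

    // Returns 'ok', 'expired' or 'invalid'. A token that is found is deleted
    // whatever the outcome, which is what makes it single-use.
    public function consume(string $token, int $now): string
    {
        $key  = hash('sha256', $token);
        $slot = $this->slots[$key] ?? null;
        unset($this->slots[$key]);
        if ($slot === null) {
            return 'invalid';
        }
        return $now > $slot['expires'] ? 'expired' : 'ok';
    }
}

// Constructed walk-through with a fixed clock (all values are sample data).
$store  = new ResetTokenStore();
$t0     = 1700000000;
$first  = $store->issue(42, $t0);
$second = $store->issue(42, $t0 + 60); // the member asks for another link
echo "first link, after a second was requested: ", $store->consume($first, $t0 + 120), "\n";
echo "second link, first use: ", $store->consume($second, $t0 + 120), "\n";
echo "second link, used again: ", $store->consume($second, $t0 + 130), "\n";
$late = $store->issue(42, $t0);
echo "link opened after 61 minutes: ", $store->consume($late, $t0 + 3660), "\n";
```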

What gets logged

  • Successful resets are logged to the WP user record (last_password_change), so you can spot recent changes from wp-admin → Users.
  • Failed reset attempts are silently ignored from the member’s view (no “user not found” leak), but the request is rate-limited to discourage enumeration.

Manually resetting from wp-admin

For accounts where the member has lost both password and email access, an admin can:

  1. Edit the user from wp-admin → Users → Edit user.
  2. Click Send password reset link at the bottom of the profile.

This sends the same branded reset email to the address on file.

Pro

Free covers the standard reset flow, branded email, and token expiry. MemberMode Pro adds a password-strength meter on the reset form, a show/hide-password toggle, and an email-change confirmation step (changing your account email requires confirming both the old and new address).