Disabling Password Change for Non-Administrators in WordPress

In some scenarios, you might want to restrict certain user roles from changing their passwords. This could be for security reasons or to maintain control over user credentials. Below, we’ll describe a function that disables password changes and resets for all users except administrators, followed by a step-by-step guide on how to implement it in your WordPress site.

Function Description and Usage Scenario

Function Description:

The provided code consists of three main functions:

disable_password_change:

  • This function checks if the current user is not an administrator. If true, it hides the password fields in the user profile. Login is unaffected: WordPress attaches wp_authenticate_username_password to the authenticate filter, not to wp_authenticate_user, so that callback stays in place.

disable_password_reset:

  • This function checks if the user attempting to reset their password is not an administrator. If true, it disallows the password reset.

disable_password_change_notices:

  • This function displays a notice in the admin area informing users that the password change is disabled for non-administrators.

Usage Scenario:

This setup is useful in scenarios where you want to ensure that only administrators have control over user credentials. For example:

  • In a corporate environment where IT administrators manage user accounts.
  • In membership sites where you want to enforce strong password policies centrally.
  • In educational institutions where student accounts are managed by administrators.

Installation

Follow these steps to implement the functionality on your WordPress site:

Open the functions.php file:

  • Navigate to your WordPress theme directory (usually found in wp-content/themes/your-theme-name/).
  • Open the functions.php file in a text editor or through the WordPress admin dashboard under Appearance > Theme Editor.

Insert the code:

  • Copy and paste the following code at the end of the functions.php file:
<?php // Leave this opening tag out if functions.php is already in PHP mode.

// Function to disable password change for all users except administrators
function disable_password_change() {
    // Check if the current user is not an administrator
    if ( ! current_user_can( 'administrator' ) ) {
        // The login callback wp_authenticate_username_password (registered on the
        // 'authenticate' filter) is left in place so users can still log in.
        // Hide the password fields in the user profile
        add_filter( 'show_password_fields', '__return_false' );
    }
}

// Hook the function to the admin_init action to affect the admin area
add_action( 'admin_init', 'disable_password_change' );
// Hook the function to the init action to affect the frontend
add_action( 'init', 'disable_password_change' );

// Function to disable password reset for all users except administrators
function disable_password_reset( $allow, $user_id ) {
    // Check if the user is not an administrator
    if ( ! user_can( $user_id, 'administrator' ) ) {
        // Disallow password reset
        return false;
    }
    // Allow password reset for administrators
    return $allow;
}

// Filter to disable password reset
add_filter( 'allow_password_reset', 'disable_password_reset', 10, 2 );

// Function to display a notice in the admin area that password change is disabled
function disable_password_change_notices() {
    // Check if the current user is not an administrator
    if ( ! current_user_can( 'administrator' ) ) {
        // Display the notice
        echo '<div class="notice notice-error"><p>Password change is disabled.</p></div>';
    }
}

// Hook the function to display the notice in the admin area
add_action( 'admin_notices', 'disable_password_change_notices' );

Save the changes:

  • After inserting the code, save the functions.php file.
  • If using the Theme Editor, click the Update File button.

Test the functionality:

  • Log in to your WordPress site with a non-administrator account and navigate to the user profile page. You should no longer see the password fields.
  • Try resetting the password from the login page as a non-administrator. The password reset should be disallowed.
  • Log in as an administrator to ensure administrators can still change passwords and reset them if needed.
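
The show_password_fields filter only controls whether the profile form renders the password fields; the profile save handler and the REST users endpoint still accept a password value sent in the request. The following is an added example, not part of the original snippet, that enforces the restriction on the server side. The two function names are hypothetical, and it reuses the page's current_user_can( 'administrator' ) check.

```php
<?php // Leave this opening tag out if the file is already in PHP mode.

// Added example: the function names below are hypothetical.

// Reject a password change submitted with a profile update by a non-administrator.
// edit_user() fires this action just before saving; adding an error aborts the save.
function enforce_no_password_change_on_profile( $errors, $update, $user ) {
    if ( $update && ! empty( $user->user_pass ) && ! current_user_can( 'administrator' ) ) {
        $errors->add( 'password_change_disabled', 'Password change is disabled.' );
    }
}
add_action( 'user_profile_update_errors', 'enforce_no_password_change_on_profile', 10, 3 );

// Drop the password from REST API user writes (/wp/v2/users) made by non-administrators.
// The filter receives the prepared user object before it is passed on for saving.
function enforce_no_password_change_via_rest( $prepared_user, $request ) {
    if ( isset( $prepared_user->user_pass ) && ! current_user_can( 'administrator' ) ) {
        unset( $prepared_user->user_pass );
    }
    return $prepared_user;
}
add_filter( 'rest_pre_insert_user', 'enforce_no_password_change_via_rest', 10, 2 );
```

Code paths that set passwords directly, such as a plugin or WP-CLI calling wp_set_password(), are not covered by these two hooks.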

By following these steps, you will successfully restrict password changes and resets to administrators only, enhancing the security and control over user accounts on your WordPress site.
