{"id":121369,"date":"2020-05-09T09:25:13","date_gmt":"2020-05-09T09:25:13","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/rest-api-password-reset-with-code\/"},"modified":"2025-06-05T15:06:42","modified_gmt":"2025-06-05T15:06:42","slug":"bdvs-password-reset","status":"publish","type":"plugin","link":"https:\/\/sr.wordpress.org\/plugins\/bdvs-password-reset\/","author":13640130,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"0.0.17","stable_tag":"0.0.17","tested":"6.8.5","requires":"4.6","requires_php":"5.4","requires_plugins":null,"header_name":"REST API Password Reset with Code","header_author":"Be Devious Web Development","header_description":"Allow users to reset their password using a random 4 digit code via the REST API","assets_banners_color":"edebe7","last_updated":"2025-06-05 15:06:42","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/www.bedevious.co.uk\/","header_author_uri":"https:\/\/www.bedevious.co.uk\/","rating":5,"author_block_rating":0,"active_installs":1000,"downloads":18219,"num_ratings":10,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","faq","changelog"],"tags":{"0.0.10":{"tag":"0.0.10","author":"dominic_ks","date":"2021-03-01 15:50:23"},"0.0.11":{"tag":"0.0.11","author":"dominic_ks","date":"2021-03-01 15:56:08"},"0.0.12":{"tag":"0.0.12","author":"dominic_ks","date":"2021-03-15 18:11:56"},"0.0.13":{"tag":"0.0.13","author":"dominic_ks","date":"2021-03-15 18:25:29"},"0.0.14":{"tag":"0.0.14","author":"dominic_ks","date":"2022-04-07 11:50:18"},"0.0.15":{"tag":"0.0.15","author":"dominic_ks","date":"2023-01-06 21:53:11"},"0.0.16":{"tag":"0.0.16","author":"dominic_ks","date":"2023-08-22 22:13:05"},"0.0.17":{"tag":"0.0.17","author":"dominic_ks","date":"2025-06-05 15:06:42"},"0.0.2":{"tag":"0.0.2","author":"dominic_ks","date":"2020-05-09 
10:00:53"},"0.0.3":{"tag":"0.0.3","author":"dominic_ks","date":"2020-06-01 20:41:43"},"0.0.4":{"tag":"0.0.4","author":"dominic_ks","date":"2020-06-07 17:21:28"},"0.0.5":{"tag":"0.0.5","author":"dominic_ks","date":"2020-06-07 17:26:54"},"0.0.6":{"tag":"0.0.6","author":"dominic_ks","date":"2020-06-12 08:42:37"},"0.0.7":{"tag":"0.0.7","author":"dominic_ks","date":"2020-07-17 15:53:49"},"0.0.8":{"tag":"0.0.8","author":"dominic_ks","date":"2020-11-02 09:31:06"},"0.0.9":{"tag":"0.0.9","author":"dominic_ks","date":"2020-12-31 10:03:48"}},"upgrade_notice":{"0.0.17":"<ul>\n<li>switched to a cryptographically secure function to generate reset codes\n\n<ul>\n<li>updated compatibility to 6.8.1<\/li>\n<\/ul><\/li>\n<\/ul>","0.0.16":"<ul>\n<li>updated compatibility to 6.3\n\n<ul>\n<li>By default users with the administrator role are no longer able to reset their password using this plugin<\/li>\n<li>The default length of the code that is generated has been increased from 4 to 8 characters<\/li>\n<li>The default characters that are used to generate the code have been increased to include upper and lower case letters as well as special characters<\/li>\n<\/ul><\/li>\n<\/ul>","0.0.7":"<p>Security 
enhancements<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":10},"assets_icons":{"icon-128x128.jpg":{"filename":"icon-128x128.jpg","revision":2301474,"resolution":"128x128","location":"assets","locale":""}},"assets_banners":{"banner-1544x500-rtl.jpg":{"filename":"banner-1544x500-rtl.jpg","revision":2301474,"resolution":"1544x500","location":"assets","locale":""},"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":2301474,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250-rtl.jpg":{"filename":"banner-772x250-rtl.jpg","revision":2301474,"resolution":"772x250","location":"assets","locale":""},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":2301474,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.0.10","0.0.11","0.0.12","0.0.13","0.0.14","0.0.15","0.0.16","0.0.17","0.0.2","0.0.3","0.0.4","0.0.5","0.0.6","0.0.7","0.0.8","0.0.9"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[14860,2300],"plugin_category":[],"plugin_contributors":[185551,179649],"plugin_business_model":[],"class_list":["post-121369","plugin","type-plugin","status-publish","hentry","plugin_tags-password-reset","plugin_tags-wp-api","plugin_contributors-dominic_ks","plugin_contributors-wpamitkumar","plugin_committers-dominic_ks"],"banners":{"banner":"https:\/\/ps.w.org\/bdvs-password-reset\/assets\/banner-772x250.jpg?rev=2301474","banner_2x":"https:\/\/ps.w.org\/bdvs-password-reset\/assets\/banner-1544x500.jpg?rev=2301474","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/bdvs-password-reset\/assets\/icon-128x128.jpg?rev=2301474","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>A simple plugin that adds a password reset facility to the WordPress REST API using a code. 
The process is a two step process:<\/p>\n\n<ol>\n<li>User requests a password reset. A code is emailed to their registered email address<\/li>\n<li>The user enters the code when setting a new password, which is only set if the code is valid and has not expired<\/li>\n<\/ol>\n\n<p>It is also possible to check the validity of a code without resetting the password which enables the possibility of setting the password by other means, or having a two stage process for checking the code and resetting the password if desired.<\/p>\n\n<p>Default settings are to use an 8 character code consisting of numbers, upper and lower case letters and special characters, which has a life span of 15 minutes, after which a new code would need to be requested. By default a user can attempt to use or validate a code up to 3 times before it is automatically invalidated.<\/p>\n\n<h3>Endpoints<\/h3>\n\n<p>The plugin adds two new endpoints to the REST API:<\/p>\n\n<ul>\n<li><p>Endpoint: <em>\/wp-json\/bdpwr\/v1\/reset-password<\/em>\n-- HTTP Verb: POST\n-- Parameters (<strong>all required<\/strong>):\n--- email<\/p><\/li>\n<li><p><em>\/wp-json\/bdpwr\/v1\/set-password<\/em>\n-- HTTP Verb: POST\n-- Parameters (<strong>all required<\/strong>):\n--- email\n--- password\n--- code<\/p><\/li>\n<li><p><em>\/wp-json\/bdpwr\/v1\/validate-code<\/em>\n-- HTTP Verb: POST\n-- Parameters (<strong>all required<\/strong>):\n--- email\n--- code<\/p><\/li>\n<\/ul>\n\n<h3>Example Requests (jQuery)<\/h3>\n\n<h3>Reset Password<\/h3>\n\n<pre><code>$.ajax({\n  url: '\/wp-json\/bdpwr\/v1\/reset-password',\n  method: 'POST',\n  data: {\n    email: 'example@example.com',\n  },\n  success: function( response ) {\n    console.log( response );\n  },\n  error: function( response ) {\n    console.log( response );\n  },\n});\n<\/code><\/pre>\n\n<h3>Set New Password<\/h3>\n\n<pre><code>$.ajax({\n  url: '\/wp-json\/bdpwr\/v1\/set-password',\n  method: 'POST',\n  data: {\n    email: 'example@example.com',\n    code: '1234',\n    
password: 'Pa$$word1',\n  },\n  success: function( response ) {\n    console.log( response );\n  },\n  error: function( response ) {\n    console.log( response );\n  },\n});\n<\/code><\/pre>\n\n<h3>Validate Code<\/h3>\n\n<pre><code>$.ajax({\n  url: '\/wp-json\/bdpwr\/v1\/validate-code',\n  method: 'POST',\n  data: {\n    email: 'example@example.com',\n    code: '1234',\n  },\n  success: function( response ) {\n    console.log( response );\n  },\n  error: function( response ) {\n    console.log( response );\n  },\n});\n<\/code><\/pre>\n\n<h3>Example Success Responses (JSON)<\/h3>\n\n<h3>Reset Password<\/h3>\n\n<pre><code>{\n    \"data\": {\n        \"status\": 200\n    },\n    \"message\": \"A password reset email has been sent to your email address.\"\n}\n<\/code><\/pre>\n\n<h3>Set New Password<\/h3>\n\n<pre><code>{\n    \"data\": {\n        \"status\": 200\n    },\n    \"message\": \"Password reset successfully.\"\n}\n<\/code><\/pre>\n\n<h3>Validate Code<\/h3>\n\n<pre><code>{\n    \"data\": {\n        \"status\": 200\n    },\n    \"message\": \"The code supplied is valid.\"\n}\n<\/code><\/pre>\n\n<h3>Example Error Responses (JSON)<\/h3>\n\n<h3>Reset Password<\/h3>\n\n<pre><code>{\n    \"code\": \"bad_email\",\n    \"message\": \"No user found with this email address.\",\n    \"data\": {\n        \"status\": 500\n    }\n}\n<\/code><\/pre>\n\n<h3>Set New Password<\/h3>\n\n<pre><code>{\n    \"code\": \"bad_request\",\n    \"message\": \"You must request a password reset code before you try to set a new password.\",\n    \"data\": {\n        \"status\": 500\n    }\n}\n<\/code><\/pre>\n\n<h3>Validate Code<\/h3>\n\n<pre><code>{\n    \"code\": \"bad_request\",\n    \"message\": \"The reset code provided is not valid.\",\n    \"data\": {\n        \"status\": 500\n    }\n}\n<\/code><\/pre>\n\n<h3>Filters<\/h3>\n\n<p>A number of WordPress filters have been added to help customise the process, please feel free to request additional filters or submit a pull request with any 
that you require.<\/p>\n\n<p>Note that some headings and examples below appear to predate version 0.0.16: according to the changelog the default code is now 8 characters drawn from numbers, upper and lower case letters and special characters, and administrators are excluded by default. Returning a shorter length, a digits-only character set or -1 for the maximum attempts makes a reset code easier to guess before it expires.<\/p>\n\n<h3>Filter the length of the code<\/h3>\n\n<pre><code>add_filter( 'bdpwr_code_length' , function( $length ) {\n  return 4;\n}, 10 , 1 );\n<\/code><\/pre>\n\n<h3>Filter Expiration Time<\/h3>\n\n<pre><code>add_filter( 'bdpwr_code_expiration_seconds' , function( $seconds ) {\n  return 900;\n}, 10 , 1 );\n<\/code><\/pre>\n\n<h3>Filter the date format used by the plugin to display expiration times<\/h3>\n\n<pre><code>add_filter( 'bdpwd_date_format' , function( $format ) {\n  return 'H:i';\n}, 10 , 1 );\n<\/code><\/pre>\n\n<h3>Filter the reset email subject<\/h3>\n\n<pre><code>add_filter( 'bdpwr_code_email_subject' , function( $subject ) {\n  return 'Password Reset';\n}, 10 , 1 );\n<\/code><\/pre>\n\n<h3>Filter the email content<\/h3>\n\n<pre><code>add_filter( 'bdpwr_code_email_text' , function( $text , $email , $code , $expiry ) {\n  return $text;\n}, 10 , 4 );\n<\/code><\/pre>\n\n<h3>Filter maximum attempts allowed to use a reset code, default is 3, -1 for unlimited<\/h3>\n\n<pre><code>add_filter( 'bdpwr_max_attempts' , function( $attempts ) {\n  return 3;\n}, 10 , 4 );\n<\/code><\/pre>\n\n<h3>Filter whether to include upper and lowercase letters in the code as well as numbers, default is false<\/h3>\n\n<pre><code>add_filter( 'bdpwr_include_letters' , function( $include ) {\n  return false;\n}, 10 , 4 );\n<\/code><\/pre>\n\n<h3>Filter the characters to be used when generating a code, you can use any string you want, default is 0123456789<\/h3>\n\n<pre><code>add_filter( 'bdpwr_selection_string' , function( $string ) {\n  return '0123456789';\n}, 10 , 4 );\n<\/code><\/pre>\n\n<h3>Filter the WP roles allowed to reset their password with this plugin, default is any, example below shows removing administrators<\/h3>\n\n<pre><code>add_filter( 'bdpwr_allowed_roles' , function( $roles ) {\n\n  $key = array_search( 'administrator' , $roles );\n\n  if( $key !== false ) {\n    unset( $roles[ $key ] );\n  }\n\n  return $roles;\n\n}, 10 , 1 
);\n<\/code><\/pre>\n\n<h3>Filter to add custom namespace for REST API<\/h3>\n\n<pre><code>add_filter( 'bdpwr_route_namespace' , function( $route_namespace ) {\n  return 'xyz\/v1';\n}, 10 , 1 );\n<\/code><\/pre>\n\n<h3>Credits<\/h3>\n\n<ul>\n<li>Plugin icon \/ banner image by <a href=\"https:\/\/unsplash.com\/photos\/CWL6tTDN31w\">Sincerely Media<\/a><\/li>\n<\/ul>\n\n<!--section=faq-->\n<dl>\n<dt id='where%20do%20i%20report%20security%20bugs%20found%20in%20this%20plugin%3F'><h3>Where do I report security bugs found in this plugin?<\/h3><\/dt>\n<dd><p>Please report security bugs found in the source code of the bdvs-password-reset plugin through the Patchstack Vulnerability Disclosure Program. The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.\n<a href=\"https:\/\/patchstack.com\/database\/vdp\/bdvs-password-reset\">Report a security vulnerability.<\/a><\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>0.0.17<\/h4>\n\n<ul>\n<li>switched to a cryptographically secure function to generate reset codes<\/li>\n<li>updated compatibility to 6.5<\/li>\n<\/ul>\n\n<h4>0.0.16<\/h4>\n\n<ul>\n<li>updated compatibility to 6.3<\/li>\n<li>By default users with the administrator role are no longer able to reset their password using this plugin<\/li>\n<li>The default length of the code that is generated has been increased from 4 to 8 characters<\/li>\n<li>The default characters that are used to generate the code have been increased to include upper and lower case letters as well as special characters<\/li>\n<\/ul>\n\n<h4>0.0.15<\/h4>\n\n<ul>\n<li>updated compatibility to 6.1.1<\/li>\n<\/ul>\n\n<h4>0.0.14<\/h4>\n\n<ul>\n<li>updated compatibility to 5.9.3<\/li>\n<\/ul>\n\n<h4>0.0.13<\/h4>\n\n<ul>\n<li>updated to min version 4.6 to allow translations<\/li>\n<\/ul>\n\n<h4>0.0.12<\/h4>\n\n<ul>\n<li>resolved file include errors<\/li>\n<\/ul>\n\n<h4>0.0.11<\/h4>\n\n<ul>\n<li>resolved php 
warnings<\/li>\n<\/ul>\n\n<h4>0.0.10<\/h4>\n\n<ul>\n<li>relocated email send function<\/li>\n<li>added translation functions, should be translation ready! get in contact to get involved!<\/li>\n<\/ul>\n\n<h4>0.0.9<\/h4>\n\n<ul>\n<li>fixed invalid plugin header issue<\/li>\n<\/ul>\n\n<h4>0.0.8<\/h4>\n\n<ul>\n<li>fixed minor typos in docs<\/li>\n<li>added filter to use custom namespace<\/li>\n<li>fixed bug with time format filter<\/li>\n<\/ul>\n\n<h4>0.0.7<\/h4>\n\n<ul>\n<li>PLEASE READ: SOME DEFAULT BEHAVIOUR HAS CHANGED:<\/li>\n<li>Added maximum allowed failed attempts to validate a code before automatically expiring it, default has been set to 3<\/li>\n<li>Added filters to include letters as well as numbers in the reset code as well as allowing you to specify your own string<\/li>\n<li>Added filters to allow the exclusion of certain roles from being able to reset their password, e.g. if you want to exclude Administrators<\/li>\n<\/ul>\n\n<h4>0.0.6<\/h4>\n\n<ul>\n<li>Added support for WP versions earlier than 5.2.0 due to timezone function availability<\/li>\n<\/ul>\n\n<h4>0.0.5<\/h4>\n\n<ul>\n<li>Replaced missing api file<\/li>\n<\/ul>\n\n<h4>0.0.4<\/h4>\n\n<ul>\n<li>Added \/validate-code to allow checking a code's validity without actually resetting the password<\/li>\n<\/ul>\n\n<h4>0.0.3<\/h4>\n\n<ul>\n<li>Fixed bug causing 500 error where WordPress TimeZone was set to a manual UTC offset<\/li>\n<\/ul>","raw_excerpt":"A simple plugin that adds a password reset facility to the WordPress REST API using a code. 
The process is a two step process:","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/121369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=121369"}],"author":[{"embeddable":true,"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/dominic_ks"}],"wp:attachment":[{"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=121369"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=121369"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=121369"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=121369"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=121369"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/sr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=121369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}