WordPress Update Causing Password Reset Emails

A “Notice of password change” email is sent every time a user profile is updated from wp-admin. As we all know, the latest WordPress update, 4.3, included work to improve security and how WordPress deals with new passwords and password resets. If you're viewing a user profile from the admin panel, you used to see something similar to this:

[Image: Password]

In the image above, if you had a password stored in your browser, you would see the dots from auto-complete. Even though auto-complete was set to “off” in the input code, some browsers ignore it completely. This was generally overlooked as a problem because you could actually see the form fields: you could see the dots, and you would remove them before updating someone’s profile.

In WordPress 4.3, however, they have added a strong password generator, hidden behind a button as shown below:

[Image: gen1]

Once the “generate password” button is clicked, you are instantly presented with a new, “long” secure password:

[Image: gen2]

The problem with this is that, even if you do not click the “generate password” button, your browser’s auto-complete password is still hiding behind it, entered into the password field exactly as it used to be. As a result, whenever the “Update User” button is clicked, the password of the profile being updated is reset and the user is sent a “Notice of password change” email. Of course, they then try to log in and can’t, because the password has been reset. If you run a busy membership site with user roles, this becomes a big problem rather fast.

The Solution / Fix

We’ve come up with a quick fix, and we’ll explain why it works. Most browsers insert an auto-complete password into the first available input field of its kind and leave any remaining password fields free. So what we’ve done is hook into a part of the profile page above the current password blocks and insert a blank/hidden password input field.

This effectively catches the auto-complete, allowing the real password field to function normally. Simply paste the code below into your theme’s functions.php and it should resolve the problem.

//add field to contact info
function modify_contact_methods($profile_fields) {
?>

After adding the code above, you should see a bigger than normal gap below the contact info, as seen below, and your problem should be solved.

[Image: hidden]

It's not the tidiest fix, or indeed a long-term solution, but when you have a membership site churning out 300 password resets in the space of a couple of hours, finding a "quick fix" which doesn't cause any other conflicts is certainly a relief. Hopefully this helps someone else as it did us.
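
A fuller take on the decoy-field idea described above, as an added example rather than the author's original snippet (which is cut off on this page). It goes one step beyond the post by also discarding an unconfirmed password server-side, so an autofilled value cannot reset the account even if a browser skips the decoy. It assumes WordPress core's `personal_options` and `user_profile_update_errors` hooks; the `acme_` function names, the `acme_confirm_pass_change` field and the markup are hypothetical.

```php
<?php
// Added example, not the author's snippet. The acme_ names, the
// "acme_confirm_pass_change" field and the markup are hypothetical.

// 1. Decoy: print a password input in the first settings table of the profile
//    screen, above the real password fields. It has no name attribute, so
//    whatever the browser autofills into it is never submitted with the form.
//    Assumption (from the post): the browser fills the first password field.
function acme_autofill_decoy_row( $profileuser ) {
    ?>
    <tr>
        <th scope="row">Password change</th>
        <td>
            <input type="password" tabindex="-1" aria-hidden="true"
                   style="position:absolute; left:-9999px;" />
            <label>
                <input type="checkbox" name="acme_confirm_pass_change" value="1" />
                I intend to change this user's password
            </label>
        </td>
    </tr>
    <?php
}
add_action( 'personal_options', 'acme_autofill_decoy_row' );

// 2. Server-side guard: this action fires inside edit_user() after the
//    submitted password has been copied onto $user and before the user is
//    saved. Dropping user_pass here leaves the stored password untouched,
//    so no password change happens and no notice email is triggered.
function acme_ignore_unconfirmed_password( $errors, $update, $user ) {
    if ( $update && empty( $_POST['acme_confirm_pass_change'] ) ) {
        unset( $user->user_pass );
    }
}
add_action( 'user_profile_update_errors', 'acme_ignore_unconfirmed_password', 10, 3 );
```

With this in place, a deliberate password change from the profile screen requires ticking the checkbox first; the nonce check for the form has already run by the time the guard fires.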