I have a WordPress multisite. One of the sites has two users: me and the end user.
There are multiple password reset attempts for the end user, not initiated by him.
I block the IP in the firewall of the hosting server, but the attempts keep coming from different IPs.
Every time this happens the end user gets an e-mail, and he’s concerned about security.
So, I want to completely disable password recovery. Googling this returns a lot of how-tos, but for some reason, none of them work on my system.
What I tried:
- Installing (and activating network-wide) the plugin Disable Password Reset by H3llas. Result: nothing changed. Password reset still works.
- Installing Plainview Protect Passwords, blocking password reset for all users. Result: nothing changed. Password reset still works.
- Editing functions.php of the child-theme of the site of the end user with below code:

```php
// Refuse every password reset request.
function disable_password_reset() {
    return false;
}
add_filter( 'allow_password_reset', 'disable_password_reset' );

// Blank out the "Lost your password?" link text on the login form.
function remove_lostpassword_text( $text ) {
    if ( $text == 'Lost your password?' ) {
        $text = '';
    }
    return $text;
}
add_filter( 'gettext', 'remove_lostpassword_text' );
```

  Result: nothing changed. Password reset still works.
- Editing functions.php with above code for the child-theme of the main site. Result: nothing changed. Password reset still works.
After each step I cleared the cache of WP Super Cache and my browser.
Any idea why none of these seem to work on my site?
Answers:
Method 1
Since this is a multisite you’ll have to put the disable password filter in a mu-plugin. Create a file in wp-content/mu-plugins with:
```php
<?php
add_filter( 'allow_password_reset', '__return_false' );
```
That should completely disable password recovery. It will affect all sites, not just that one customer’s: if that’s not what you intended you’ll have to add logic here to restrict it to that one user e.g. by name, or by checking for permissions / roles on that customer’s site, or by a flag in user meta.
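The per-user restriction mentioned above, as an added example that is not part of the original answer: a mu-plugin that refuses resets only for accounts carrying a user-meta flag, and logs each refused attempt. The file name, the `prl_` prefix and the meta key `prl_disable_password_reset` are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Selective password reset lockout (added example)
 *
 * Save as wp-content/mu-plugins/selective-reset-lockout.php (hypothetical
 * file name). Files placed directly in mu-plugins load on every site of
 * the network without activation.
 */

// Hypothetical meta key: set it to '1' on accounts whose password must not
// be resettable through the "Lost your password?" flow.
const PRL_META_KEY = 'prl_disable_password_reset';

// The filter passes the current decision and the ID of the target user.
add_filter( 'allow_password_reset', 'prl_allow_password_reset', 10, 2 );

function prl_allow_password_reset( $allow, $user_id ) {
    // Keep an earlier refusal (false or WP_Error) from core or another plugin.
    if ( ! $allow || is_wp_error( $allow ) ) {
        return $allow;
    }

    // User meta is stored network-wide, so the flag applies on every site.
    if ( '1' === get_user_meta( (int) $user_id, PRL_META_KEY, true ) ) {
        // Record the refused attempt so repeated requests stay visible in the log.
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'Password reset refused for user %d from %s', $user_id, $ip ) );
        return false;
    }

    return $allow;
}
```

With WP-CLI available, the flag can be set with `wp user meta update <user> prl_disable_password_reset 1`; an administrator can still change the flagged account's password from the user edit screen.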
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.