Fixing WooCommerce password reset problems

There’s a mind-boggling number of ways for the "lost your password" feature of WooCommerce to break, so I compiled a list of fixes. There are several steps in the reset process, so just skip to the one that’s causing problems:



Recognizing other plugins overriding the login URL

If the page says "Lost your password?" at the top, it’s probably the WooCommerce version. If it doesn’t, another plugin might be overriding WooCommerce. That’s not necessarily a bad thing, but if anything breaks later in the password reset process, it’s worth checking two things that might be preventing WooCommerce’s login page from coming up:

1) Is WooCommerce’s password reset page disabled?

Check that you’re on the default WooCommerce settings to make sure WooCommerce isn’t disabling its special account management page in favor of the version provided by WordPress or another plugin.

2) Is another plugin overriding the lost password URL setting?

It’s easiest to identify the offending plugin if you’re comfortable with PHP: on a default install, a var_dump($wp_filter['lostpassword_url']); will have wc_lostpassword_url as the only hook. If you’re not comfortable with PHP, try temporarily disabling the plugins/services in the common-conflicts section to see if the WooCommerce login page is restored.

Page can’t be found (404) error

To fix this, first look at the URL that the browser is trying to bring up:

Is the URL something other than www.yourstore.com/my-account/lost-password?

If so, the lost password page has probably been changed from WooCommerce’s default. To find the source of the change:

  1. Does the URL contain the word "trashed"? This suggests that your My account page (or a custom page that WooCommerce is set to use) has been thrown in the trash. You can try restoring it from the WordPress admin Pages area under the Trash link. If you don’t see the link, or the page doesn’t show up in the list, you can follow the steps in the ensuring the My Account page section.
  2. Does the URL contain a page_id parameter (when your normal pages don’t)? Similar to point #1 above, WooCommerce may be configured to use a page for its My account page setting that isn’t published yet. Editing the page and hitting Publish will probably solve this problem.
  3. Does the URL start with a valid page URL for your site? Similar to the above points, the page at that URL may be set to private or password-protected. Changing the page visibility will probably fix this issue.
  4. Is the URL missing the my-account part (e.g. www.yourstore.com/lost-password)? This is usually due to the WooCommerce my account page being completely deleted. Just follow the last step in the ensuring the My Account page section to recreate it.
  5. Is the domain name (www.yourstore.com part of the URL) incorrect? That’s often a sign there’s a hard-coded link somewhere. To find and fix this, check the contents of the page/menu the link is on, or in the settings for your theme or any plugins that customize URLs.
  6. Is the /my-account/lost-password part of the URL translated into another language? Check for translation/localization plugins that might be localizing URLs. It’s also possible a caching plugin or service is incorrectly caching localized pages for all users. To troubleshoot that, see the caching section.
  7. Otherwise: check the above section to see if another plugin might be changing the password reset URL, and the WooCommerce settings section to see if the default URL has been changed.

If the URL in the browser looks correct:

Check for plugins and services in the common-conflicts section that might be interfering with the page loading, particularly login customizers, translation/localization (especially WooCommerce Multilingual) plugins, caching plugins/services, and URL-rewriters.

A login page comes up instead of the reset form

Check for security/anti-spam/CAPTCHA plugins that might be erroneously trying to protect the page, and try disabling them or altering the settings until the reset form is fixed. WPBruiser is one example that has caused this problem.


Problems on step #2, the page for entering the username/email:


Blank/empty password reset page

The most common cause of this problem is the WooCommerce My account page setting being set to a page that doesn’t have the correct shortcode. See the ensuring a valid My Account page section for details on fixing that.

If the URL for the page is something other than www.yourstore.com/my-account/lost-password, check this section to see if another plugin might be incorrectly providing its own page content.

If the URL looks correct, you may want to check for plugin conflicts:

  • iThemes Security: it’s worth trying to turn off these filter options in System Tweaks to see if the problem is fixed:
    • Suspicious Query Strings
    • Non-English Characters
    • Long URL Strings
  • Security plugins in general (such as iThemes Security or WordFence) may be worth disabling entirely for a moment to see if the problem is fixed.
  • Caching plugins or caching services can be temporarily disabled to see if the problem is fixed. If they are the source of the problem, setting them to exclude URLs starting with /my-account/ from caching should fix the problem. See the caching section for more details.
  • If none of these help, trying to temporarily disable all the plugin types in the commonly-conflicting plugins list may reveal the cause of the problem.

Page looping/reloading when submitted

If the page just reloads without any messages when submitted, it’s very likely that some kind of caching plugin/service is causing the problem. So the first step is to review the caching section.

If that doesn’t work, I’d suggest looking into security plugins and services next, ensuring they’re set to exclude the /my-account/ path from any protection that might interfere with forms being submitted to your site, or user accounts being changed.

After that, I’d suggest temporarily disabling any login-customizing or CAPTCHA plugins to see if they’re the source of the problem. They may be overriding or trying to protect the WooCommerce account management pages.

If you find specific plugin/service settings that fix this problem for you, please let me know in the comments so I can add them to the page.

“Invalid username or email” error message

First, the obvious: is the username or e-mail correct (no unusual characters/whitespace, accidental character substitutions, etc.)? Is it a login to a different site, or to an account on WordPress.org or WordPress.com instead of your site?

Second, do you have security plugins like iThemes Security or WordFence enabled? They may be trying to intercept password resets perceived as invalid.

Third, are you running Multisite, and using a username/email that’s not local to this site? That can cause this error message.

“Password reset is not allowed for this user” error message

This error can have several causes:

1) Are you using Multisite?

If Multisite has labeled the user as spammy, they’ll get this error. I’m not sure if there’s a GUI or plugin way to see if the user is considered spammy, but if you have access to your database (through phpMyAdmin or similar), see if the spam column on wp_users is set to something other than 0 for the user you’re testing with.

2) Do you use the Manage Notification Emails plugin?

Under the WordPress admin, open Settings > Notification emails, make sure the Password forgotten e-mail to user check box is checked. You probably also want the Password change notification to user and Password forgotten e-mail to administrator check boxes checked.

3) Do you use No CAPTCHA reCAPTCHA for WooCommerce?

If you’re on version 1.2.4 or older, try updating to the latest version. If that doesn’t work, it still might be worth temporarily disabling the plugin to see if the problem goes away.

4) Other causes

If you’re comfortable with PHP, a var_dump($wp_filter['allow_password_reset']); may reveal a hook for a plugin that’s denying access to reset the password. With a plain WooCommerce-only install, there shouldn’t be any hooks on this.

If you’re not comfortable with PHP, try disabling plugins one by one to see if any of them are the culprit, particularly security, single sign-on, and login customization plugins.

“The e-mail could not be sent. Possible reason: your host may have disabled the mail() function” error message

This is a problem that can usually be fixed on your host’s end, but I’d suggest switching to a dedicated SMTP provider as mentioned in WooCommerce support. This will usually help the delivery of all your store’s email, including reducing how often it ends up in people’s junk/spam folders.

However, if you’d just like to fix the error message, here are a few suggestions. You can either apply these yourself if you have access, or send them to your host if they’re initially unable to solve the problem for you:

  • On any platform:
    • Check that php.ini doesn’t include mail in disable_functions.
    • Check that a mail program is specified in php.ini’s sendmail_path, and is installed and configured correctly.
    • Make sure there isn’t an entry in the hosts file that’s directing mail for the domain to the local server instead of doing an actual DNS lookup for the MX records, and that the mail server is configured for "remote" delivery.
    • Check that the SMTP port isn’t blocked on the server’s firewall or the host’s network.
  • On cPanel: try adding the sender email address to Trusted mail users.
  • On SELinux: try running setsebool -P httpd_can_sendmail=1

Problems on step #3, the reset email:


Reset email not sending

First, double-check that the mail isn’t turned off in the WooCommerce settings: in the WordPress admin, open WooCommerce, Settings, Emails, and click Manage next to Reset password. Make sure Enable this email notification is checked.

Second, it’s worth identifying where in the chain the mail-sending failed:

  1. Did the password reset page display its success message ("Password reset email has been sent")? If it just shows the initial form again, check the section about the page looping.
  2. Did WordPress successfully pass off the email for delivery? You can check this with the WP Mail Logging plugin. If it doesn’t show any mail in its log after you trigger a password reset, check the commonly-conflicting plugins section for things that might be interfering, particularly security and login-customization plugins.
  3. Is any email (user registration, contact forms, etc.) from your site being sent? If not, you may need to contact the host to see if they’ve disabled outgoing mail or are firewalling it.
  4. If none of the above steps seem to apply in your case, the mail might be being blocked as junk/spam even if it doesn’t end up in the recipient’s junk/spam folder. To troubleshoot that, continue reading the next section.

Reset email in junk/spam folder

You can try creating a test account on your store using an address provided by the Mail Tester site. It will tell you of problems it finds with mail sent to it, including specific suggestions for keeping your mail out of junk/spam folders.

If you get a low score with Mail Tester, and you haven’t specifically configured an SMTP service in your WordPress install, doing so will usually help a lot. You can either use a dedicated SMTP provider (usually free if you don’t send a lot of email), or use an SMTP plugin like WP Mail SMTP to connect your site to an existing mail server (like Gmail). In either case, make sure the mail provider is configured under the same domain name you have set for the email on WooCommerce, Settings, Emails, "From" address.

You can also manually check common spam blocklists to see if your mail server is on them and contest any entries if so.

There are some additional steps to optimizing email deliverability that I’ll write about in the future.

Incorrect text/formatting

To fix the text or formatting of the reset email, I’d suggest checking three common sources of problems:

  1. Make sure there are no mail-customizing plugins you’ve forgotten about that might be interfering.
  2. Make sure there are no localization/translation plugins that might be interfering.
  3. Check whether there have been any customizations of the email template files. If you find customizations, open the customized files and check whether they’re the source of the incorrect text or formatting.


Page can’t be found (404) error

Does the URL in the email look like WooCommerce’s default yourstore.com/my-account/lost-password/?key=SomeRandomAlphanumericCharacters&id=123 format? If not:

  • Are there any email-customizing plugins installed? You may want to check their settings or temporarily disable them to see if they’re altering the link.
  • Have the WooCommerce emails been customized? You can check the email overrides section, and if the password reset file has been customized, check whether the URL has been properly constructed and escaped.

Even if the URL looks like it’s in the correct format, try temporarily disabling security and caching plugins/services to see if they’re protecting or misinterpreting the password recovery page.

“This key is invalid or has already been used” error message

  1. Plugin bugs: check for outdated versions of WP User Frontend (pre v3.1.1) and No CAPTCHA reCAPTCHA (pre v1.2.2) and update them to the latest version.
  2. Outdated/duplicate email: is the email old or sent multiple times? This error can be caused by opening a link from an email after there’s been a more-recent reset attempt, or if the email has expired. That expiration is 24 hours by default, but it might be changed to a lower setting by other plugins. If you’re comfortable with PHP, you can check for plugins changing the expiration by doing a var_dump on password_reset_expiration.
  3. Broken link formatting: if the URL in the email includes an &amp; instead of an &, check the above section for email customizations.

This is a default error provided by the WordPress reset system rather than the WooCommerce one. It suggests that the WooCommerce lost-password system isn’t being used. If that’s not an intentional choice on your part, see the first section. If it is an intentional choice, check for login-customizing plugins (particularly Theme My Login), CAPTCHA plugins, and caching plugins/services. Temporarily disabling those may reveal the source of the problem.

This is another default error provided by the WordPress reset system rather than the WooCommerce one. It suggests that the WooCommerce lost-password system isn’t being used. If that’s not an intentional choice on your part, see the first section. If it is an intentional choice, and you’re comfortable with PHP, try doing a var_dump($wp_filter['password_reset_expiration']); to check for plugins that are changing the reset expiration to too short a time.
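The var_dump() checks mentioned above for lostpassword_url, allow_password_reset and password_reset_expiration can be combined into one script that also reports which file defines each callback, which usually identifies the plugin. This is an added example, not code from the original post or from WooCommerce; the file name reset-hooks.php and the function describe_callback() are hypothetical, and it assumes WP-CLI is available so it can be run with wp eval-file from the WordPress root.

```php
<?php
/**
 * Added example (not from the original post): list every callback attached to
 * the password-reset hooks discussed on this page, with the file that defines
 * each one, so the plugin responsible is easy to spot.
 *
 * Assumed usage: save as reset-hooks.php (hypothetical name) and run
 *   wp eval-file reset-hooks.php
 * so that WordPress and all active plugins are loaded first.
 */

// Turn any PHP callable into "name (file:line)" using reflection.
function describe_callback( $callback ) {
	try {
		if ( is_string( $callback ) && strpos( $callback, '::' ) !== false ) {
			$callback = explode( '::', $callback, 2 ); // "Class::method" form
		}
		if ( is_array( $callback ) ) {
			$ref   = new ReflectionMethod( $callback[0], $callback[1] );
			$class = is_object( $callback[0] ) ? get_class( $callback[0] ) : $callback[0];
			$name  = $class . '::' . $callback[1];
		} elseif ( $callback instanceof Closure || is_string( $callback ) ) {
			$ref  = new ReflectionFunction( $callback );
			$name = is_string( $callback ) ? $callback : '{closure}';
		} else { // invokable object
			$ref  = new ReflectionMethod( $callback, '__invoke' );
			$name = get_class( $callback ) . '::__invoke';
		}
		$file = $ref->getFileName();
		return sprintf( '%s (%s:%d)', $name, $file ? $file : 'internal', $ref->getStartLine() );
	} catch ( ReflectionException $e ) {
		return 'unresolvable callback';
	}
}

global $wp_filter; // wp eval-file runs this file inside a function scope

$hooks = array( 'lostpassword_url', 'allow_password_reset', 'password_reset_expiration' );

foreach ( $hooks as $hook ) {
	echo "== {$hook} ==\n";
	if ( empty( $wp_filter[ $hook ] ) ) {
		echo "  (no callbacks)\n";
		continue;
	}
	// WP_Hook::$callbacks is keyed by priority, then by a unique callback id.
	foreach ( $wp_filter[ $hook ]->callbacks as $priority => $callbacks ) {
		foreach ( $callbacks as $entry ) {
			printf( "  priority %d: %s\n", $priority, describe_callback( $entry['function'] ) );
		}
	}
}
// Per the page: on a default install, lostpassword_url lists only
// wc_lostpassword_url, and allow_password_reset has no callbacks at all.
```

Any callback whose file path sits under wp-content/plugins/ names the plugin directory to investigate.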

Stuck in a loop: the lost password reset page just shows back up

Fixing this usually involves one of three causes:

1. Caching: this problem is most commonly caused by caching plugins/services, so see the caching section if you’re using any.

2. Cookies: this problem can also occur if cookies aren’t provided, specifically one starting with wp-resetpass. That can inadvertently happen if a caching service (including the one used with WP Engine) is caching the same page without regarding that cookie, so it’s worth reviewing the caching section first. After that, check whether any security software or plugins might be blocking that cookie or protecting the reset page. Finally, check whether the browser settings, browser add-ons, or desktop security/privacy software might be blocking cookies for your site.

3. Broken URLs: in the URL in the email, the end should look similar to key=iBj6pgVn7Rj48Xtv6MO6&id=123. The key should only have alphanumeric characters, no special characters or spaces. The "&" should be just that, not "&amp;". The id should be numeric. If any of those things are not true, check if there have been any customizations to the WooCommerce email templates, plugins that might modify the login process (like security or login-changing plugins), or the use of SendGrid’s click-tracking (this can be turned off in your SendGrid account under Settings, Tracking, Click Tracking).
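The link checks described in point 3 can be scripted and run against a URL copied from the raw source of the email. This is an added example, not code from the original post; check_reset_link() is a hypothetical helper, the sample URLs are constructed, and the host comparison is an extra check that goes slightly beyond the list above to catch click-tracking rewrites and hard-coded domains.

```php
<?php
// Added example, not from the original post.

/**
 * Check a reset link copied from the raw email source against the format
 * described above. $store_host is the hostname the link is expected to use.
 * Returns a list of problems; an empty list means the link looks well-formed.
 */
function check_reset_link( string $url, string $store_host ): array {
	$problems = array();

	// An HTML-escaped ampersand splits the query string in the wrong place.
	if ( preg_match( '/&(amp|#0*38);/i', $url ) ) {
		$problems[] = 'ampersand is HTML-escaped; check email template overrides';
	}

	// Click tracking and hard-coded links show up as an unexpected host.
	$host = parse_url( $url, PHP_URL_HOST );
	if ( ! is_string( $host ) || strcasecmp( $host, $store_host ) !== 0 ) {
		$problems[] = 'host is not ' . $store_host . '; check click tracking or hard-coded links';
	}

	$params = array();
	parse_str( (string) parse_url( $url, PHP_URL_QUERY ), $params );

	// The key must be present and purely alphanumeric.
	$key = $params['key'] ?? null;
	if ( ! is_string( $key ) || ! ctype_alnum( $key ) ) {
		$problems[] = 'key is missing or contains non-alphanumeric characters';
	}

	// The id must be present and purely numeric.
	$id = $params['id'] ?? null;
	if ( ! is_string( $id ) || ! ctype_digit( $id ) ) {
		$problems[] = 'id is missing or not numeric';
	}

	return $problems;
}

// Constructed sample links: well-formed, HTML-escaped, and rewritten by a tracker.
$samples = array(
	'https://www.yourstore.com/my-account/lost-password/?key=iBj6pgVn7Rj48Xtv6MO6&id=123',
	'https://www.yourstore.com/my-account/lost-password/?key=iBj6pgVn7Rj48Xtv6MO6&amp;id=123',
	'https://tracking.example.net/ls/click?upn=constructed-sample-value',
);

foreach ( $samples as $url ) {
	$problems = check_reset_link( $url, 'www.yourstore.com' );
	echo $url . "\n";
	echo $problems ? '  - ' . implode( "\n  - ", $problems ) . "\n" : "  OK\n";
}
```

Run it with php on the command line; it needs no WordPress install, only the link as it appears in the message source rather than as rendered by the mail client.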

The “My Account” page comes up in place of the reset page

This is probably due to you already being logged into an account when the reset link is opened. Try doing the reset process in an incognito/private-browsing window so that the site will treat you as a “new” visitor who isn’t logged in.

General troubleshooting:


Commonly-conflicting plugins/services

These types of plugins/services commonly conflict with WooCommerce’s account management:

  • Login customizers (LoginPress, Theme My Login, Login With Ajax, Custom Login Page Customizer, etc.)
  • Login-securing/CAPTCHA plugins (Loginizer, Login No Captcha reCAPTCHA, etc.)
  • WooCommerce My Account page customizers (YITH Customize My Account Page, Custom My Account, etc.)
  • General security plugins (Wordfence, iThemes Security, etc.)
  • Caching plugins (WP Super Cache, W3 Total Cache, etc.)
  • Caching services on your host (Varnish, Squid, etc.)
  • External caching/CDN services (Cloudflare, CloudFront, etc.)
  • Localization/text-customizing plugins (Loco Translate, WooCommerce Multilingual, WPML, etc.)
  • URL rewriting/redirecting plugins (Redirection, Simple 301 Redirects, etc.)
  • URL rewriting in your web server (Apache .htaccess RewriteRules, NGINX return/rewrite directives, etc.)

If you find a plugin/service at fault, they’ll often have a setting you can disable for more compatibility with WooCommerce, such as excluding URLs that start with /my-account/. They may also have updates available to fix WooCommerce compatibility if you’re not on the latest version. If they don’t, you may have to contact their support.

Don’t let caching break your store

The most frequent cause of password reset problems (and a lot of other WooCommerce problems!) is caching plugins and services that aren’t aware of the way WooCommerce needs its pages handled.

To troubleshoot this, I’d suggest two steps:

Step 1) Identify which caching plugin/service is causing problems

I’d suggest temporarily disabling all of the following, and if the problem goes away, enable them one-by-one until the problem returns:

  • Caching plugins (WP Super Cache, W3 Total Cache, etc.)
  • Caching services on your host (hosts like Flywheel, Cloudways, SiteGround, and WP Engine provide a caching layer, often powered behind the scenes by Varnish, NGINX, or Squid)
  • External caching/CDN/security services (Cloudflare, CloudFront, MaxCDN, Fastly, Akamai, Sucuri, etc.)

Step 2) Configuring the offending plugin/service to avoid caching

The goal is to exclude URLs that start with the following paths (I’m including ones that are useful to exclude for other WooCommerce features):

  • /my-account/
  • /cart
  • /checkout
  • /addons
  • /?add-to-cart
  • /?wc-api

Doing so will vary based on the plugin/service being used, but here’s a few links for specific plugins/services:

  • WP Total Cache
  • Varnish
  • WP Engine (the writeup doesn’t currently describe all of the necessary exclusions to fix password-reset problems, but it’s a good starting point before contacting their support with the list of URLs above)
  • Cloudflare’s cache exclusions are done using their page rules, but be aware the free plan only allows 3 rules.

The default WooCommerce account management settings

To make sure WooCommerce’s account management settings haven’t been accidentally changed, open the WordPress admin and click WooCommerce, Settings, Advanced. Check both of the following settings; either one can cause a different lost password page to appear:

  1. Under Page setup, make sure the My account page drop down has a page selected. By default it’s set to the WooCommerce My account page. If it’s set to a custom page (or if you’ve customized the default page), make sure everything in the next section is correct.
  2. Under Account endpoints, make sure the Lost password field has a value (the default is lost-password). If it’s blank, the default WordPress password reset (or one provided by another plugin) will be used.

Ensuring a valid My Account page

In the WordPress admin, the page under WooCommerce, Settings, Advanced, My account page needs to meet several criteria to work properly:

  1. It needs to exist. If the drop down just says "Select a page…", it needs to be set to a page. Either select the default My account page, or recreate it (see #3 below)
  2. It needs to be public, not scheduled for the future, and not in the trash. From the WordPress admin, select the Pages section. The My account page (or your custom version) needs to be in the Published section, not in the Scheduled or Trash section. If it’s scheduled, change the date to a date in the past, and if it’s in the trash, click the Restore button underneath it.
  3. It needs to include the [woocommerce_my_account] shortcode in the page content. You can either enter that directly in a non-Gutenberg post, or in a Shortcode block in a Gutenberg post. If you’ve created a fresh page to do that, make sure to assign it to the My account page in the WooCommerce settings. You can also have WooCommerce recreate its default pages by going to the WordPress admin and clicking WooCommerce > Status > Tools > Create default WooCommerce pages.

Email override gotchas

To check whether WooCommerce’s emails have been overridden, go to the WordPress admin, WooCommerce, Status, scroll down to Templates, and look at the Overrides field. If it’s empty, nothing’s been changed/overridden. But if customer-reset-password.php is in the list, the reset password email template has been overridden, possibly with contents that are causing your problem. You can either edit that file to fix the problem, or if it’s listed as "out of date", you can try updating it.
