There’s a mind-boggling number of ways for the “lost your password” feature of WooCommerce to break, so I compiled a list of fixes. There are several steps in the reset process, so just skip to the one that’s causing problems:
Problems on step #1, opening the “lost your password” link
Recognizing other plugins overriding the login URL
If the page says “Lost your password?” at the top, it’s probably the WooCommerce version. If it doesn’t, another plugin might be overriding WooCommerce. That’s not necessarily a bad thing, but if anything breaks later in the password reset process, it’s worth checking two things that might be preventing WooCommerce’s login page from coming up:
1) Is WooCommerce’s password reset page disabled?
Check that you’re on the default WooCommerce settings to make sure WooCommerce isn’t disabling its special account management page in favor of the version provided by WordPress or another plugin.
2) Is another plugin overriding the lost password URL setting?
It’s easiest to identify the offending plugin if you’re comfortable with PHP: on a default install, a var_dump($wp_filter['lostpassword_url']); will have wc_lostpassword_url as the only hook. If you’re not comfortable with PHP, try temporarily disabling the plugins/services in the common-conflicts section to see if the WooCommerce login page is restored.
Page can’t be found (404) error
To fix this, first look at the URL that the browser is trying to bring up:
Is the URL something other than
If so, the lost password page has probably been changed from WooCommerce’s default. To find the source of the change:
- Does the URL contain the word “trashed”? This suggests that your My account page (or a custom page that WooCommerce is set to use) has been thrown in the trash. You can try restoring it from the WordPress admin Pages area under the Trash link. If you don’t see the link, or the page doesn’t show up in the list, you can follow the steps in the ensuring the My Account page section.
- Does the URL contain a page_id parameter (when your normal pages don’t)? Similar to point #1 above, WooCommerce may be configured to use a page for its My account page setting that isn’t published yet. Editing the page and hitting Publish will probably solve this problem.
- Does the URL start with a valid page URL for your site? Similar to the above points, the page at that URL may be set to private or password-protected. Changing the page visibility will probably fix this issue.
- Is the URL missing the
www.yourstore.com/lost-password)? This is usually due to the WooCommerce my account page being completely deleted. Just follow the last step in the ensuring the My Account page section to recreate it.
- Is the domain name (www.yourstore.com part of the URL) incorrect? That’s often a sign there’s a hard-coded link somewhere. To find and fix this, check the contents of the page/menu the link is on, or in the settings for your theme or any plugins that customize URLs.
- Is the /my-account/lost-password part of the URL translated into another language? Check for translation/localization plugins that might be localizing URLs. It’s also possible a caching plugin or service is incorrectly caching localized pages for all users. To troubleshoot that, see the caching section.
- Otherwise: check the above section to see if another plugin might be changing the password reset URL, and the WooCommerce settings section to see if the default URL has been changed.
If the URL in the browser looks correct:
Check for plugins and services in the common-conflicts section that might be interfering with the page loading, particularly login customizers, translation/localization (especially WooCommerce Multilingual) plugins, caching plugins/services, and URL-rewriters.
A login page comes up instead of the reset form
Check for security/anti-spam/CAPTCHA plugins that might be erroneously trying to protect the page, and try disabling them or altering the settings until the reset form is fixed. WPBruiser is one example that has caused this problem.
Problems on step #2, the page for entering the username/email:
Blank/empty password reset page
The most common cause of this problem is the WooCommerce My account page setting being set to a page that doesn’t have the correct shortcode. See the ensuring a valid My Account page section for details on fixing that.
If the URL for the page is something other than www.yourstore.com/my-account/lost-password, check this section to see if another plugin might be incorrectly providing its own page content.
If the URL looks correct, you may want to check for plugin conflicts:
- iThemes Security: it’s worth trying to turn off these filter options in System Tweaks to see if the problem is fixed:
  - Suspicious Query Strings
  - Long URL Strings
- Security plugins in general (such as iThemes Security or WordFence) may be worth disabling entirely for a moment to see if the problem is fixed.
- Caching plugins or caching services can be temporarily disabled to see if the problem is fixed. If they are the source of the problem, setting them to exclude URLs starting with /my-account/ from caching should fix the problem. See the caching section for more details.
- If none of these help, trying to temporarily disable all the plugin types in the commonly-conflicting plugins list may reveal the cause of the problem.
Page looping/reloading when submitted
If the page just reloads without any messages when submitted, it’s very likely that some kind of caching plugin/service is causing the problem. So the first step is to review the caching section.
If that doesn’t work, I’d suggest looking into security plugins and services next, ensuring they’re set to exclude the /my-account/ path from any protection that might interfere with forms being submitted to your site, or user accounts being changed.
After that, I’d suggest temporarily disabling any login-customizing or CAPTCHA plugins to see if they’re the source of the problem. They may be overriding or trying to protect the WooCommerce account management pages.
If you find specific plugin/service settings that fix this problem for you, please let me know in the comments so I can add them to the page.
“Invalid username or email” error message
First, the obvious: is the username or e-mail correct (no unusual characters/whitespace, accidental character substitutions, etc.)? Is it a login to a different site, or to an account on WordPress.org or WordPress.com instead of your site?
Second, do you have security plugins like iThemes Security or WordFence enabled? They may be trying to intercept password resets perceived as invalid.
Third, are you running Multisite, and using a username/email that’s not local to this site? That can cause this error message.
“Password reset is not allowed for this user” error message
This error can have several causes:
1) Are you using Multisite?
If Multisite has labeled the user as spammy, they’ll get this error. I’m not sure if there’s a GUI or plugin way to see if the user is considered spammy, but if you have access to your database (through phpMyAdmin or similar), see if the spam column on wp_users is set to something other than 0 for the user you’re testing with.
2) Do you use the Manage Notification Emails plugin?
Under the WordPress admin, open Notification emails, make sure the Password forgotten e-mail to user check box is checked. You probably also want the Password change notification to user and Password forgotten e-mail to administrator check boxes checked.
3) Do you use No CAPTCHA reCAPTCHA for WooCommerce?
If you’re on version 1.2.4 or older, try updating to the latest version. If that doesn’t work, it still might be worth temporarily disabling the plugin to see if the problem goes away.
4) Other causes
If you’re comfortable with PHP, a var_dump($wp_filter['allow_password_reset']); may reveal a hook for a plugin that’s denying access to reset the password. With a plain WooCommerce-only install, there shouldn’t be any hooks on this.
If you’re not comfortable with PHP, try disabling plugins one by one to see if any of them are the culprit, particularly security, single sign-on, and login customization plugins.
“The e-mail could not be sent. Possible reason: your host may have disabled the mail() function” error message
This is a problem that can usually be fixed on your host’s end, but I’d suggest switching to a dedicated SMTP provider as mentioned in WooCommerce support. This will usually help the delivery of all your store’s email, including reducing how often it ends up in people’s junk/spam folders.
However, if you’d just like to fix the error message, here are a few suggestions. You can either apply these yourself if you have access, or send them to your host if they’re initially unable to solve the problem for you:
- On any platform:
  - Check that php.ini doesn’t include
  - Check that a mail program is specified in php.ini’s sendmail_path, and is installed and configured correctly.
  - Make sure there isn’t an entry in the hosts file that’s directing mail for the domain to the local server instead of doing an actual DNS lookup for the MX records, and that the mail server is configured for “remote” delivery.
  - Check that the SMTP port isn’t blocked on the server’s firewall or the host’s network.
- On cPanel: try adding the sender email address to Trusted mail users.
- On SELinux: try running setsebool -P httpd_can_sendmail=1
Problems on step #3, the reset email:
Reset email not sending
First, double-check that the mail isn’t turned off in the WooCommerce settings: in the WordPress admin, open Emails, and click Manage next to Reset password. Make sure Enable this email notification is checked.
Second, it’s worth identifying where in the chain the mail-sending failed:
- Did the password reset page display its success message (“Password reset email has been sent”)? If it just shows the initial form again, check the section about the page looping.
- Did WordPress successfully pass off the email for delivery? You can check this with the WP Mail Logging plugin. If it doesn’t show any mail in its log after you trigger a password reset, check the commonly-conflicting plugins section for things that might be interfering, particularly security and login-customization plugins.
- Is any email (user registration, contact forms, etc.) from your site being sent? If not, you may need to contact the host to see if they’ve disabled outgoing mail or are firewalling it.
- If none of the above steps seem to apply in your case, the mail might be being blocked as junk/spam even if it doesn’t end up in the recipient’s junk/spam folder. To troubleshoot that, continue reading the next section.
Reset email in junk/spam folder
You can try creating a test account on your store using an address provided by the Mail Tester site. It will tell you of problems it finds with mail sent to it, including specific suggestions for keeping your mail out of junk/spam folders.
If you get a low score with Mail Tester, and you haven’t specifically configured an SMTP service in your WordPress install, doing so will usually help a lot. You can either use a dedicated SMTP provider (usually free if you don’t send a lot of email), or use an SMTP plugin like WP Mail SMTP to connect your site to an existing mail server (like Gmail). In either case, make sure the mail provider is configured under the same domain name you have set for the email on
You can also manually check common spam blocklists to see if your mail server is on them and contest any entries if so.
There are some additional steps to optimizing email deliverability that I’ll write about in the future.
To fix the text or formatting of the reset email, I’d suggest checking three common sources of problems:
- Make sure there are no mail-customizing plugins you’ve forgotten about that might be interfering.
- Make sure there are no localization/translation plugins that might be interfering.
- Check whether there have been any customizations of the email template files. If you find customizations, open the customized files and check whether they’re the source of the incorrect text or formatting.
Problems on step #4, the page for setting the password:
Page can’t be found (404) error
Does the URL in the email look like WooCommerce’s default yourstore.com/my-account/lost-password/?key=SomeRandomAlphanumericCharacters&id=123 format? If not:
- Are there any email-customizing plugins installed? You may want to check their settings or temporarily disable them to see if they’re altering the link.
- Have the WooCommerce emails been customized? You can check the email overrides section, and if the password reset file has been customized, check whether the URL has been properly constructed and escaped.
Even if the URL looks like it’s in the correct format, try temporarily disabling security and caching plugins/services to see if they’re protecting or misinterpreting the password recovery page.
“This key is invalid or has already been used” error message
- Plugin bugs: check for outdated versions of WP User Frontend (pre v3.1.1) and No CAPTCHA reCAPTCHA (pre v1.2.2) and update them to the latest version.
- Outdated/duplicate email: is the email old or sent multiple times? This error can be caused by opening a link from an email after there’s been a more-recent reset attempt, or if the email has expired. That expiration is 24 hours by default, but it might be changed to a lower setting by other plugins. If you’re comfortable with PHP, you can check for plugins changing the expiration by doing a
- Broken link formatting: if the URL in the email includes an HTML-encoded ampersand instead of a plain &, check the above section for email customizations.
“Your password reset link appears to be invalid” error message
This is a default error provided by the WordPress reset system rather than the WooCommerce one. It suggests that the WooCommerce lost-password system isn’t being used. If that’s not an intentional choice on your part, see the first section. If it is an intentional choice, check for login-customizing plugins (particularly Theme My Login), CAPTCHA plugins, and caching plugins/services. Temporarily disabling those may reveal the source of the problem.
“Your password reset link has expired.” error message
This is another default error provided by the WordPress reset system rather than the WooCommerce one. It suggests that the WooCommerce lost-password system isn’t being used. If that’s not an intentional choice on your part, see the first section. If it is an intentional choice, and you’re comfortable with PHP, try doing a var_dump($wp_filter['password_reset_expiration']); to check for plugins that are changing the reset expiration to too short a time.
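As an added example (not code from the original post), this snippet lists every callback attached to the three filters this page inspects with var_dump (lostpassword_url, allow_password_reset and password_reset_expiration) together with the file that defines it, which usually names the responsible plugin. The function names and the file name list-reset-hooks.php are hypothetical, and it assumes it runs inside a loaded WordPress, for instance through WP-CLI’s wp eval-file.

```php
<?php
// Added example, not from the original page. Run inside a loaded WordPress,
// e.g. `wp eval-file list-reset-hooks.php` (file and function names are hypothetical).

// Resolve any WordPress callback to a readable label plus a Reflection object.
function example_reflect_callback( $fn ) {
    if ( is_string( $fn ) && false !== strpos( $fn, '::' ) ) {
        $fn = explode( '::', $fn, 2 ); // "Class::method" string form
    }
    if ( is_array( $fn ) ) {
        $class = is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0];
        return array( $class . '::' . $fn[1], new ReflectionMethod( $fn[0], $fn[1] ) );
    }
    if ( $fn instanceof Closure ) {
        return array( '{closure}', new ReflectionFunction( $fn ) );
    }
    if ( is_object( $fn ) ) { // invokable object
        return array( get_class( $fn ) . '::__invoke', new ReflectionMethod( $fn, '__invoke' ) );
    }
    return array( $fn, new ReflectionFunction( $fn ) ); // plain function name
}

function example_list_reset_hooks() {
    global $wp_filter;
    $hooks = array( 'lostpassword_url', 'allow_password_reset', 'password_reset_expiration' );

    foreach ( $hooks as $hook ) {
        echo "== $hook ==\n";
        if ( empty( $wp_filter[ $hook ] ) ) {
            echo "  (no callbacks)\n";
            continue;
        }
        // WP_Hook::$callbacks is keyed by priority, then by a unique callback id.
        foreach ( $wp_filter[ $hook ]->callbacks as $priority => $callbacks ) {
            foreach ( $callbacks as $callback ) {
                try {
                    list( $label, $ref ) = example_reflect_callback( $callback['function'] );
                    $file  = $ref->getFileName();
                    $where = $file
                        ? str_replace( ABSPATH, '', $file ) . ':' . $ref->getStartLine()
                        : '(internal)';
                } catch ( ReflectionException $e ) {
                    // e.g. a method that only exists through __call()
                    $label = '(unresolvable callback)';
                    $where = $e->getMessage();
                }
                printf( "  priority %-3s %s  [%s]\n", $priority, $label, $where );
            }
        }
    }
}

example_list_reset_hooks();
```

Compare the output with the baseline stated on this page: wc_lostpassword_url as the only hook on lostpassword_url, and no hooks on allow_password_reset with a plain WooCommerce-only install.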
Stuck in a loop: the lost password reset page just shows back up
Fixing this usually involves one of three causes:
1. Caching: this problem is most commonly caused by caching plugins/services, so see the caching section if you’re using any.
2. Cookies: this problem can also occur if cookies aren’t provided, specifically one starting with wp-resetpass. That can inadvertently happen if a caching service (including the one used with WP Engine) is caching the same page without regarding that cookie, so it’s worth reviewing the caching section first. After that, check whether any security software or plugins might be blocking that cookie or protecting the reset page. Finally, check whether the browser settings, browser add-ons, or desktop security/privacy software might be blocking cookies for your site.
3. Broken URLs: in the URL in the email, the end should look similar to key=iBj6pgVn7Rj48Xtv6MO6&id=123. The key should only have alphanumeric characters, no special characters or spaces. The “&” should be just that, not an HTML-encoded form of it. The id should be numeric. If any of those things are not true, check if there have been any customizations to the WooCommerce email templates, plugins that might modify the login process (like security or login-changing plugins), or the use of SendGrid’s click-tracking (this can be turned off in your SendGrid account under
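The link checks described in the “Broken URLs” item and in the earlier “Broken link formatting” item, written out as an added example (not code from the original post or from WooCommerce). The function name, the store host parameter and the sample links are constructed for illustration; the key and id shape follows the format shown on this page.

```php
<?php
// Added example, not from the original page: validates a password reset link
// copied from the email. Function name and sample links are constructed.

function example_check_reset_link( $url, $store_host ) {
    $problems = array();

    // "&amp;", "&#038;" or "&#x26;" in the raw link means the separator was HTML-encoded.
    if ( preg_match( '/&(amp|#0*38|#x0*26);/i', $url ) ) {
        $problems[] = 'HTML-encoded ampersand in the link: check email template overrides';
    }

    // A different host suggests click-tracking, link rewriting or a hard-coded domain.
    $host = (string) parse_url( $url, PHP_URL_HOST );
    if ( 0 !== strcasecmp( $host, $store_host ) ) {
        $problems[] = "link points at '$host', not the store: check click-tracking or link rewriting";
    }

    parse_str( (string) parse_url( $url, PHP_URL_QUERY ), $args );

    $key = isset( $args['key'] ) ? $args['key'] : '';
    if ( ! is_string( $key ) || ! ctype_alnum( $key ) ) {
        $problems[] = 'key is missing or contains non-alphanumeric characters';
    }

    $id = isset( $args['id'] ) ? $args['id'] : '';
    if ( ! is_string( $id ) || ! ctype_digit( $id ) ) {
        $problems[] = 'id is missing or not numeric';
    }

    return $problems;
}

// Constructed sample links: one well-formed, three broken in different ways.
$samples = array(
    'https://www.yourstore.com/my-account/lost-password/?key=iBj6pgVn7Rj48Xtv6MO6&id=123',
    'https://www.yourstore.com/my-account/lost-password/?key=iBj6pgVn7Rj48Xtv6MO6&amp;id=123',
    'https://www.yourstore.com/my-account/lost-password/?key=iBj6pgVn7Rj48-Xtv6MO6&id=12a',
    'https://tracking.example.net/ls/click?upn=constructed-token',
);

foreach ( $samples as $link ) {
    $problems = example_check_reset_link( $link, 'www.yourstore.com' );
    echo $link, "\n";
    echo $problems ? '  - ' . implode( "\n  - ", $problems ) . "\n" : "  OK\n";
}
```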
The “My Account” page comes up in place of the reset page
This is probably due to you already being logged into an account when the reset link is opened. Try doing the reset process in an incognito/private-browsing window so that the site will treat you as a “new” visitor who isn’t logged in.
These types of plugins/services commonly conflict with WooCommerce’s account management:
- Login customizers (LoginPress, Theme My Login, Login With Ajax, Custom Login Page Customizer, etc.)
- Login-securing/CAPTCHA plugins (Loginizer, Login No Captcha reCAPTCHA, etc.)
- WooCommerce My Account page customizers (YITH Customize My Account Page, Custom My Account, etc.)
- General security plugins (Wordfence, iThemes Security, etc.)
- Caching plugins (WP Super Cache, W3 Total Cache, etc.)
- Caching services on your host (Varnish, Squid, etc.)
- External caching/CDN services (Cloudflare, CloudFront, etc.)
- Localization/text-customizing plugins (Loco Translate, WooCommerce Multilingual, WPML, etc.)
- URL rewriting/redirecting plugins (Redirection, Simple 301 Redirects, etc.)
- URL rewriting in your web server (Apache .htaccess RewriteRules, NGINX return/rewrite directives, etc.)
If you find a plugin/service at fault, they’ll often have a setting you can disable for more compatibility with WooCommerce, such as excluding URLs that start with /my-account/. They may also have updates available to fix WooCommerce compatibility if you’re not on the latest version. If they don’t, you may have to contact their support.
Don’t let caching break your store
The most frequent cause of password reset problems (and a lot of other WooCommerce problems!) are caching plugins and services that aren’t aware of the way WooCommerce needs its pages handled.
To troubleshoot this, I’d suggest two steps:
Step 1) Identify which caching plugin/service is causing problems
I’d suggest temporarily disabling all of the following, and if the problem goes away, enable them one-by-one until the problem returns:
- Caching plugins (WP Super Cache, W3 Total Cache, etc.)
- Caching services on your host (hosts like Flywheel, Cloudways, SiteGround, and WP Engine provide a caching layer, often powered behind the scenes by Varnish, NGINX, or Squid)
- External caching/CDN/security services (Cloudflare, CloudFront, MaxCDN, Fastly, Akamai, Sucuri, etc.)
Step 2) Configuring the offending plugin/service to avoid caching
The goal is to exclude URLs that start with the following paths (I’m including ones that are useful to exclude for other WooCommerce features):
Doing so will vary based on the plugin/service being used, but here’s a few links for specific plugins/services:
- WP Total Cache
- WP Engine (the writeup doesn’t currently describe all of the necessary exclusions to fix password-reset problems, but it’s a good starting point before contacting their support with the list of URLs above)
- Cloudflare’s cache exclusions are done using their page rules, but be aware the free plan only allows 3 rules.
The default WooCommerce account management settings
To make sure WooCommerce’s account management settings haven’t been accidentally changed, open the WordPress admin and click Advanced. Check both of the following settings, since either one can cause a different lost password page to appear:
- Page setup: make sure the My account page drop down has a page selected. By default it’s set to the WooCommerce My account page. If it’s set to a custom page (or if you’ve customized the default page), make sure everything in the next section is correct.
- Account endpoints: make sure the Lost password field has a value (the default is lost-password). If it’s blank, the default WordPress password reset (or one provided by another plugin) will be used.
Ensuring a valid My Account page
In the WordPress admin, the page under My account page needs to meet several criteria to work properly:
- It needs to exist. If the drop down just says “Select a page…”, it needs to be set to a page. Either select the default My account page, or recreate it (see #3 below).
- It needs to be public, not scheduled for the future, and not in the trash. From the WordPress admin, select the My account page (or your custom version) needs to be in the Published section, not in the Trash section. If it’s scheduled, change the date to a date in the past, and if it’s in the trash, click the Restore button underneath it.
- It needs to include the [woocommerce_my_account] shortcode in the page content. You can either enter that directly in a non-Gutenberg post, or in a Shortcode block in a Gutenberg post. If you’ve created a fresh page to do that, make sure to assign it to the My account page in the WooCommerce settings. You can also have WooCommerce recreate its default pages by going to the WordPress admin and clicking Create default WooCommerce pages.
Email override gotchas
To check whether WooCommerce’s emails have been overridden, go to the WordPress admin, Status, and scroll down to Templates, and look at the Overrides field. If it’s empty, nothing’s been changed/overridden. But if customer-reset-password.php is in the list, the reset password email template has been overridden, possibly with contents that are causing your problem. You can either edit that file to fix the problem, or if it’s listed as “out of date”, you can try updating it.