Password reset forms are very easy for spam bots to abuse. And despite the significant improvements in anti-spam technologies over the years, spam remains a huge problem for most websites.
In my experience, smaller websites often don’t think proactively about spam prevention. Since you’d have to be a well-known website in order for you to become a noticeable spam target, the common thinking goes that it’s not an issue new websites want to worry about initially.
But I’ve encountered a few cases where that mindset caused websites a lot of trouble they could’ve avoided if they had implemented the right solutions from the start.
Enabling anti-spam isn’t complicated, and there are different ways of handling it. So in this article, I’ll discuss the easiest and the most effective ways you can stop unauthorized password resets on your WordPress site.
How to Prevent Unauthorized WordPress Password Resets
Here are some of my tried and true methods for getting rid of those unwanted password resets from your site.
1. Install WPForms and Activate the User Registration Addon
To combat spam effectively on your password reset form, you’ll need a form builder equipped with strong spam prevention tools.
WPForms is one of the few plugins that take spam very seriously, which is why it offers multiple anti-spam defenses for your forms.
While you can access many powerful spam filters with WPForms Lite, I’ll be using WPForms Pro for more comprehensive anti-spam techniques.
Once you’ve acquired the WPForms Pro license, log in to your WPForms account, open your account page, and navigate to the Downloads tab. Click the Download WPForms button.
Important: while you’re on this page, copy your License Key number. You’ll need it in the next steps.
Next, head to your WordPress site and log in. On the dashboard, click Plugins » Add New. Then, click on the Upload Plugin button. Attach the WPForms .zip file you downloaded and install it.
Once WordPress has finished installing your WPForms plugin, click Activate Plugin.
Now that the plugin is installed and activated, you should see WPForms in your left navigation sidebar. Click on WPForms » Settings, and the General settings tab will open by default.
You should see the License Key settings at the top. Paste the license key that you copied from your account page. Then click Verify Key to activate WPForms.
Now that WPForms is installed on your site, all you have to do is take a quick second to install the User Registration addon.
From your WordPress dashboard, click WPForms » Addons. Remember that you must have a Pro license or above for access to this addon.
Locate the User Registration addon and click the Install Addon button.
After the addon is installed, you’ll see a toggle switch that you can use to activate and deactivate it as you like.
If you’re having any issues, read our detailed instructions on installing and activating WPForms addons. You can also check out this complete guide to installing WordPress plugins.
2. Create a Password Reset Form
With everything installed and activated, we’re now ready to create a form! First, from your WordPress dashboard, click WPForms » Add New.
After that, find the search templates bar and enter User Password Reset Form. Hover over the option and then click Use Template.
The template will load in the form builder, and you’ll see that it’s very simple. You can make any customizations you’d like, such as adding one or more spam filters to keep bots at bay.
3. Enable Spam Prevention on Password Reset Form
By default, WPForms has modern anti-spam protection for all forms. But you can further increase your security by enabling additional spam prevention measures on top of the default filter.
Let’s explore some of these options. First, you’ll need to go to Settings » Spam Protection and Security, where you’ll find all anti-spam related features in one place.
You can also check out our comprehensive contact form spam prevention guide to learn more about the different types of anti-spam techniques you can use for your forms.
Akismet for Password Reset Form
Akismet is arguably the most reliable anti-spam solution in the world of WordPress. And it integrates seamlessly with WPForms without requiring any additional setup.
All you need is for Akismet to be installed and activated on your site, and you can then easily enable it on your form by pressing the Enable Akismet anti-spam protection toggle button.
Akismet works intelligently to detect spam by analyzing patterns in the provided form input.
If Akismet detects that something is fishy, it will block the submission from going through. Here’s how that looks on the frontend for the user.
You can follow this complete tutorial on filtering spam with Akismet to use this power tool against spambots.
Alternatively, you can use different captcha services and even Cloudflare Turnstile.
Cloudflare Turnstile to Prevent Password Reset Abuse
To set up Turnstile with WPForms, you can go to the main Settings menu in the WordPress admin menu and click on the CAPTCHA tab. You’ll find options for integrating hCaptcha, Google reCAPTCHA, and Cloudflare Turnstile here.
You can find the full tutorial on setting up Cloudflare Turnstile for your forms here. I’ve seen some great results with Turnstile, with the number of spam submissions reducing significantly on a friend’s startup website that I helped develop.
When you’ve enabled Turnstile on your site, you’ll see a verification badge appear on the top-right of your form builder.
Minimum Time to Submit
The minimum time to submit setting is my secret weapon against spam. This is one of the simplest spam prevention techniques. And yet, it remains one of the most impactful.
That’s because spam bots are automated programs that are designed to operate quickly, submitting tons of forms repeatedly over a short span of time. By adding a simple minimum time limit, you can beat many types of spambots at their own game.
To use this spam filter, simply click on the Enable minimum time to submit toggle button and insert a value in seconds.
A password reset form is very short, so you can expect real people to take at least 2 seconds to fill out the form. However, bots will fill it out in milliseconds, which means those fake and unauthorized submissions will never be allowed to pass through.
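One way a server can enforce a minimum fill time, shown as an added example (this is not WPForms code, and it does not describe how the plugin implements its setting). It assumes the render time travels in a hidden field, signed with an HMAC so the client cannot alter it; `SECRET`, `MAX_SECONDS` and the function names are made up for the illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-example-secret"  # assumption: per-site key, kept server-side
MIN_SECONDS = 2     # floor suggested above for a short reset form
MAX_SECONDS = 3600  # assumption: tokens from page loads older than this are refused


def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Build 'timestamp.mac' for a hidden field when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts)}"


def check_submission(token, now=None):
    """Return 'ok', 'too_fast', 'expired' or 'invalid' for a submitted token."""
    now = time.time() if now is None else now
    ts, sep, mac = token.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return "invalid"
    # Constant-time MAC check: the client cannot back-date the render time.
    if not hmac.compare_digest(_mac(ts).encode(), mac.encode()):
        return "invalid"
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return "too_fast"
    if elapsed > MAX_SECONDS:
        return "expired"
    return "ok"


def demo():
    """Constructed scenarios evaluated against a fixed clock."""
    t0 = 1_700_000_000
    token = issue_token(now=t0)
    backdated = f"{t0 - 60}.{'0' * 64}"  # older timestamp, no valid MAC
    return {
        "bot_50ms": check_submission(token, now=t0 + 0.05),
        "human_5s": check_submission(token, now=t0 + 5),
        "backdated": check_submission(backdated, now=t0 + 0.05),
        "stale_tab": check_submission(token, now=t0 + 7200),
    }
```

A client that simply waits out the two seconds still passes, and a token stays valid until it expires, so treat this check as one layer alongside the Akismet and CAPTCHA options above.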
Keyword and Country Filters
Keyword and country filters are quite versatile because they’re not necessarily used to block spam. But if you’re paying attention, sometimes you can find the same kind of keyword patterns being repeated by spambots.
For instance, it may be characters in another language, certain website names being used by spammers, or something similar. The keyword filter can effectively block such instances of spam if you’ve identified frequent usage of keywords that you don’t expect your real visitors to use.
Similarly, the country filter is super useful for situations when spam originates from a specific country. While blocking an entire country from accessing your forms may not be a good option if you have real customers or visitors located in that country, this feature works really well for local businesses with a clear separation between the location of your real audience and spammers.
But you need to have clear information about where spam is coming from. The easy way to obtain this information is by using the WPForms Geolocation features or by inferring the location from the IP address of the user.
Add a Custom Captcha
The Custom Captcha is another simple but effective antidote to spam. To use it, open your form builder, scroll down to the Fancy Fields, and drag or click on the Custom Captcha option to add it to your form.
There are 2 types of custom Captcha questions you can add: math and question and answer.
Math Captchas
The default Custom Captcha is a math question. Click on it in the form builder to open up the field options.
If you decide to keep the math problem, it will automatically generate a new question every time the page loads and could be addition, subtraction, or multiplication.
If you’d like to customize the Math Captcha, you can do that with some custom code. Please see our tutorial on how to change the Math Captcha for more details.
Question and Answer Captchas
You can also change it to a custom question and answer. This option lets you create your own questions that users must answer. Take care to keep these questions general-knowledge and easy to spell.
By default, there is only one question, but you can add more. Your form will cycle through them, displaying a different one every time the page loads or refreshes.
And that’s really all there is to adding a Custom Captcha field to your form!
For full customization options, see our documentation on how to install and use the Custom Captcha addon.
4. Save and Publish Your Form
In just a short period of time, you’ve installed WPForms and created your own user password reset form to help stop unauthorized password reset requests in WordPress.
Pretty easy, right?
All that’s left to do now is save and publish your form. This part should be a piece of cake.
First, find that orange Save button in the top right corner and click it. You don’t want to lose your work!
Once your form is saved, look just to the left of the Save button and click on the Embed button.
You have 2 options for embedding your form on your website. You can either embed it on an existing page, or you can create a new one.
If you choose an existing page, a list of the pages on your website will show up in a dropdown for you to select the page you want to use.
For our example, let’s embed this form on a new page. After you select that option, you’ll see a prompt to give your page a name. Once you name the new page, click Let’s Go! Your new page will open with the form embedded, and you can make additional updates from there.
If you aren’t ready to embed your form right now, don’t worry. There are other ways to do it later when you’re ready. We’ve got some more information on ways to embed your forms on your website, so check that out whenever you’re ready!
More Questions on Unauthorized Password Reset Requests
How can I tell if someone else is trying to reset my WordPress password?
If someone else is trying to reset your WordPress password, you’ll likely get emails that let you know a request was made. You can also check your website logs for login attempts. If this is the case, change your password.
By creating a password reset form with anti-spam enabled on WPForms, you’re adding an extra layer of security that will help eliminate bot attempts.
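For the log check mentioned above, an added example (not from WPForms or WordPress) that counts password reset requests per IP address in a web server access log and flags bursts. It assumes combined-format log lines and requests sent as `POST` to WordPress core's `wp-login.php?action=lostpassword`; the log lines are constructed, the IPs come from documentation ranges, and the path test should be changed to match wherever your own reset form posts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512
198.51.100.20 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512
198.51.100.20 - - [12/Mar/2024:10:31:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512
198.51.100.20 - - [12/Mar/2024:10:31:05 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2048
not a log line
"""

# Client IP, timestamp, HTTP method and request path of a combined-format line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def reset_bursts(log_text, limit=3, window=timedelta(minutes=1)):
    """Map each IP that sent more than `limit` reset requests in any window to its peak."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, path = m.groups()
        # Only the POST submits a reset request; the GET just displays the form.
        if method == "POST" and path.startswith("/wp-login.php") and "action=lostpassword" in path:
            hits[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = worst = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            worst = max(worst, end - start + 1)
        if worst > limit:
            flagged[ip] = worst
    return flagged
```

The same threshold and window are reasonable starting values for a rate limit on the reset endpoint; tune both against your normal traffic before blocking on them.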
What additional steps can I take to keep my site safe from unauthorized WordPress password resets?
Always create a strong password that’s unique to the site. A lot of web browsers or tools like 1Password will even help make suggestions for you. Change your password on a regular basis, too.
It’s also wise to turn on 2FA (2-Factor Authentication). It adds a step to your sign-in process, but it creates another layer of WordPress security in the process. For example, you might need to enter your password and then also enter an authentication code that you get by email, text message, or an authentication app.
What kind of site security should I consider for my WordPress site?
In addition to what’s already been suggested, use SSL encryption on your site to protect data. You can also implement rate limits, which will help to prevent brute-force attacks that typically come from bots.
If other users have accounts on your site, it’s also a good idea to have some kind of user verification process.
Next, Try Customizing Your Password Protected Pages
You now have the necessary steps in place to finally eliminate unauthorized password resets in WordPress. Now read up on how to customize a password-protected page in WordPress.