When people say "the WordPress password reset is broken", they rarely mean the same thing. Sometimes the email never arrives. Sometimes the link loads a screen that says the key is invalid. Sometimes the form bounces you back to the login screen. These look identical from the outside and have completely different fixes. This article is the mental model: the reset flow, the four causes that break it, and how to tell which one is yours.
How the WordPress password reset actually works
The reset is a four-step pipeline. Almost every "it does not work" maps to one step.
- You request a reset. Submitting the "Lost your password?" form posts to wp-login.php?action=lostpassword, which calls retrieve_password(). WordPress looks up the account by username or email and returns a WP_Error if no match exists.
- WordPress generates a reset key. On a successful lookup, get_password_reset_key() creates a hashed token and stores it in the user_activation_key column on wp_users. The same token is embedded in a URL like wp-login.php?action=rp&key=...&login=....
- WordPress sends the email. The function hands the message to wp_mail(), a wrapper around PHP's mailer. From here on the email is a delivery problem, not a WordPress problem. If the host blocks outgoing mail or the domain has no SPF or DKIM, the message never reaches the inbox.
- You click the link and set a new password. WordPress checks the key against user_activation_key and against the password_reset_expiration filter, which defaults to DAY_IN_SECONDS (24 hours). If the key matches and is fresh, you pick a new password. If it is missing, mismatched, or expired, you get "Your password reset link appears to be invalid. Please request a new link below."
Every failure mode below breaks at exactly one of these four steps.
The four reasons the password reset fails
1. The email never arrives (the top cause by far)
Steps 1 and 2 succeed. WordPress finds the user, generates a key, hands the message to wp_mail(), and wp_mail() returns success. The message never reaches the inbox.
This is the most common cause by a wide margin. WordPress passes mail to PHP's mail() function by default, and on shared hosting that means the message is sent from a server with no sender reputation, no SPF or DKIM signature, and no DMARC alignment with your domain. Gmail, Outlook, and Hotmail discard those messages silently. The fix is not in the login flow: it is in the mail delivery layer. Read WordPress not sending email for the diagnosis path and the SMTP relay setup that replaces wp_mail().
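To confirm that steps 1 to 3 really succeeded before you start on delivery, you can record what wp_mail() was handed and whether the mailer accepted it. The must-use plugin below is an added example, not code from this article or from WordPress itself; the file name and the reset_mail_audit_line() helper are assumptions made for illustration.

```php
<?php
/**
 * Added example: audit log for mail handed to wp_mail().
 * Assumed location: wp-content/mu-plugins/reset-mail-audit.php
 *
 * Only recipient and subject are logged. The body of a reset mail contains
 * the reset key, so writing it to a log would leak a working credential.
 */

// Build one log line; strip CR/LF so a value cannot forge extra log entries.
function reset_mail_audit_line( string $status, $to, string $subject, string $detail = '' ): string {
    $clean = static function ( string $value ): string {
        return trim( preg_replace( '/[\r\n]+/', ' ', $value ) );
    };
    return sprintf(
        '[reset-mail-audit] %s to=%s subject="%s" %s',
        $status,
        $clean( implode( ',', (array) $to ) ),
        $clean( $subject ),
        $clean( $detail )
    );
}

// Fires when the mailer accepted the message (WordPress 5.9+).
// "accepted" means handed off without error, not delivered to the inbox.
add_action( 'wp_mail_succeeded', function ( array $mail_data ) {
    error_log( reset_mail_audit_line( 'accepted', $mail_data['to'], $mail_data['subject'] ) );
} );

// Fires when the mailer threw; the WP_Error data carries the same mail fields.
add_action( 'wp_mail_failed', function ( WP_Error $error ) {
    $data = (array) $error->get_error_data();
    error_log(
        reset_mail_audit_line(
            'failed',
            $data['to'] ?? '',
            $data['subject'] ?? '',
            $error->get_error_message()
        )
    );
} );
```

An "accepted" line with no message in the inbox is cause 1. No line at all after a reset request means the flow stopped before step 3.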
2. The reset link has been used or expired
The email arrived, you clicked the link, and WordPress shows "Your password reset link appears to be invalid". The cause is at step 4: the key in the URL no longer matches user_activation_key for that user. Two things cause this.
The first is expiration. The default lifetime is 24 hours, set by password_reset_expiration. If you requested the reset yesterday and only saw the email today, the key is gone. Request a fresh one and use it in the same session.
The second is reuse. WordPress clears user_activation_key once a reset completes, and any new "Lost your password?" request overwrites the previous key. If you clicked "Forgot password" twice in a row, only the most recent link works.
3. The reset link points at the wrong domain
WordPress builds the link in the email from WP_HOME (or the home option in the database if WP_HOME is not defined in wp-config.php). If those values do not match the domain your visitors actually use, the link points somewhere wrong. You see a 404, a different site, or a connection error.
I see this most often after a domain migration, an HTTPS rollout that left the option pointing at http://, or a multisite setup with mapped domains. The check is fast: open wp-config.php and look for WP_HOME. If it is not there, query the home option in the database. Both should match the URL you actually serve, including scheme and the www. prefix. The same misalignment causes the WordPress login redirect loop, so if you have one symptom you usually have the other.
4. The account is linked to a different email than you expect
WordPress stores one email per user in the user_email column. The reset goes there, not to whichever address you currently use. If the account was created years ago with an old work address, or migrated from another system, "Forgot password" sends the link to that old address. From your inbox, nothing arrives. From WordPress's perspective, everything worked.
Check your user record in the wp_users table for user_email, or ask another administrator on the site to look. If the link is going to an address you no longer control, an admin can update the email field directly and trigger a fresh reset.
What password reset not working is NOT
This is the section that prevents most wasted time. The "Forgot password" flow looks like a login problem, but most of the things people confuse it with are not.
- It is not a cookie or session problem. Cookie problems break the login form itself, not the reset email. If the reset email arrives and the link works, but you still cannot stay logged in afterwards, that is a different problem. Read cookies are blocked or not supported in WordPress.
- It is not a server-down problem. If wp-login.php loads in your browser, the server is reachable and WordPress is responding. A failed reset is a logic problem inside an otherwise working site, not an outage.
- It is not a blocked or banned account. WordPress shows an explicit error if your account is locked by a security plugin or rejected by a brute-force shield. A blocked account does not silently swallow the reset request: it tells you. If you see no error at all, the block is not the problem.
- It is not the same as "I cannot log in". "Cannot log in" is the umbrella for every failure mode at the login screen, from cookies to permissions to redirects. Password reset not working is one specific failure inside it: the recovery path that should rescue you when you forget your password. Treating them as the same problem sends you down the wrong diagnostic path. For the umbrella view, read why you cannot log in to WordPress.
Which one is yours
Walk the four causes in order. Did the email arrive? If not, you are in cause 1, and the work happens in WordPress not sending email. If yes, click the link. Did WordPress reject it as invalid? Cause 2: request a fresh one and use it right away. Did the link load the wrong site or a 404? Cause 3, fix WP_HOME. If the email is going to an address you no longer control, cause 4: an admin needs to update the email on your user record. They look identical from the outside until you know which step of the pipeline broke.
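The checks for causes 2, 3 and 4 can be read straight from the site in one pass. The script below is an added example, not code from this article or from WordPress; the file name reset-diag.php, its two arguments and the reset_diag_* helpers are assumptions. It is read-only and never prints the stored key hash.

```php
<?php
// Added example. Assumed invocation with WP-CLI:
//   wp eval-file reset-diag.php <login> <public-url>

// Classify a stored user_activation_key. Since WordPress 4.3 the column holds
// "<unix time of request>:<hash>"; only the time part is inspected here.
function reset_diag_key_state( string $stored, int $lifetime, int $now ): string {
    if ( '' === $stored ) {
        return 'none';          // nothing pending: never requested, or already used
    }
    if ( false === strpos( $stored, ':' ) ) {
        return 'no-timestamp';  // old-format value, request a new link
    }
    list( $requested ) = explode( ':', $stored, 2 );
    return ( $now >= (int) $requested + $lifetime ) ? 'expired' : 'fresh';
}

// Mask the local part so the report can be pasted into a support ticket.
function reset_diag_mask_email( string $email ): string {
    list( $local, $domain ) = array_pad( explode( '@', $email, 2 ), 2, '' );
    return substr( $local, 0, 1 ) . '***@' . $domain;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    // wp eval-file places the positional arguments in $args.
    list( $login, $public ) = array_pad( $args, 2, '' );
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        WP_CLI::error( "No account with login '{$login}'." );
    }

    $lifetime = (int) apply_filters( 'password_reset_expiration', DAY_IN_SECONDS );
    $state    = reset_diag_key_state( (string) $user->user_activation_key, $lifetime, time() );
    WP_CLI::log( "Cause 2  reset key: {$state} (lifetime {$lifetime}s)" );

    // get_option() returns the effective value, including wp-config.php overrides.
    foreach ( array( 'home', 'siteurl' ) as $name ) {
        $url = (string) get_option( $name );
        $ok  = untrailingslashit( $url ) === untrailingslashit( $public );
        WP_CLI::log( sprintf( 'Cause 3  %s = %s (%s)', $name, $url, $ok ? 'matches' : 'MISMATCH' ) );
    }
    WP_CLI::log( 'Cause 3  WP_HOME constant: ' . ( defined( 'WP_HOME' ) ? WP_HOME : 'not defined' ) );
    WP_CLI::log( 'Cause 4  user_email: ' . reset_diag_mask_email( $user->user_email ) );
}
```

A key state of "none" right after clicking a link means it was already used or overwritten by a newer request; "expired" means the password_reset_expiration window has passed.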