Improve customer privacy by not indicating if email is associated with account

  • Resolved clonemykey

    (@clonemykey)


    3 years, 6 months ago

    Hello all!

    I am hoping to find the a reasonable way to help protect our customers privacy a bit more. I don’t like that someone can put any email address into our forgot password page and figure out if that email address has an account.

    Right now, if you enter an email address that isn’t valid you get an error message “Invalid username or email.” Ideally, I’d like a new message to be “If this email address has an account with us a reset password will be sent”. This message should appear for inputted email accounts that do and do not have an account with us.

    I was a bit shocked that there isn’t more documentation on this so I am worried I might just not be searching with the correct key words. If so, some kind direction would be appreciated!

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)

  • Hi @clonemykey,

    It’s been a while since you posted, so you may have found a solution for this. If not, try this snippet in your theme’s functions.php file or with the Code Snippets plugin.

    
function ijab_password_reset_message($allow, $user_id){

   return new WP_Error('invalidcombo', __('If this email address has an account with us a reset password will be sent.'));

}
add_filter( 'lostpassword_errors', 'ijab_password_reset_message', 99, 2 );

    Let me know if you have any questions or trouble.

    Thread Starter clonemykey

    (@clonemykey)

    Awesome, this works! Do you of a filter to change the “Password reset email has been sent.” message that gets generated for users who have accounts? Ideally, we’d like these to be the same message.

    Plugin Support Shohan Hossain Nabil – a11n

    (@sohanhossain)

    Hello @clonemykey,

    You can use the below filter:

    
apply_filters( 'woocommerce_lost_password_confirmation_message', esc_html__( 'A password reset email has been sent to the email address on file for your account, but may take several minutes to show up in your inbox. Please wait at least 10 minutes before attempting another reset.', 'woocommerce' ) )

    Here is the file location: /woocommerce/templates/myaccount/lost-password-confirmation.php

    Thanks!

    Plugin Support Shohan Hossain Nabil – a11n

    (@sohanhossain)

    Hey there!

    We haven’t heard back from you in a while, so I’m going to mark this as resolved – if you have any further questions, you can start a new thread.

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Improve customer privacy by not indicating if email is associated with account’ is closed to new replies.