Created
June 27, 2025 13:51
Limits WooCommerce password reset attempts to 3 per hour per user and IP address to reduce abuse and spam.
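/**
 * Limit WooCommerce password reset attempts to 3 per hour per account+IP.
 *
 * Hooked on 'lostpassword_post' so an error added here stops the reset e-mail.
 *
 * Caveats for anyone deploying this:
 * - The counter is keyed on account AND client address. It does not cap the total
 *   number of reset mails sent to one account when requests come from many
 *   addresses; a second counter keyed on the account alone would be needed for that.
 * - REMOTE_ADDR is the address of the directly connected peer. Behind a reverse
 *   proxy, CDN or load balancer every visitor shares that address, so the limit
 *   becomes effectively per account. Only take the client address from a
 *   forwarding header if the site is reachable solely through a proxy that
 *   overwrites that header.
 * - The read-then-write on the transient is not atomic, so concurrent requests
 *   can slip slightly past the limit. Transients may also be dropped early by an
 *   object cache, which resets the counter.
 * - The limiter only runs for requests that resolved to an account, so the
 *   "too many attempts" message is only ever produced for existing accounts.
 *   Check that this does not become an account-existence signal on your site.
 */
add_action( 'lostpassword_post', 'limit_wc_password_reset_attempts', 10, 2 );

/**
 * Count a password reset request and block it once the hourly limit is reached.
 *
 * @param WP_Error      $errors    Errors collected so far for this reset request.
 * @param WP_User|false $user_data Account the request resolved to, or false.
 * @return void
 */
function limit_wc_password_reset_attempts( $errors, $user_data ) {
	// Nothing to count when no account was resolved or the request already failed.
	if ( ! $user_data || $errors->has_errors() ) {
		return;
	}

	// Key on the resolved account rather than the submitted text: the same account
	// can be requested by username or by e-mail address, and keying on the raw
	// input would give each spelling its own counter.
	if ( $user_data instanceof WP_User ) {
		$account = 'id:' . $user_data->ID;
	} else {
		// Fallback if a filter replaced the user object with something else.
		$login   = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ) ) : '';
		$account = 'login:' . strtolower( $login );
	}

	// REMOTE_ADDR is absent in CLI/cron contexts; do not read it unguarded.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';

	// md5 is used only to get a short, fixed-length transient name, not for secrecy.
	$key = 'wc_reset_limit_' . md5( $account . '_' . $ip );

	// A missing transient yields false, which casts to 0.
	$attempts = (int) get_transient( $key );

	// Limit reached: add an error so the reset e-mail is not sent. The counter is
	// not touched here, so the block ends one hour after the last counted attempt.
	if ( $attempts >= 3 ) {
		$errors->add( 'too_many_requests', __( 'Too many password reset attempts. Please try again in an hour.', 'woocommerce' ) );
		return;
	}

	// Count this attempt; each write restarts the one-hour expiry.
	set_transient( $key, $attempts + 1, HOUR_IN_SECONDS );
}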