Is the “lost password” feature truly a vulnerability?

»The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.« (Gene Spafford)

The lost password feature might potentially be a risk, but if you are keeping it or not is just a matter of risk assessment. For that assessment there surely is not the one answer, you have to assess it for your case yourself. Last but not least, I personally would say, it is not to an extent unsafe, which would justify the suggestion, to always remove the feature. So I wouldn’t say it generally is a serious vulnerability.

Related Posts:

  1. Where to securely store API keys and passwords in WordPress?
  2. Why are passwords exportable as plain text in WordPress?
  3. How is password strength calculated?
  4. Make password invalid once logged out of password-protected page
  5. Can’t reset WordPress password
  6. Frontend Password change
  7. Is it possible to reduce the minimum character length for passwords?
  8. Is there any point setting the keys and salts in wp-config.php?
  9. When is wp_set_password() called or how to capture a password
  10. Moving away from MD5: Where to declare the custom global $wp_hasher?
  11. How to get WordPress to send Password Reset Link Email instead of New Password?
  12. Basic password protection without using users and roles
  13. How can I force a specific password?
  14. Can a WordPress administrator see other users’ passwords?
  15. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  16. Password-protect feed and make it usable in major aggregators
  17. Could a user account with a stolen password compromised entire WP site?
  18. How to set custom validation for WordPress Passwords?
  19. Is my WP site being hacked?
  20. How to get real password (before encrypt) when register a user?
  21. Directory to store secure file
  22. Can you alter the default wordpress strong password requirements?
  23. what is a auth_user_file.txt?
  24. Is moving wp-config outside the web root really beneficial?
  25. Can I Prevent Enumeration of Usernames?
  26. Best way to eliminate xmlrpc.php?
  27. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  28. Should I remove install.php and install-helper.php?
  29. How do I technically prove that WordPress is secure?
  30. Which KSES should be used and when?
  31. How can I easily verify a core or plugin update has not broken anything?
  32. Disable comment windows for all existing posts (pages/blogposts)
  33. Generate WordPress salt
  34. Stop wordpress automatically escaping $_POST data
  35. Secure my “add_settings_field” translation?
  36. how can i embed wordpress backend in iframe
  37. Handling nonces for actions from guests to logged-in users
  38. WordPress Logout Only If User Click Logout or If User Delete Browser History
  39. Can I force a password change?
  40. What is pclzip.lib.php file that wordfence think it’s a malicious code
  41. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  42. Completely remove the author url
  43. Restricting access to content
  44. About WordPress site security
  45. Relative security of different releases of WordPress
  46. Where to store OAuth 2.0 client id and secret?
  47. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  48. Using HTACCESS for Secret Access
  49. Definitive wordpress directory ownership and permissions on linux
  50. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  51. How do I protect user_activation_key?
  52. wordpress website host price and security [closed]
  53. Are there security risks in working directly in the themes folder that builds into a theme folder?
  54. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  55. Secure WordPress: Change admin
  56. Changing the default header name
  57. how much information can we hide when using wordpress cms?
  58. Wordfence detects change in wp-admin/includes/upgrade.php
  59. System setting changed by system user
  60. Does meta-data need to be sanitized?
  61. Will there be security updates for WordPress 4.9.9
  62. Need help for WordPress User Session Management?
  63. Specific way to allow WordPress users to view their current password? And edit it?
  64. On new server, site got hacked, permissions a bit strange? Please help
  65. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  66. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  67. How to prevent to direct access of my custom plugin folder/files
  68. Checking for origin of a xmlrpc request
  69. RESTRICT EDIT of PHP files?
  70. wp-content – permissions for files/folders created by apache
  71. How can I restrict access to specific parts of a page, not just the page itself?
  72. Using password protection to load different page elements?
  73. User generated content and security
  74. Are major WordPress updates mandatory for security?
  75. i moved wp-config.php outside of public html and this broke my website
  76. Monitor wordpress all external calls
  77. Is it safe to use the basic administration with reduced rights for private member space
  78. Securing WordPress running on Azure platform
  79. Verifying that I have fully removed a WordPress hack?
  80. Spam Registrations
  81. How can I have more confidence that WP plugins aren’t getting and storing user data?
  82. Standard Method for Securing a WordPress Site
  83. wordpress security (only one part of the site)
  84. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  85. Any way to disable /wp-login.php redirecting to the site folder?
  86. Folder Permissions + Security Concerns
  87. Malware/Permission bug removal?
  88. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  89. Secure a WordPress website in 2019: one plugin or a combinations of them?
  90. What are the different types of firewall protections available for a WordPress website?
  91. Run a security scan on WordPress site that has .htaccess password [closed]
  92. Is this a WordPress security bug?
  93. Competitor is somehow accessing MetaData on a hidden WordPress site
  94. WordPress Hacks/Defacing [closed]
  95. Our security auditor is an idiot. How do I give him the information he wants?
  96. I am under DDoS. What can I do?
  97. SSH keypair generation: RSA or DSA?
  98. How do I protect my company from my IT guy? [closed]
  99. Does changing default port number actually increase security? [closed]
  100. WordPress – tracking options