To be honest? It’s a little bit hard to say…
This behavior was introduced in 3.9.2 (which is a security release). Here’s the bug in Trac: 29060: Don’t pass around the resetpass key, but there isn’t much info in the bug report on why it was introduced.
Is it for security reasons? Most probably. But does it really make the process more secure? It’s a little bit hard to say…
Both GET params and cookies are sent in every request – so an attacker can still intercept them. It just makes such attempts a little bit harder (since you have to get pass_key and its hashed value).