Reputation: 5008
If you use WordPress's built-in password reset service it will go something like this:
That link you click will look something like this:
http://yourdomain/wp-login.php?action=rp&key=vqwwSPzf6OK6bUv42XPk&login=natelough
If you try to change the &login to another name, it will reject you. So, somewhere that 'key' is being stored in some way, and compared.
Where is it stored in the database? I did an export of the database and searched the db for that string. It returned no results.
So what gives?
Upvotes: 2
Views: 4521
Reputation: 2362
That key is generated by hashing a random string. You can see how this key is generated in the WordPress developer reference.
To answer your specific question, when a key is generated it is stored in the users table in the user_activation_key column. Only the most recently generated key is stored (invalidating previous reset keys). The key is also removed from the database once it has been used.
If you are looking to send these keys programmatically, you can generate them when you need them using get_password_reset_key(). That function accepts a WP_User object as its argument.
Depending on what you are trying to accomplish, there may be a more "best practices" way to do it than accessing that function directly.
Upvotes: 9
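A simplified model of the lifecycle the answer above describes, added here as an example and not WordPress's own code: only a hash of the key is stored, so a text search of the export misses it, a different login fails, a newer key replaces the older one, and a used key is cleared. The function names, the in-memory users table and the use of SHA-256 in place of WordPress's hasher are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the users table: login -> user_activation_key value.
users = {"natelough": "", "admin": ""}


def _digest(key: str) -> str:
    # Assumption: SHA-256 stands in for WordPress's own hasher.
    return hashlib.sha256(key.encode()).hexdigest()


def issue_reset_key(login: str) -> str:
    """Generate a key, store only its hash, return the plaintext for the e-mail link."""
    key = secrets.token_urlsafe(15)
    users[login] = _digest(key)  # overwrites any earlier key for this user
    return key


def check_reset_key(login: str, key: str) -> bool:
    """Compare the hash of the presented key with the value stored for that login."""
    stored = users.get(login, "")
    if not stored:
        return False  # no pending reset for this login
    return hmac.compare_digest(stored, _digest(key))


def use_reset_key(login: str, key: str) -> bool:
    """Accept a valid key once, then clear the column so it cannot be replayed."""
    if not check_reset_key(login, key):
        return False
    users[login] = ""
    return True


def plaintext_in_table(key: str) -> bool:
    """What a text search of a database export effectively does."""
    return any(key in value for value in users.values())
```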
Reputation: 2945
The password is stored as a hash of the login name and password. You will find it in the users table under user_pass as an incomprehensible string. If the login name is changed, the entered password hashed with the login name will not match the string found in the database where the password was hashed with the original login name.
Upvotes: 0