WordPress Errors

WordPress Password Reset Link Not Working

Warning Updated: July 10, 2026

What Is This Error?

When you click “Lost your password?” on the WordPress login screen, WordPress emails you a special one-time link to set a new password. The “Password Reset Link Not Working” error happens when that link fails — it might display an “Invalid key” message, redirect you to a blank or broken page, or simply expire the instant you click it.

This is one of the more frustrating WordPress issues because it locks users out of their accounts with no clear explanation. The good news is it almost always traces back to one of a handful of root causes, and you can resolve it without writing any code in most situations.

The problem can appear on any WordPress site but is especially common after a domain migration, a URL change, or when a caching or security plugin enters the picture.

Get free WordPress & AI tips

Join 500+ readers. No spam, unsubscribe anytime.

Why Does This Happen?

  • Site URL mismatch: If your WordPress Address and Site Address in Settings don’t match, WordPress generates reset links pointing to the wrong domain — clicking them goes nowhere useful.
  • Cache serving a stale page: A page cache can deliver an outdated version of the password reset page, causing token validation to fail even when the link itself is technically correct.
  • Reset link already used or expired: WordPress reset keys are single-use and expire after 24 hours. Clicking the link once — even accidentally — consumes the key, making any repeat attempt fail.
  • Security plugins blocking the request: Plugins like Wordfence or iThemes Security can flag password reset attempts as suspicious and silently block them, especially when rate limiting or login lockout features are active.
  • Email client breaking the URL: Some email clients wrap long URLs in tracking redirects or split them across multiple lines, corrupting the reset token before you even get a chance to click it.

How to Fix It — Step by Step

  1. Verify your WordPress URL settings. In your dashboard, go to Settings → General. Confirm that “WordPress Address (URL)” and “Site Address (URL)” are exactly the same — same protocol (http vs https), same spelling, no trailing slash difference.

    You should see: Both URL fields matching perfectly before you move on.

  2. Purge all caches. Open your caching plugin (W3 Total Cache, WP Super Cache, LiteSpeed Cache, etc.) and clear everything. If you use Cloudflare or another CDN, purge that cache too. Then request a brand-new password reset email — never reuse the old link.

    You should see: A fresh “Check your email for the confirmation link” notice after submitting the reset request.

  3. Temporarily disable security plugins. Go to Plugins → Installed Plugins and deactivate Wordfence, iThemes Security, or anything similar. Try the full reset flow again from scratch. If it works, re-enable the plugin and look for a rate-limiting or login-lockout setting that may be interfering.

    You should see: The reset link opens correctly and presents a “Choose a new password” form.

  4. Reset the password directly in phpMyAdmin. Log into your hosting control panel, open phpMyAdmin, select your WordPress database, and open the wp_users table. Find the affected user row, click Edit, locate the user_pass column, set the Function dropdown to MD5, enter a new password as the Value, and click Go.

    -- Or run this SQL query directly:
    UPDATE wp_users
    SET user_pass = MD5('YourNewPassword123')
    WHERE user_login = 'your_username';

    You should see: A green success banner in phpMyAdmin. Log in with the new password right away to confirm it works.

  5. Use WP-CLI for a faster server-side reset. If you have SSH access, this is the cleanest option — no database editing required:

    wp user update your_username --user_pass="NewSecurePassword!"

    You should see: “Success: Updated user <ID>.” printed in your terminal output.

  6. Fix email delivery with an SMTP plugin. Install WP Mail SMTP and connect it to a proper mail provider (Gmail, SendGrid, or Mailgun). This prevents WordPress’s default PHP mail function from sending malformed emails with broken reset links. Use the plugin’s built-in Test Email feature to confirm delivery before logging out.

    You should see: A clean, fully clickable reset link arrive in your inbox within a few seconds.

Common Mistakes When Fixing This

  • Clicking the reset link more than once: Each WordPress reset key is one-time-use. A second click — even just to copy the URL — invalidates it. Always request a fresh reset email each time you attempt the process rather than reusing the same link.
  • Testing the fix without clearing cache first: Applying a fix and immediately testing with a cached page gives you false results. Purge every cache layer — plugin cache, CDN, and browser — before running through the reset flow again.
  • Mixing wp-config.php constants with database values: Hardcoding WP_HOME and WP_SITEURL in wp-config.php overrides the database, so the Settings page can look correct while reset links still embed the wrong URL. Pick one method and stay consistent.
  • Calling it done after a phpMyAdmin fix: Getting back in through phpMyAdmin is a workaround, not a solution. Your users will hit the same broken reset links again. Set up SMTP delivery properly so the email flow actually works going forward.

Frequently Asked Questions

How long does a WordPress password reset link stay valid?

Reset links expire after 24 hours by default. They are also single-use — visiting the URL even once invalidates it, whether or not you complete the password change. If you are unsure whether the link is still fresh, just request a new one instead of troubleshooting an already-consumed key.

The reset email never arrives at all — where do I start?

Check your spam or junk folder first. If the email is not there at all, your server’s PHP mail function is likely failing silently. Install WP Mail SMTP, configure it with a real SMTP provider, and use the built-in test email feature to confirm delivery is working before trying the password reset again.

Why does the reset link work for some users but not others?

A user-specific failure usually points to a corrupted record in the wp_users or wp_usermeta table for that particular account. Try resetting the affected user’s password directly via phpMyAdmin or WP-CLI to bypass the email flow entirely and rule out a database-level issue.

I moved my site to a new domain recently — is that the cause?

Very likely. After a domain change, the old URL is still stored in the siteurl and home rows of your wp_options table. WordPress uses those stored values to build reset links, so every link still points to the old domain. Fix it by running a search-replace in phpMyAdmin or with the WP-CLI command: wp search-replace 'olddomain.com' 'newdomain.com' --all-tables.

This site contains affiliate links. If you make a purchase through one of these links, we may earn a small commission at no extra cost to you. Learn more.