
Well-known URL for changing password in WordPress

There's a proposal for a well-known URL for changing passwords.

The main idea is to redirect the /.well-known/change-password URL to the actual URL of the page where users change their password. If you have a WordPress installation, your change-password URL is, by default, /wp-login.php?action=lostpassword.

Of course, this applies only if your website offers some kind of account registration.

If we all implemented this as a standard, users and apps, password managers in particular, would know where the change-password page is located without any effort. And with that knowledge, we could build better integrations, workflows, and so on.

It got me thinking: is this something WordPress could offer by default? In fact, there is already a ticket in Trac requesting this feature.

But until then, how can somebody implement it? There are three ways to do it.

The server handles the redirect

For sites on an Apache server with .htaccess overrides enabled, the redirect can be as straightforward as this:

Redirect 301 "/.well-known/change-password" "/wp-login.php?action=lostpassword"

Surely, this would not work for all installations. If you are running multisite, you would have to go with a regular expression and RedirectMatch to get what you want. Keep in mind that browsers cache a 301 permanently, so if the target later changes (a plugin that moves the login page, for example) visitors may keep being sent to the old one; a 302 avoids that.

I don't think WordPress core will update the .htaccess rules that are generated when pretty permalinks are enabled. But many security and caching plugins add additional rules, so I think we could see this approach from a plugin.

Users with other server types, like Nginx, would have to do what they do now: follow the documentation and instructions.

Probably managed WordPress hosts will take care of this for you sooner or later; WordPress.com, for example, has set up the redirect.

Create an actual file

If you are running WordPress, this is the most atypical way to solve it: create a file named change-password inside a .well-known folder in the document root with the following content:

<!DOCTYPE html><meta http-equiv="refresh" content="0;url=/wp-login.php?action=lostpassword">

I can imagine this as a fallback solution when nothing else works, since it is not good practice to create files outside the uploads folder in a WordPress installation.

It is also unclear to me how this would work for multisite.

Technically the redirection should work because of the http-equiv="refresh", at least as long as the server sends the proper Content-Type header and the browser interprets the file as HTML. Because the file has no extension, the web server cannot pick text/html from the extension and needs to be told to serve it as HTML; do not rely on content sniffing. Note also that a meta refresh is not an HTTP redirect: a client that fetches the well-known URL programmatically and only follows HTTP redirect status codes may never see it.

Handling the response with PHP

The third option is to intercept the request in PHP and redirect from there.

Because well-known URLs have many uses, there are already plugins in the WordPress.org plugin directory that handle specific well-known URLs.

For example, the Brave Payments Verification plugin uses a rewrite rule to handle its well-known URL. This is quite common; I would say it is the most common way to do it.

Another way is to hook in early and check the global $_SERVER. This is how WordPress itself handles some of its current redirects.

Handling it on the PHP side is also not a bulletproof solution. Many servers never pass the request to PHP at all, because they treat URLs whose path starts with a . (dot) differently, typically denying them outright to protect files like .htaccess.
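To make the two PHP variants concrete, here is an added example plugin (my own illustration, not the Brave plugin or any plugin from the directory). It implements both: a rewrite rule answered on template_redirect, and an early $_SERVER['REQUEST_URI'] check on init as a fallback. The wkcp_ prefix, the wkcp query var and the WKCP_PATH constant are hypothetical names chosen for the example; it assumes a regular (not mu-) plugin so that the activation hook fires, and it redirects to wp_lostpassword_url(), which on multisite already resolves to the network login page.

```php
<?php
/**
 * Plugin Name: Well-known change-password redirect (added example)
 *
 * Added example, not the plugin the post refers to. Sends
 * /.well-known/change-password to the site's lost-password page.
 *
 * Approach 1 registers a WordPress rewrite rule and answers on
 * template_redirect. Approach 2 inspects $_SERVER['REQUEST_URI'] on an
 * early hook, as a fallback for installs where rewrite rules are not
 * flushed or pretty permalinks are off. Neither can help when the web
 * server refuses dot-prefixed paths before PHP ever runs.
 */

defined( 'ABSPATH' ) || exit;

// Path from the proposal, without the leading slash (hypothetical constant name).
const WKCP_PATH = '.well-known/change-password';

/**
 * Redirect target. wp_lostpassword_url() already points at the network
 * login page on multisite, so no multisite special-casing is needed.
 */
function wkcp_target_url() {
    return wp_lostpassword_url();
}

/**
 * Issue a real HTTP redirect (3xx status), not a 200 page with a meta
 * refresh. wp_safe_redirect() rejects off-site targets (an open-redirect
 * guard); the on-site lost-password URL passes. 302 rather than 301 so
 * browsers do not cache the target forever.
 */
function wkcp_send_redirect() {
    nocache_headers();
    wp_safe_redirect( wkcp_target_url(), 302 );
    exit;
}

/* Approach 1: rewrite rule + query var + template_redirect */

function wkcp_register_rewrite() {
    // WordPress anchors the pattern with ^ and matches it against the
    // request path relative to the site home, leading slash removed.
    // 'top' puts it before the default rules so a page slug cannot shadow it.
    add_rewrite_rule( '\.well-known/change-password/?$', 'index.php?wkcp=1', 'top' );
}
add_action( 'init', 'wkcp_register_rewrite' );

add_filter( 'query_vars', function ( $vars ) {
    $vars[] = 'wkcp';
    return $vars;
} );

add_action( 'template_redirect', function () {
    if ( '1' === get_query_var( 'wkcp' ) ) {
        wkcp_send_redirect();
    }
} );

// Rewrite rules are cached in the options table, so flush them once when
// the plugin is (de)activated. Activation hooks do not fire for mu-plugins.
register_activation_hook( __FILE__, function () {
    wkcp_register_rewrite();
    flush_rewrite_rules();
} );
register_deactivation_hook( __FILE__, 'flush_rewrite_rules' );

/* Approach 2: early $_SERVER check, independent of rewrite rules */

add_action( 'init', function () {
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';
    $path = (string) wp_parse_url( $uri, PHP_URL_PATH ); // drop any query string

    // Subdirectory installs and subdirectory multisite sites live under a
    // path prefix; strip it so "/blog/.well-known/change-password" matches too.
    $home = rtrim( (string) wp_parse_url( home_url( '/' ), PHP_URL_PATH ), '/' );
    if ( '' !== $home && 0 === strpos( $path, $home . '/' ) ) {
        $path = substr( $path, strlen( $home ) );
    }

    // Exact match on the path only; a trailing slash is tolerated.
    if ( '/' . WKCP_PATH === rtrim( $path, '/' ) ) {
        wkcp_send_redirect();
    }
}, 0 );
```

After activating it, a request such as `curl -sI https://example.test/.well-known/change-password` should return a 302 with a Location header pointing at /wp-login.php?action=lostpassword. If you get a 403 or 404 from the web server itself instead of from WordPress, the request is being blocked before PHP, which is the limitation described above and needs a server-level fix.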


I hope whoever writes a WordPress plugin for this well-known change-password URL will somehow implement all of the redirect options. That is because those who are not able to do this on their own need the most options. A site with a membership system or a shop has the capability or resources to resolve it.


implenton is my (Mészáros Róbert) online web development-related presence, playground, and the name of my company of one.