Password Reset Links Aren't Working


Some web hosts aggressively cache sites for performance reasons, and while this is a good thing, it can sometimes cause problems with things like password reset links. This can also happen with caching plugins like WP Super Cache and W3 Total Cache. This can be easily resolved by excluding your login page from the caching system. If your caching system also has a cookie whitelist, then you may need to whitelist our password reset cookie.

Web Host Caching

To have your host disable caching on your login page, open a support ticket with them and ask them to exclude it. The login page location is controlled by the setting under Restrict > Settings > Misc. Feel free to use the example below and adjust the URL for your site:


My site runs the Restrict Content Pro plugin and I'm having problems with password reset links not working. The Restrict Content Pro support team has asked me to add a cache exception for our login page. Could you please add the following URL to the exception list?{put your login page URL here}


Reminder: "" should be replaced with your actual domain name.

Password reset cookie

When processing password reset links, Restrict Content Pro sets a cookie. If your web host's caching system uses a cookie whitelist, then RCP's cookie will need to be added to that whitelist.

The cookie Restrict Content Pro sets is:

'rcp-resetpass-' . COOKIEHASH 

If necessary, the cookie name can be customized using our filter:

$rp_cookie = apply_filters( 'rcp_resetpass_cookie_name', 'rcp-resetpass-' . COOKIEHASH );

For example:

function ag_rcp_resetpass_cookie_name( $cookie_name ) {
    return 'your-custom-cookie-name';
add_filter( 'rcp_resetpass_cookie_name', 'ag_rcp_resetpass_cookie_name' );

Please continue below for specific instructions on whitelisting this cookie with Varnish.

Varnish Caching

If your server uses Varnish caching then your Varnish config might look something like this to disable caching on the login page:

# Do not cache the admin and login pages
if (req.url ~ "/wp-(login|admin)" || req.url ~ "/login")
    return (pass);

You will also need to ensure Restrict Content Pro is able to set the password reset cookie. Your config might already look something like this:

if (beresp.http.Set-Cookie && bereq.url !~ "^/wp-(login|admin)" && beresp.http.Set-Cookie !~ "comment_") {
	unset beresp.http.Set-Cookie;

You'll need to also add in a check for cookies prefixed with "rcp-" like this:

if (beresp.http.Set-Cookie && bereq.url !~ "^/wp-(login|admin)" && beresp.http.Set-Cookie !~ "comment_" && $.http.Set-Cookie !~ "rcp-") {
	unset beresp.http.Set-Cookie;

If your host provides an interface for managing the Varnish config, then you will need to wildcard whitelist cookies beginning with rcp-*.

Caching Plugins

Each caching plugin is different. You can find the cache exclusion option in the plugin's settings. If you have any questions, please contact the support team for the caching plugin.

Most caching plugins allow you to exclude specific pages from caching. To resolve the issue, add the page that contains the [login_form] shortcode to the exclusion list.

Plugins that are known to cause issues if the exclusion is not set:

  • WordFence
  • W3 Total Cache
  • WP Rocket
  • WP Super Cache
Have more questions? Submit a request