Invalid or expired key

Problem

Users click the password reset link in their email but see an error message about an invalid or expired key.

Symptoms

• Error message: "Invalid or expired key"
• Error message: "The key is no longer valid"
• Reset link doesn't work when clicked
• User is redirected to error page

Common causes

Key has expired

WordPress password reset keys expire after 24 hours by default.

Key already used

Reset keys can only be used once. After successful password reset, the key becomes invalid.

URL parameters modified

User may have accidentally modified the reset link URL.

Database issues

Database connection problems or corrupted user meta data.

Caching issues

Page caching may serve stale content with old error messages.

Solutions

Solution 1: Request new reset link

The simplest solution is to request a fresh reset link.

Steps:

1. Go to the password reset page
2. Enter email address or username
3. Submit the form
4. Check email for new reset link
5. Click the new link within 24 hours

tip

Reset links expire after 24 hours for security. Always use the most recent link.

Solution 2: Clear browser cache

Browser cache may store old error messages.

Steps:

1. Clear browser cache and cookies
2. Close all browser windows
3. Open new browser window
4. Request new password reset
5. Click reset link from email

Keyboard shortcuts:

• Chrome/Edge: Ctrl+Shift+Delete (Windows) or Cmd+Shift+Delete (Mac)
• Firefox: Ctrl+Shift+Delete (Windows) or Cmd+Shift+Delete (Mac)
• Safari: Cmd+Option+E (Mac)

Solution 3: Clear site cache

Site caching plugins may serve stale content.

Steps:

1. Go to your caching plugin settings
2. Clear all cache
3. Request new password reset
4. Test reset link

Common caching plugins:

• WP Super Cache
• W3 Total Cache
• WP Rocket
• LiteSpeed Cache

Solution 4: Check URL parameters

Verify the reset link URL is complete and unmodified.

Required URL parameters:

• somresetpass=true
• key=[reset_key]
• uid=[user_id]

Example valid URL:

https://example.com/reset-password/?somresetpass=true&key=abc123def456&uid=1

Check for issues:

• URL is not truncated
• No spaces in URL
• All parameters present
• No extra characters added

Solution 5: Increase key expiration time

Extend the 24-hour expiration period.

Add to theme's functions.php:

functions.php

// Extend reset key expiration to 48 hours
add_filter( 'password_reset_expiration', 'custom_password_reset_expiration' );
function custom_password_reset_expiration() {
    return DAY_IN_SECONDS * 2; // 48 hours
}

warning

Longer expiration times reduce security. Only increase if necessary.

Solution 6: Check database connection

Verify WordPress can connect to the database.

Steps:

1. Check if other WordPress features work
2. Try logging in to WordPress admin
3. Check database credentials in wp-config.php
4. Contact hosting provider if database is down

Test database connection:

test-db.php

<?php
require_once( 'wp-load.php' );
global $wpdb;
if ( $wpdb->check_connection() ) {
    echo 'Database connection OK';
} else {
    echo 'Database connection failed';
}

Solution 7: Clear user meta

Corrupted user meta may cause key validation issues.

Using WP-CLI:

# Delete all password reset keys
wp user meta delete $(wp user list --field=ID) password_reset_key

Using phpMyAdmin:

1. Access phpMyAdmin
2. Select your WordPress database
3. Go to wp_usermeta table
4. Find rows where meta_key = password_reset_key
5. Delete those rows

warning

Only do this if you have database backup. This will invalidate all pending reset requests.

Solution 8: Check for plugin conflicts

Other plugins may interfere with key validation.

Steps:

1. Deactivate all plugins except Frontend Reset Password
2. Request new password reset
3. Test reset link
4. If it works, reactivate plugins one by one
5. Identify conflicting plugin

Common conflicts:

• Security plugins with strict validation
• Custom login plugins
• User management plugins

Solution 9: Verify user exists

The user account may have been deleted.

Steps:

1. Go to Users > All Users in WordPress admin
2. Search for the user's email address
3. Verify user account exists
4. If deleted, user must re-register

Solution 10: Debug key validation

Add logging to see why validation fails.

Add to theme's functions.php:

functions.php

add_action( 'validate_password_reset', 'debug_password_reset_validation', 10, 2 );
function debug_password_reset_validation( $errors, $user ) {
    if ( is_wp_error( $errors ) ) {
        error_log( 'Password reset validation errors: ' . print_r( $errors->get_error_messages(), true ) );
    }
    if ( $user ) {
        error_log( 'Password reset for user: ' . $user->user_login );
    }
}

Check debug log at: wp-content/debug.log

Verification

After implementing solutions:

1. Request new password reset
2. Check email for reset link
3. Click link within 24 hours
4. Verify you reach the password reset form
5. Enter new password
6. Confirm successful password change

Prevention

Educate users

• Use reset links within 24 hours
• Don't modify reset link URLs
• Request new link if expired

Monitor expiration

• Check if 24 hours is sufficient for your users
• Consider extending expiration if needed
• Balance security with usability

Clear cache regularly

• Configure caching to exclude reset pages
• Clear cache after plugin updates

Related issues

• Email not sending - If users don't receive reset emails
• Three-stage reset flow - Understand the reset process
• Security and validation - Learn about key validation

What's next

• Form not displaying - Fix form display issues
• Password validation issues - Fix validation problems
• Troubleshooting overview - Return to troubleshooting guide