get_password_reset_key

The timeline below shows how the WordPress function get_password_reset_key has changed across WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.5

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` field is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
 *
 * @param WP_User $user User to retrieve password reset key for.
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wp_hasher;
    // Reject anything that is not a WP_User before any property of $user is read.
    if (!$user instanceof WP_User) {
        return new WP_Error('invalidcombo', __('<strong>Error:</strong> There is no account with that username or email address.'));
    }
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use {@see 'retrieve_password'} hook instead.
     *
     * @param string $user_login The user login name.
     */
    do_action_deprecated('retreive_password', array($user->user_login), '1.5.1', 'retrieve_password');
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    $password_reset_allowed = wp_is_password_reset_allowed_for_user($user);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$password_reset_allowed) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($password_reset_allowed)) {
        return $password_reset_allowed;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Saved through wp_update_user(), addressed by user ID; a WP_Error from it is
    // passed straight back to the caller.
    $key_saved = wp_update_user(array('ID' => $user->ID, 'user_activation_key' => $hashed));
    if (is_wp_error($key_saved)) {
        return $key_saved;
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 6.3

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` field is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wp_hasher;
    // Reject anything that is not a WP_User before any property of $user is read.
    if (!$user instanceof WP_User) {
        return new WP_Error('invalidcombo', __('<strong>Error:</strong> There is no account with that username or email address.'));
    }
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use {@see 'retrieve_password'} hook instead.
     *
     * @param string $user_login The user login name.
     */
    do_action_deprecated('retreive_password', array($user->user_login), '1.5.1', 'retrieve_password');
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    $password_reset_allowed = wp_is_password_reset_allowed_for_user($user);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$password_reset_allowed) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($password_reset_allowed)) {
        return $password_reset_allowed;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Saved through wp_update_user(), addressed by user ID; a WP_Error from it is
    // passed straight back to the caller.
    $key_saved = wp_update_user(array('ID' => $user->ID, 'user_activation_key' => $hashed));
    if (is_wp_error($key_saved)) {
        return $key_saved;
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 6.1

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` field is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wp_hasher;
    // Reject anything that is not a WP_User before any property of $user is read.
    if (!$user instanceof WP_User) {
        return new WP_Error('invalidcombo', __('<strong>Error:</strong> There is no account with that username or email address.'));
    }
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use {@see 'retrieve_password'} hook instead.
     *
     * @param string $user_login The user login name.
     */
    do_action_deprecated('retreive_password', array($user->user_login), '1.5.1', 'retrieve_password');
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    // Default is "allowed", except for a user flagged as spammy on multisite.
    $allow = true;
    if (is_multisite() && is_user_spammy($user)) {
        $allow = false;
    }
    /**
     * Filters whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow   Whether to allow the password to be reset. Default true.
     * @param int  $user_id The ID of the user attempting to reset a password.
     */
    // The filter result replaces the default computed above, in either direction.
    $allow = apply_filters('allow_password_reset', $allow, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Saved through wp_update_user(), addressed by user ID; a WP_Error from it is
    // passed straight back to the caller.
    $key_saved = wp_update_user(array('ID' => $user->ID, 'user_activation_key' => $hashed));
    if (is_wp_error($key_saved)) {
        return $key_saved;
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 5.9

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` field is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wp_hasher;
    // Reject anything that is not a WP_User before any property of $user is read.
    if (!$user instanceof WP_User) {
        return new WP_Error('invalidcombo', __('<strong>Error</strong>: There is no account with that username or email address.'));
    }
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use {@see 'retrieve_password'} hook instead.
     *
     * @param string $user_login The user login name.
     */
    do_action_deprecated('retreive_password', array($user->user_login), '1.5.1', 'retrieve_password');
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    // Default is "allowed", except for a user flagged as spammy on multisite.
    $allow = true;
    if (is_multisite() && is_user_spammy($user)) {
        $allow = false;
    }
    /**
     * Filters whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow   Whether to allow the password to be reset. Default true.
     * @param int  $user_id The ID of the user attempting to reset a password.
     */
    // The filter result replaces the default computed above, in either direction.
    $allow = apply_filters('allow_password_reset', $allow, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Saved through wp_update_user(), addressed by user ID; a WP_Error from it is
    // passed straight back to the caller.
    $key_saved = wp_update_user(array('ID' => $user->ID, 'user_activation_key' => $hashed));
    if (is_wp_error($key_saved)) {
        return $key_saved;
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 5.5

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` field is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wp_hasher;
    // Reject anything that is not a WP_User before any property of $user is read.
    if (!$user instanceof WP_User) {
        return new WP_Error('invalidcombo', __('<strong>Error</strong>: There is no account with that username or email address.'));
    }
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use {@see 'retrieve_password'} hook instead.
     *
     * @param string $user_login The user login name.
     */
    do_action_deprecated('retreive_password', array($user->user_login), '1.5.1', 'retrieve_password');
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    // Default is "allowed", except for a user flagged as spammy on multisite.
    $allow = true;
    if (is_multisite() && is_user_spammy($user)) {
        $allow = false;
    }
    /**
     * Filters whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow Whether to allow the password to be reset. Default true.
     * @param int  $ID    The ID of the user attempting to reset a password.
     */
    // The filter result replaces the default computed above, in either direction.
    $allow = apply_filters('allow_password_reset', $allow, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Saved through wp_update_user(), addressed by user ID; a WP_Error from it is
    // passed straight back to the caller.
    $key_saved = wp_update_user(array('ID' => $user->ID, 'user_activation_key' => $hashed));
    if (is_wp_error($key_saved)) {
        return $key_saved;
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 5.4

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` field is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 *
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wp_hasher;
    // Reject anything that is not a WP_User before any property of $user is read.
    if (!$user instanceof WP_User) {
        return new WP_Error('invalidcombo', __('<strong>Error</strong>: There is no account with that username or email address.'));
    }
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use {@see 'retrieve_password'} hook instead.
     *
     * @param string $user_login The user login name.
     */
    do_action_deprecated('retreive_password', array($user->user_login), '1.5.1', 'retrieve_password');
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    // Default is "allowed", except for a user flagged as spammy on multisite.
    $allow = true;
    if (is_multisite() && is_user_spammy($user)) {
        $allow = false;
    }
    /**
     * Filters whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow         Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    // The filter result replaces the default computed above, in either direction.
    $allow = apply_filters('allow_password_reset', $allow, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Saved through wp_update_user(), addressed by user ID; a WP_Error from it is
    // passed straight back to the caller.
    $key_saved = wp_update_user(array('ID' => $user->ID, 'user_activation_key' => $hashed));
    if (is_wp_error($key_saved)) {
        return $key_saved;
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 5.3

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` field is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 *
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wp_hasher;
    // Reject anything that is not a WP_User before any property of $user is read.
    if (!$user instanceof WP_User) {
        return new WP_Error('invalidcombo', __('<strong>ERROR</strong>: There is no account with that username or email address.'));
    }
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
     *
     * @param string $user_login The user login name.
     */
    // The misspelled hook is fired with a plain do_action() in this version.
    do_action('retreive_password', $user->user_login);
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    // Default is "allowed", except for a user flagged as spammy on multisite.
    $allow = true;
    if (is_multisite() && is_user_spammy($user)) {
        $allow = false;
    }
    /**
     * Filters whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow         Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    // The filter result replaces the default computed above, in either direction.
    $allow = apply_filters('allow_password_reset', $allow, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Saved through wp_update_user(), addressed by user ID; a WP_Error from it is
    // passed straight back to the caller.
    $key_saved = wp_update_user(array('ID' => $user->ID, 'user_activation_key' => $hashed));
    if (is_wp_error($key_saved)) {
        return $key_saved;
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 5.1

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` column is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global wpdb         $wpdb      WordPress database abstraction object.
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 *
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wpdb, $wp_hasher;
    // Reject anything that is not a WP_User before any property of $user is read.
    if (!$user instanceof WP_User) {
        return new WP_Error('invalidcombo', __('<strong>ERROR</strong>: There is no account with that username or email address.'));
    }
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
     *
     * @param string $user_login The user login name.
     */
    // The misspelled hook is fired with a plain do_action() in this version.
    do_action('retreive_password', $user->user_login);
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    // Default is "allowed", except for a user flagged as spammy on multisite.
    $allow = true;
    if (is_multisite() && is_user_spammy($user)) {
        $allow = false;
    }
    /**
     * Filters whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow         Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    // The filter result replaces the default computed above, in either direction.
    $allow = apply_filters('allow_password_reset', $allow, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Written directly with $wpdb->update(), matching the row by user_login.
    $key_saved = $wpdb->update($wpdb->users, array('user_activation_key' => $hashed), array('user_login' => $user->user_login));
    // Only a strict false counts as failure; any other result, including 0,
    // falls through to the success return.
    if (false === $key_saved) {
        return new WP_Error('no_password_key_update', __('Could not save password reset key to database.'));
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 4.8

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` column is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global wpdb         $wpdb      WordPress database abstraction object.
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 *
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wpdb, $wp_hasher;
    // NOTE(review): this version does not check that $user is a WP_User;
    // $user->user_login and $user->ID are read unconditionally below, so the
    // caller has to guarantee a valid user object.
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
     *
     * @param string $user_login The user login name.
     */
    // The misspelled hook is fired with a plain do_action() in this version.
    do_action('retreive_password', $user->user_login);
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    // Default is "allowed", except for a user flagged as spammy on multisite.
    $allow = true;
    if (is_multisite() && is_user_spammy($user)) {
        $allow = false;
    }
    /**
     * Filters whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow         Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    // The filter result replaces the default computed above, in either direction.
    $allow = apply_filters('allow_password_reset', $allow, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Written directly with $wpdb->update(), matching the row by user_login.
    $key_saved = $wpdb->update($wpdb->users, array('user_activation_key' => $hashed), array('user_login' => $user->user_login));
    // Only a strict false counts as failure; any other result, including 0,
    // falls through to the success return.
    if (false === $key_saved) {
        return new WP_Error('no_password_key_update', __('Could not save password reset key to database.'));
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 4.7

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` column is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global wpdb         $wpdb      WordPress database abstraction object.
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 *
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wpdb, $wp_hasher;
    // NOTE(review): this version does not check that $user is a WP_User;
    // $user->user_login and $user->ID are read unconditionally below, so the
    // caller has to guarantee a valid user object.
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
     *
     * @param string $user_login The user login name.
     */
    // The misspelled hook is fired with a plain do_action() in this version.
    do_action('retreive_password', $user->user_login);
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    // Default is "allowed", except for a user flagged as spammy on multisite.
    $allow = true;
    if (is_multisite() && is_user_spammy($user)) {
        $allow = false;
    }
    /**
     * Filters whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow         Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    // The filter result replaces the default computed above, in either direction.
    $allow = apply_filters('allow_password_reset', $allow, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // NOTE(review): this listing creates PasswordHash without loading
    // class-phpass.php first; the class has to be defined already when this
    // branch runs.
    if (empty($wp_hasher)) {
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Written directly with $wpdb->update(), matching the row by user_login.
    $key_saved = $wpdb->update($wpdb->users, array('user_activation_key' => $hashed), array('user_login' => $user->user_login));
    // Only a strict false counts as failure; any other result, including 0,
    // falls through to the success return.
    if (false === $key_saved) {
        return new WP_Error('no_password_key_update', __('Could not save password reset key to database.'));
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 4.6

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` column is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global wpdb         $wpdb      WordPress database abstraction object.
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 *
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wpdb, $wp_hasher;
    // NOTE(review): this version does not check that $user is a WP_User;
    // $user->user_login and $user->ID are read unconditionally below, so the
    // caller has to guarantee a valid user object.
    /**
     * Fires before a new password is retrieved.
     *
     * Use the {@see 'retrieve_password'} hook instead.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
     *
     * @param string $user_login The user login name.
     */
    // The misspelled hook is fired with a plain do_action() in this version.
    do_action('retreive_password', $user->user_login);
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    // Default is "allowed", except for a user flagged as spammy on multisite.
    $allow = true;
    if (is_multisite() && is_user_spammy($user)) {
        $allow = false;
    }
    /**
     * Filters whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow         Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    // The filter result replaces the default computed above, in either direction.
    $allow = apply_filters('allow_password_reset', $allow, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Written directly with $wpdb->update(), matching the row by user_login.
    $key_saved = $wpdb->update($wpdb->users, array('user_activation_key' => $hashed), array('user_login' => $user->user_login));
    // Only a strict false counts as failure; any other result, including 0,
    // falls through to the success return.
    if (false === $key_saved) {
        return new WP_Error('no_password_key_update', __('Could not save password reset key to database.'));
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 4.5

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` column is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global wpdb         $wpdb      WordPress database abstraction object.
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 *
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wpdb, $wp_hasher;
    // NOTE(review): this version does not check that $user is a WP_User;
    // $user->user_login and $user->ID are read unconditionally below, so the
    // caller has to guarantee a valid user object.
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
     *
     * @param string $user_login The user login name.
     */
    // The misspelled hook is fired with a plain do_action() in this version.
    do_action('retreive_password', $user->user_login);
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    /**
     * Filter whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool $allow         Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    // The value handed to the filter is always true in this version; only a
    // filter callback can refuse the reset.
    $allow = apply_filters('allow_password_reset', true, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Written directly with $wpdb->update(), matching the row by user_login.
    $key_saved = $wpdb->update($wpdb->users, array('user_activation_key' => $hashed), array('user_login' => $user->user_login));
    // Only a strict false counts as failure; any other result, including 0,
    // falls through to the success return.
    if (false === $key_saved) {
        return new WP_Error('no_password_key_update', __('Could not save password reset key to database.'));
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}

WordPress Version: 4.4

/**
 * Creates, stores, then returns a password reset key for user.
 *
 * The plaintext key is returned to the caller and passed to the
 * 'retrieve_password_key' action. What gets stored in the user's
 * `user_activation_key` column is "<unix timestamp>:<hash of the key>".
 *
 * @since 4.4.0
 *
 * @global wpdb         $wpdb      WordPress database abstraction object.
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
 *
 * @param WP_User $user User to retrieve password reset key for.
 *
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
function get_password_reset_key($user)
{
    global $wpdb, $wp_hasher;
    // NOTE(review): this version does not check that $user is a WP_User;
    // $user->user_login and $user->ID are read unconditionally below, so the
    // caller has to guarantee a valid user object.
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.0
     * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
     *
     * @param string $user_login The user login name.
     */
    // The misspelled hook is fired with a plain do_action() in this version.
    do_action('retreive_password', $user->user_login);
    /**
     * Fires before a new password is retrieved.
     *
     * @since 1.5.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user->user_login);
    // NOTE(review): both hooks above run before the permission check below, so
    // they also fire for users whose reset is then refused.
    /**
     * Filter whether to allow a password to be reset.
     *
     * @since 2.7.0
     *
     * @param bool true           Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    // The value handed to the filter is always true in this version; only a
    // filter callback can refuse the reset.
    $allow = apply_filters('allow_password_reset', true, $user->ID);
    // A falsy result refuses the reset with a generic error. A WP_Error result is
    // an object (truthy), so it skips the first branch and is returned unchanged.
    if (!$allow) {
        return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_wp_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    // 20 characters; the second argument (false) leaves special characters out.
    $key = wp_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 2.5.0
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    // NOTE(review): every callback on this hook receives the plaintext key;
    // callbacks should not log or persist it.
    do_action('retrieve_password_key', $user->user_login, $key);
    // Now insert the key, hashed, into the DB.
    // The shared hasher global is created here only if nothing has set it yet.
    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<issue time>:<hash>"; presumably the timestamp is what an
    // expiry check reads when the key is verified - confirm against the verifier.
    $hashed = time() . ':' . $wp_hasher->HashPassword($key);
    // Written directly with $wpdb->update(), matching the row by user_login.
    $key_saved = $wpdb->update($wpdb->users, array('user_activation_key' => $hashed), array('user_login' => $user->user_login));
    // Only a strict false counts as failure; any other result, including 0,
    // falls through to the success return.
    if (false === $key_saved) {
        return new WP_Error('no_password_key_update', __('Could not save password reset key to database.'));
    }
    // Only the caller gets the plaintext key; the database holds the hash.
    return $key;
}