I had the same problem recently on 4 different WordPress installations: When trying to reset my password the process would stop short at the last stage (when I submit the new password) and the server would return me a “403 Forbidden” HTTP status code.
I still don’t know what’s going on, there is little information on the web about that issue. It doesn’t seem related to a plugin for example because not all installations have the same set of plugins and there is no one plugin common to all of them. It’s not a problem with the .htaccess file either because I tried without an .htaccess and it wouldn’t work anyway.
I start to suspect this is a problem either with WP 3.5.1 or with the host, both of which being the common denominator for all 4 sites.
Now, I am the admin and the webmaster on those sites, I cannot ask my clients to reset my password for me (you know, professional pride…) and I don’t really have time right now to investigate further. So what I do?
Well, one solution would be to change the password directly in the database, but this is overly complicated, you need to concatenate random strings with your password and ash them. The other solution is to use the WordPress API. So here is what I did.
I created a small PHP file, named it randomly for sake of security and put the following code inside:
# load WordPress, without theming the output
# here you set your user's id, that you can easily find in the database
# and your new password
I uploaded it to my WordPress folder and hit it with my browser. Et voilà, a fresh new password.
I will update that post if I find new information about that issue, or a definitive solution. In the mean time, if you have any idea, feel free to leave a comment.
Over the last month or so there have been massive brute force attacks on WordPress installs worldwide. All trying to get into the site with admin for username and a list of 1000 or so common passwords. I run a bunch of WP sites hosted in different places, all giving these 403 errors recently, because the hosters are disallowing traffic trying to login to WP sites.
I agree, one of the solution to that problem was to protect the admin area using HTTP Basic authentication. But here this is not the case, there is no authentication beyond WordPress’ and the 403 is only returned at the end of the “request new password” procedure, when you submit the new password. And to access this form you already went successfully 4 times to that wp-login.php page (the whole process is managed by the same script).
This is either a problem in the code or Apache filtering on some part of the query string…
As I had the same problem as you, I went on your post and I spoke with my host.
Here are the results of our research:
“We are currently facing several waves bruteforcing interface
Administration Joomla and WordPress. Following this, we implemented a
system to eliminate this kind of attacks. The rules established
were obviously too strict and prevented access to certain pages.
They have just been adapted this morning…”
Since then, the 403 error is gone and the change password is operational again.
It is therefore necessary to contact your host to ask him to look at it closely.
WordPress have not involved.
Hoping this will help you.
Thanks for the info Jeff, I will contact my hosts about that and will update the post if it happens to be something they did :)