7 Password Reset Email Best Practices [With Example]

People forget passwords all the time. If you’re a website that allows subscribers to create an account, you need to establish an easy account recovery process with password reset emails.

A good password reset email is simple but includes important details that ensure the best experience for your users.

In this article, we’ll recommend password reset email best practices for quick and secure password recovery.

What’s the Purpose of a Password Reset Email?

Password reset emails have a single purpose: to let your users regain access to their accounts securely.

Typically, password reset emails are short, concise, and contain instructions for performing the reset and recovering your account.

Having said that, there are certain things to keep in mind when composing an email that’s simple to understand for your users and doesn’t cause confusion.

Let’s take a look at some best practices for creating password reset emails.

Password Reset Email Best Practices

The best password reset emails make sure to balance the security of users while keeping the whole process super simple.

Follow these password reset email best practices to enable easy and secure account recovery:

Let’s begin!

Clear Subject and Sender Name

The password reset email should be easy to find within a user’s mailbox. The best way to make sure your users don’t miss the email is by writing a short and clear subject.

You can be fancy and experimental with your newsletter and promo email subject lines, but we strongly recommend avoiding the urge to reinvent the wheel with password reset emails.

Instead, a simple subject line like “Reset Your Password” is all that you need to make it easily identifiable for your users.

The easiest way to customize your password reset email subject lines and content is with WPForms, the top-rated WordPress form builder plugin. It comes with a User Registration addon, which lets you easily create password reset forms and password reset emails.

See how to create a registration form from a template for a step-by-step guide on creating password reset forms and customizing the reset email.

In addition to this, your From Name should ideally reflect your brand name so that it’s easy for your users to identify. Avoid typos or stylization that isn’t part of your brand name when adding your email From Name, as this can make your emails look fake and suspicious.

You can easily change your From Name for WordPress emails with WP Mail SMTP. For instructions, see this article on changing email sender name.

Next, let’s talk about the most important piece of a password reset email: the reset link.

Prominent Reset Link Placement

A password reset link is the most vital piece of information within a password reset email. WPForms takes care of generating a unique password reset link every time a user submits a password reset request.

By default, the WPForms password reset form template includes a password reset link in the email message. It uses a smart tag for the reset URL: {user_registration_password_reset}

It helps to clearly add a call-to-action (CTA) right before the password reset link appears in the email so that it’s more prominent to your users.

Use CAPTCHA to Block Hacking Attempts

Hackers use various tools to crack passwords and take over user accounts.

A password reset form can be abused by automated hacking tools in an attempt to take over your account. This can be especially devastating if the email account where you’re expecting the reset email has already been breached.

One effective way to block hacking tools from filling out password reset forms is to add CAPTCHA.

Thankfully, WPForms supports reCAPTCHA, hCAPTCHA, and Custom CAPTCHA to protect your sensitive login and password reset forms from abuse.

See this doc guide on how to choose a CAPTCHA in WPForms and add your preferred CAPTCHA type to your password reset form for enhanced security.

Quick and Reliable Email Delivery

With password reset emails, speed is of the essence. Ideally, a password reset email shouldn’t take longer than 20 seconds to reach your user’s inbox.

Slow email delivery means that your user might just move on and forget about it. This is bad for your business since you might end up losing customers.

By default, WordPress uses PHP Mail which is notorious for email deliverability issues. Not only is it slow, but it also fails to deliver emails for a lot of WordPress sites.

It’s imperative to use a reliable transactional email service provider that uses SMTP rather than the outdated PHP system for WordPress email delivery.

WP Mail SMTP is the most reliable solution for fixing email delivery problems with outgoing WordPress messages, including password reset emails.

And when you connect WP Mail SMTP with top email service providers like Sendinblue, SparkPost, or Postmark, you can almost guarantee instant email delivery.

To connect a transactional email service with WP Mail SMTP, you can see the doc link below for your preferred service.

Mailers available in all versions:

  • SMTP.com
  • Sendinblue
  • Google Workspace / Gmail
  • Mailgun
  • Postmark
  • SendGrid
  • SparkPost
  • Other SMTP

Mailers in WP Mail SMTP Pro:

  • Amazon SES
  • Microsoft 365 / Outlook.com
  • Zoho Mail

Most professional websites and brands trust SMTP mail services to achieve fast and efficient email delivery.

Include Support Info

Users don’t always request a password reset for the same reason. It’s possible that they have forgotten their username instead and need help with it.

It’s always a good idea to include a link that users can click to directly reach your support staff for assistance if need be.

Use Reassuring Messaging

Sometimes, password resets can be requested by mistake. Other times, a user may change their mind about resetting their password.

Whatever their reasons for wishing to ignore a password reset email, it’s advisable to add a short reassuring sentence explaining that it’s safe to do so.

The default password reset email template in WPForms includes a reassuring statement at the bottom of the email. You can edit the sentence if you’d like to.

And while we’re on the topic of email messaging…

Avoid Promotional Elements

As we emphasized earlier, password reset emails serve a very specific purpose: helping users recover their passwords.

If you take this opportunity to upsell or promote anything, it probably won’t be received too enthusiastically by your audience. In fact, they’re likely to be put off by it.

Your marketing creativity and efforts will pay off much better when applied to your newsletter and other emails with a clear marketing intent. The password reset email is just not the right place for it.

Bonus: Include User Metadata for Added Security

If you’d like to add an extra layer of security to your site’s password reset process, we’ve got a bonus tip for you.

It involves taking advantage of user metadata (such as the IP address) that WPForms automatically collects when a user fills out your form.

You can choose to display this metadata using smart tags in the password reset email. This can help a user identify if the password reset request was initiated by someone else.

There are two pieces of metadata supported by WPForms that can be very useful here: the IP address of the person (or bot) filling out the form and their approximate geolocation.

You can include this information in your password reset email using WPForms’ smart tags. These are:

  • {user_ip} for IP address
  • {entry_geolocation} for approximate location data

Note that you must have the Geolocation addon installed to collect your users’ location data.

These details give your users more context about where the reset request originated.

If the activity seems suspicious, they can report this possible security threat to you so you can look into the matter and block the malicious actor.
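
The unique reset link from the “Prominent Reset Link Placement” section and the IP address line described in this section can be sketched as follows. This is an added example, not WPForms code: the function names, the in-memory store, the one-hour lifetime and the example.com URL are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL = 3600  # assumed lifetime in seconds
_pending = {}     # user -> (token hash, expiry); stands in for a database table


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(user, request_ip, now=None):
    """Create a fresh token, replacing any earlier one, and build the email body."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[user] = (_digest(token), now + TOKEN_TTL)  # store the hash only
    query = urlencode({"user": user, "token": token})
    body = (
        "Click the link below to reset your password:\n"
        f"https://example.com/reset?{query}\n\n"  # placeholder domain
        f"This request came from IP address {request_ip}.\n"
        "If you didn't request a reset, you can safely ignore this email.\n"
    )
    return token, body


def redeem_reset(user, token, now=None):
    """Return True exactly once for a valid, unexpired token."""
    now = time.time() if now is None else now
    record = _pending.get(user)
    if record is None:
        return False
    stored, expires = record
    if now > expires:
        del _pending[user]  # expired links are discarded
        return False
    if not hmac.compare_digest(stored, _digest(token)):
        return False  # wrong or superseded token; the valid one stays usable
    del _pending[user]  # single use: replaying the link fails
    return True
```

Issuing a second reset for the same user overwrites the stored hash, so only the most recent link works.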

Password Reset Form and Email Example

Let’s take a look at an example of a password reset form and the associated email. The password reset form is just as important as the email that it generates because it is the starting point of the whole process.

The password reset form template in WPForms is the perfect example of simplicity. This is how it looks on the backend, from the WPForms visual interface.

Note that this template is smart enough to show the relevant form fields depending on the stage a user is on during the password reset process.

This means that users will only see the Username or Email field when they first open the password reset form on your site’s frontend.

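If a given username or email address isn’t registered with your site, the form will simply display an error and no password reset email will be sent. Keep in mind that this error also tells whoever submitted the form whether an account exists, which is one more reason to protect the form with CAPTCHA as described above.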

Submitting the form with the correct email will generate the password reset email as expected, containing the reset link.

Once a user clicks the reset link, they’ll be redirected to the same form, which will now only contain the password field.

This is where you can create your new password to replace the old one.

And that’s all there is to it! We hope that the password reset email best practices and examples in this article help you provide a seamless user experience to your users.

Next, Explore Free Form Builder Plugins

If you’re looking for some of the best form builder options available for free, check out our list of free WordPress form builder plugins.

And if you’d like to manage your WordPress email notifications with better control, see our guide on how to disable WordPress notifications.
