That’s one I have not seen before. The process works fine in dev, testing, and known production environments, so it may be a localized issue. With that in mind, you may need to run some testing with other plugins deactivated to see if you can track down a potential conflict.
The reason for my thoughts on that is that in the example you provided, there is no “key” value. Normally, the URL should look like this:
https://ourdomain.com/my-account/?a=set_password_from_key&key=some_random_key_string&login=username
Since there is no “key” query arg, my guess would be that something is removing that at some stage after the WP-Members process that adds it. The process where the query string values are added uses core WP’s add_query_args() function to add the query arguments, so if one of those is getting dropped, my initial thought would be something external is removing them. add_query_args() does not have any filter hooks of its own, but it does use some other core functions that do (such as wp_parse_str()). So it would be possible for some other process to strip that out indiscriminately.
Do you have any “Security” plugins installed?
How about the core WP password reset (via the wp-login.php page)? Does that process work correctly?
Ya, it seemed strange to me, too. The normal WordPress function works fine, and I’m actually just using that in the meantime.
I’m not using any other security plugins.
This may have gotten lost in the shuffle, but it’s probably where you need to start:
you may need to run some testing with other plugins deactivated to see if you can track down a potential conflict.
