The Issue #
If you are on WP Engine and using the Ultimate Member plugin to create a registration form and the link that is sent via email to reset the password keeps throwing the “invalid key” error, try the following instructions.
The Solution #
1. Disable Object Cache. This is done on WP Engine User Portal > Caching > Object Cache > Disable.
2. Ask WP Engine support team to disable cache on the following URL: https://yoursite.com/member-password-reset/?act=reset_password
Be sure that this is what they add on the exclusions. We have experienced issues when they add a ^or / at the beggining of the path:
arg: act=reset_password
path: member-password-reset/?act=reset_password
3. Clear all caches and test again.
Additional Information #
This happens because Ultimate Member does some validation on /plugins/ultimate-member/includes/core/class-password.php using Password::form_init(); and after that validation, the page is redirected to the previous mentioned URL (that is the same from the email link but without the has and user_id, that was replaced with a cookie), so, the user clicks the link for something like this:
https://mysite.com/member-password-reset/?act=reset_password&hash=RcGpvp0FOwi8ldEjTuUv&user_id=149
but is redirected to something like this:
https://mysite.com/member-password-reset/?act=reset_password
As you can see, the original URL has a unique hash so, the cache won’t be an issue, but the redirected URL is always the same, and that’s where we have cache issues. And that’s why we need to exclude that URL.