A local plugin that adds SMS-based password reset with verification code functionality to Moodle without modifying core files.
- SMS Verification Code: Users receive a 6-digit code via SMS to verify their identity
- Two-step verification: Find user by username/email, then verify with SMS code
- Secure: Codes expire after 30 minutes and are single-use
- Intelligent requirement: Only users with phone numbers can use SMS reset
- Multiple SMS gateway support:
- Test mode (logs to file for development)
- Twilio integration
- Custom SMS provider support
- Upgrade-safe implementation (no core file modifications except config.php)
- Clean separation of concerns
- Easy to enable/disable
1. User clicks "Forgot Password"
?
2. User enters username or email
?
3. System checks if user has phone number
?? NO ? Error (phone required)
?? YES ? Continue
?
4. System generates 6-digit code
?
5. SMS sent with code (e.g., "123456")
?
6. User enters code on website
?
7. System validates code
?? Invalid ? Error
?? Valid ? Allow password reset
?
8. User sets new password
Standard Moodle: Sends reset LINK via email This Plugin: Sends verification CODE via SMS
Copy the sms_password_reset folder to your Moodle's local/ directory:
cp -r sms_password_reset /path/to/moodle/local/Visit your Moodle site admin notifications page or run:
php admin/cli/upgrade.phpThis will create the database table for verification codes.
Add the following line to your config.php file (after the $CFG->wwwroot line):
$CFG->forgottenpasswordurl = $CFG->wwwroot . '/local/sms_password_reset/forgot_password.php';This redirects the standard "Forgot password" link to use the SMS verification version.
Go to Site administration ? Plugins ? Local plugins ? SMS Password Reset
- No configuration needed
- SMS messages (verification codes) are logged to
moodledata/sms_test_log.txt - Perfect for development and testing
- Select "Twilio" as the SMS Gateway
- Enter your Twilio Account SID
- Enter your Twilio Auth Token
- Enter your Twilio phone number (E.164 format, e.g., +1234567890)
- Select "Custom Provider" as the SMS Gateway
- Enter your API URL
- Select HTTP method (GET or POST)
- Configure API parameters as JSON, use placeholders:
{phone}- Will be replaced with the phone number{message}- Will be replaced with the message text (code)
Example:
{
"to": "{phone}",
"message": "{message}",
"api_key": "your_api_key_here"
}- Click "Lost your password?" on the login page
- Enter your username or email
- Click Search
- You will receive a 6-digit code via SMS
- Enter the code on the website
- If code is correct, set your new password
Important: You must have a phone number in your Moodle profile to use SMS reset.
Users must have a phone number in their profile:
- Go to user profile
- Add phone number to "Phone" or "Mobile phone" field
- Use international format recommended (e.g., +1234567890)
- Moodle 4.0 or later
- PHP cURL extension (for SMS sending)
- Users must have phone numbers in their profiles
The plugin creates one table:
mdl_local_sms_pwd_reset_codes- Stores verification codes temporarily
Codes are automatically cleaned up every 30 minutes by a scheduled task.
Codes expire after 30 minutes by default (uses $CFG->pwresettime).
To change, add to config.php:
$CFG->pwresettime = 1800; // 30 minutes in secondsThe SMS message is:
[Site Name]: Your password reset code is: 123456
Core files are NOT modified (except config.php which is never overwritten by upgrades):
- All functionality is contained in
local/sms_password_reset/ - Uses standard Moodle hooks and APIs
- Can be disabled by removing the config.php line
-
Remove the line from
config.php:$CFG->forgottenpasswordurl = $CFG->wwwroot . '/local/sms_password_reset/forgot_password.php';
-
Uninstall the plugin from Site administration ? Plugins ? Plugins overview
-
Or manually delete the folder:
rm -rf /path/to/moodle/local/sms_password_reset
- Check the gateway configuration in plugin settings
- For test mode, check
moodledata/sms_test_log.txt - Enable debugging: Site administration ? Development ? Debugging
- Check PHP error logs
- Verify the user has a phone number in their profile
- Check phone number format is valid
- Verify SMS gateway is working (check test log or gateway logs)
- Check that code was entered correctly (6 digits)
- Verify code hasn't expired (30 minutes)
- Ensure code hasn't been used already (single-use)
- Check database table
mdl_local_sms_pwd_reset_codes
- Verify the config.php line is correct
- Check file permissions on the plugin directory
- Clear Moodle caches: Site administration ? Development ? Purge all caches
- Set SMS Gateway to "Test Provider"
- Add a phone number to a test user
- Try password reset with that user
- Check the log file:
tail -f /path/to/moodledata/sms_test_log.txt
- You should see the 6-digit code in the log
- Enter the code on the verification page
- Codes are 6 digits (1 million combinations)
- Codes expire after 30 minutes
- Codes are single-use (marked as used after verification)
- Codes are stored securely in database
- Old codes are cleaned up automatically
- SMS messages are sent over HTTPS (Twilio/custom providers)
The plugin includes a scheduled task that runs every 30 minutes:
- Cleanup expired SMS verification codes
- Removes codes older than expiry time
- Keeps database clean
View/configure at: Site administration ? Server ? Scheduled tasks
GPL v3 or later
Created for Acdbra Moodle implementation
Copyright 2025 Your Organization
For issues, questions, or contributions, please contact your system administrator.
- Changed to verification CODE flow instead of reset LINK
- User enters code on website to verify identity
- Added database table for code storage
- Added code expiry and single-use functionality
- Added scheduled task for code cleanup
- Improved security with time-limited codes
- Initial release (reset link via SMS)