What is the purpose of the .well-known/change-password URL?
The .well-known directory is a web convention (introduced by the IETF) that defines a standard location for hosting metadata or official policies on a site.
One of the applications of this convention is the /.well-known/change-password URL. Its purpose is simple: to systematically redirect the user to your site's password change page.
This notably allows browsers and password managers (like those from Google, Apple, etc.) to offer a direct link to update a potentially compromised password, without the user having to search for the right page.
What are the benefits?
Setting up a .well-known/change-password URL offers several important benefits:
- Simplified user experience: Instead of searching for the right page, users (and their password managers) have a single, predictable address. This is a significant time saver, especially when updating many accounts.
- Enhanced security: By offering an official and recognizable URL, you reduce the risk of your users being tricked by phishing attacks that would imitate your page.
- Interoperability and standardization: You adopt a consistent approach, recognized by the web ecosystem. This promotes the integration of your site with security tools and browsers.
Is this relevant for my site?
If your website has a private area where users can manage their password, then yes, it is likely that your website should support the .well-known/change-password URL. It's a good practice that improves security and your users' experience without any drawbacks.
Who uses such .well-known/change-password URLs?
The main players on the web have already implemented the .well-known/change-password redirect:
- Google - https://accounts.google.com/.well-known/change-password
- GitHub - https://github.com/.well-known/change-password
- WordPress - https://wordpress.com/.well-known/change-password
- redirection.io 😁 - https://redirection.io/.well-known/change-password
How to install this recipe on my website with redirection.io?
Installing this recipe on your website requires the following steps:
- On your website, locate the user account page where users can change their password. Of course, accessing this page requires users to authenticate first
- Copy the complete URL of this page
- Paste this URL in the recipe configuration
- Click on the install button: this will create a new rule in "draft" mode, so you can edit it if necessary
- Publish the rules: a few seconds after the publication, the .well-known/change-password URL will be active
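Once the rule is published, the redirect can be verified from the outside. The following is an added example, not redirection.io's own code: it evaluates the response to the well-known URL (status and Location header) and lists anything that would weaken the "official URL" guarantee. The host example.com, the /account/password path, the host allowlist and the temporary-redirect-only policy are assumptions of this example.

```python
import http.client
from urllib.parse import urljoin, urlsplit

WELL_KNOWN = "/.well-known/change-password"
# Assumption of this example: accept only temporary redirects, so a later
# move of the password page is not pinned by a cached permanent redirect.
TEMPORARY_REDIRECTS = {302, 303, 307}

def check_redirect(origin, status, location, allowed_hosts):
    """Return a list of problems; an empty list means the response passes."""
    problems = []
    if status not in TEMPORARY_REDIRECTS:
        problems.append(f"status {status} is not a temporary redirect")
    if not location:
        return problems + ["missing Location header"]
    # Resolve relative and protocol-relative Location values as a client would.
    target = urlsplit(urljoin(origin + WELL_KNOWN, location))
    if target.scheme != "https":
        problems.append(f"target scheme is {target.scheme!r}, expected https")
    if target.hostname not in allowed_hosts:
        problems.append(f"target host {target.hostname!r} is not in the allowlist")
    if target.path == WELL_KNOWN:
        problems.append("redirect points back at the well-known URL")
    return problems

def fetch(host):
    """GET the well-known URL over HTTPS once; http.client never follows redirects."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", WELL_KNOWN)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (status, Location) for a hypothetical example.com.
SAMPLES = [
    (302, "/account/password"),
    (301, "/account/password"),
    (302, "http://example.com/account/password"),
    (307, "//other.example/reset"),
    (404, None),
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        found = check_redirect("https://example.com", status, location, {"example.com"})
        print(status, location, "->", found or "ok")
    # Live check (needs network): check_redirect("https://example.com", *fetch("example.com"), {"example.com"})
```

For a site that sends users to a separate account domain, add that host to the allowlist passed to check_redirect.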