Disabling Password Resets

I’ve come across numerous security hardening articles relating to various measures for disabling password resets (i.e. lost password retrieval).

https://www.google.com/search?q=wordpress+disable+lost+password

SQL Injection

I’ve read that SQL injection can be used to obtain the user email etc. and ultimately to gain control of the site by intercepting the password reset email that is automatically sent to a user.

https://hackertarget.com/attacking-wordpress/

Serious Vulnerability?

If I’m already protected against SQL injections (via security plugin), do I need to disable the password reset feature? Is it really a serious vulnerability?

Brute force attacks are on the rise. I’ve encountered several instances myself in recent months.

2 Answers

»The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.« (Gene Spafford)

The lost password feature might potentially be a risk, but whether you keep it or not is just a matter of risk assessment. For that assessment there surely is not one answer; you have to assess it for your case yourself. Last but not least, I personally would say it is not unsafe to an extent that would justify the suggestion to always remove the feature. So I wouldn’t say it generally is a serious vulnerability.
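Since the answer frames this as a per-site risk decision, here is one middle-ground option as an added example (not code from the question, the answer or WordPress itself): a must-use plugin that switches the lost-password flow off only for accounts holding a chosen capability (administrators by default) and leaves it available to everyone else. The `RPR_PROTECTED_CAP` constant and the `rpr_` function name are assumptions for this example; the `allow_password_reset` filter is the one WordPress applies in `get_password_reset_key()`.

```php
<?php
/**
 * Plugin Name: Restrict Password Resets (added example)
 * Description: Disables the "lost password" flow for accounts that hold a
 * given capability while keeping it for all other users. Place this file in
 * wp-content/mu-plugins/ to activate it; it is example code, not part of the
 * original post or of WordPress core.
 */

// Accounts with this capability cannot use the reset flow. 'manage_options'
// is granted only to administrators by default. The constant name and the
// choice of capability are assumptions made for this example.
const RPR_PROTECTED_CAP = 'manage_options';

/**
 * Decide whether a reset key may be generated for $user_id.
 *
 * WordPress runs the 'allow_password_reset' filter from
 * get_password_reset_key() with ($allow, $user_id). Returning a WP_Error
 * (or false) makes retrieve_password() refuse to send the reset email.
 */
function rpr_restrict_password_reset( $allow, $user_id ) {
    // Respect a refusal already made by core or by another plugin.
    if ( is_wp_error( $allow ) || ! $allow ) {
        return $allow;
    }

    if ( user_can( $user_id, RPR_PROTECTED_CAP ) ) {
        // Leave a trace in the PHP error log so refused attempts can be reviewed.
        $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf(
            'Password reset refused for protected user ID %d (request from %s)',
            (int) $user_id,
            $remote
        ) );

        return new WP_Error(
            'password_reset_disabled',
            __( 'Password resets are disabled for this account. Contact the site administrator.' )
        );
    }

    return $allow; // Unprivileged accounts keep the normal reset flow.
}
add_filter( 'allow_password_reset', 'rpr_restrict_password_reset', 10, 2 );
```

Administrators then recover access through a channel you control (for example WP-CLI or direct database access on the server) rather than through email, which is the exposure the question is worried about.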
