The password reset page behaves differently when the email address matches a user or not, so I’m concerned about it being used for user discovery.
In OJS 3.3, is it possible to have a captcha on this page or have it always say “email has been sent” regardless of a user actually existing?
[I’m very reluctant to change the OJS code. Our upgrade from OJS 2 was made all the more difficult because of changes to OJS’s code. Ideally I would want to restrict any changes to (possibly custom) plugins.]