The old system of giving out password-reset URLs that only work in the current month is:

- More security than is really needed
- Sometimes buggy
  - I ran into an edge case where at the end of the month, date('F', strtotime('+1 month')) actually output the name of the month two months in the future, which made the "If you need to reset your password in <?= date('F', strtotime('+1 month')) ?> or later, you'll need to..." instruction confusing
- Kind of arbitrary
  - It's a time limit that can be anything less than one month, including just one second. It makes more sense to me to make it a specific length of time or none at all.

My recommendation is to remove this time limit entirely, but it would also be okay to change the limit to a specific period of time (like 24 hours, enforced by including a timestamp in the URL and making it part of the hash's input).
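
The 24-hour option described above, as an added example that is not part of the original post or the project's code. It assumes an HMAC-SHA256 over the user ID and issue time with a server-side secret; the function names, the `uid`/`ts`/`sig` parameter names and the demo key are hypothetical.

```php
<?php
// Added illustration: names, URL layout and key handling are assumptions.
const RESET_TTL = 86400; // 24 hours, the fixed period suggested above

function reset_signature(string $userId, int $issuedAt, string $key): string
{
    // The issue time is part of the MAC input, so changing "ts" in the URL
    // without knowing the key makes "sig" stop matching.
    return hash_hmac('sha256', $userId . '|' . $issuedAt, $key);
}

function make_reset_query(string $userId, string $key, ?int $now = null): string
{
    $ts = $now ?? time();
    return http_build_query([
        'uid' => $userId,
        'ts'  => $ts,
        'sig' => reset_signature($userId, $ts, $key),
    ]);
}

function verify_reset_query(array $q, string $key, ?int $now = null): bool
{
    $now = $now ?? time();
    $uid = $q['uid'] ?? '';
    $ts  = $q['ts'] ?? '';
    $sig = $q['sig'] ?? '';
    // Reject arrays (uid[]=...) and non-numeric timestamps before any crypto.
    if (!is_string($uid) || !is_string($ts) || !is_string($sig) || !ctype_digit($ts)) {
        return false;
    }
    // Constant-time comparison; authenticate first, then trust the timestamp.
    if (!hash_equals(reset_signature($uid, (int) $ts, $key), $sig)) {
        return false;
    }
    $age = $now - (int) $ts;
    return $age >= 0 && $age <= RESET_TTL; // also rejects future-dated links
}

// Constructed demo values: a fixed clock and a throwaway key.
$key = 'constructed-demo-key';
$issued = 1700000000;
parse_str(make_reset_query('42', $key, $issued), $q);
var_dump(verify_reset_query($q, $key, $issued + 3600));        // one hour after issue
var_dump(verify_reset_query($q, $key, $issued + 25 * 3600));   // 25 hours after issue
$q['ts'] = (string) ($issued + 24 * 3600);                     // ts moved forward, not re-signed
var_dump(verify_reset_query($q, $key, $issued + 25 * 3600));
```

Because the window is measured from the issue time rather than the calendar month, every link gets the same lifetime and no month-name arithmetic is needed in the instructions shown to the user.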