diff --git a/security/MemberLoginForm.php b/security/MemberLoginForm.php
index cccdf9089..c95216b42 100644
--- a/security/MemberLoginForm.php
+++ b/security/MemberLoginForm.php
@@ -1,6 +1,14 @@
 <?php
 /**
- * Log-in form for the "member" authentication method
+ * Log-in form for the "member" authentication method.
+ *
+ * Available extension points:
+ * - "authenticationFailed": Called when login was not successful. 
+ *    Arguments: $data containing the form submission
+ * - "forgotPassword": Called before forgot password logic kicks in, 
+ *    allowing extensions to "veto" execution by returning FALSE. 
+ *    Arguments: $member containing the detected Member record
+ * 
  * @package framework
  * @subpackage security
  */
@@ -256,9 +264,12 @@ JS
 
 
 	/**
-	 * Forgot password form handler method
-	 *
-	 * This method is called when the user clicks on "I've lost my password"
+	 * Forgot password form handler method.
+	 * Called when the user clicks on "I've lost my password".
+	 * Extensions can use the 'forgotPassword' method to veto executing
+	 * the logic, by returning FALSE. In this case, the user will be redirected back
+	 * to the form without further action. It is recommended to set a message
+	 * in the form detailing why the action was denied.
 	 *
 	 * @param array $data Submitted data
 	 */
@@ -267,6 +278,12 @@ JS
 		$SQL_email = $SQL_data['Email'];
 		$member = DataObject::get_one('Member', "\"Email\" = '{$SQL_email}'");
 
+		// Allow vetoing forgot password requests
+		$results = $this->extend('forgotPassword', $member);
+		if($results && is_array($results) && in_array(false, $results, true)) {
+			return $this->controller->redirect('Security/lostpassword');
+		}
+
 		if($member) {
 			$token = $member->generateAutologinTokenAndStoreHash();