Enforcing strong user passwords is a fundamental step in increasing a website’s security. In this article, we’ll walk you through configuring your website’s password policy and requiring users to set new passwords that are compliant with it.
Users tend to use simple passwords, often composed of their names (like john123), missing special characters, or short enough to be easily guessed by the bad actors’ machines.
This can be a real security threat to your WordPress website, especially if administrator users use such weak passwords. Thankfully, there’s a simple way to restrict the usage of weak passwords – here’s where the Password Policy & Complexity Requirements plugin comes into play.
Setting up the password policy
Let’s start by downloading the plugin from the WordPress.org plugin directory, installing it on your website, and activating it. Follow these steps:
- Navigate to the “Plugins” page in your WordPress admin panel,
- Click on the “Add New Plugin” button, and type “Password Policy & Complexity Requirements” into the search field,
- Ensure you install the plugin authored by Teydea Studio before continuing,
- Click on the “Install Now” and then “Activate” buttons.

After installing and activating the plugin, you’ll be redirected to the plugin settings screen, where you can configure the password policy for users. You can also access the plugin’s settings screen under the “Settings” section in the WordPress admin navigation menu.

Now, you’re ready to configure the password policy! Start by defining the password policy name. You’ll find a toggle above the “Policy Name” field, which you can use to turn the password policy on and off. All new policies are turned off by default, so you must toggle that setting to enable it.
After you finish the policy configuration, click on the blue “Save all settings” button on the top-right side of the screen.

In the “Enabled rules” and “Rule settings” sections, configure the password policy details:
- whether to enforce the minimum password length – and what the minimum value is,
- whether to enforce the minimum/maximum password age – and what the minimum and maximum values are,
- whether to enforce the password complexity requirements, such as required uppercase/lowercase letters, digits, special characters, unique characters, how many consecutive symbols from the user’s name or display name are allowed, etc.
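To show how rules like these behave on real input, here is an added Python example (not the plugin's code) that checks a candidate password against length, character-class, unique-character and name-overlap rules. The policy keys and threshold values are assumptions chosen for illustration; the plugin's own option names and defaults are not shown on this page.

```python
import re

# Hypothetical policy values (assumptions, not the plugin's defaults).
POLICY = {
    "min_length": 12,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_special": True,
    "min_unique_chars": 6,
    "max_name_run": 3,  # longest run of consecutive name characters allowed
}

def longest_shared_run(password, name):
    """Length of the longest substring shared by password and name (case-insensitive)."""
    a, b = password.lower(), name.lower()
    best = 0
    prev = [0] * (len(b) + 1)
    for ch in a:
        cur = [0] * (len(b) + 1)
        for j, other in enumerate(b, start=1):
            if ch == other:
                # Extend the run that ended at the previous character of both strings.
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def violations(password, names, policy=POLICY):
    """Return the names of the rules the password breaks (empty list = compliant)."""
    failed = []
    if len(password) < policy["min_length"]:
        failed.append("min_length")
    checks = {
        "require_upper": r"[A-Z]",
        "require_lower": r"[a-z]",
        "require_digit": r"[0-9]",
        "require_special": r"[^A-Za-z0-9]",
    }
    for rule, pattern in checks.items():
        if policy[rule] and not re.search(pattern, password):
            failed.append(rule)
    if len(set(password)) < policy["min_unique_chars"]:
        failed.append("min_unique_chars")
    # names: the user's login name and display name
    if any(longest_shared_run(password, n) > policy["max_name_run"] for n in names):
        failed.append("max_name_run")
    return failed
```

With these assumed thresholds, the john123 example from the introduction fails four rules at once, while a password that merely embeds the user's name fails only the name-overlap rule even if it is long and complex.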
If you’re interested in more details about all configuration options, check the plugin documentation or test it live in WordPress Playground.
Note: the free version of the plugin allows you to configure a single password policy for all users of your website. If you want more granular configuration (for example: a policy for Administrators, or different policy rules for Editors only, etc.), check out the PRO version of the plugin.
Force users to use strong passwords
Congratulations, you just enabled the password policy for the users of your WordPress website!
Now, when users log in to the WordPress admin panel or change their password, the plugin will validate the password’s compliance with the matching password policy. If the password is not compliant, the user will be asked to set a new password following the defined complexity rules.
However, if you do not want to wait until the current sessions expire and would rather require all users to change their passwords at once to comply with the new policy, the Password Reset Enforcement plugin is a perfect tool to achieve this.
Follow these steps to install and activate that plugin:
- Navigate to the “Plugins” page in your WordPress admin panel,
- Click on the “Add New Plugin” button, and type “Password Reset Enforcement” into the search field,
- Ensure you install the plugin authored by Teydea Studio before continuing,
- Click on the “Install Now” and then “Activate” buttons.

After installing and activating the plugin, you’ll be redirected to the plugin settings screen, where you can configure the password reset process. You can also access the plugin’s settings screen under the “Settings” section in the WordPress admin navigation menu.

In the plugin settings screen, choose the users to reset passwords for (all users at once or specific users by role or name). Then, decide whether to email the password reset link to users and whether to allow users to initiate the password reset process using their current passwords.
Finally, choose to reset the passwords immediately, which logs out all users from your website and forces them to set up new passwords.
Click on the blue “Process action” button on the top-right side of the screen and see the password reset action progress in the progress bar below the settings screen.
Conclusion
By using these two WordPress plugins, you can configure a strong password policy for your users and force them to reset their passwords immediately, making sure that from now on, they will no longer be able to access the admin panel using weak, insecure passwords.