Documentation – Password Policy & Complexity Requirements PRO WordPress plugin

Review the Password Policy & Complexity Requirements plugin documentation below. Still have some questions? Reach out to us at [email protected]

Customer Portal

After purchasing the plugin, you’ll receive access to the Customer Portal. Login to the Customer Portal with your credentials, and then, navigate to the “Subscriptions” section.

You’ll find a bunch of important information there – the subscription renewal date, license key, and downloadable files of the plugin.

In the sections below, you can define your Billing information, Payment methods, and review your Billing history. You can do any changes by yourself – update the payment method, update or cancel the subscription, etc.

Customer Portal can be accessed under the https://teydeastudio.lemonsqueezy.com/billing link.

Installing the plugin

In the Customer Portal, navigate to the “Subscription” section, find the “Files” row and click on the plugin .zip file name to initiate the download.

After the download process completes, login to your WordPress website, and navigate to the “Plugins” screen. Click on the “Add New” button:

Note: this plugin requires the free version of the Password Policy & Complexity Requirements plugin. Install the free version first, or follow the steps mentioned below.

In the “Add Plugins” screen, click on the “Upload Plugin” button. Then, choose the plugin file (which you downloaded from the Customer Portal), and click on the “Install Now” button:

After the plugin is installed successfully, and only if you already have the free version of this plugin active and enabled, click on the “Activate Plugin” button:

If you haven’t installed and/or activated the free version of the plugin yet, navigate to the “Plugins” → “Installed Plugins” screen again, find the “Password Policy & Complexity Requirements PRO” plugin in the list of installed plugins, and click on the link after the “Requires” word:

Now, install the free version of the plugin (as mentioned, this is the dependency of the PRO plugin version):

Screenshot

Congratulations! The Password Policy & Complexity Requirements PRO plugin is now installed on your website:

Screenshot

Accessing the plugin settings page

The plugin settings page can be accessed by:

  • clicking on the “Settings” link under the plugin name on the plugins list,
  • clicking on “Settings” → “Password Policy & Complexity Requirements” in the main navigation menu of the WordPress admin panel,
  • directly accessing the /wp-admin/options-general.php?page=password-requirements-settings-page path (relative to your WordPress website).

Network installation

If you installed this plugin in a network WordPress instance (a.k.a. multisite), the plugin settings page can only be accessed at the network level. The direct link to the plugin settings page changes in this case to wp-admin/network/settings.php?page=password-requirements-settings-page (relative to your WordPress network website).

In case of a network installation, all changes made in the plugin settings page will apply to all sites within the network.

Updating the plugin

Automatic updates

In order to receive automatic updates, right after installing the plugin, navigate to the plugin Settings page and click on the “Manage general settings” tab. Put your license key (which you can find in the Customer Portal) into the “License key” field and click on “Save all changes”.

Now, for as long as your license key remains valid and active, you’ll receive automatic plugin updates.

Manual updates

In order to update this plugin manually, login to the Customer Portal and download the most recent version of the plugin. Then, repeat steps described under the “Installing the plugin” section, using the most recent version of the plugin.

WordPress will automatically detect that you’re attempting to update the plugin, which you can notice on the screenshot below:

Click on the “Replace current with uploaded” button, and the plugin update process will start.

Configuring the plugin

Now that you have the plugin installed, you can access the plugin settings page and configure the password policy for your users.

By default, no password policy is defined. After activating the plugin, you need to configure the password policy to match your needs, and then enable it.

When are the settings saved?

Settings configured in the plugin settings page are not saved automatically; you need to click on the blue “Save all settings” button (at the bottom of the settings section) in order to save the settings.

Adding a new password policy

You can add as many password policies as you need. Policies can be reordered using the drag-and-drop functionality, and should be ordered from the most specific to least specific.

For example – if you create a “generic” policy for all users, and a “specific” policy for contractors, the “specific” policy should be higher in the list of policies – otherwise, the “all users” policy will resolve first.

In order to create a new password policy, click on the “Add new policy” button. New policies are always added at the top of the policies list.

Activating and deactivating the password policy

Each new password policy is deactivated by default, which gives you time to configure it properly prior to enforcing its rules on your users.

In order to activate or deactivate the policy, find the policy you want to update in the list of your password policies, and click on the “General settings” panel of it.

After opening the “General settings” panel, you’ll see a toggle with the “Activate this policy” label. Click on that toggle to change the policy activation status.

Besides the toggle, you’ll see whether a policy is active or not at the top of the policy panel. An active policy’s name is preceded by the word “Policy”, and an inactive policy’s name by the phrase “Inactive Policy”.

Changing the password policy name

If you plan to use more than one password policy, it’s a good idea to give them meaningful, descriptive names, so that they can be easily recognized, and their scope can be understood immediately.

You can have a “Generic policy” that covers all users, and a “Policy for administrators” that enforces stronger passwords for the site admins. You can have a “Policy for freelancers” that requires the freelancers you work with to use strong passwords. These are just examples – it’s up to you how you define and name each password policy.

In the list of your password policies, find the policy whose name you want to update, and click on the “General settings” panel of it. You’ll see a text input field under the “Policy name” label, where you can change the name of the policy.

Deleting the password policy

You can delete a password policy if you no longer want to use it. To do that, in the list of your password policies, find the policy you want to delete, and click on the “General settings” panel of it.

You’ll see a red-bordered button with a “Delete policy” label – click on it, then click on the blue “Save all changes” button at the bottom of the settings section.

Enabling and disabling the rules of the policy

Each password policy can be configured differently, depending on the use case. Click on the “Enabled rules” panel of the policy you want to configure – you’ll see a list of toggles that allow you to enable or disable certain rules. Click on the toggle near the rule name to change the rule status between “enabled” and “disabled”.

Enforce the minimum password length

Once enabled, the user’s password length must equal or exceed the defined value, which is set to 10 characters by default.

Enforce the minimum password age

Once enabled, users can only change their passwords if the current password has been used for at least a defined period (set to 2 days by default). This is meant to prevent users from resetting their password repeatedly to circumvent the “Prevent users from reusing their past passwords” setting and reuse a favorite password immediately.

Enforce the maximum password age

Once enabled, users will have to change their passwords if the current password has been in use for a defined period (set to 30 days by default).

Enforce the password complexity requirements

Once enabled, the user’s password must meet the complexity requirements.

Prevent users from reusing their past passwords

Once enabled, users will not be able to set a new password if that password was already used by them in the past.

Adjusting the rule settings

Each rule’s settings can be adjusted to better suit your specific needs. Click on the “Rule settings” panel of the policy you want to configure – you’ll see a bunch of options that will allow you to adjust the rules’ behavior.

Note: each of the rule settings applies to a specific rule as described below. The associated rule needs to be enabled (see the section above for details), otherwise the setting does not apply.

Minimum password length

This field allows you to define the minimum length of the password, which applies to the “Enforce the minimum password length” rule.

This is set to 10 by default, which means the user’s password must equal or exceed 10 characters.

A valid value of this field is an integer between 1 and 50.

Minimum password age

This field allows you to define the minimum password age, which applies to the “Enforce the minimum password age” rule.

This value represents days, and is set to 2 by default, which means that a user cannot set a new password if their current password was set within the last 2 days.

As mentioned above, this is meant to prevent users from resetting their password repeatedly to circumvent the “Prevent users from reusing their past passwords” setting and reuse a favorite password immediately.

A valid value of this field is an integer between 1 and 1000.

Maximum password age

This field allows you to define the maximum password age, which applies to the “Enforce the maximum password age” rule.

This value represents days, and is set to 30 by default, which means that a user must set a new password once their current password has been in use for 30 days.

A valid value of this field is an integer between 1 and 1000.

Password complexity requirements

This field allows you to select the password complexity rules, which are applied by the “Enforce the password complexity requirements” rule.

Possible complexity rules:

  • “Uppercase letter(s) required” – at least one uppercase letter is required in the user’s password.
  • “Lowercase letter(s) required” – at least one lowercase letter is required in the user’s password.
  • “Base digit(s) (0 through 9) required” – at least one base digit is required in the user’s password. A base digit is an integer between 0 and 9.
  • “At least X unique (non-repeated) characters required”, where “X” is an integer defined in the Minimum number of unique (non-repeated) characters in password field below. For example, in the “aabc” password, three characters are unique (non-repeated): a, b, c.
  • “Up to X consecutive symbols from the user’s name or display name allowed”, where “X” is an integer defined in the Number of consecutive symbols of the user’s name or display name allowed in the password field below. If “0” (zero) is chosen, no character used in the user name or display name is allowed in the user’s password; if “2” is chosen and the user name and display name is “Bart”, the password can contain “ba”, “ar”, and “rt”, but not “bar” or “art”.
  • “Special character(s) required” – at least one special character is required in the user’s password. A special character is understood as one of the punctuation characters present on a standard US keyboard. See: Password Special Characters for more details.

Minimum number of unique (non-repeated) characters in password

This field allows you to define the minimum number of unique, non-repeated characters required in the user’s password, which is used by one of the password complexity rules.

For example, in the “aabc” password, three characters are unique (non-repeated): a, b, c. Default value of this field is set to “6”. A valid value of this field is an integer between 1 and 50.

Number of consecutive symbols of the user’s name or display name allowed in the password

This field allows you to define the number of consecutive symbols of the user’s name or display name allowed in the user’s password, which is used by one of the password complexity rules.

For example, if “0” is chosen, no character used in the user name or display name is allowed in the user’s password; if “2” is chosen and the user name is “Bart”, the password can contain “ba”, “ar”, and “rt”, but not “bar” or “art”.

Default value of this field is set to “4”. A valid value of this field is an integer between 0 and 50.
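To make the complexity rules concrete, here is an added Python example (not the plugin’s own code; the plugin is PHP and its internal option names are not shown on this page, so the settings keys below are assumptions). It implements the six complexity rules listed above with the documented defaults (6 unique characters, 4 consecutive name symbols), including the “aabc” unique-character count and the “Bart” consecutive-symbol behaviour. One further assumption: the name comparison is case-insensitive, which is how the “Bart” example reads.

```python
import string

# Constructed settings mirroring the documented defaults. The plugin's own option
# names and storage format are not shown on the page, so these keys are assumptions.
DEFAULT_COMPLEXITY = {
    "uppercase": True,      # "Uppercase letter(s) required"
    "lowercase": True,      # "Lowercase letter(s) required"
    "digit": True,          # "Base digit(s) (0 through 9) required"
    "special": True,        # "Special character(s) required"
    "min_unique": 6,        # "At least X unique (non-repeated) characters required", default 6
    "max_name_run": 4,      # "Up to X consecutive symbols from the user's name ... allowed", default 4
}

# Punctuation characters present on a standard US keyboard.
SPECIAL_CHARACTERS = set(string.punctuation)


def unique_character_count(password: str) -> int:
    """Number of distinct characters: "aabc" -> 3 (a, b, c)."""
    return len(set(password))


def name_run_violation(password: str, name: str, allowed: int) -> bool:
    """True if the password contains a run of more than `allowed` consecutive
    symbols taken from `name`.

    Assumption: the comparison is case-insensitive, which is how the page's
    "Bart" example (allowed=2: "ba", "ar", "rt" pass; "bar", "art" fail) reads.
    With allowed=0 any single character of the name is rejected. A name shorter
    than allowed+1 cannot produce a forbidden run.
    """
    if not name:
        return False
    pw, nm = password.lower(), name.lower()
    window = allowed + 1
    if window > len(nm):
        return False
    return any(nm[i:i + window] in pw for i in range(len(nm) - window + 1))


def check_complexity(password: str, username: str, display_name: str,
                     settings: dict = DEFAULT_COMPLEXITY) -> list:
    """Return the list of complexity rules the password fails (empty list = passes)."""
    failures = []
    if settings["uppercase"] and not any(c.isupper() for c in password):
        failures.append("uppercase letter required")
    if settings["lowercase"] and not any(c.islower() for c in password):
        failures.append("lowercase letter required")
    if settings["digit"] and not any(c in string.digits for c in password):
        failures.append("base digit (0 through 9) required")
    if settings["special"] and not any(c in SPECIAL_CHARACTERS for c in password):
        failures.append("special character required")
    min_unique = settings.get("min_unique")
    if min_unique is not None and unique_character_count(password) < min_unique:
        failures.append(f"at least {min_unique} unique characters required")
    max_run = settings.get("max_name_run")
    if max_run is not None and any(
        name_run_violation(password, n, max_run) for n in (username, display_name)
    ):
        failures.append(
            f"more than {max_run} consecutive symbols of the user's name or display name"
        )
    return failures


if __name__ == "__main__":
    # Constructed sample user; both candidates are checked against the defaults.
    for candidate in ("bartbart", "Correct-Horse7"):
        print(candidate, "->", check_complexity(candidate, "bart", "Bart Simpson") or "OK")
```

Note that with the default of 4 consecutive symbols, a four-letter user name such as “bart” can never trigger the name rule at all, because a forbidden run would need 5 characters; lowering the setting to 2 is what makes “bar” and “art” rejected as in the documentation’s example.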

Defining the users coverage of each password policy

Each password policy can be applied to a different set of users, depending on your unique needs. Click on the “User coverage” panel of the policy you want to configure to review the available options.

By default, a new password policy applies to all users. Turn the toggle off to see the option to apply that password policy based on the user roles, and/or to specific users.

Each policy can be applied to a different group of users. Policies should be ordered from the most specific to least specific.

Only one policy applies to a single user. If a user matches the conditions of more than one password policy, the policy that is higher in the order defined on this settings page applies, and the remaining policies are ignored for that user.
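The first-match resolution described here and in the “Adding a new password policy” section above is easy to get wrong in practice, so here is an added Python example (not the plugin’s own code; the policy and user structures are constructed for illustration). It models a generic policy and a role-based policy for contractors, and shows that putting the generic policy first silently shadows the specific one. It also assumes, since the page does not say, that inactive policies are skipped rather than consuming the match.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    login: str
    roles: frozenset  # a WordPress user can hold more than one role


@dataclass
class Policy:
    name: str
    active: bool = True                 # "Activate this policy" toggle
    all_users: bool = True              # default "User coverage": applies to all users
    roles: frozenset = frozenset()      # coverage by role when all_users is off
    users: frozenset = frozenset()      # coverage by specific user logins when all_users is off

    def covers(self, user: User) -> bool:
        if self.all_users:
            return True
        return bool(self.roles & user.roles) or user.login in self.users


def resolve_policy(user: User, policies: list) -> Optional[Policy]:
    """Return the first policy in list order that covers the user, or None.

    Assumption (not stated on the page): inactive policies are skipped rather than
    consuming the match, so an inactive specific policy does not shadow a generic one.
    """
    for policy in policies:
        if policy.active and policy.covers(user):
            return policy
    return None


# Constructed example policies: a generic one for everybody and stricter ones for
# contractors (by role) and one named administrator (by user).
GENERIC = Policy("Generic policy")
CONTRACTORS = Policy("Policy for contractors", all_users=False, roles=frozenset({"contractor"}))
ADMIN_ONLY = Policy("Policy for administrators", all_users=False, users=frozenset({"alice"}))

CONTRACTOR_USER = User("carol", frozenset({"contractor"}))
ADMIN_USER = User("alice", frozenset({"administrator"}))


def wrong_order() -> str:
    """Generic first: it resolves for everyone, so the contractor policy never applies."""
    return resolve_policy(CONTRACTOR_USER, [GENERIC, CONTRACTORS]).name


def right_order() -> str:
    """Most specific first, as the documentation recommends."""
    return resolve_policy(CONTRACTOR_USER, [CONTRACTORS, GENERIC]).name


if __name__ == "__main__":
    print("generic first:", wrong_order())
    print("specific first:", right_order())
    print("admin:", resolve_policy(ADMIN_USER, [ADMIN_ONLY, CONTRACTORS, GENERIC]).name)
```

A quick way to audit a configuration is to run every user through such a resolver and confirm that nobody who should be under a strict policy falls through to the generic one.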

Configuring the recent passwords storage

One of the objectives of a strong password policy is to ensure that users will regularly change their password to a new, strong, and unique password. This can be achieved by enabling these rules together:

  • Enforce the minimum password age – once enabled, users can only change their passwords if the current password has been used for at least a defined period. This is meant to prevent users from resetting their password repeatedly to circumvent the “Prevent users from reusing their past passwords” setting and reuse a favorite password immediately.
  • Prevent users from reusing their past passwords – once enabled, users will not be able to set a new password if that password was already used by them in the past.
  • Enforce the maximum password age – once enabled, users will have to change their passwords if the current password has been in use for a defined period.

Users’ past passwords are stored in the user meta table, secured using the same hashing technique that WordPress uses for “regular” passwords.

By default, 24 past passwords are stored. Combined with the minimum password age, this will prevent your users from reusing their past passwords; otherwise, they might reset their passwords multiple times to continue using their “favorite” password.

A valid value of this field is an integer between 0 and 1000. To turn this feature off, set the value to “0” (zero).
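The interplay of the three rules (minimum age, maximum age, and the 24-entry hashed history) described in this section and in the rule descriptions above is shown in the following added Python example. It is not the plugin’s code: WordPress hashes passwords with its own wp_hash_password routine, and here salted PBKDF2-HMAC-SHA256 stands in for it, with a low iteration count chosen only to keep the demo fast. The reference time, the sample passwords and the 24/2/30 defaults are constructed from the documented values.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Demo cost parameter for PBKDF2; a stand-in for WordPress's own password hashing
# (wp_hash_password), which the plugin reuses for stored past passwords.
PBKDF2_ITERATIONS = 10_000
SALT_BYTES = 16

# Constructed reference time so the age checks are reproducible.
NOW = datetime(2024, 1, 31, 12, 0, 0)


def days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def was_used_before(password: str, history: list) -> bool:
    """'Prevent users from reusing their past passwords': compare against every stored hash."""
    return any(verify_password(password, entry) for entry in history)


def record_password(history: list, password: str, limit: int = 24) -> list:
    """Append the new password's hash and keep only the most recent `limit` entries.
    A limit of 0 turns storage off, as the documentation describes."""
    if limit == 0:
        return []
    return (history + [hash_password(password)])[-limit:]


def minimum_age_blocks_change(last_set: datetime, now: datetime = NOW, min_age_days: int = 2) -> bool:
    """'Enforce the minimum password age': a change is refused until the password is min_age_days old."""
    return now - last_set < timedelta(days=min_age_days)


def maximum_age_requires_change(last_set: datetime, now: datetime = NOW, max_age_days: int = 30) -> bool:
    """'Enforce the maximum password age': a change is required once the password is max_age_days old."""
    return now - last_set >= timedelta(days=max_age_days)


def evaluate_change(new_password: str, history: list, last_set: datetime, now: datetime = NOW) -> tuple:
    """Combine the rules for a password change request; returns (allowed, reason)."""
    if minimum_age_blocks_change(last_set, now):
        return False, "minimum password age not reached"
    if was_used_before(new_password, history):
        return False, "password was used in the past"
    return True, "ok"


if __name__ == "__main__":
    history = []
    for i in range(30):                       # 30 changes, only the last 24 are retained
        history = record_password(history, f"password-{i}")
    print(len(history), "hashes retained")
    print(evaluate_change("password-29", history, days_ago(3)))   # reuse of a retained password
    print(evaluate_change("password-0", history, days_ago(3)))    # dropped from the 24-entry history
    print(evaluate_change("brand-new", history, days_ago(1)))     # too soon after the last change
    print("rotation due:", maximum_age_requires_change(days_ago(30)))
```

The run with 30 changes illustrates why the minimum age matters: with a history of 24 entries, a user who could change their password at will could cycle through 25 throwaway passwords in minutes and return to the original one; a 2-day minimum age stretches that cycle to over seven weeks, longer than the 30-day maximum age forces a rotation anyway.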