We have already noticed other sites requiring their users to have a strong password. Bluehost requires their users to have a strong password for email in cPanel. Ars Technica wrote a great article on why passwords have never been weaker — and crackers have never been stronger. While WordPress has a password strength meter that shows users how strong their password is, it does not enforce the strength. Having an administrator or editor level user with a weak password can present a security risk. In this article, we will show you how to force strong passwords on users in WordPress.
We will use the plugin Force Strong Passwords. This plugin duplicates the WordPress JavaScript password strength check in PHP, and forces users with executive powers to use a strong password.
So basically any user that has the capability to publish posts, upload files, or edit published posts must have a strong password. This means all user roles except for Contributor and Subscriber.
All you have to do is install and activate the plugin. It will take care of the rest.
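What server-side enforcement of this kind involves, as an added example that is not the plugin's own code: it hooks WordPress's user_profile_update_errors action and rejects a weak password for any user holding one of the three capabilities named above. The wpb_example_* names and the strength rule (length plus character classes) are assumptions for illustration; the plugin ports WordPress's own strength meter instead.

```php
<?php
// Added example, not the Force Strong Passwords plugin's code.
// Capabilities named in the article; holding any one of them triggers enforcement.
const WPB_EXAMPLE_CAPS = array( 'publish_posts', 'upload_files', 'edit_published_posts' );

// Hypothetical strength rule (an assumption, not WordPress's meter): length of at
// least 12, at least 3 of 4 character classes, and the username not contained in it.
function wpb_example_is_strong( $password, $username ) {
    if ( strlen( $password ) < 12 ) {
        return false;
    }
    if ( '' !== $username && false !== stripos( $password, $username ) ) {
        return false;
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $pattern ) {
        $classes += (int) preg_match( $pattern, $password );
    }
    return $classes >= 3;
}

// True when the account being saved holds (or is about to be given) a listed capability.
function wpb_example_needs_strong( $update, $user ) {
    // On the add-user screen there is no ID yet, so fall back to the submitted role.
    $role = ! empty( $user->role ) ? get_role( $user->role ) : null;
    foreach ( WPB_EXAMPLE_CAPS as $cap ) {
        if ( $update && user_can( (int) $user->ID, $cap ) ) {
            return true;
        }
        if ( $role && $role->has_cap( $cap ) ) {
            return true;
        }
    }
    return false;
}

function wpb_example_enforce( $errors, $update, $user ) {
    // pass1 is the new-password field on the profile and add-user screens.
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password || ! wpb_example_needs_strong( $update, $user ) ) {
        return; // No password change submitted, or the account is low-privilege.
    }
    $login = isset( $user->user_login ) ? wp_unslash( $user->user_login ) : '';
    if ( ! wpb_example_is_strong( $password, $login ) ) {
        // Any error added here makes WordPress abort the save and show the message.
        $errors->add( 'pass', 'Please choose a stronger password.', array( 'form-field' => 'pass1' ) );
    }
}
add_action( 'user_profile_update_errors', 'wpb_example_enforce', 10, 3 );
```

This hook covers only the profile and add-user screens; the password reset form fires a separate action, validate_password_reset, which would need the same check.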
Are you using a strong password on your site?







Any ideas on how to implement this same approach but for all users; even ‘subscribers’?
Yes, you would have to use the slt_fsp_weak_roles filter. Haven’t tried the code below, but something like this should work:

    add_filter( 'slt_fsp_weak_roles', 'wpb_weak_roles' );

    function wpb_weak_roles( $roles ) {
        // Return an empty list so that no role is treated as weak (exempt from the check).
        return array();
    }

Thank you! I’m surprised WordPress hasn’t implemented a simple ‘tick box’ option to increase security password requirements with all the brute force attacks lately. I’ll give this a go.
Great concept. Looking at the “support” page at WordPress’s plugins site, the developers haven’t responded to support messages and don’t appear to have any reputation in the security world.
I want to stress, I love the idea. But I am not wowed by what I’m seeing of the “company” or developers behind the software, and for something like security, that makes me nervous. I’m gonna pass for now.
Often developers build their plugins out of their free time. Having built several ourselves, we know how hard it is to support them, especially when you are not getting anything in return. This plugin’s author has updated his GitHub page for the plugin. That seems to be running version 1.1 which has a lot of upgrades and fixes.
If they have (simply) converted the WordPress strength test to PHP then they don’t need to have a reputation in the security world. It is not really “new” code, just ported code.