How to Force Users to Change Passwords in WordPress – Expire Password

Do you want to force users to change passwords in WordPress?

Improve your WordPress website’s security by forcing regular password changes. This simple step makes it significantly harder for hackers to compromise your site, protecting your data and that of your users.

In this article, we will show you how to force users to change passwords in WordPress by expiring their passwords after a given time period.

When and Why Force WordPress Users to Change Passwords?

80% of data breaches involve weak or stolen passwords. Regular changes disrupt hackers’ attempts.

Hackers will try to repeatedly access your account regularly over a period of time. In this case, you’ll prevent brute-force attacks made by people with malicious intent.

Most new users are prone to using weak passwords or the same password as their other accounts since they’re easy to remember. If a hacker gets into your WordPress site, it can compromise the security of all other users.

But forcing password changes isn’t possible for admin users. You should also force changes on membership users and returning customers. For instance, when customers register on your WooCommerce store or membership site, they receive the password via email. As such, forcing regular password changes will help mitigate phishing attempts made through email.

Also, if you run a multi-user WordPress site, then you should ask users to update passwords after a specific amount of time.

On the other hand, if you recently noticed suspicious activity on your WordPress site, then you should immediately expire all existing user passwords and ask everyone to update their passwords.

Having said that, let’s see how you can expire passwords and force users to change passwords in WordPress.

Force Users to Change Passwords in WordPress

The best way to force users to change passwords in WordPress is by using the Password Policy Manager plugin. It allows you to easily create and enforce strong and secure password policies.

To get started, you’ll need to install and activate the Password Policy Manager plugin. For more details, check out our tutorial on how to install a WordPress plugin.

From here, you’ll need to head over to the Password Policy Manager » Password Policy Manager page. Then, under the Policy Settings » For All Users tab, you’ll see various password policy settings that you can set.

First, ensure that you turn on the big toggle button that says ‘Enable all settings.’ Below that, you can check off all the password policy rules that you want to enforce every time a new user needs to create a new password.

The options include:

• Must contain lower and uppercase letters
• Must contain numeric digits
• Must contain special characters
• Length of password between 8 and 25

We recommend keeping these boxes checked off since these are best practices for having a strong password. You may also want to read our guide on how to add a simple user password generator in WordPress.

Below that, you’ll need to check the box that says ‘Force Reset Password on first login.’ This helps to prevent new users from using the same password as their other online accounts and ensures they set up a strong password right off the bat.

Then, you’ll need to turn on the option ‘Enable Password Expiry’ so that you set a specific expiration time that forces all site users to change their password. Next to that, you can set the number of weeks you’d like to force the change.

After that, you can also hit the ‘Save Settings’ button.

Underneath the save settings, you’ll see an option to reset your password with one click. If you or your users haven’t reset your password in a while, it’s a good idea to hit the ‘Reset Password’ button.

This automatically terminates all logged-in sessions from users and forces them to reset their passwords.

All users will receive an email with a link to reset their passwords.

Just click the link in the email.

You’ll be taken to your WordPress login screen, where you enter your current and new password.

We recommend using a secure password generator rather than trying to come up with something you can memorize. Then, a password manager like 1Password or LastPass can be used to store it.

From here, click ‘Change Password.’

Then, you’ll be taken back to your WordPress login page, where you can enter your new credentials.

You can also go to the Password Policy Manager » Reports page. Here is where you’ll find all the login attempts made by users. It is good to check periodically to see if any suspicious attempts have been made to your WordPress site. If so, you can easily perform the one-click reset we’ve just mentioned.

To see data, you’ll need to toggle the ‘Enable Report Entry’ tab.

And that’s it! You’ve now successfully set up your WordPress site so that it forces all users to change passwords after the expiration date.

Troubleshooting Tips

What If My Users Never Recieve Their Emails?

In case your users are not receiving email notifications to reset their passwords, then any number of things could be happening. Please take a look at our guide on how to fix WordPress not sending email issue.

What If I Can’t Get Into the WordPress Admin Area To Reset My Password?

If you somehow can’t get inside the WordPress admin area, then take a look at our guide on what to do when you are locked out of the WordPress admin area.

We hope this article helped you learn how to force users to change passwords in WordPress. You may also want to see our ultimate WordPress security guide to help improve your website security or our list of the most common WordPress errors and how to fix them.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.