How to Force Strong Passwords on Users in WordPress (2 Ways)

Do you want to force a strong password on users in WordPress?

Enforcing strong passwords for users creating an account on your website is a great way to improve your WordPress website security.

In this article, we’ll show you how to force a strong password on users in WordPress and improve website security.

Why Enforce Strong Passwords for Your WordPress Users?

A strong password makes it more difficult for a hacker to use brute force attacks to access your site. If you’ve spent time optimizing your WordPress website security, then you’ll also want to protect your login pages by using a strong password.

However, if you have an online store, membership site, or multi-author blog, there’s a risk that your customers or other site users will make your website vulnerable to hackers by using weak passwords that are easily guessed with brute force attacks.

Having users with weak passwords can present a security risk, especially those with high-level user roles like admins and editors.

WordPress has a built-in strength meter that shows users how strong a password is when they create an account, but it doesn’t enforce that strength.

Luckily, you can use a WordPress plugin to force your users to create a strong password when creating an account on your WordPress website.
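
To show what enforcing means beyond the strength meter, here is an added example (not code from this article or from either plugin below) that rejects weak passwords on the server using WordPress's `user_profile_update_errors` and `validate_password_reset` hooks. The 12-character policy and the `wpb_example_*` function names are assumptions.

```php
<?php
/**
 * Added example: reject weak passwords on the server instead of only
 * showing the strength meter. Policy values and the wpb_example_* names
 * are assumptions, not settings taken from the article or its plugins.
 */

// Return a list of policy violations for a candidate password.
function wpb_example_password_problems( $password, $user_login = '' ) {
	$problems = array();
	if ( strlen( $password ) < 12 ) {
		$problems[] = 'Password must be at least 12 characters long.';
	}
	if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
		$problems[] = 'Password must mix upper- and lower-case letters.';
	}
	if ( ! preg_match( '/\d/', $password ) ) {
		$problems[] = 'Password must contain a digit.';
	}
	if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
		$problems[] = 'Password must not contain the username.';
	}
	return $problems;
}

// Copy violations into the WP_Error object so WordPress refuses to save.
function wpb_example_report( $errors, $password, $user_login ) {
	foreach ( wpb_example_password_problems( $password, $user_login ) as $i => $message ) {
		$errors->add( 'weak_password_' . $i, '<strong>Error:</strong> ' . $message );
	}
}

// Profile screen and "Add New User": the new password is in $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( ! empty( $user->user_pass ) ) {
		$login = isset( $user->user_login ) ? $user->user_login : '';
		wpb_example_report( $errors, $user->user_pass, $login );
	}
}, 10, 3 );

// "Lost your password?" reset form: the new password arrives as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( ! empty( $_POST['pass1'] ) && $user instanceof WP_User ) {
		wpb_example_report( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login );
	}
}, 10, 2 );
```

Because the check runs in PHP on the server, it still applies when the browser-side strength meter is bypassed or JavaScript is disabled.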

With that said, let’s show you how to force a strong password on your WordPress users.

Method 1. Forcing a Strong Password on WordPress Users with iThemes Security

The easiest way to force strong passwords on your users is with a WordPress security plugin.

We recommend iThemes Security since it lets you force strong passwords with a couple of clicks.

Note: The premium version offers security hardening, file integrity checks, 404 detections, and more, but we’ll use the free version for this tutorial since it has password protection features. 

The first thing you need to do is install and activate the plugin. For more details, see our guide on how to install a WordPress plugin.

Upon activation, go to Security » Setup to choose your security settings. There’s a setup wizard that will walk you through configuring the security plugin for your needs.

First, click on the option for the type of website you have. We’ll select the ‘Blog’ option.

After that, choose whether it’s a personal or client site.

We’re selecting ‘Self’ for this tutorial.

Next, there’s a toggle to turn on a strong password policy for your users.

You need to click the toggle to enforce a strong password for your users and click ‘Next’.

Now, you’ve successfully forced users to have a strong password. There are a variety of other settings you can enable to make your login even more secure. 

If you want to enable two-factor authentication, then click the toggle and click the ‘Next’ button.

After that, you’ll be asked if you want to enable a few more security settings. You can simply click ‘Next’.

Then, you’ll get to a screen where you can force strong passwords and change other settings by user role.

The first screen will be your security settings for admin users.

You can turn on strong passwords and refuse to let users register with a compromised password that’s been previously used on other sites.

To change the security settings for other users, simply click the ‘Administrators’ drop down and select a new option. 

Once you’re finished, click the ‘Next’ button.

This will walk you through the rest of the setup wizard to enable additional security settings for your website. 

If you want to change your password settings in the future, then go to Security » Settings, click on ‘User Groups’, and select the group you want to change.

After you’re done, make sure to click the ‘Save’ button to save your settings. 

Method 2. Forcing a Strong Password on WordPress Users with Password Policy Manager

Another way to force strong passwords on your WordPress blog is by using the Password Policy Manager plugin. It lets you easily create strong password rules your users must follow, but doesn’t have other security features to protect your site like iThemes Security does.

The first thing you need to do is install and activate the plugin. For more details, see our beginner’s guide on how to install a WordPress plugin.

After activation, you’ll have a new menu option called ‘miniOrange Password Policy’ in your WordPress admin panel. You need to click this to set up your password rules.

Then, click on the ‘Password Policy Settings’ toggle to turn on your strong password settings.

After that, you can set your strong password settings. Simply check the boxes for the password requirements you want to set.

Next, set the required password length.

After that, you can choose to have passwords expire after a set time period.

If you want to enable this, then click the ‘Enable expiration time’ toggle and enter the time in number of weeks.

Once you’re finished, make sure to click the ‘Save Settings’ button.

You can also reset all of your users’ passwords at any time.

Simply click the ‘Reset Password’ button, and all of your users will be prompted to create new strong passwords.

We hope this article helped you learn how to force strong passwords on users in WordPress.

Reader Interactions

14 Comments

    • Thank you for the update, we will keep an eye out for a plugin we would recommend for an alternative :)

      Admin

  1. Is there any function in this plugin to change the password level? I was looking into this issue for over a month.

  2. It does not sound like the “Force Strong Passwords” plugin is as safe as it is touted to be if it does not block emailing the password in unencrypted form.

  3. Not to mention that the “Force Strong Passwords” plugin does nothing to prevent emailing of the strong password during User setup…

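    • Yes, you would have to use the slt_fsp_weak_roles filter. Haven’t tried the code below, but something like this should work:

      add_filter( 'slt_fsp_weak_roles', 'wpb_weak_roles' );
      // Add a role slug to the array passed through the slt_fsp_weak_roles filter.
      function wpb_weak_roles( $roles ) {
          $roles[] = ''; // role slug goes here (left empty in the original comment)
          return $roles;
      }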
      

      Admin

      • Thank you! I’m surprised WordPress hasn’t implemented a simple ‘tick box’ option to increase security password requirements with all the brute force attacks lately. I’ll give this a go.

  4. Great concept. Looking at the “support” page at WordPress’s plugins site, the developers haven’t responded to support messages and don’t appear to have any reputation in the security world.

    I want to stress, I love the idea. But I am not wowed by what I’m seeing of the “company” or developers behind the software, and for something like security, that makes me nervous. I’m gonna pass for now.

    • Often developers build their plugins in their free time. Having built several ourselves, we know how hard it is to support them, especially when you are not getting anything in return. This plugin’s author has updated his GitHub page for the plugin. That seems to be running version 1.1, which has a lot of upgrades and fixes.

      Admin

    • If they have (simply) converted the WordPress strength test to PHP then they don’t need to have a reputation in the security world. It is not really “new” code, just ported code.
