
How to Force Strong Password on Users in WordPress

We have noticed other sites requiring their users to have a strong password. Bluehost, for example, requires a strong password for email in cPanel. Ars Technica wrote a great article on why passwords have never been weaker — and crackers have never been stronger. WordPress has a password strength meter that shows users how strong their password is, but it does not enforce that strength. An administrator or editor level user with a weak password is a security risk. In this article, we will show you how to force strong passwords on users in WordPress.


We will use the plugin Force Strong Passwords. This plugin duplicates the WordPress JavaScript password strength check in PHP, and forces users with executive powers to use a strong password.

In other words, any user who has the capability to publish posts, upload files, or edit published posts must have a strong password. This means all user roles except for Contributor and Subscriber.

All you have to do is install and activate the plugin. It will take care of the rest.
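
To see what this kind of server-side enforcement looks like, here is a sketch of a capability-based check. It is an added example, not the Force Strong Passwords plugin's code: the `wpb_example_*` names and the strength rule (12+ characters, three of four character classes) are assumptions for illustration, while the hooks and capabilities are WordPress core's.

```php
<?php
// Added example, not the Force Strong Passwords plugin's code.
// Capabilities named in the article; holding any one triggers enforcement.
const WPB_EXAMPLE_CAPS = array( 'publish_posts', 'upload_files', 'edit_published_posts' );

// Assumed rule for illustration: 12+ characters and 3 of 4 character classes.
function wpb_example_is_strong( $password ) {
	$classes = preg_match( '/[a-z]/', $password ) + preg_match( '/[A-Z]/', $password )
		+ preg_match( '/[0-9]/', $password ) + preg_match( '/[^a-zA-Z0-9]/', $password );
	return strlen( $password ) >= 12 && $classes >= 3;
}

// True if the account holds (or is being given a role with) an enforced capability.
function wpb_example_needs_strong( $user ) {
	$role = empty( $user->role ) ? null : get_role( $user->role );
	foreach ( WPB_EXAMPLE_CAPS as $cap ) {
		if ( ! empty( $user->ID ) && user_can( $user->ID, $cap ) ) {
			return true; // existing user already has the capability
		}
		if ( $role && $role->has_cap( $cap ) ) {
			return true; // role submitted with the form grants it
		}
	}
	return false;
}

// Shared check: record an error instead of letting WordPress save the password.
function wpb_example_check( $errors, $user, $password ) {
	if ( '' !== $password && wpb_example_needs_strong( $user ) && ! wpb_example_is_strong( $password ) ) {
		$errors->add( 'pass', 'Please choose a stronger password.' );
	}
}

// Profile created or updated in wp-admin; user_pass is set only when a password was submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	wpb_example_check( $errors, $user, isset( $user->user_pass ) ? $user->user_pass : '' );
}, 10, 3 );

// Password-reset form; without this hook a reset would bypass the profile check.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( $user instanceof WP_User && isset( $_POST['pass1'] ) ) {
		wpb_example_check( $errors, $user, (string) $_POST['pass1'] );
	}
}, 10, 2 );
```

Passwords set through other paths, such as WP-CLI or a direct `wp_update_user()` call, do not pass through these two hooks and are not checked by this sketch.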

Are you using a strong password on your site?


14 Comments

    • Thank you for the update, we will keep an eye out for a plugin we would recommend for an alternative :)

      Admin

  1. Is there any function in this plugin to change the password level? I was looking for this issue over a month.

  2. It does not sound like the “Force Strong Passwords” plugin is as safe as it is touted to be if it does not block emailing the password in unencrypted form.

  3. Not to mention that the “Force Strong Passwords” plugin does nothing to prevent emailing of strong password during User setup…

    • Yes you would have to use slt_fsp_weak_roles filter. Haven’t tried the code below, but something like this should work:

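      add_filter( 'slt_fsp_weak_roles', 'wpb_weak_roles' );
      function wpb_weak_roles( $roles ) {
          // Append a role slug to the list passed through the
          // slt_fsp_weak_roles filter (the slug is left empty here).
          $roles[] = '';
          return $roles;
      }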

      Admin

      • Thank you! I’m surprised WordPress hasn’t implemented a simple ‘tick box’ option to increase security password requirements with all the brute force attacks lately. I’ll give this a go.

  4. Great concept. Looking at the “support” page at WordPress’s plugins site, the developers haven’t responded to support messages and don’t appear to have any reputation in the security world.

    I want to stress, I love the idea. But I am not wowed by what I’m seeing of the “company” or developers behind the software, and for something like security, that makes me nervous. I’m gonna pass for now.

    • Often developers build their plugins out of their free time. Having built several ourselves, we know how hard it is to support them, especially when you are not getting anything in return. This plugin’s author has updated his GitHub page for the plugin. That seems to be running version 1.1 which has a lot of upgrades and fixes.

      Admin

    • If they have (simply) converted the WordPress strength test to PHP then they don’t need to have a reputation in the security world. It is not really “new” code, just ported code.
