How to Force Strong Passwords on Users in WordPress (2 Ways)

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Do you want to force users to use a strong password on your WordPress site?

A great way to improve your WordPress website security is to make your users create a strong password when signing up with a new account.

In this article, we will show you how to force a strong password on users in WordPress and improve website security.

Why Enforce Strong Passwords for Your WordPress Users?

Strong passwords make it more difficult for hackers to use brute force attacks to access your site. If you’ve spent time optimizing your WordPress website security, then you’ll also want to protect your login pages by using a strong password.

However, if you have an online store, membership site, or multi-author blog, there’s a risk that your customers or other site users will make your website vulnerable to hackers by using weak passwords that are easily guessed with brute force attacks.

Having users with weak passwords can present a security risk, especially those with high-level user roles like admins and editors.

WordPress has built-in settings that will show users how strong the password is when creating an account, but it doesn’t enforce its strength. 

Luckily, you can use a WordPress plugin to force your users to create a strong password when creating an account on your WordPress website.
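One way to enforce a password policy on the server with WordPress hooks, as an added example that is not code from this article or from either plugin covered below. The `example_*` function names, the 12-character minimum, and the three-character-class rule are assumptions chosen for illustration.

```php
<?php
// Added example: a minimal must-use plugin (assumed path wp-content/mu-plugins/).
// Policy thresholds and example_* names are illustrative assumptions.

// Return policy violations; an empty array means the password passes.
function example_password_problems( string $password, string $login = '' ): array {
    $problems = array();
    if ( strlen( $password ) < 12 ) { // strlen() counts bytes, not characters
        $problems[] = 'Use at least 12 characters.';
    }
    $classes = 0; // how many of lower/upper/digit/symbol are present
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        $classes += preg_match( $re, $password );
    }
    if ( $classes < 3 ) {
        $problems[] = 'Mix at least three of: lowercase, uppercase, digits, symbols.';
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        $problems[] = 'Do not include your username in the password.';
    }
    return $problems;
}

// Copy violations into the WP_Error that WordPress renders on the form.
function example_add_password_errors( $errors, string $password, string $login ): void {
    foreach ( example_password_problems( wp_unslash( $password ), $login ) as $i => $msg ) {
        $errors->add( "example_weak_password_$i", $msg );
    }
}

if ( function_exists( 'add_action' ) ) {
    // Profile edits and admin-created users: edit_user() has already put the
    // submitted password in $user->user_pass when this hook fires.
    add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
        if ( ! empty( $user->user_pass ) ) {
            example_add_password_errors( $errors, $user->user_pass, $user->user_login ?? '' );
        }
    }, 10, 3 );
    // Password-reset form: the new password arrives as $_POST['pass1'].
    add_action( 'validate_password_reset', function ( $errors, $user ) {
        $pass = $_POST['pass1'] ?? null;
        if ( is_string( $pass ) && $user instanceof WP_User ) {
            example_add_password_errors( $errors, $pass, $user->user_login );
        }
    }, 10, 2 );
} else {
    // Stand-alone run (php example.php) on a constructed weak password.
    print_r( example_password_problems( 'alice2024', 'alice' ) );
}
```

These two hooks cover only the core profile, add-user, and password-reset screens. Registration or checkout forms provided by other plugins, and passwords set programmatically, go through different code paths and need their own checks.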

With that said, let’s take a look at how to force a strong password on your WordPress users.

Method 1: Forcing Strong Passwords With iThemes Security

The easiest way to force strong passwords is with a WordPress security plugin. We recommend iThemes Security since it lets you force strong passwords with a couple of clicks.

There is a premium version that offers security hardening, file integrity checks, 404 detections, and more, but we will use the free version for this tutorial since it has password protection features. 

The first thing you need to do is install and activate the plugin. For more details, see our guide on how to install a WordPress plugin.

Upon activation, go to Security » Setup to choose your security settings. There’s a setup wizard that will walk you through configuring the security plugin for your needs.

First, click on the option for the type of website you have. We will select the ‘Blog’ option.

After that, you need to choose whether it’s a personal or client site.

We are selecting ‘Self’ for this tutorial.

Next, there’s a toggle to turn on a strong password policy for your users.

You need to click the toggle to enforce a strong password for your users and click ‘Next’.

Now, you’ve successfully forced users to have a strong password. There are a variety of other settings you can enable to make your login even more secure. 

If you want to enable two-factor authentication, then click the toggle to the On position and then click the ‘Next’ button.

After that, you’ll be asked if you want to enable a few more security settings. You can simply click ‘Next’, and you’ll get to a screen where you can force strong passwords and change other settings by user role.

The first screen will be your security settings for admin users.

You can turn on strong passwords and refuse to let users register with a compromised password that’s been previously used on other sites.

To change the security settings for other users, simply click the ‘Administrators’ drop-down and select a new option. 

Once you are finished, click the ‘Next’ button.

This will walk you through the rest of the setup wizard to enable additional security settings for your website. 

If you want to change your password settings in the future, then go to Security » Settings, click on ‘User Groups,’ and select the group you want to change.

After you are done, make sure to click the ‘Save’ button to save your settings. 

Method 2: Forcing Strong Passwords With Password Policy Manager

Another way to force strong passwords on your WordPress blog is by using the Password Policy Manager plugin. It lets you easily create strong password rules your users must follow but doesn’t have other security features to protect your site as iThemes Security does.

The first thing you need to do is install and activate the plugin. For more details, see our beginner’s guide on how to install a WordPress plugin.

After activation, you’ll have a new menu option called ‘miniOrange Password Policy’ in your WordPress admin panel. You need to click this to set up your password rules.

Then, click on the ‘Password Policy Settings’ toggle to turn on your strong password settings.

After that, you can set your strong password settings. Simply check the boxes for the password requirements you want to set.

Next, set the required password length.

After that, you can choose to have passwords expire after a set time period.

If you wish to enable this, then you should click the ‘Enable expiration time’ toggle and then enter the expiration time in weeks.

Once you are finished, make sure to click the ‘Save Settings’ button.

You can also reset all of your users’ passwords at any time. Simply click the ‘Reset Password’ button, and all of your users will be prompted to create new strong passwords.

We hope this article helped you learn how to force strong passwords on users in WordPress.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

Reader Interactions

17 Comments

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Mrteesurez says

    Good job here.
    But my question is, why is there a risk when my site users use weak passwords when they are not actually the admins?
    Also, thanks for that plugin Password Policy Manager, I love how it works.
    My websites are becoming more professional by implementing your guides. I appreciate.

    • WPBeginner Support says

      The chances are very low but if there is a plugin or theme with a vulnerability that only requires a user on the site then hackers could target your users instead of your admins.

      Admin

    • WPBeginner Support says

      Thank you for the update, we will keep an eye out for a plugin we would recommend for an alternative :)

      Admin

  3. Bobby says

    Is there any function in this plugin to change the password level? I was looking for this issue over a month.

  4. CST says

    It does not sound like the “Force Strong Passwords” plugin is as safe as it is touted to be if it does not block emailing the password in unencrypted form.

  5. dwf says

    Not to mention that the “Force Strong Passwords” plugin does nothing to prevent emailing of strong password during User setup…

      • Chris Miller says

        Thank you! I’m surprised WordPress hasn’t implemented a simple ‘tick box’ option to increase security password requirements with all the brute force attacks lately. I’ll give this a go.

  6. Sara says

    Great concept. Looking at the “support” page at WordPress’s plugins site, the developers haven’t responded to support messages and don’t appear to have any reputation in the security world.

    I want to stress, I love the idea. But I am not wowed by what I’m seeing of the “company” or developers behind the software, and for something like security, that makes me nervous. I’m gonna pass for now.

    • Editorial Staff says

      Often developers build their plugins out of their free time. Having built several ourselves, we know how hard it is to support them, especially when you are not getting anything in return. This plugin’s author has updated his GitHub page for the plugin. That seems to be running version 1.1, which has a lot of upgrades and fixes.

      Admin

    • Damien says

      If they have (simply) converted the WordPress strength test to PHP then they don’t need to have a reputation in the security world. It is not really “new” code, just ported code.
