Do you want to force users to change passwords in WordPress? If you are worried that your WordPress security may have compromised, then you should reset all passwords immediately. In this article, we will show you how to force users to change passwords in WordPress by expiring their passwords after a given time period.
When and Why Force WordPress Users to Change Passwords?
Many large organizations such as banks, government agencies, universities, require all users to change their passwords regularly. This prevents unauthorized access and prevents hackers from logging in with a stolen password.
If you run a multi-user WordPress site, then you should ask users to update passwords after a specific amount of time. We will show you how to set this up in WordPress later in this article.
On the other hand, if you recently noticed a suspicious activity on your WordPress site, then you should immediately expire all existing user passwords and ask users to update passwords.
Having said that, let’s see how you can expire passwords and force users to change passwords in WordPress.
Force Users to Change Passwords in WordPress
First thing you need to do is install and activate the Expire Passwords plugin. For more details, see our step by step guide on how to install a WordPress plugin.
Upon activation, you need to visit Users » Expire Passwords page to configure plugin settings.
The first option on the settings page allows you to set number of days after which a user must change their password.
Next, you can select user roles on which this policy applies. Ideally, you should select all user roles except administrator. However, if you are not the only administrator on your website, then you should check administrators as well.
Don’t forget to click on the save changes button to store your settings.
Now when a user signs in after the specified period, they will be redirected to password reset screen.
Quickly Expire All User Passwords in WordPress
The plugin we mentioned above allows you to set a password update policy for your website. However, sometimes due to a hacking attempt you may need to immediately reset all user passwords.
First you will need to install and activate the Emergency Password Reset plugin.
Upon activation, you need to visit Users » Emergency Password Reset page and click on ‘Reset All Passwords’ button.
That’s all, the plugin will immediately reset passwords for all WordPress users including administrators. It will also send an email to all users with instructions to reset their passwords.
How to Manage WordPress Passwords
Stronger passwords are difficult to remember. We all have so many online accounts that it is impossible to use a unique password for each account and then remember all of them.
However, this excuse is not valid anymore since there are already apps and tools to manage all your passwords. Take a look at our guide on the best way to manage passwords for WordPress beginners.
Troubleshooting Tips
In case you are not receiving email notifications then please take a look at our guide on how to fix WordPress not sending email issue.
If you somehow can’t get inside WordPress admin area, then take a look at our guide on what to do when you are locked out of the WordPress admin area.
That’s all, we hope this article helped you learn how to force users to change passwords in WordPress. You may also want to see our ultimate WordPress security guide to help improve your website security.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.a
WPBeginner Support says
Hey WPBeginner readers,
Did you know you can win exciting prizes by commenting on WPBeginner?
Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
You can get more details about the contest from here.
Start sharing your thoughts below to stand a chance to win!
Admin
Marko says
Article need update.
WPBeginner Support says
Thank you for letting us know, we will look into updating the article when we are able
Admin
Shallum Vohr says
How to force user to update password on first login only?
Millie Aveyard says
Very difficult for older people like me, to remember all the different passwords in their lives! Everything these days seem to have passwords of one form or another!
Even if you write the passwords down in your little book, at the time you need the new password, you have left the little book in the car, and the roundabout starts once more!
I can’t be the only one to have to stop and think about all the different passwords that I use each day!
WPBeginner Support says
Please see our guide on how to manage passwords for WordPress beginners. We use LastPass to store and manage all our passwords. It is a browser extension that sits in your web browser. It can save and automatically fill in your passwords for you. It can also generate strong passwords for you when you are creating a new account.
Admin
Remi says
Very nice idea! It’s a great to give more security to the administration!
Daniel says
Good post – I have now configured the plugin on my blog site. I would strongly recommend also the following:
1) You remove the admin user altogether – here you create another user who has the admin role, login as them the delete the existing admin user; ensuring you click on the option to transfer admin’s previous posts to you
2) The ‘admin’ ( role user) password is complex – use oninepasswordgenerator.com or similar
3) finally, you must must,mus,t install the “Limit Login attempts” plugin … This is a work of genius and is regularly blocking the 10 or so attempts per day to login into my blog. Set long lockout times and get the plugin to email you (new admin user ) after 2 lockouts
Navneet says
This is a very good post ……