Beginner's Guide for WordPress / Start your WordPress Blog in minutes

How to Force Users to Change Passwords in WordPress – Expire Password

Do you want to force users to change passwords in WordPress? If you are worried that your WordPress security may have compromised, then you should reset all passwords immediately. In this article, we will show you how to force users to change passwords in WordPress by expiring their passwords after a given time period.

Force password change for all users in WordPress

When and Why Force WordPress Users to Change Passwords?

Many large organizations such as banks, government agencies, universities, require all users to change their passwords regularly. This prevents unauthorized access and prevents hackers from logging in with a stolen password.

If you run a multi-user WordPress site, then you should ask users to update passwords after a specific amount of time. We will show you how to set this up in WordPress later in this article.

On the other hand, if you recently noticed a suspicious activity on your WordPress site, then you should immediately expire all existing user passwords and ask users to update passwords.

Having said that, let’s see how you can expire passwords and force users to change passwords in WordPress.

Force Users to Change Passwords in WordPress

First thing you need to do is install and activate the Expire Passwords plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit Users » Expire Passwords page to configure plugin settings.

Setup a policy to expire passwords

The first option on the settings page allows you to set number of days after which a user must change their password.

Next, you can select user roles on which this policy applies. Ideally, you should select all user roles except administrator. However, if you are not the only administrator on your website, then you should check administrators as well.

Don’t forget to click on the save changes button to store your settings.

Now when a user signs in after the specified period, they will be redirected to password reset screen.

Password reset screen

Quickly Expire All User Passwords in WordPress

The plugin we mentioned above allows you to set a password update policy for your website. However, sometimes due to a hacking attempt you may need to immediately reset all user passwords.

First you will need to install and activate the Emergency Password Reset plugin.

Upon activation, you need to visit Users » Emergency Password Reset page and click on ‘Reset All Passwords’ button.

Reset all passwords in WordPress

That’s all, the plugin will immediately reset passwords for all WordPress users including administrators. It will also send an email to all users with instructions to reset their passwords.

How to Manage WordPress Passwords

Stronger passwords are difficult to remember. We all have so many online accounts that it is impossible to use a unique password for each account and then remember all of them.

However, this excuse is not valid anymore since there are already apps and tools to manage all your passwords. Take a look at our guide on the best way to manage passwords for WordPress beginners.

Troubleshooting Tips

In case you are not receiving email notifications then please take a look at our guide on how to fix WordPress not sending email issue.

If you somehow can’t get inside WordPress admin area, then take a look at our guide on what to do when you are locked out of the WordPress admin area.

That’s all, we hope this article helped you learn how to force users to change passwords in WordPress. You may also want to see our ultimate WordPress security guide to help improve your website security.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.a

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

9 CommentsLeave a Reply

  1. Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!


    • Thank you for letting us know, we will look into updating the article when we are able :)


  2. Very difficult for older people like me, to remember all the different passwords in their lives! Everything these days seem to have passwords of one form or another!

    Even if you write the passwords down in your little book, at the time you need the new password, you have left the little book in the car, and the roundabout starts once more!

    I can’t be the only one to have to stop and think about all the different passwords that I use each day!

  3. Good post – I have now configured the plugin on my blog site. I would strongly recommend also the following:

    1) You remove the admin user altogether – here you create another user who has the admin role, login as them the delete the existing admin user; ensuring you click on the option to transfer admin’s previous posts to you
    2) The ‘admin’ ( role user) password is complex – use or similar
    3) finally, you must must,mus,t install the “Limit Login attempts” plugin … This is a work of genius and is regularly blocking the 10 or so attempts per day to login into my blog. Set long lockout times and get the plugin to email you (new admin user ) after 2 lockouts

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.