Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

How to Force Users to Change Passwords in WordPress – Expire Password

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Do you want to force users to change passwords in WordPress?

Improve your WordPress website’s security by forcing regular password changes. This simple step makes it significantly harder for hackers to compromise your site, protecting your data and that of your users.

In this article, we will show you how to force users to change passwords in WordPress by expiring their passwords after a given time period.


When and Why Force WordPress Users to Change Passwords?

80% of data breaches involve weak or stolen passwords. Regular changes disrupt hackers’ attempts.

Hackers will try to repeatedly access your account regularly over a period of time. In this case, you’ll prevent brute-force attacks made by people with malicious intent.

Most new users are prone to using weak passwords or the same password as their other accounts since they’re easy to remember. If a hacker gets into your WordPress site, it can compromise the security of all other users.

But forcing password changes isn’t possible for admin users. You should also force changes on membership users and returning customers. For instance, when customers register on your WooCommerce store or membership site, they receive the password via email. As such, forcing regular password changes will help mitigate phishing attempts made through email.

Also, if you run a multi-user WordPress site, then you should ask users to update passwords after a specific amount of time.

On the other hand, if you recently noticed suspicious activity on your WordPress site, then you should immediately expire all existing user passwords and ask everyone to update their passwords.

Having said that, let’s see how you can expire passwords and force users to change passwords in WordPress.

Force Users to Change Passwords in WordPress

The best way to force users to change passwords in WordPress is by using the Password Policy Manager plugin. It allows you to easily create and enforce strong and secure password policies.

Password Policy Manager plugin

To get started, you’ll need to install and activate the Password Policy Manager plugin. For more details, check out our tutorial on how to install a WordPress plugin.

From here, you’ll need to head over to the Password Policy Manager » Password Policy Manager page. Then, under the Policy Settings » For All Users tab, you’ll see various password policy settings that you can set.

First, ensure that you turn on the big toggle button that says ‘Enable all settings.’ Below that, you can check off all the password policy rules that you want to enforce every time a new user needs to create a new password.

The options include:

  • Must contain lower and uppercase letters
  • Must contain numeric digits
  • Must contain special characters
  • Length of password between 8 and 25

We recommend keeping these boxes checked off since these are best practices for having a strong password. You may also want to read our guide on how to add a simple user password generator in WordPress.

Password policy settings

Below that, you’ll need to check the box that says ‘Force Reset Password on first login.’ This helps to prevent new users from using the same password as their other online accounts and ensures they set up a strong password right off the bat.

Then, you’ll need to turn on the option ‘Enable Password Expiry’ so that you set a specific expiration time that forces all site users to change their password. Next to that, you can set the number of weeks you’d like to force the change.

After that, you can also hit the ‘Save Settings’ button.

enable password expiry

Underneath the save settings, you’ll see an option to reset your password with one click. If you or your users haven’t reset your password in a while, it’s a good idea to hit the ‘Reset Password’ button.

This automatically terminates all logged-in sessions from users and forces them to reset their passwords.

one click reset password

All users will receive an email with a link to reset their passwords.

Just click the link in the email.

reset password email

You’ll be taken to your WordPress login screen, where you enter your current and new password.

We recommend using a secure password generator rather than trying to come up with something you can memorize. Then, a password manager like 1Password or LastPass can be used to store it.

From here, click ‘Change Password.’

reset password

Then, you’ll be taken back to your WordPress login page, where you can enter your new credentials.

You can also go to the Password Policy Manager » Reports page. Here is where you’ll find all the login attempts made by users. It is good to check periodically to see if any suspicious attempts have been made to your WordPress site. If so, you can easily perform the one-click reset we’ve just mentioned.

To see data, you’ll need to toggle the ‘Enable Report Entry’ tab.

enable report entry

And that’s it! You’ve now successfully set up your WordPress site so that it forces all users to change passwords after the expiration date.

Troubleshooting Tips

What If My Users Never Recieve Their Emails?

In case your users are not receiving email notifications to reset their passwords, then any number of things could be happening. Please take a look at our guide on how to fix WordPress not sending email issue.

What If I Can’t Get Into the WordPress Admin Area To Reset My Password?

If you somehow can’t get inside the WordPress admin area, then take a look at our guide on what to do when you are locked out of the WordPress admin area.

We hope this article helped you learn how to force users to change passwords in WordPress. You may also want to see our ultimate WordPress security guide to help improve your website security or our list of the most common WordPress errors and how to fix them.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

9 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

    • WPBeginner Support says

      Thank you for letting us know, we will look into updating the article when we are able :)


  2. Millie Aveyard says

    Very difficult for older people like me, to remember all the different passwords in their lives! Everything these days seem to have passwords of one form or another!

    Even if you write the passwords down in your little book, at the time you need the new password, you have left the little book in the car, and the roundabout starts once more!

    I can’t be the only one to have to stop and think about all the different passwords that I use each day!

  3. Daniel says

    Good post – I have now configured the plugin on my blog site. I would strongly recommend also the following:

    1) You remove the admin user altogether – here you create another user who has the admin role, login as them the delete the existing admin user; ensuring you click on the option to transfer admin’s previous posts to you
    2) The ‘admin’ ( role user) password is complex – use or similar
    3) finally, you must must,mus,t install the “Limit Login attempts” plugin … This is a work of genius and is regularly blocking the 10 or so attempts per day to login into my blog. Set long lockout times and get the plugin to email you (new admin user ) after 2 lockouts

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.