Enforcing Stronger Passwords in WordPress

One area of security many WordPress users don’t think about is enforcing stronger passwords in WordPress which can reduce the risk of your WordPress blog or user accounts becoming compromised. If you happen to allow users to register for your WordPress blog you will find out that WordPress doesn’t have any password strength requirements built in by default.  It shows you the password strength via a colored bar, but it will not actually enforce stronger passwords without a separate plugin.

Example:

WP Better Security Plugin

To enforce stronger passwords in WordPress and to ensure users create stronger passwords I recommend the WP Better Security plugin. It does a lot more than just enforce stronger passwords, but let’s focus in on just that one function for this plugin for now.

Configuring Enforce Stronger Passwords

1. After you install the plugin WP Better Security, go to System Tweaks:

2. Scroll down to Strong Password Tweaks

Check mark to enable strong password enforcement then select the strong password role.  This is basically the role or higher that will enforce strong passwords. You can make it so only Administrators require strong passwords, or all contributors –> administrators, but in my case I select Subscriber. This means that every account from Subscriber to Administrator requires a strong password to be set for the account.

Automatically Creating Strong Passwords for Users

There is another WordPress plugin called WP Password Generator which I recommend using if you need to create a new user account for your WordPress blog.  This allows you to instantly generate a strong password that will also be enforced by Better WP Security so that you don’t have to manually create one and send it to the new user.

Here is a video demonstration of the WP Password Generator plugin for WordPress.

The plugin adds a “generate password” button in the new user profile screen where you can generate a password, view it or re-generate if it didn’t create a strong one (occasionally it will generate medium ones).

In Summary

Making sure you are enforcing stronger passwords in WordPress reduces the chances of accounts being compromised by a brute force attack and helps keep guest accounts and administrator accounts more secure for your WordPress blog.  It is highly recommended you enforce strong password policies for your WordPress blog. Implementing either of these plugins applies to new accounts or passwords going forward, and won’t enforce passwords updates for existing accounts (so you don’t have to worry about a negative user experience or interrupting your normal WordPress users).  It is recommended that you remind all your authors to use strong passwords and recreate a new password if needed.