Enforcing Stronger Passwords in WordPress

One area of security many WordPress users don’t think about is enforcing stronger passwords in WordPress, which reduces the risk of your WordPress blog or its user accounts being compromised. If you allow users to register for your WordPress blog, you will find that WordPress has no password strength requirements built in by default. It shows you the password strength via a colored bar, but it will not actually enforce stronger passwords without a separate plugin.

Example (screenshot: WordPress Strong Password indicator)
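As an added illustration, not part of the original post or of either plugin it recommends, here is a small mu-plugin showing how server-side enforcement works in WordPress: it hooks the core `user_profile_update_errors` and `validate_password_reset` actions and refuses to save a password that fails a policy, which the colored strength bar alone never does. The 12-character, three-character-class policy and the `mps_` function names are this example's own assumptions.

```php
<?php
// Hypothetical mu-plugin (example only): reject weak passwords server-side.
// The strength meter is client-side advice; these hooks make saving fail.

// Assumed policy: 12+ chars, three of four character classes, no username.
function mps_password_problems( $password, $login ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) {
        $problems[] = 'at least 12 characters';
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^A-Za-z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        $problems[] = 'three of lowercase, uppercase, digits, symbols';
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        $problems[] = 'must not contain the username';
    }
    return $problems;
}

// Add a WP_Error entry so core refuses to save the user/password.
function mps_check( $errors, $password, $login ) {
    if ( '' === $password ) {
        return; // no password change was submitted
    }
    $problems = mps_password_problems( $password, $login );
    if ( $problems ) {
        $errors->add( 'weak_password', 'Password is too weak: ' . implode( '; ', $problems ) . '.' );
    }
}

// Profile screen and Add New User: core passes (WP_Error, bool $update, $user).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $pass  = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    $login = isset( $user->user_login ) ? $user->user_login : '';
    mps_check( $errors, $pass, $login );
}, 10, 3 );

// Password reset form: core passes (WP_Error, WP_User|WP_Error $user).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $pass  = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    $login = ( $user instanceof WP_User ) ? $user->user_login : '';
    mps_check( $errors, $pass, $login );
}, 10, 2 );
```

Drop the file into wp-content/mu-plugins/ to load it; like the plugin described in this post, it only affects passwords set or changed after it is installed.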

WP Better Security Plugin

To enforce stronger passwords in WordPress and ensure users create stronger passwords, I recommend the WP Better Security plugin. It does a lot more than just enforce stronger passwords, but let’s focus on just that one function of the plugin for now.

Configuring Enforce Stronger Passwords

1. After you install the WP Better Security plugin, go to System Tweaks:

(Screenshot: WP Better Security plugin settings)

2. Scroll down to Strong Password Tweaks:

(Screenshot: Strong Password Tweaks)

Tick the box to enable strong password enforcement, then select the strong password role. This is the lowest role for which strong passwords will be enforced; every role at that level or higher is covered. You can make it so only Administrators require strong passwords, or everything from Contributor up to Administrator, but in my case I select Subscriber. This means that every account from Subscriber to Administrator requires a strong password to be set for the account.

Automatically Creating Strong Passwords for Users

There is another WordPress plugin called WP Password Generator which I recommend using if you need to create a new user account for your WordPress blog. It lets you instantly generate a strong password that will also pass the Better WP Security enforcement, so you don’t have to create one manually and send it to the new user.

Here is a video demonstration of the WP Password Generator plugin for WordPress.

The plugin adds a “generate password” button to the new user profile screen where you can generate a password, view it, or re-generate it if the first one wasn’t strong (occasionally it generates a medium-strength one).

In Summary

Making sure you are enforcing stronger passwords in WordPress reduces the chance of accounts being compromised by a brute force attack and helps keep guest accounts and administrator accounts more secure on your WordPress blog. It is highly recommended that you enforce strong password policies for your WordPress blog. Either of these plugins applies only to new accounts or passwords set going forward; they won’t force password updates for existing accounts (so you don’t have to worry about a negative user experience or interrupting your normal WordPress users). It is recommended that you remind all your authors to use strong passwords and to set a new password if needed.

Justin Germino
IT Security Manager by day and tech blogger and enthusiast in his spare time. Justin Germino is the owner of Dragon Blogger Technology and Entertainment.

This article has 3 comments
  1. John L Webster says:

    Justin,

    Do you know of a plugin or script that will make the default password strength indicator stronger? For example, WP thinks that long dictionary words are strong.

    1. AJ Clarke | WPExplorer says:

      I am not aware. Is there any reason why you would need this? I don’t really understand why you would use it, you can just use a third party plugin to create your strong passwords – http://strongpasswordgenerator.com/

      Is it a member site? In which case, I wouldn’t worry too much, if a user doesn’t choose a strong password it’s their fault.
