How to Enforce Strong Passwords in WordPress
One area of security many WordPress users neglect is passwords. Surely you’ve heard that using stronger passwords can help reduce the risk of your WordPress blog or user accounts becoming compromised. But do you know how to enforce strong passwords for all users?
If you allow users to register for your WordPress blog, you may have noticed that since WordPress 4.3 a better password generator and strength meter have been available. But while this makes it easy for users to create or reset their account with a strong password, it doesn’t impose any password strength requirements. This is where a plugin can come in handy to help improve WordPress security.
Enforce Strong Passwords in WordPress with Solid Security
To enforce strong passwords in WordPress and to ensure users create stronger passwords from the beginning, we recommend the Solid Security plugin. It does a lot more than enforce strong passwords, but let’s focus in on just that one function for now.
Configuring Enforce Stronger Passwords
First you’ll need to install the plugin. This is easily done from your WordPress dashboard by going to Plugins > Add New and searching for “solid security.” It should be the first result, so just click to install and activate the plugin.
With the plugin active click on the new Security menu item in your dashboard to access your Solid Security settings. As mentioned there are a TON of awesome security options. But for now click on the “Configure settings” button for Password Requirements.
This will open a popup where you can check a box to enable the Solid Security force strong passwords feature. You can also choose a minimum user role to apply this rule to: the requirement is enforced for that role and every role above it.
Depending on your website you might want to force all users to use strong passwords, in which case you’d select the “subscriber” role. But if you require folks to sign up for a subscriber account to download freebies, you may not want to discourage them by requiring a strong password. In this case, it might be better to simply apply the requirement to contributors and above.
Just save your settings and you should be good to go. Now when users register or go to update their password they’ll be forced to select a strong password.
If a user attempts to use anything other than a strong password, they should see the warning shown above. This tells them to try again with something stronger.
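If you would rather see what the server-side part of such a rule looks like, here is an added example (not Solid Security’s code) of a minimal custom plugin that rejects weak passwords on profile updates and password resets for Contributor and above, using the `user_profile_update_errors` and `validate_password_reset` hooks; the 12-character/three-class rule, the `mps_` names and the four-word denylist are assumptions for illustration.

```php
<?php
// Added example (not Solid Security code): server-side password rules for
// profile updates and password resets, enforced for Contributor and above.
// The 12-character / three-class rule and the denylist are assumptions.

const MPS_DENYLIST = array( 'password', 'wordpress', 'letmein', 'qwerty' ); // constructed sample
// Return the rules a candidate password fails; an empty array means accepted.
function mps_password_problems( $password, $user_login = '' ) {
	$problems = array();
	if ( strlen( $password ) < 12 ) {
		$problems[] = 'be at least 12 characters long';
	}
	$classes = 0;
	foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
		$classes += preg_match( $re, $password ) ? 1 : 0;
	}
	if ( $classes < 3 ) {
		$problems[] = 'use at least three of: lowercase, uppercase, digits, symbols';
	}
	$lower = strtolower( $password );
	if ( '' !== $user_login && false !== strpos( $lower, strtolower( $user_login ) ) ) {
		$problems[] = 'not contain your username';
	}
	foreach ( MPS_DENYLIST as $word ) { // also catches long dictionary words the meter rates as strong
		if ( false !== strpos( $lower, $word ) ) {
			$problems[] = 'not contain the common word "' . $word . '"';
			break;
		}
	}
	return $problems;
}

// Shared validator: $errors is a WP_Error; $user is a WP_User or an object with ->ID.
function mps_validate( $errors, $user ) {
	if ( empty( $_POST['pass1'] ) ) {
		return; // No new password submitted on this request.
	}
	$wp_user = empty( $user->ID ) ? false : get_userdata( $user->ID );
	if ( $wp_user && ! user_can( $wp_user, 'edit_posts' ) ) {
		return; // Below the Contributor threshold: not enforced here.
	}
	$login    = $wp_user ? $wp_user->user_login : ( isset( $user->user_login ) ? $user->user_login : '' );
	$problems = mps_password_problems( wp_unslash( $_POST['pass1'] ), $login );
	if ( $problems ) {
		$errors->add( 'weak_password', 'Password must ' . implode( '; ', $problems ) . '.' );
	}
}
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) { mps_validate( $errors, $user ); }, 10, 3 );
add_action( 'validate_password_reset', function ( $errors, $user ) { mps_validate( $errors, $user ); }, 10, 2 );
```

Because the check runs in PHP rather than in the browser’s strength meter, it still applies when a user disables JavaScript or submits the form directly.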
If you upgrade to Solid Security Pro you’ll also have access to malware scans, Google reCAPTCHA, user action logs, a strong password generator, password expiration and the option to enable two-factor authentication for WordPress. Basically an entire arsenal of security hardening features.
In Summary
By enforcing strong passwords in WordPress you reduce the chances of accounts being compromised by a brute force attack. It also helps keep guest and administrator accounts more secure for your WordPress blog.
Thankfully this is easy when you use a plugin like Solid Security, WordFence or even Force Strong Passwords. Any of these plugins only applies the requirement to new accounts and to passwords changed going forward, so it is a great way to reinforce your site security, but be sure to remind authors and other existing users to give their password an update as well.
Do you have any tips for stronger passwords? Or do you have a different plugin you’d recommend? Leave us a comment below.
Hey Justin, it is really important to have a strong password, I fully agree, and I think that in combination with the plugin you mentioned, another great plugin is “Limit Login Attempts” http://wordpress.org/extend/plugins/limit-login-attempts/
Justin,
Do you know of a plugin or script that will make the default password strength indicator stronger? For example, WP thinks that long dictionary words are strong.
I am not aware. Is there any reason why you would need this? I don’t really understand why you would use it; you can just use a third party plugin to create your strong passwords – http://strongpasswordgenerator.com/
Is it a member site? In which case, I wouldn’t worry too much; if a user doesn’t choose a strong password, it’s their fault.