Skip to main content
WordPress made easy with the drag & drop Total WordPress Theme.Learn More

Enforcing Stronger Passwords in WordPress

May 23, 2014

One area of security many WordPress users don’t think about is enforcing stronger passwords in WordPress which can reduce the risk of your WordPress blog or user accounts becoming compromised. If you happen to allow users to register for your WordPress blog you will find out that WordPress doesn’t have any password strength requirements built in by default.  It shows you the password strength via a colored bar, but it will not actually enforce stronger passwords without a separate plugin.


WordPress Strong Password


WP Better Security Plugin

To enforce stronger passwords in WordPress and to ensure users create stronger passwords I recommend the WP Better Security plugin. It does a lot more than just enforce stronger passwords, but let’s focus in on just that one function for this plugin for now.

Configuring Enforce Stronger Passwords

1. After you install the plugin WP Better Security, go to System Tweaks:


WP Better Sucurity Plugin

2. Scroll down to Strong Password Tweaks

Strong Password Tweaks


Check mark to enable strong password enforcement then select the strong password role.  This is basically the role or higher that will enforce strong passwords. You can make it so only Administrators require strong passwords, or all contributors –> administrators, but in my case I select Subscriber. This means that every account from Subscriber to Administrator requires a strong password to be set for the account.

Automatically Creating Strong Passwords for Users

There is another WordPress plugin called WP Password Generator which I recommend using if you need to create a new user account for your WordPress blog.  This allows you to instantly generate a strong password that will also be enforced by Better WP Security so that you don’t have to manually create one and send it to the new user.

Here is a video demonstration of the WP Password Generator plugin for WordPress.

The plugin adds a “generate password” button in the new user profile screen where you can generate a password, view it or re-generate if it didn’t create a strong one (occasionally it will generate medium ones).

In Summary

Making sure you are enforcing stronger passwords in WordPress reduces the chances of accounts being compromised by a brute force attack and helps keep guest accounts and administrator accounts more secure for your WordPress blog.  It is highly recommended you enforce strong password policies for your WordPress blog. Implementing either of these plugins applies to new accounts or passwords going forward, and won’t enforce passwords updates for existing accounts (so you don’t have to worry about a negative user experience or interrupting your normal WordPress users).  It is recommended that you remind all your authors to use strong passwords and recreate a new password if needed.

Article by Justin Germino Guest Author
Published on: November 13, 2012
Last updated on: May 23, 2014
Subscribe to the Newsletter

Get our latest news, tutorials, guides, tips & deals delivered to your inbox.


  1. Remi says:

    Hey Justin, this is really important to have strong password, i fully agree and i think that in combination to the plugin you mentioned, another great plugin is “Limit Login Attenpts”

  2. John L Webster says:


    Do you know of a plugin or script that will make the default password strength indicator, stronger. For example WP thinks that long dictionary words are strong.

    • AJ Clarke | WPExplorer says:

      I am not aware. Is there any reason why you would need this? I don’t really understand why you would use it, you can just use a third party plugin to create your strong passwords –

      Is it a member site? In which case, I wouldn’t worry too much, if a user doesn’t choose a strong password it’s their fault.

Leave a Reply

Your email address will not be published. Required fields are marked *

Learn how your comment data is processed by viewing our privacy policy here.