
How to Enforce Strong Passwords in WordPress


One area of security many WordPress users neglect is passwords. Surely you’ve heard that using stronger passwords can help reduce the risk of your WordPress blog or user accounts becoming compromised. But do you know how to enforce strong passwords for all users?

If you allow users to register for your WordPress blog, you may have noticed that since WordPress 4.3 better passwords have been available. But while this makes it easy for users to create or reset their account with a strong password, it doesn’t enforce any password strength requirements. This is where a plugin can come in handy to help improve WordPress security.

Enforce Strong Passwords in WordPress with iThemes Security


To enforce strong passwords in WordPress and to ensure users create stronger passwords from the beginning, we recommend the iThemes Security plugin. It does a lot more than enforce strong passwords, but let’s focus on just that one function for now.

Configuring Enforce Stronger Passwords

First you’ll need to install the plugin. This is easily done from your WordPress dashboard by going to Plugins > Add New and searching for “iThemes security.” It should be the first result, so just click to install and activate the plugin.

iThemes Security Settings

With the plugin active click on the new Security menu item in your dashboard to access your iThemes Security settings. As mentioned there are a TON of awesome security options. But for now click on the “Configure settings” button for Password Requirements.

iThemes Security Password Requirements Settings

This will open a popup where you can check a box to enable the iThemes Security force strong passwords feature. You can also choose a minimum user role to apply this rule to. Users with that role or any higher role will be required to use strong passwords.

Depending on your website you might want to force all users to use strong passwords, in which case you’d select the “subscriber” role. But if you require folks to sign up for a subscriber account to download freebies, you may not want to discourage them by requiring a strong password. In this case, it might be better to simply apply the requirement to contributors and above.

Just save your settings and you should be good to go. Now when users register or go to update their password they’ll be forced to select a strong password.

iThemes Security Password Notice

If a user attempts to use anything other than a strong password they should see the above warning. This tells them to try again with something a bit stronger.
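For readers who want to see what this kind of enforcement looks like in code, here is an added example (not iThemes Security's code and not part of the original article) that rejects weak passwords for a minimum role and above using WordPress's `user_profile_update_errors` and `validate_password_reset` hooks. The `example_*` names, the 12-character minimum and the character-variety rule are assumptions standing in for a real strength estimator.

```php
<?php
// Added example, not iThemes Security code. Assumed to be loaded as a small
// site plugin; every example_* / EXAMPLE_* name is hypothetical.

// 'edit_posts' is held by Contributor and above in the default roles;
// use 'read' instead to include Subscribers.
const EXAMPLE_MIN_CAPABILITY = 'edit_posts';
const EXAMPLE_MIN_LENGTH     = 12; // constructed threshold

// Simplified stand-in for a strength estimator: length plus character variety.
// Returns an error message, or '' when the password passes.
function example_password_problem( $password ) {
    if ( strlen( $password ) < EXAMPLE_MIN_LENGTH ) {
        return sprintf( 'Password must be at least %d characters.', EXAMPLE_MIN_LENGTH );
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $pattern ) {
        $classes += (int) preg_match( $pattern, $password );
    }
    return $classes < 3 ? 'Mix at least three of: lowercase, uppercase, digits, symbols.' : '';
}

// Shared check: only users at or above the minimum role are held to the rule.
function example_enforce( $errors, $user_id, $password ) {
    $password = wp_unslash( $password ); // WordPress slashes request data
    if ( '' === $password || ! user_can( $user_id, EXAMPLE_MIN_CAPABILITY ) ) {
        return;
    }
    $problem = example_password_problem( $password );
    if ( '' !== $problem ) {
        $errors->add( 'example_weak_password', $problem ); // blocks the save
    }
}

// Profile screen: edit_user() puts a submitted password in $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( $update && ! empty( $user->user_pass ) ) {
        example_enforce( $errors, $user->ID, $user->user_pass );
    }
}, 10, 3 );

// Reset / set-password screen: the new password arrives as $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( $user instanceof WP_User && ! empty( $_POST['pass1'] ) ) {
        example_enforce( $errors, $user->ID, $_POST['pass1'] );
    }
}, 10, 2 );
```

Because the check runs server-side on both hooks, it cannot be bypassed by ignoring the browser's strength meter, and it only affects passwords set after it is installed.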

If you upgrade to iThemes Security Pro you’ll also have access to Malware scans, Google reCAPTCHA, user action logs, strong password generator, password expiration and the option to enable 2-factor authentication for WordPress. Basically an entire arsenal of security hardening features.

In Summary

By enforcing strong passwords in WordPress you reduce the chances of accounts being compromised by a brute force attack. It also helps keep guest and administrator accounts more secure for your WordPress blog.

Thankfully this is easy when you use a plugin like iThemes Security, WordFence or even Force Strong Passwords. Each of these plugins applies only to new accounts or passwords going forward, and is a great way to reinforce your site security. Just be sure to remind authors and existing users to also give their password an update.

Do you have any tips for stronger passwords? Or do you have a different plugin you’d recommend? Leave us a comment below.


3 Comments

  1. Remi

    Hey Justin, it is really important to have a strong password, I fully agree, and I think that in combination with the plugin you mentioned, another great plugin is “Limit Login Attempts” http://wordpress.org/extend/plugins/limit-login-attempts/

  2. John L Webster

    Justin,

    Do you know of a plugin or script that will make the default password strength indicator stronger? For example, WP thinks that long dictionary words are strong.

    • AJ Clarke | WPExplorer

      I am not aware. Is there any reason why you would need this? I don’t really understand why you would use it, you can just use a third party plugin to create your strong passwords – http://strongpasswordgenerator.com/

      Is it a member site? In which case, I wouldn’t worry too much, if a user doesn’t choose a strong password it’s their fault.
