I’m quite concerned for the security of my site and content if I allow users to sign up with weak passwords.
That’s something we hear a lot from website owners. If you run a WordPress membership site that allows user registration, chances are one of your primary security concerns is stopping users from signing up with weak passwords.
Short or weak passwords are among the most commonly exploited weaknesses for people trying to break into your site, so you want to avoid them at all costs. Cracking a single password can be enough to lose control of sections of the site or even the whole site, which puts your content, revenue and work in danger.
After hours of research you’ve probably realized that most of the plugins available only go halfway. Some offer increased security by letting you set a minimum password length, but they do NOT possess all the features you would need from a user registration plugin.
On the other side, even though there are plenty of plugins out there that can help you with some aspects of user registration, the vast majority fall short when it comes to security.
Wouldn’t it be nice to have an all-in-one solution that handles the front-end user registration part, but also lets you set security restrictions on the registration forms themselves?
Things like setting a minimum password length or enforcing a minimum password strength to eliminate weak passwords altogether?
An easy-to-use WordPress plugin that handles user registration, but also focuses on enforcing strong passwords.
We made the same mistake for a while with Profile Builder, focusing too much on adding new user registration features and not offering a built-in check for minimum password length and strength. That’s exactly why we made sure it was a top priority for the 2.0 release.
We strongly believe that having the option to set a minimum password length as well as enforce a minimum password strength should be available in all front-end user registration plugins, so we made sure to include this functionality in both free and premium versions of Profile Builder.
Setting a minimum password length and password strength with Profile Builder
Now, using Profile Builder’s admin interface you can easily set up a minimum length for your users’ passwords, as well as enforce a minimum password strength, measured using the standard WordPress strength meter introduced in WordPress 3.7.
The really cool part is that once you set them up in Profile Builder, the password restrictions apply to all user registration forms on your website, front-end and back-end alike. This way, you’re fully covered.
The password restrictions apply to all front-end forms set up using Profile Builder shortcodes:
- Front-end Registration Forms
- Front-end Edit Profile Forms
- Front-end Reset Password page
…as well as the default WordPress back-end pages that let you enter a password:
- Back-end “Users”->”Add New User” tab – when adding users using the WP admin UI
- Back-end “Users”->”Your Profile” tab – when editing your profile from the WP back-end
- Default WordPress Password Recovery page
Setting WordPress minimum password length
The minimum password length makes sure your users’ passwords are never shorter than a certain number of characters. Once you define it under the General Settings tab in Profile Builder, the minimum password length notice and verification are enabled on all registration forms.
The thing is, a long password isn’t necessarily a strong one. The strength of a password is not simply a matter of character count; it depends on much more complex factors, such as whether it is built from dictionary words, common patterns or predictable substitutions.
Therefore it’s possible for a password of 7-8 characters to be rated “strong”, while a password of over 10 characters (including numbers and upper/lowercase letters) is still rated weak, for example a dictionary word followed by a year and an exclamation mark.
Simply put, you shouldn’t force your users to set really long passwords, because you’ll end up sacrificing user experience in the long term. The best option is to combine a minimum password length with a minimum password strength, for better usability and better security.
This is where the WordPress password strength meter comes into play.
Enforcing WordPress minimum password strength
WordPress core by itself does not enforce any password strength; it only shows you how your password scores.
We made sure to address this in our plugin by enforcing a minimum password strength on all registration forms. You choose the minimum strength level and thereby the level of security you want for your site.
We use the existing password strength meter from WordPress core, which is based on Dropbox’s zxcvbn library, because it’s one of the most accurate at judging what makes a strong password. We then make sure all registration forms throw errors if the password restrictions aren’t met.
When users register, edit their profile or change their password, they are shown a password strength meter to help them choose a safe password.
Enforcing the minimum password strength also works in the back-end, for example when editing your profile:
If you have “Medium” as the minimum password strength and your password scores below that, you’ll be shown an error message:
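To make concrete how a length and strength policy can be enforced on the core forms listed above (the "Add New User" and "Your Profile" pages, the core password reset page, and registration forms that post a password), here is an added example written for this page. It is not Profile Builder's own code and does not show how Profile Builder implements its checks. It uses only hooks and script handles that exist in WordPress core (`user_profile_update_errors`, `validate_password_reset`, `registration_errors`, the `password-strength-meter` script and `wp.passwordStrength.meter()`); the constants, the function names and the hidden field name `pass_strength_score` are this example's own conventions. The mapping of "Medium" to a meter score of 3 follows the labels the core meter uses (0-1 very weak, 2 weak, 3 medium, 4 strong).

```php
<?php
/*
Plugin Name: Password policy demo (added example, not Profile Builder code)
Description: Enforces a minimum password length server-side and a minimum
             core-meter strength score on the core password forms.
*/

// Policy values; a real plugin would read these from a settings page.
const PWPOLICY_MIN_LENGTH = 8; // assumed minimum length for this example
const PWPOLICY_MIN_SCORE  = 3; // core meter: 0-1 very weak, 2 weak, 3 medium, 4 strong

/**
 * Pure policy check, kept free of WordPress calls so it can be unit-tested alone.
 * $score is the 0..4 result of wp.passwordStrength.meter() posted by the browser,
 * or null when the form sent none. Returns null on success, otherwise a message.
 */
function pwpolicy_check( $password, $score, $min_length = PWPOLICY_MIN_LENGTH, $min_score = PWPOLICY_MIN_SCORE ) {
    // mb_strlen counts characters rather than bytes, so non-ASCII passwords are measured fairly.
    if ( mb_strlen( $password ) < $min_length ) {
        return sprintf( 'The password must be at least %d characters long.', $min_length );
    }
    if ( $score === null || (int) $score < $min_score ) {
        return 'The password is too weak. Choose one the strength meter rates at least "Medium".';
    }
    return null;
}

/**
 * Shared validator: every core form involved posts the new password as pass1.
 * The score field name is this example's convention (see pwpolicy_enqueue_meter).
 */
function pwpolicy_validate( WP_Error $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change submitted, e.g. a profile edit that keeps the old password
    }
    $password = wp_unslash( $_POST['pass1'] );
    $score    = isset( $_POST['pass_strength_score'] ) ? (int) $_POST['pass_strength_score'] : null;
    $message  = pwpolicy_check( $password, $score );
    if ( $message !== null ) {
        $errors->add( 'pwpolicy', '<strong>ERROR</strong>: ' . esc_html( $message ) );
    }
}

// Back-end "Users" -> "Add New User" and "Your Profile" (both go through edit_user()).
add_action( 'user_profile_update_errors', 'pwpolicy_validate', 10, 1 );
// Core password recovery page (wp-login.php?action=rp).
add_action( 'validate_password_reset', 'pwpolicy_validate', 10, 1 );
// Registration forms that post a pass1 field; core's own registration form does not.
add_filter( 'registration_errors', function ( WP_Error $errors ) {
    pwpolicy_validate( $errors );
    return $errors;
}, 10, 1 );

/**
 * Client side: reuse the core meter and copy its score into a hidden field so the
 * server has a value to compare with PWPOLICY_MIN_SCORE.
 */
function pwpolicy_enqueue_meter() {
    wp_enqueue_script( 'password-strength-meter' );
    $js = <<<'JS'
jQuery(function ($) {
  var $pass = $('#pass1');
  if (!$pass.length) { return; }
  var $score = $('<input type="hidden" name="pass_strength_score">').appendTo($pass.closest('form'));
  $pass.on('input keyup', function () {
    // Same call the core meter makes: returns 0..4 (5 means the confirm field differs).
    // An empty disallowed list is passed here; core passes words derived from the user's name/email.
    $score.val(wp.passwordStrength.meter($pass.val(), [], $pass.val()));
  });
});
JS;
    wp_add_inline_script( 'password-strength-meter', $js );
}
add_action( 'admin_enqueue_scripts', 'pwpolicy_enqueue_meter' );
add_action( 'login_enqueue_scripts', 'pwpolicy_enqueue_meter' );
```

Drop the file into `wp-content/mu-plugins/` to try it. One caveat a practitioner should keep in mind: the length check runs entirely on the server and cannot be bypassed, but the strength score is computed in the browser and posted back, so a user who edits the request can submit any score they like. Treat client-computed strength as a usability aid; if the strength rule must hold against a hostile client, the estimate has to be recomputed server-side (for instance with a PHP port of zxcvbn), which core does not ship.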
If you haven’t set a minimum password length and strength for your own site, do it now!
If you don’t already enforce a minimum password length and strength on your membership site, don’t wait any longer. Start now!
Using Profile Builder, it takes just a couple of clicks to make sure your users choose strong passwords, and it’s well worth it for long-term peace of mind.