I’m quite concerned about the security of my site and content if I allow users to sign up with weak passwords. How can I enforce WordPress password requirements?
That’s something we hear a lot from website owners. Chances are, if you run a WordPress membership site that allows user registration, your primary security concern is to enforce WordPress password requirements so that users don’t sign up with weak passwords.
Short or weak passwords are one of the most common ways attackers break into a site, so for the sake of WordPress security you want to avoid them at all costs. Cracking a single password can be enough for an attacker to take over sections of your site or even the whole website, which puts your content, revenue and work in danger.
In this post, you’re going to learn how to enforce minimum WordPress password requirements on your registration forms using the free Profile Builder plugin.
How to enforce WordPress password requirements with Profile Builder
To enforce WordPress password requirements, you can use the Profile Builder plugin. Profile Builder is a complete WordPress registration solution. In addition to enforcing strong passwords, it can also help you:
- Create custom WordPress user registration pages and WordPress login pages.
- Collect additional user profile information about users.
- Let users edit their user accounts from the front-end.
- Restrict access to your content.
Once you install and activate Profile Builder, you can go to Profile Builder -> General Settings to configure your WordPress password requirements.
You have two options for enforcing strong passwords:
- Minimum Password Length – the minimum number of characters needed for a password. This includes letters, numbers, and special characters.
- Minimum Password Strength – the minimum password strength, as measured by the native WordPress strength meter introduced in WordPress 3.7.
The really cool part is that once you set them up with Profile Builder, the password restrictions will apply on all user registration forms of your website and all user roles, whether we’re talking about front-end or back-end registration. This way, you’ll be fully covered.
The password restrictions will apply to all front-end user registration forms set up using Profile Builder shortcodes. This includes front-end:
- Registration Forms
- Edit Profile Forms
- Password reset page
…as well as the default WordPress back-end pages which allow you to enter a password:
- Back-end “Users”->”Add New User” tab – when adding users using the WP admin UI
- Back-end “Users”->”Your Profile” tab – when editing your profile from the WP back-end
- Default WordPress Password Recovery page
It also applies to any registration forms from other plugins on your WordPress website. For example, the WooCommerce registration form.
If a WordPress user resets their password, they’ll still need to enter a new password that meets your WordPress password requirements.
And if you’re still worried about WordPress security and brute force attacks, you can also set up two-factor authentication using another plugin for even more peace of mind.
Setting WordPress minimum password length
The minimum password length makes sure a user’s password doesn’t go under a certain number of characters. Once you define this under the General Settings tab in Profile Builder, the minimum password length notice and verification will be enabled on all registration forms.
The thing is, a long password isn’t necessarily a strong one. The strength of a password is not simply based on the number of characters, but on much more complex factors.
Therefore it’s possible to have a password of 7-8 characters which is considered “strong”, and a password of over 10 characters (including numbers and upper/lowercase letters) which is still considered weak!
Simply put, you shouldn’t force your users to set really long passwords, because you’ll end up sacrificing user experience in the long term (though you can encourage them to use a password manager). The best option is to combine the minimum password length restriction with a minimum password strength, for increased usability and better security.
This is where the WordPress password strength meter comes into play.
Enforcing WordPress minimum password strength
Currently, WordPress by itself does not enforce any kind of password strength; it only shows you how your password scores.
We made sure to address this with our plugin, enforcing a minimum password strength on all registration forms. You’ll be able to choose the minimum level for password strength and enforce the desired level of security for your site.
We’re using the existing password strength meter from the WordPress core, based on Dropbox’s zxcvbn library, because it’s one of the most accurate in deciding what makes a strong password. Then we make sure all registration forms throw errors if the password restrictions aren’t met.
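To show what enforcing both settings on the server side looks like, here is an added example of a small must-use plugin written for this post; it is not Profile Builder’s code. It hooks the WordPress actions that run on the back-end “Add New User”/“Your Profile” screens and on the password reset page, and because core’s zxcvbn meter only runs in the browser, it uses a simple character-class scorer as a stand-in for the meter’s 0–4 scale; the two thresholds are assumed values.

```php
<?php
// Example mu-plugin (wp-content/mu-plugins/) added as an illustration; it is not
// Profile Builder's code. The two thresholds are assumed values, not plugin settings.
const MPP_MIN_LENGTH = 10; // assumption: minimum characters
const MPP_MIN_SCORE  = 2;  // assumption: 0 (very weak) .. 4 (strong), the meter's scale

// Coarse server-side score, a stand-in for core's zxcvbn meter (JavaScript only):
// counts character classes and rewards long passphrases.
function mpp_password_score( string $password ): int {
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    $length = strlen( $password );
    if ( $length < 8 ) {
        return 0;
    }
    $score = $classes - 1;   // one class scores 0, all four score 3
    if ( $length >= 16 ) {
        $score++;            // a long passphrase earns an extra point
    }
    return max( 0, min( 4, $score ) );
}

// Attach policy violations to the WP_Error object the form will display.
function mpp_check_password( WP_Error $errors, string $password ): void {
    if ( strlen( $password ) < MPP_MIN_LENGTH ) {
        $errors->add( 'pass_too_short', sprintf( 'Password must be at least %d characters.', MPP_MIN_LENGTH ) );
    }
    if ( mpp_password_score( $password ) < MPP_MIN_SCORE ) {
        $errors->add( 'pass_too_weak', 'Password is too weak: mix character types or use a longer passphrase.' );
    }
}

// Both hooks receive the WP_Error first; pass1 is the field core reads, and it is
// empty when a profile is saved without changing the password.
$mpp_enforce = function ( $errors ) {
    $pass = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' !== $pass ) {
        mpp_check_password( $errors, $pass );
    }
};
add_action( 'user_profile_update_errors', $mpp_enforce ); // "Add New User", "Your Profile"
add_action( 'validate_password_reset', $mpp_enforce );    // wp-login.php?action=rp
```

The default WordPress registration form does not take a password at all (the user sets one through the reset page), so the reset hook is what covers that path; a form from another plugin needs its own validation hook.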
Once users try to register, edit their profile or change their password, they will be prompted with a password strength meter to make sure they choose a safe password.
Enforcing WordPress password requirements also works in the back-end, for example when editing your profile.
If you have “Medium” as the minimum password strength and your password scores below it, you’ll be shown an error message.
If you haven’t set a minimum password length and strength for your own site, do it now!
If you don’t already enforce a minimum password length and strength on your membership site, don’t wait any longer. Start enforcing WordPress password requirements today!
Using Profile Builder, it takes just a few clicks to make sure your users use strong passwords. And it’s totally worth it for long term peace of mind.