This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Download

Forbid Pwned Passwords

By Michael Veenstra

Description

Protect your WordPress site’s users from using breached passwords!

With Forbid Pwned Passwords, your site’s users will receive errors if they attempt to set their password to one found in a known breach, forcing them to choose a new one.
This can help to mitigate credential stuffing attacks against your site and its users.

This plugin makes use of Troy Hunt’s Have I Been Pwned? API. Using k-anonymity methods, only a partial SHA-1 hash of the password
is sent to the API in order to produce a list of hashes for local testing. This means no passwords are ever sent to third parties.

You can learn more about the Have I Been Pwned API here.

Reviews

Awesome plugin!

August 24, 2018
This is great - it is a very nice and simple plugin to force users to select passwords that are not typically hacked le. Would be nice to have a customisable message but I love it none-the-less. Nice work!
Read all 1 review

Contributors & Developers

“Forbid Pwned Passwords” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Forbid Pwned Passwords” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

0.1.1

  • Improved error handling in the event of an API failure.

Meta

Ratings

See all

Contributors

Support

Issues resolved in last two months:

1 out of 1

View support forum

Donate

Would you like to support the advancement of this plugin?

Donate to this plugin