WordPress.org

Plugin Directory

Force Strong Passwords

Forces users to enter something strong when updating their passwords.

The user profile editor includes a JavaScript-powered password strength indicator. However, there is nothing currently built into WordPress core to prevent users from entering weak passwords. Users changing their password to something weak is one of the most vulnerable aspects of a WordPress installation.

With Force Strong Passwords activated, strong passwords are enforced for users with publish_posts, upload_files & edit_published_posts capabilites. Should a user with these capabilities (normally an Author, Editor or Administrator) attempt to change their password, the strong password enforcement will be triggered.

To customize the list of capabilites Force Strong Passwords checks for, use the slt_fsp_caps_check filter.

IMPORTANT: As of WordPress 3.7, the password strength meter in core is based on the zxcvbn JavaScript library from Dropbox. Force Strong Passwords simply passes the results of the client-side zxcvbn check along for the server to decide if an error should be thrown. Be aware that a technically savvy user could disable this check in the browser.

Development code & issue tracking is hosted at GitHub. Pull requests are encouraged!

Filters

slt_fsp_caps_check (should return an array)

Modifies the array of capabilities so that strong password enforcement will be triggered for any matching users.

Ex: To make sure users who can update WordPress core require strong passwords:

add_filter( 'slt_fsp_caps_check', 'my_caps_check' );
function my_caps_check( $caps ) {
    $caps[] = 'update_core';
    return $caps;
}

Ex: To trigger strong password enforcement for all users:

add_filter( 'slt_fsp_caps_check', __return_empty_array() );

slt_fsp_error_message (should return a string)

Modifies the default error message.

slt_fsp_weak_roles (should return an array)

Modifies the array of roles that are considered "weak", and for which strong password enforcement is skipped when creating a new user. In this situation, the user object has yet to be created. This means that there are no capabilities to go by. Because of this, Force Strong Passwords has to use the role that has been set on the Add New User form.

The default array includes: subscriber and contributor.

Requires: 3.5 or higher
Compatible up to: 4.2.4
Last Updated: 2015-5-15
Active Installs: 7,000+

Ratings

4 out of 5 stars

Support

0 of 1 support threads in the last two months have been resolved.

Got something to say? Need help?

Compatibility

+
=
Not enough data

0 people say it works.
0 people say it's broken.

0,1,0
100,2,2
100,1,1
100,1,1 100,1,1 100,1,1
0,1,0
100,1,1
100,2,2
100,1,1