Force Strong Passwords

Forces users to enter something strong when updating their passwords.

The WordPress user profile includes a JavaScript-powered indicator as a guide to the strength of a password being entered. However, there is nothing to stop users entering weak passwords. Often, users changing their password to something very weak is the most vulnerable aspect of a WordPress installation.

IMPORTANT: As of WordPress 3.7, the password strength meter is based on the Dropbox "zxcvbn" script. This is a far better check, but it is extensive and would be quite a job to port to PHP, which is where this plugin performed its check prior to 3.7. For 3.7 and above, this plugin simply passes the result of the client-side zxcvbn check to the server, which decides whether an error should be thrown. Beware that a tech-savvy user could disable this check in the browser.
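Because the strength result is reported by the browser, a server-side floor that ignores client input can back it up. The following is an added example, not code from the plugin; the my_fsp_* names, the 12-character minimum and the specific rules are assumptions.

```php
<?php
// Added example, not part of Force Strong Passwords. The my_fsp_* names and
// the policy values below are assumptions chosen for illustration.
const MY_FSP_MIN_LENGTH = 12;

// Returns the reasons a password fails the floor, using only server-held data.
function my_fsp_floor_problems( $password, $username, $email ) {
    $problems = array();
    $lower    = strtolower( $password );

    if ( strlen( $password ) < MY_FSP_MIN_LENGTH ) {
        $problems[] = 'Password is shorter than ' . MY_FSP_MIN_LENGTH . ' characters.';
    }
    // Reject passwords built around the account's own identifiers.
    $local = strtolower( (string) strstr( $email, '@', true ) );
    foreach ( array( strtolower( $username ), $local ) as $needle ) {
        if ( strlen( $needle ) >= 3 && false !== strpos( $lower, $needle ) ) {
            $problems[] = 'Password contains the username or email name.';
            break;
        }
    }
    // Catch long but trivial passwords such as one repeated character.
    if ( count( array_unique( str_split( $lower ) ) ) < 5 ) {
        $problems[] = 'Password uses too few distinct characters.';
    }
    return $problems;
}

// Core fires this action while validating a profile update or a new user.
function my_fsp_floor_check( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // No new password was submitted.
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    $email = isset( $user->user_email ) ? $user->user_email : '';
    foreach ( my_fsp_floor_problems( $user->user_pass, $login, $email ) as $i => $message ) {
        $errors->add( 'my_fsp_floor_' . $i, $message );
    }
}
add_action( 'user_profile_update_errors', 'my_fsp_floor_check', 10, 3 );
```

The reset-password form does not pass through this action; core validates it through the separate validate_password_reset action.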

Strong passwords are enforced for all users who have any of a specified array of capabilities. The default list is: publish_posts, upload_files, edit_published_posts (see Roles and Capabilities). If the user whose password is being edited holds any of these capabilities, the strong password enforcement will be triggered. To customize this list, use the slt_fsp_caps_check filter (see below).

Development code hosted at GitHub.


slt_fsp_caps_check (should return an array) Modifies the array of capabilities that trigger strong password enforcement when any one of them is held by the user whose password is being edited.

To make sure users who can update the core require strong passwords:

add_filter( 'slt_fsp_caps_check', 'my_caps_check' );
function my_caps_check( $caps ) {
    // Add update_core to the capabilities that trigger enforcement.
    $caps[] = 'update_core';
    return $caps;
}

To trigger the strong password enforcement for all users:

add_filter( 'slt_fsp_caps_check', '__return_empty_array' );

slt_fsp_error_message (should return a string) Modifies the default error message.

slt_fsp_weak_roles (should return an array) Modifies the array of roles that are considered "weak", and for which the strong password enforcement is skipped when creating a new user. In this situation, the user object has yet to be created, so there are no capabilities to go by, just the role that has been set on the New Users form. The default array includes: subscriber and contributor.

Requires: 3.5 or higher
Compatible up to: 4.2.1
Last Updated: 2015-4-28
Active Installs: 7,000+


4 out of 5 stars

