Enforcing strong WordPress password security

Last updated on January 18th, 2023 by Mark Grima. Filed under WordPress Security Tutorials & Tips

Force strong passwords

It is impossible to ignore security when managing WordPress sites and blogs. Many business site administrators choose a secure WordPress web host, install a WordPress firewall plugin or service on top of that, and keep a record of what is happening on their site with a comprehensive WordPress activity log plugin.

No software or online service, however, can protect your WordPress website from your users’ weak passwords. And they do use weak passwords: statistics show that 35% of users choose weak passwords such as password123 and qwerty123, and that most of the remaining passwords can still be cracked.

Therefore, as a WordPress site owner it is your duty to implement password policies that force users to choose strong passwords and so raise the password security level of your site. In this post we explain how to do this with a plugin and a few mouse clicks. But first, let’s see why you need a plugin such as WPassword at all.

Why Do You Need a WordPress Password Policies Plugin?

By default WordPress only recommends a strong password: whenever you forget your password, create a new user or simply want to reset your password, it suggests a generated strong password and shows a strength meter, but it does not enforce either.

WordPress recommends strong passwords

However, users can and will still use weak passwords, because they are given the option. They can simply type in a weak password such as password123 and tick the option Confirm use of weak password, as highlighted in the screenshot below.

Users can easily use weak passwords in WordPress

The only way to force your WordPress users to choose strong passwords is to use a plugin that lets you enforce WordPress password policies.

How to Configure Policies for Strong WordPress Password Security

You can configure policies that enforce strong passwords on your WordPress users with the WPassword plugin. This section explains how to get started and configure the policies in just a few clicks.

Configuring WordPress Password Policies

Once you have installed the WordPress password policies plugin, navigate to the Password Policies node in the Settings menu.

Configuring WordPress password policies in plugin

In this section you can configure the following password policies to require strong WordPress passwords from your users:

  • Password minimum length
  • Use of both lowercase and uppercase letters in passwords
  • Use of numbers in passwords
  • Use of special characters in passwords

You can also configure how long a password may be used from the Password Expiration Policy, also known as maximum password age. When passwords expire automatically, users have to change them rather than keeping the same password for months or years. Set the expiry period with care: current NIST guidance (SP 800-63B) advises against forcing periodic password changes unless there is evidence of compromise, so expiry works best alongside the composition and history policies rather than as a substitute for them. The password history policy sets how many unique new passwords a user must go through before an old password can be reused.
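As an added example (not WPassword’s code, and not part of the original post), the following PHP shows how the four composition rules and the password history policy described above can be enforced using hooks that WordPress core already provides. The thresholds in EXAMPLE_POLICY, every function and closure prefixed example_, and the example_pw_history user-meta key are assumptions chosen for illustration; the hook names, wp_check_password, and the $_POST['pass1'] field are WordPress core’s.

```php
<?php
/**
 * Added example: enforce a WordPress password policy through core hooks.
 * Not WPassword's code. Everything prefixed example_ and the thresholds in
 * EXAMPLE_POLICY are assumptions made for this illustration.
 */

const EXAMPLE_POLICY = [
    'min_length'      => 12,
    'require_mixed'   => true,  // both lowercase and uppercase letters
    'require_digit'   => true,
    'require_special' => true,
    'history'         => 5,     // previous password hashes to remember
];

/**
 * Pure policy check: returns the list of unmet requirements (empty = compliant).
 * Kept free of WordPress calls so it can be unit-tested on its own.
 */
function example_password_violations(string $password, array $policy = EXAMPLE_POLICY): array
{
    $violations = [];
    if (mb_strlen($password) < $policy['min_length']) {
        $violations[] = sprintf('at least %d characters', $policy['min_length']);
    }
    if ($policy['require_mixed'] && !(preg_match('/[a-z]/', $password) && preg_match('/[A-Z]/', $password))) {
        $violations[] = 'both lowercase and uppercase letters';
    }
    if ($policy['require_digit'] && !preg_match('/[0-9]/', $password)) {
        $violations[] = 'at least one number';
    }
    if ($policy['require_special'] && !preg_match('/[^A-Za-z0-9]/', $password)) {
        $violations[] = 'at least one special character';
    }
    return $violations;
}

if (function_exists('add_action')) { // only wire the hooks when running inside WordPress

    /**
     * Shared validator for the profile and password-reset forms. Core puts the
     * new password in $_POST['pass1']; an empty value means "not changing it".
     */
    function example_validate_new_password(WP_Error $errors, int $user_id): void
    {
        $password = isset($_POST['pass1']) ? (string) wp_unslash($_POST['pass1']) : '';
        if ($password === '') {
            return;
        }
        $violations = example_password_violations($password);

        // Password history: compare the candidate against the remembered old hashes.
        if ($user_id > 0) {
            $history = array_filter((array) get_user_meta($user_id, 'example_pw_history', true));
            foreach ($history as $old_hash) {
                if (wp_check_password($password, $old_hash)) {
                    $violations[] = sprintf('a password not among your last %d', EXAMPLE_POLICY['history']);
                    break;
                }
            }
        }
        if ($violations) {
            $errors->add('example_policy', 'Password must have: ' . implode('; ', $violations) . '.');
        }
    }

    // Profile and "Add New User" screens: $user is a stdClass carrying an ID for existing users.
    add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user): void {
        example_validate_new_password($errors, isset($user->ID) ? (int) $user->ID : 0);
    }, 10, 3);

    // "Lost your password?" reset form: $user is a WP_User (or a WP_Error on a bad key).
    add_action('validate_password_reset', function (WP_Error $errors, $user): void {
        example_validate_new_password($errors, $user instanceof WP_User ? $user->ID : 0);
    }, 10, 2);

    // After a profile save that changed the password, push the previous hash onto the history.
    add_action('profile_update', function (int $user_id, $old_user_data): void {
        $new_hash = get_userdata($user_id)->user_pass;
        if ($old_user_data instanceof WP_User && $old_user_data->user_pass !== $new_hash) {
            $history   = array_filter((array) get_user_meta($user_id, 'example_pw_history', true));
            $history[] = $old_user_data->user_pass;
            update_user_meta($user_id, 'example_pw_history', array_slice($history, -EXAMPLE_POLICY['history']));
        }
    }, 10, 2);

} else { // plain `php` run outside WordPress: exercise the pure check on constructed inputs
    foreach (['password123', 'Qwerty123!', 'Correct-Horse-Battery-9'] as $candidate) {
        $v = example_password_violations($candidate);
        printf("%-25s %s\n", $candidate, $v ? 'REJECT: ' . implode('; ', $v) : 'OK');
    }
}
```

Run outside WordPress, the demo rejects password123 (too short, no uppercase, no special character) and Qwerty123! (too short) and accepts Correct-Horse-Battery-9. Two limitations are worth knowing: composition rules alone do not stop common passwords that happen to satisfy them, so a check against a breached-password list is a worthwhile addition; and a reset through the lost-password form goes through wp_set_password rather than wp_update_user, so profile_update does not fire there and a complete implementation would also record the old hash on the after_password_reset action.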

WordPress Password Policies Plugin Features Highlight

Apart from the password policies, WPassword also allows you to:

  • Exempt specific users or roles from the password policies
  • Specify when users’ sessions are terminated upon password expiry
  • Reset all passwords with a single mouse click.

The last feature is particularly handy in the unfortunate event of a WordPress hack. When you reset all passwords with the plugin, every user is sent an email asking them to set a new WordPress password.

Ensure Stronger WordPress Password Security with Policies

Help your WordPress site and multisite network users choose strong passwords, and harden the security of your WordPress site at the same time. Configure WordPress password policies so that strong passwords are enforced on your users. You can get started and improve WordPress password security in just a few minutes with WPassword.

Bonus tip: disable dormant users

Dormant and unused WordPress accounts are an easy target for attackers. Regardless of the policies you enforce, an account that is never used keeps the same password indefinitely, and if it is hijacked nobody notices. That is why such accounts are a prime target.

To safeguard your website and stop inactive accounts from jeopardizing its security, enable the dormant users policy in WPassword so that inactive accounts are locked and cannot be hijacked.
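As an added example of what a dormant-user lock looks like when built on core hooks (this is not WPassword’s code and not part of the original post): WordPress core does not record a last-login time, so the example records one itself on wp_login and then refuses dormant accounts in the authenticate filter. The example_last_login meta key, the 90-day threshold, the exempt role list and the example_ names are assumptions; wp_login and authenticate are core hooks.

```php
<?php
/**
 * Added example: lock accounts that have not signed in for a while.
 * Not WPassword's code; the threshold, meta key, exempt roles and example_ names
 * are assumptions made for this illustration.
 */

const EXAMPLE_DORMANT_DAYS    = 90;
const EXAMPLE_LAST_LOGIN_META = 'example_last_login';
const EXAMPLE_EXEMPT_ROLES    = ['administrator']; // keep a break-glass role unlocked

/**
 * Pure decision: an account is dormant when its most recent activity (last login,
 * or the registration time if it has never signed in) is older than the cutoff.
 * A never-used account therefore starts its clock at creation, not "never".
 */
function example_is_dormant(int $last_login, int $registered, int $now, int $days = EXAMPLE_DORMANT_DAYS): bool
{
    $last_activity = max($last_login, $registered);
    return ($now - $last_activity) > $days * 86400;
}

if (function_exists('add_action')) { // only wire the hooks when running inside WordPress

    // Core keeps no last-login timestamp, so record one on every successful login.
    add_action('wp_login', function (string $user_login, WP_User $user): void {
        update_user_meta($user->ID, EXAMPLE_LAST_LOGIN_META, time());
    }, 10, 2);

    // Priority 30 runs after core's credential checks (priority 20), so only a
    // correct password is ever answered with "locked"; an attacker who does not
    // know the password learns nothing about the account's status.
    add_filter('authenticate', function ($user, string $username, string $password) {
        if (!$user instanceof WP_User) {
            return $user; // authentication already failed upstream
        }
        if (array_intersect(EXAMPLE_EXEMPT_ROLES, (array) $user->roles)) {
            return $user;
        }
        $last_login = (int) get_user_meta($user->ID, EXAMPLE_LAST_LOGIN_META, true);
        $registered = (int) strtotime($user->user_registered . ' UTC'); // core stores this in GMT
        if (example_is_dormant($last_login, $registered, time())) {
            return new WP_Error(
                'example_dormant',
                'This account has been locked because it was inactive. Ask an administrator to re-enable it.'
            );
        }
        return $user;
    }, 30, 3);

} else { // plain `php` run outside WordPress: exercise the decision on constructed timestamps
    $now   = 1700000000; // constructed "now"
    $cases = [
        'logged in yesterday'       => [$now - 86400, $now - 400 * 86400],
        'never logged in, new user' => [0, $now - 10 * 86400],
        'never logged in, old user' => [0, $now - 400 * 86400],
    ];
    foreach ($cases as $label => [$login, $reg]) {
        printf("%-26s %s\n", $label, example_is_dormant($login, $reg, $now) ? 'LOCK' : 'allow');
    }
}
```

Because the check sits on the authenticate filter it also covers application-password and XML-RPC logins, which core authenticates through the same filter; it does not touch sessions that are already logged in, which is one reason to pair it with the session-termination and reset-all-passwords features described above. An administrator re-enables a locked account by refreshing its timestamp, for example with WP-CLI: wp user meta update <user> example_last_login $(date +%s).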


Alice 29/12/2019

Strong passwords can help prevent brute force attacks and improve site security. However, my concern is that it’s difficult for users to remember these passwords.

Robert Abela 07/01/2020

As recommended in the article, users should use Password Managers 🙂

Mohammed Faisal 04/04/2021

Will this password policy be applicable to woocommerce login pages also ?

Radostin Angelov 07/04/2021

Hi Mohammed,

Thank you for reaching out.

Yes, you can enforce password policies on WooCommerce login pages with WPassword.

If you use WooCommerce, or any other solution that has its own custom user profile and other pages, you have to integrate the plugin to enforce the password policies.

To learn how to do it, read How to enforce password policies on custom login, password reset & other pages.

Best wishes,

unvxpe 21/11/2021

Good day

How does one prevent users from registering with weak passwords?

I’m able to prevent logging in with a weak password but cannot prevent the registration.


Radostin Angelov 22/11/2021

Hello there,

Thanks for reaching out.

Indeed, this is a good question. We are currently working on implementing such features that will allow you to set registration password policies. This will be available in some of the next updates of our WPassword.

Stay tuned to our blog page!
