Integrating password policies in WooCommerce account forms

Last updated on October 15th, 2021 by Daniel Jones. Filed under WordPress Security Tutorials & Tips


Ensuring that your team and your customers use strong passwords is one of the most effective ways of keeping your WordPress website, sensitive customer information and WooCommerce store secure. Because a WooCommerce store typically exposes more public-facing login pages than a plain WordPress site, this becomes orders of magnitude more important for maintaining a secure environment.

So, how can you be certain that your customers are using strong passwords to protect their sensitive, private account details?

Introducing the Password Policy Manager plugin

The easiest way to accomplish this is to use the Password Policy Manager plugin and enforce strong WooCommerce password policies without deterring customers.
While Password Policy Manager is WooCommerce ready, we can supplement the out-of-the-box functionality with additional code that applies the password policy checks to the password reset and password edit pages under My Account in WooCommerce.

This additional code will not only help us make sure that passwords comply with any defined policies, but also provides a better user experience for users and customers alike.

Furthermore, by using the following code, you can make sure that any custom login pages are also covered by the password policy you configure.

The code to enforce password security on WooCommerce

The code is split into two parts: the client-side code and the server-side code. Therefore, this job includes the following steps:

  1. We will begin with the client-side code. Here, we will add the Password Policy Manager plugin’s custom JavaScript (JS) to your WooCommerce forms so when users are entering a new password, they can see which policies are being met or not.
  2. Then we will move to the server-side, where we will add our functions to ensure passwords that don’t meet configured policies can’t be saved and used.

When it comes to adding custom code, you can choose one of two options: you can either edit the functions.php file or create a custom plugin. Refer to how to add custom code snippets in WordPress for an easy-to-follow guide on how to do either of the above.

The Client-side code

This is the client-side code that you need to add to your theme's functions.php file or to a custom plugin:

// Tell Password Policy Manager which custom form to attach its JS to.
// The returned array replaces the filter's incoming $args.
function example_ppm_enable_custom_form( $args ) {
    $args = array(
        'element'      => '#user_password',   // jQuery selector of the password input
        'button_class' => '#submit_password', // jQuery selector of the submit button
    );
    return $args;
}
add_filter( 'ppm_enable_custom_form', 'example_ppm_enable_custom_form' );

The code is fairly simple and is fully documented in how to enforce password policies in custom forms. Put simply, the 'element' key holds the jQuery selector of the form input you wish to apply our JS to, while 'button_class' holds the selector of the form's submit button.

The Server-side code

Now that we have the JS in place, you might notice that although users receive a warning when their password does not match your policies, no server-side checks take place.

To have the Password Policy Manager plugin check submitted passwords, you will need to add the following code. Just like the client-side code, add it to your theme's functions.php or to a site-specific plugin.

/* WooCommerce Password Edit (My Account > Account details) */
add_filter( 'woocommerce_save_account_details_errors', 'ppmwp_detect_pw_errors', 10, 2 );

function ppmwp_detect_pw_errors( $errors, $user ) {
    if ( isset( $user->ID ) ) {
        $ppmwp           = new \PPM_WP_Password_Check();
        $password_errors = new \WP_Error();

        // WooCommerce has already placed the submitted password on the user object.
        $password = $user->user_pass;

        // Fire off the validity check; failures are collected in $password_errors.
        $is_valid = $ppmwp->validate_for_user( $user->ID, $password, 'reset-form', $password_errors );

        if ( $password_errors->errors ) {
            // If we have errors, the password did not meet policy requirements.
            // Each entry holds an array of messages describing the failed rule.
            foreach ( $password_errors->errors as $key => $message ) {
                $errors->add( $key, $message[0] );
            }
        }
    }
    // $errors is a WP_Error object, so the entries added above are visible to
    // WooCommerce without returning it; it aborts the save if any are present.
}

/* WooCommerce Password Reset (lost-password form) */
add_filter( 'validate_password_reset', 'ppmwp_validate_wc_password_reset', 10, 2 );

function ppmwp_validate_wc_password_reset( $errors, $user ) {
    if ( isset( $user->ID ) ) {
        $ppmwp           = new \PPM_WP_Password_Check();
        $password_errors = new \WP_Error();

        // Get the submitted password. WordPress slashes request data, so unslash it
        // (but never sanitize a password, as that would alter what the user typed).
        $password = isset( $_POST['password_1'] ) ? wp_unslash( $_POST['password_1'] ) : false;

        // Fire off the validity check; failures are collected in $password_errors.
        $is_valid = $ppmwp->validate_for_user( $user->ID, $password, 'reset-form', $password_errors );

        if ( $password_errors->errors ) {
            // If we have errors, the password did not meet policy requirements.
            // Each entry holds an array of messages describing the failed rule.
            foreach ( $password_errors->errors as $key => $message ) {
                $errors->add( $key, $message[0] );
            }
        }
    }
}

Now that we have added both client and server-side code, the job is done, and you’re good to go.

Keeping your WooCommerce password security spot on

Enforcing password security on your WooCommerce or any other e-commerce store can be tricky. While keeping your customers' data safe is always going to be a priority, you don't want to frustrate them with complex rules. To this end, here are four policies that you might want to consider for your online store:

  • Set a minimum password length, but keep it shorter for customers than for store managers.
  • Require multiple character types, with special characters reserved for store manager passwords.
  • Implement an expiration policy, but don't pester customers with password reset notifications more than twice a year.
  • Disallow password reuse within certain time frames, extending that period for store managers while keeping it shorter for customers.
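As an added example (not the Password Policy Manager plugin's own code), here is how these four rules can be expressed as a role-aware check in plain PHP. The ppm_example_* function names are hypothetical, the policy numbers are assumptions chosen to match the list above, and the password history and sample values are constructed inline; on a real site the history hashes and last-change time would come from user meta.

```php
<?php
// Added example, not Password Policy Manager's own code: a role-aware check
// covering the four rules above. History hashes and the last-change time are
// assumed to be stored in user meta; the sample values below are constructed.

function ppm_example_policy_for_role( $role ) {
    if ( 'shop_manager' === $role ) {
        return array( 'min_length' => 14, 'classes' => 3, 'special' => true, 'max_age_days' => 90, 'history' => 10 );
    }
    return array( 'min_length' => 10, 'classes' => 2, 'special' => false, 'max_age_days' => 180, 'history' => 3 );
}

// Returns a list of failure reasons; an empty array means the password passes.
function ppm_example_check_password( $password, $role, $history_hashes ) {
    $policy = ppm_example_policy_for_role( $role );
    $fail   = array();
    if ( strlen( $password ) < $policy['min_length'] ) {
        $fail[] = sprintf( 'Use at least %d characters.', $policy['min_length'] );
    }
    // Count the character classes present: lower, upper, digit, special.
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        $classes += preg_match( $re, $password ) ? 1 : 0;
    }
    if ( $classes < $policy['classes'] ) {
        $fail[] = sprintf( 'Use at least %d different character types.', $policy['classes'] );
    }
    if ( $policy['special'] && ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
        $fail[] = 'Include a special character.';
    }
    // Reuse check against the N most recent stored hashes; plaintext history is never kept.
    foreach ( array_slice( $history_hashes, 0, $policy['history'] ) as $hash ) {
        if ( password_verify( $password, $hash ) ) {
            $fail[] = 'That password was used recently; choose a different one.';
            break;
        }
    }
    return $fail;
}

// Expiry is evaluated at login time from the last-change timestamp (86400 s per day).
function ppm_example_password_expired( $changed_at, $role ) {
    return ( time() - $changed_at ) > ppm_example_policy_for_role( $role )['max_age_days'] * 86400;
}

// Constructed sample: one stored history hash, then a reused and a fresh candidate.
$history = array( password_hash( 'OldPassw0rd!', PASSWORD_DEFAULT ) );
print_r( ppm_example_check_password( 'OldPassw0rd!', 'customer', $history ) );
print_r( ppm_example_check_password( 'Tr0ub4dor&Three', 'shop_manager', $history ) );
```

The same function can be called from the validate_password_reset and woocommerce_save_account_details_errors hooks shown earlier, adding each returned reason to the WP_Error object.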

Securing WooCommerce is just one part of the security of your WordPress website. Follow our WordPress security hardening guide, where we share a number of tips and strategies to help you harden your WordPress website.
