WP White Security will soon be rebranding to Melapress. As part of this change, www.wpwhitesecurity.com will no longer be available and will be redirected to melapress.com.

Strong WooCommerce passwords – enforcing policies without deterring customers

Last updated on April 14th, 2023 by Robert Abela. Filed under WordPress Security Tutorials & Tips


Keeping your eCommerce store secure is a must. Not only is it an important source of income for your business, but it also contains sensitive customer information, such as billing details and credit card numbers. Strong passwords can prevent many cyber attacks, but you’ll need a way to enforce them without deterring customers.

By creating thoughtful password policies, and using intuitive software you can help your staff and customers craft secure passwords for their WooCommerce store accounts. This also applies to any other eCommerce store on WordPress. At the same time, you can avoid annoying them with tedious requirements that often result in unwanted customer friction.

In this post, we’ll dive into password security and discuss why it’s vital to your eCommerce store. Then we’ll show you how to configure strong passwords for your WooCommerce, or any other WordPress eCommerce store without increasing friction for your shoppers.

Introduction to password security

Passwords are meant to protect user accounts from hackers. However, many use weak passwords, rendering them ineffective. The simpler the password is, the easier it will be to guess. Hackers have an arsenal of tools and methods they can use to automatically guess easy passwords. They may also capture traffic data in order to acquire users’ credentials, hence why it is important to use HTTPS on your WordPress website.

Once attackers gain access to your customers’ accounts, they can make any transaction that customers can. This includes making purchases, changing details of existing orders and accessing their personal data. They can also steal and leak business and customer data. This leads to a loss of your customers’ trust, and therefore a loss in revenue and business.

Plus, store manager and administrator accounts are vulnerable as well. Hackers who succeed in breaking into those kinds of accounts can gain control of your store and products, and wreak havoc.

So Password security is really important to avoid any of these and other similar scenarios. By simply following a few best practices, customers and employees can use strong passwords. By doing so, the also decrease the chances of a successful attack.

The challenges of enforcing strong passwords on WooCommerce stores

Strict password policies

There are several difficulties that come with getting your WooCommerce customers to use secure passwords for their accounts. First, requiring strict password standards can cause friction, discouraging the customers completing the registration and/or checkout processes.

Plus, your customers are also likely to have a lot of passwords to remember. If you require them to come up with a new 20-character combination that includes lowercase and capital letters, numbers, and symbols every month, they may decide that your products aren’t worth the effort and close their accounts.

Ineffective recommendations (counter intuitive solutions)

The second issue is ineffective recommendations. As an example, let’s take a look at the WordPress’ strength meter, which is also used in WooCommerce:

The counter intuitive WordPress password strength meter

This gives users no indication of what requirements their passwords need to meet in order for it to be considered strong. This can become frustrating, and may even deter customers who don’t want to bother with guessing at your password policies.

4 smart password policies for WooCommerce stores

When it comes to enforcing strong passwords, clearly state your policies and avoid making them too harsh. Instead of throwing every rule in the book at shoppers, be selective. You need to find a balance between keeping accounts secure without increasing friction.

It’s clear there are some challenges to creating password policies for WooCommerce customers. With that in mind, we’ve provided some guidelines for setting up yours. Here are some ideas for what you might include in your requirements for both shoppers and store managers.

1. Set a minimum password length

Longer passwords are harder to guess, but they’re also more difficult to remember. For customers, eight to ten characters is usually manageable, while retaining a good level of security. They’ll be used to coming up with combinations of this length for sites such as Facebook and Amazon.

You may want to require longer passwords for store managers and employees for peace of mind. Their accounts hold more sensitive information and have more privileges. Consider setting the minimum between 12 and 20 characters.

To help your employees and also customers, you may also recommend a password manager they can use to securely store their credentials.

2. Require multiple character types

Most customers are used to using upper- and lower-case letters, and also numbers in their passwords. Since this is standard practice across popular platforms, you can include these stipulations in your policies without increasing user friction.

Insisting on using special characters (such as !, @, &, or *) can make passwords more difficult to guess. However, this policy is a little more troubling for users. If you want to play it safe you can reserve this for store manager passwords.

3. Implement an expiration policy

Having customers and store managers reset their passwords periodically makes it almost impossible for attackers to guess a password. However, some may consider this task tedious, so you might want to consider longer expiration periods for customers.

Expiration policies aren’t terribly common on social media or e-commerce sites. You see them more often on websites belonging to organizations that gather highly-personal user information, such as Google and banks.

Since shoppers may be less accustomed to this requirement, you might forego it altogether. However, you can likely require new passwords once or twice a year without too much protest. It would also be a good excuse to get in touch with our customers.

However, store manager accounts contain much more sensitive information. So enforcing an expiration period of four to six weeks isn’t unreasonable. For store managers you should also consider enabling the dormant WordPress users policy, so inactive user accounts do not jeopardize the security of your e-commerce store and business website.

4. disallow password reuse

This policy prevents users from recycling their previous passwords after they expire. Again, some may find this requirement annoying, so give customers a little more leniency than store managers.

Preventing customers from reusing their two most recent passwords is well within reason. For store managers, you might increase that limit to the last five or six combinations they’ve used.

How to implement passwords policies for Your WooCommerce customers

Before you can start enforcing password policies on your WooCommerce store, you’ll need a means of doing so. This is where MelaPress Login Security comes in.

MelaPress Login Security

This plugin uses WordPress’ own secure mechanism to reset and store passwords. It also clearly displays the password policies. Customers don’t have to attempt to figure out what your standards are. They have clear guidelines that any non-tech savvy can understand.

Clearly shown password policies that need to be met

Plus, you can create policies based on user roles, enabling customers to use simpler passwords than store managers. Refer to configuring different password policies per role for more information on how you can do this:

Configure different password policies per user role

Once you have configured the strong password policies, users will be prompted to follow them any time they create new accounts or change their passwords. One of our plugin’s strengths is that it shows the users the requirements. By taking the guesswork out of the equation, you make password and customer account security less of a hassle.

Do you use custom login pages?

Most eCommerce solutions on WordPress, including WooCommerce use custom user portal login pages. If this is the case, you can still enforce strong password policies. Refer to enforcing strong password policies on custom login pages for more information on how you can easily achieve this.

Keeping your eCommerce customers’ accounts safe

Enforcing password security on your WooCommerce or other eCommerce store can be tricky. You want to keep your customers’ data safe. However, you don’t want to frustrate them with complex rules. To recap, here are four policies to consider for your online store:

  1. Set a minimum password length, but keep it shorter for customers than store managers (about eight characters).
  2. Require multiple character types, with special characters reserved for store manager passwords.
  3. Implement an expiration policy, but don’t pester customers with password reset notifications more than twice a year.
  4. Disallow password reuse within certain time frames, extending that period for store managers while keeping it shorter for customers.

You can do all of the above with MelaPress Login Security. On top of all this, it also guides the users with effective recommendations when setting up an account or resetting their password.

Bonus Tip: Implement two-factor authentication

Apart from the strong password policies, you should also implement two-factor authentication (2FA), at least for your your team, such as other administrators, editors, and shop manager. Configuring and enabling 2FA can be done within just seconds, with the right two-factor authentication plugin for WordPress.


Alice 15/12/2019

I agree with you that we should increase WooCommerce store security by enforcing strong passwords. However, this sometimes discourages customers. I think we can also try other passwordless login or authentication methods.

Robert Abela 07/01/2020

Thank you for your comment Alice. That is exactly the message we are trying to convey with this article: we should help users use strong passwords but not overdo it, and we should educate them about password managers. At this stage this is the only option. Passwordless technologies are still in their very early days and they are actually more complex for end users to use than passwords and password managers.

Leave a Reply

Your email address will not be published. Required fields are marked *

Our other plugins