Why force new WordPress users to reset their password?

There are quite a few reasons why you would want to force new users to reset their password upon logging in to your WordPress website for the first time.

New users are prone to using weak passwords. Given the option, users always use weak passwords. So when they receive the user registration email with a password reset link, they will use a weak password. Very few users are security-savvy and use a password manager to store strong passwords.

Another password security problem, is that passwords are typically sent over email. For example, when you register as a customer on a WooCommerce store or membership platform, you receive the password over email. So it is recommended to force new users to reset their password the first time they login since emails are sent as clear text.

How to force new users to change their password the first time they login to your WordPress website

1. Install the Password Policy Manager for WordPress plugin.
2. Navigate to the Password Policies section.
3. Enable the policy Reset password on first login. Once this policy is enabled, when a user logs in for the first time their password has to meet all the policies for it to be accepted.