Enforcing Strong Passwords in WordPress with iThemes Security
One of the most overlooked areas of security for WordPress users is passwords. It is common knowledge that using stronger passwords can help reduce the risk of your WordPress blog or user accounts becoming compromised. However, not many users know how to enforce strong passwords for all users. If you allow users to register for your WordPress blog, you may have noticed that since WordPress 4.3, better passwords have been available. While this makes it easy for users to create or reset their account with a strong password, WordPress itself doesn’t have any password strength requirements. This is where a plugin can come in handy to help improve WordPress security.
To enforce strong passwords in WordPress and ensure users create stronger passwords from the beginning, we recommend the iThemes Security plugin. It does a lot more than enforce strong passwords, but let’s focus on just that one function for now.
Configuring Enforce Stronger Passwords
First, you’ll need to install the plugin. This is easily done from your WordPress dashboard by going to Plugins > Add New and searching for “iThemes security.” It should be the first result, so just click to install and activate the plugin.
With the plugin active, click on the new Security menu item in your dashboard to access your iThemes Security settings. As mentioned, there are a ton of awesome security options. But for now, click on the “Configure settings” button for Password Requirements.
This will open a popup where you can check a box to enable the iThemes Security force strong passwords feature. You can also choose a minimum user role to apply this rule to. Strong passwords are then enforced for that role and every role above it.
Depending on your website, you might want to force all users to use strong passwords. In which case, you’d select the “subscriber” role. But if you require folks to sign up for a subscriber account to download freebies, you may not want to discourage them by requiring a strong password. In this case, it might be better to simply apply the requirement to contributors and above.
Just save your settings, and you should be good to go. Now when users register or go to update their password, they’ll be forced to select a strong password.
If a user attempts to use anything other than a strong password, they should see a warning telling them to try again with something a bit stronger.
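To make the "minimum role and above" behavior concrete, here is an added example of a server-side check written as a small must-use plugin. It is not iThemes Security's code: the `demo_` names, the role-to-capability map, the `DEMO_MIN_ROLE` setting and the length/character-class rule are all assumptions for illustration, and it covers only profile updates and password resets.

```php
<?php
/**
 * Added example (not iThemes Security code): server-side strong-password rule
 * applied to a minimum role and above. Place in wp-content/mu-plugins/.
 */

// Assumption: one capability stands in for each default role, lowest to highest.
const DEMO_ROLE_CAPS = array(
    'subscriber'    => 'read',
    'contributor'   => 'edit_posts',
    'author'        => 'publish_posts',
    'editor'        => 'edit_others_posts',
    'administrator' => 'manage_options',
);
const DEMO_MIN_ROLE = 'contributor'; // hypothetical setting: contributors and above

// Stand-in strength rule (assumption): 12+ characters and 3 of 4 character classes.
function demo_is_strong( $password ) {
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        $classes += preg_match( $re, $password );
    }
    return strlen( $password ) >= 12 && $classes >= 3;
}

function demo_check( $errors, $user_id, $password ) {
    if ( '' === $password || ! user_can( $user_id, DEMO_ROLE_CAPS[ DEMO_MIN_ROLE ] ) ) {
        return; // no new password submitted, or the user is below the threshold
    }
    if ( ! demo_is_strong( $password ) ) {
        $errors->add( 'weak_password', 'Please choose a stronger password.' );
    }
}

// Profile and user-edit screens: $user->user_pass holds the submitted password.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( $update && isset( $user->user_pass ) ) {
        demo_check( $errors, $user->ID, $user->user_pass );
    }
}, 10, 3 );

// Password reset form: the submitted password arrives as $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( $user instanceof WP_User && isset( $_POST['pass1'] ) ) {
        demo_check( $errors, $user->ID, (string) wp_unslash( $_POST['pass1'] ) );
    }
}, 10, 2 );
```

Because the check runs on the server, it still applies when a request bypasses the browser's strength meter.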
If you upgrade to iThemes Security Pro, you’ll also have access to malware scans, Google reCAPTCHA, user action logs, strong password generator, password expiration, and the option to enable 2-factor authentication for WordPress. Basically, an entire arsenal of security hardening features.
By enforcing strong passwords in WordPress, you reduce the chances of accounts being compromised by a brute force attack. It also helps keep guest and administrator accounts more secure for your WordPress blog.
Thankfully, this is easy when you use a plugin like iThemes Security, WordFence, or even Force Strong Passwords. The requirement from any of these plugins applies to new accounts and to passwords set going forward, and it is a great way to reinforce your site security. Just be sure to remind authors and existing users to give their passwords an update as well.
Do you have any tips for stronger passwords? Or do you have a different plugin you’d recommend? Leave us a comment below.