Enforcing Strong User Passwords In WordPress

If your WordPress website allows for any kind of user accounts – be they additional content authors, users with access to password protected content, or ecommerce customers – setting up enforcement of strong passwords in WordPress is an invaluable tool in helping keep your website and your users protected and it can be done in minutes!

This article is part of a series on WordPress security essentials. Be sure to check out additional articles in the series for additional valuable information.

What Makes A Strong Password?

In the absolute simplest terms, strong passwords consist of two things – the number of characters and variety of types of characters. We’ve all heard the mantra about using a combination of numbers, upper and lowercase letters, and symbols in our passwords but many people don’t consider just how important the length of their password is.

Every few years, the folks over at Hive Systems put out an updated chart showing the maximum – not minimum – amount of time it takes a would-be hacker to crack a password using a desktop computer with a top-of-the line graphics card – they’re excellent at the kind of math required to generate password hashes. The latest update to this chart was released in March 2022 and is shown below.

Hive Systems "Time To Hack 2022" Table
Hive Systems “Time To Hack 2022” Table

In their blog post announcing the latest chart, Hive Systems discusses their methodology in calculating these results and how applying more horsepower to the equation as well as different password encryption methods affects these results. I encourage you to give it a read sometime.

A pretty common standard for passwords is a minimum length of 8 characters. Having a look at the chart above, though, you’ll notice that even with a combination of upper and lowercase letters, numbers, and symbols that the maximum amount of time it would take a determined attacker to crack a password that short is just 5 hours.

Simply put, longer passwords are better passwords. When deciding on what password standards to enforce on your website, keep this table in mind. On my own websites I enforce a minimum password length of 14 characters – which would take an attacker on a desktop PC at most 118 million years to crack. Many of my own personal passwords are 30 characters or more.

Using a password manager to handle passwords like this is essential for sanity sake – especially because remembering every password for every site I have access to would be a near impossible task for most people … because you’re not supposed to re-use passwords. You ARE using different passwords everywhere, right? Strong passwords are also unique passwords.

Now that we’ve talked briefly on what makes a strong password, let’s discuss a few ways you can go about improving your WordPress password security.

Profile Builder Plugin

The first of two free plugins I’m going to mention in this article is one called Profile Builder by Cozmoslabs. This particular plugin is useful for creating WordPress sites that have password protected content and has additional features for creating pages to handle user registration and profiles.

Even if you choose not to use the additional features the plugin provides, the General Settings tab of the plugin settings allows you to define a minimum password length and adjust the minimum password strength allowed on your website. This password strength is based on WordPress’ own functions for determining password strength – which in my opinion aren’t necessarily the best but they’re better than not having any method of enforcing a more difficult password.

Profile Builder Plugin - General Settings
Profile Builder Plugin – General Settings

Password Policy Manager Plugin

If you’d prefer something more purpose built with more control over password settings, have a look at Password Policy Manager by miniOrange. The free version of this plugin gives you the ability to choose what character requirements you want to enforce – I highly suggest using them all – as well as the password length.

Additionally, you can decide if you want users to have to change their password after their first login and if you want passwords to expire after a period of time – forcing users to pick a new password.

Strong Passwords In WordPress - Password Policy Manager Plugin
Password Policy Manager Plugin

Lastly, in the event of an emergency, with a single click of the Reset Password button you can log out all users and reset all passwords. After exercising this option, users are forced to use the site’s reset password link to get their password changed and get logged back in.

What If Your Password Is Discovered

An extra bit of related advice – security is best implemented like an onion in layers. Yes I made a Shrek joke. But it’s true. I highly recommend adding another layer of security to your WordPress login by implementing two-factor authentication. I even wrote a tutorial on how to set up two-factor authentication in WordPress. It only takes a few minutes of your time. This way, even if your password is cracked or otherwise discovered by someone else you’ll still be able to prevent them from gaining access to your website.

Making Things Even Harder On Password Hackers

Another bit of related advice – if you want to slow down your would-be password hacker, another security layer you can add to your website is limiting how many login attempts users are allowed before they’re forced to wait to attempt logging in again. This feature can be found in some WordPress firewall plugins – including my personal preference NinjaFirewall. However, if yours doesn’t have this feature you can implement it with the Limit Login Attempts Reloaded plugin.

This plugin works extremely well – at sometimes too well in fact. I’ve had instances in the past with sites that make use of this plugin preventing legitimate logins resulting in WordPress maintenance clients asking me to get them back into their sites. Keep this in mind if you choose to implement this plugin.


Congratulations! With enforcement of strong passwords, your WordPress website is already more secure against attackers. Consider checking out other articles such as Protecting WordPress Logins & Forms With hCaptcha or how to Setup Two-Factor Authentication On WordPress for additional ways to help protect your website that are easy-to-implement.

If you found this tutorial helpful or have any questions, I encourage you to please share it with others and/or leave a comment below. If you would like to support our efforts to create additional resources like this, please consider making a donation. Your support is greatly appreciated!

Leave a Comment

Your email address will not be published. Required fields are marked *

I accept the Privacy Policy

Scroll to Top