Security plugins can harden your website, but much of that work is undone when a visitor chooses a weak password. However, did you know that you can force strong passwords in WordPress?
A strong password makes it far harder for an attacker to brute force their way into an account. Blocking common choices like 123456 matters just as much, because those are the first guesses any attacker tries.
Today, I will demonstrate how to force strong passwords in WordPress with the No Weak Passwords plugin.
Why A Strong Password Is Vital
Account takeover is a serious problem nowadays. Unfortunately, a lot of these cases are not the website or platform’s fault but the visitor’s own. Selecting a weak password makes it easy for hackers to get into your account. However, hackers are not your only concern.
Angry siblings, nosy parents or friends, and plenty of other situations can lead someone to try and enter your account. When you select a password, you need to make sure it is strong and does not include your personal information.
For example, one of the most common mistakes is using your birthday. With social media platforms like Facebook, this information can often be viewed publicly, which makes it a terrible choice.
Instead, you want a password that contains upper- and lower-case letters, numbers, and symbols. Length matters even more than variety: the longer the better.
It is also imperative that every password you use is unique. If one account is compromised, you do not want a domino effect to occur.
Thus, your passwords need to be strong and unique.
How to Force Strong Passwords in WordPress
The No Weak Passwords plugin forces users to select a stronger password in WordPress. It does this by checking whether the password a user enters appears on a list of the most common passwords and rejecting it if it does.
The plugin has no settings to configure. Once you activate it, it begins enforcing the check immediately, which means existing accounts are affected as well as new ones.
If an existing user has a password that is considered common, they will have to reset it by using the Lost Password feature in WordPress. They will receive an error message with the instructions when they attempt to log in.
As such, it is highly recommended that you inform users in advance about this change, and possibly write instructions for what they should do if they see an error message when they attempt to log in.
With all of this said, the plugin is as easy as it gets since you just need to install it.
Note: Despite the plugin’s name, it is a denylist rather than a strength checker. Users can still create a password that WordPress’s own strength meter rates as weak, as long as it is not one of the common passwords the plugin blocks, like 123456.
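As an added example of the kind of check the plugin performs (this is not the No Weak Passwords plugin’s own code), the following must-use plugin rejects any password found in a denylist file when a password is set or reset, and sends an existing account to Lost Password when it logs in with one. The file name `common-passwords.txt`, the short built-in fallback list, the `example_` function names and the case-insensitive matching are assumptions of this example; the hooks (`user_profile_update_errors`, `validate_password_reset`, `wp_authenticate_user`) and the `pass1` field name are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Example Common Password Denylist
 * Description: Added example, not the No Weak Passwords plugin's code. Rejects denylisted
 * passwords when a password is set or reset, and sends existing accounts to Lost Password
 * when they log in with one. Drop into wp-content/mu-plugins/ to activate.
 */

// Assumption: one password per line in a file beside this plugin. The fallback entries are a
// constructed stand-in so the example runs without the file; a real deployment would use a
// list of the most common leaked passwords (the plugin on this page ships 3546 of them).
function example_common_passwords(): array {
    static $set = null;
    if ($set === null) {
        $file  = __DIR__ . '/common-passwords.txt';
        $lines = is_readable($file) ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
        if (!$lines) {
            $lines = ['123456', 'password', 'qwerty', '12345678', 'letmein']; // constructed fallback
        }
        // Hash-keyed set for O(1) lookups. Matching is case-insensitive (an assumption of this
        // example, stricter than a plain list compare) so "Password" is caught by the "password" entry.
        $set = array_fill_keys(array_map('strtolower', $lines), true);
    }
    return $set;
}

function example_is_common_password(string $password): bool {
    return isset(example_common_passwords()[strtolower($password)]);
}

// New and changed passwords. The Add User, Edit Profile and Reset Password screens all post the
// candidate as "pass1"; adding to $errors makes WordPress refuse to save it.
function example_reject_common_password(WP_Error $errors): void {
    if (!isset($_POST['pass1'])) {
        return;
    }
    if (example_is_common_password((string) wp_unslash($_POST['pass1']))) {
        $errors->add(
            'common_password',
            __('<strong>Error</strong>: That password is on a list of commonly used passwords. Please choose another.')
        );
    }
}
add_action('user_profile_update_errors', 'example_reject_common_password');
add_action('validate_password_reset', 'example_reject_common_password');

// Existing accounts. wp_authenticate_user runs after the user is looked up but before the password
// hash is verified, and receives the plaintext password, which is the only point at which a
// password that was set before this check existed can be tested against the list.
function example_block_common_password_login($user, string $password) {
    if ($user instanceof WP_User && example_is_common_password($password)) {
        // Deliberately fires whether or not the password is correct: blocking only correct
        // passwords would turn this message into an oracle confirming an attacker's guess.
        return new WP_Error(
            'common_password',
            sprintf(
                __('<strong>Error</strong>: That password is on a list of commonly used passwords. If it is your current password, please <a href="%s">reset it</a> before logging in.'),
                esc_url(wp_lostpassword_url())
            )
        );
    }
    return $user;
}
add_filter('wp_authenticate_user', 'example_block_common_password_login', 10, 2);
```

The login hook returns its error before the stored hash is checked on purpose. If it fired only when the submitted password was correct, the “please reset it” message would confirm to whoever typed it that the guess was right. The cost is that a user who mistypes their password as a listed one also sees the reset message, which is one more reason to explain the change to users in advance.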
Step 1: Installing No Weak Passwords
To begin, click on Plugins and select the Add New option on the left-hand admin panel.
Search for No Weak Passwords in the available search box. This will pull up additional plugins that you may find helpful.
Scroll down until you find the No Weak Passwords plugin and click on the “Install Now” button and activate the plugin for use.
Unlike many WordPress plugins, this one works out of the box, so there are no settings to configure. The moment it is activated, any user who tries to log in with one of the 3546 passwords the plugin blocks will be asked to create a new one.
Step 2: Understanding the Visitor’s View
While the plugin works without any additional input, you may want to familiarize yourself with how it looks when creating a new account. If you were to pick a password on the list, say 123456, you would see this message:
The password the user entered will not be set, and they will have to enter a new one. It is a good idea to make it clear what a password must include to avoid frustration.
To help create a strong password you have plenty of options. The most convenient is built into WordPress: when you create an account, it automatically generates a strong password that you can use.
It will also rate any password you type as weak or strong.
If a user chooses to create their own password, that is fine, but they are still allowed to use a weak one as long as it is not on the plugin’s list. They will just be forced to check a box acknowledging that they chose a weak password, like so:
This may help dissuade some users from choosing such a password. Of course, this is just for creating a new user. What about existing ones? Well, if they try to log in using their old password, they will be prompted to reset their password.
And that covers everything this plugin does.
Step 3: Announce the Changes
Due to the nature of these changes, existing users may panic when they see a big error message forcing them to change their password. In fact, they might think it is a phishing scam or an attempt to get into their account.
As such, you should really have an official announcement on your website.
There are several ways to send out such a notification and some of them include:
- Notification on the Home Page
- Announcement on Social Media
- Send Out Emails Explaining the Change
It is very important for users to understand this is an official change and that their account is secure. Even with an announcement in place, you will probably want to inform your customer support and prepare them for an influx of calls or requests regarding the change.
As long as you take these steps, you can help reduce the impact on users.
What About Other Password Generators?
Password generators are a dime a dozen. They produce a random string of letters, numbers, and symbols that you can use as a password. A good one draws from a cryptographically secure random source, so the result has no discernible pattern and no connection to you, and cannot be guessed from anything an attacker knows about you.
WordPress includes one when creating a password, thus it is really unnecessary to use another tool.
However, if we had to recommend one, we would recommend our own. We offer a free password generator that you can use to create passwords for your site or for online accounts in general.
You can access our password generator by visiting our site tools.
You can use the slider to determine the length of the password you want to generate, and toggle if you want it to include numbers, symbols, uppercase, or lowercase letters. By default, all options are selected, which is recommended for the best passwords.
You can then just copy the password and use it for your account. You should also take a moment to add that password to your password manager, or if you don’t have one, write it down and store it in a secure location.
These passwords are not intended to be memorized. We strongly suggest using a password manager for the best results.
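As an added example (this is not the site’s own generator), here is a generator in PHP that takes the same options described above: a length, plus toggles for lowercase, uppercase, digits and symbols. The function names and the symbol set are this example’s own choices; it uses PHP’s `random_int()` because that function reads the operating system’s CSPRNG.

```php
<?php
// Added example, not the site's own generator. Produces a password of the requested length from the
// enabled character classes, guarantees at least one character from each enabled class, and uses
// random_int(), which reads the OS CSPRNG, for every choice. Function names and symbol set are this
// example's own choices; backslash and quote characters are left out to avoid form and shell trouble.

function example_generate_password(
    int $length = 20,
    bool $lower = true,
    bool $upper = true,
    bool $digits = true,
    bool $symbols = true
): string {
    $classes = array_values(array_filter([
        $lower   ? 'abcdefghijklmnopqrstuvwxyz' : '',
        $upper   ? 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' : '',
        $digits  ? '0123456789' : '',
        $symbols ? '!#$%&()*+,-./:;<=>?@[]^_{|}~' : '',
    ]));
    if ($classes === []) {
        throw new InvalidArgumentException('Enable at least one character class.');
    }
    if ($length < count($classes)) {
        throw new InvalidArgumentException('Length too short to include every enabled class.');
    }
    $all = implode('', $classes);

    // rand() and mt_rand() are seeded predictably and must never be used for secrets.
    $pick = static fn (string $alphabet): string => $alphabet[random_int(0, strlen($alphabet) - 1)];

    $chars = [];
    foreach ($classes as $alphabet) {      // one guaranteed character per enabled class
        $chars[] = $pick($alphabet);
    }
    while (count($chars) < $length) {      // the rest drawn uniformly from the union
        $chars[] = $pick($all);
    }

    // Fisher-Yates shuffle, also driven by random_int(), so the guaranteed characters do not sit in
    // predictable positions. str_shuffle() uses a non-cryptographic generator and is not suitable.
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }
    return implode('', $chars);
}

// Upper bound on the guesswork: length * log2(alphabet size). With all four classes on (90 symbols)
// a 20-character password is roughly 130 bits; the per-class guarantee shaves a little off that.
function example_entropy_bits(int $length, int $alphabetSize): float {
    return $length * log($alphabetSize, 2);
}

echo example_generate_password(20), PHP_EOL;
printf("%.1f bits\n", example_entropy_bits(20, 90));
```

The entropy figure is the reason length beats any single complexity rule: adding one character to a 90-symbol alphabet multiplies the search space by 90, whereas adding a symbol class to a fixed-length password adds far less.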
Force Strong Passwords in WordPress Today
Unfortunately, because WordPress allows weak passwords, visitors are likely to pick one. Forcing WordPress to reject the most common passwords is a simple way to boost your website’s security.
Here is the bad news. If an account on your website is compromised, the user will always blame your website. This includes the individuals who pick 123456 as a password. By preventing this behavior, you are protecting yourself from a range of issues.
Do you think the list of common passwords is large enough? Should WordPress only accept strong passwords?