Are you looking for a way to have mandatory password changes in WordPress? While this may be annoying to visitors on your website, it is for their own benefit. Passwords are half of the information that a visitor must input to access their account. The other half is usually an email address or username, which makes them easy to guess.
As you can imagine, figuring out the email address or username required is actually really easy. This makes passwords the real way to stop someone from entering your account and changing them regularly increases your account security.
Although passwords are relatively easy to change, keep in mind the changing the username in WordPress is a bit more convoluted.
Today, I will demonstrate how to enforce mandatory password changes in WordPress using the Expire Passwords plugin.
When is it Appropriate to Enforce Password Changes
While password changes are good for account security, they can be extremely annoying to visitors, especially if they are too frequent. It is important to know when it is appropriate to do this.
The first factor that should be considered is what someone could do with the account. For example, let’s consider the difference between a blogging website and a University account.
The worst thing that could happen on a compromised blogging website account is the hackers leave a nasty comment or change your account information around. It’s really not the end of the world if it happens.
The University account is much more dangerous. You could withdraw someone from classes, mess with financial aid, change what was submitted to a professor, and so much more. This account needs to be protected.
The second most important factor should be understanding how secure the login information is. Most accounts require an email address or username to login. Both of these are quite easy to get, but an institution may use a very easy system to log in. Let’s use the same example.
The standard WordPress login can use either an email or a username to login. This makes it as secure as the rest of the Internet.
Universities use different systems, but one of the most common one is making your username related to your name. For example, if your name is John Smith, your login name is probably JSmith or SmithJ. It’s actually really easy to figure it out and that makes it extremely dangerous considering how important the account is.
As you can probably guess, Universities are one of the many institutions that enforce mandatory password changes. Every website is unique and if you feel that you need to enforce them on your website, it’s really easy to do.
How to Enforce Mandatory Password Changes in WordPress
Today, I will demonstrate how to enforce mandatory password changes in WordPress using the Expire Passwords plugin. While you cannot completely control if your visitors will create strong passwords, changing them frequently will help. This plugin does exactly that, select the frequency that you want passwords to change and you’re done. All user roles that you select must change their password.
It is important to keep in mind that this can be extremely annoying to visitors if you force them to change it too frequently. My personal recommendation is a six month period, but the choice is completely up to you.
Installing Expire Passwords
Let’s start with clicking on Plugins and selecting the Add New option on the left-hand admin panel.
Search for Expire Passwords in the available search box. This will pull up additional plugins that you may find helpful.
Scroll down until you find the Expire Passwords plugin and click on the “Install Now” button and activate the plugin for use.
On the left-hand admin panel click on Users and select the Expire Passwords option. This will pull up the main settings page.
Creating Expiring Passwords
This plugin makes it extremely easy to implement password changes. All you need to do is enter how often you want the password to be changed and which user roles must change.
The first thing to select is the frequency. You can select how often it occurs in days. I recommend a six month period, which is 180 days, but you can pick the number that works best for your website.
All that’s left to do is to choose who must reset their password. You can have it affect every single account, including staff, or just affect visitors. The choice is up to you, but make sure you alert the accounts that will have to change their password.
Click on the “Save Changes” button when you are done.
Congratulations, you have successfully set up mandatory password changes in WordPress. You can change the settings at any time and can deactivate the plugin if you want to stop them completely.
Keep Your Accounts Safe
While no one likes to think of all the things that can go wrong when someone hacks another person’s account, it is important. While not every website will need a feature like this, extra security never hurts anyone, but it can annoy them. If accounts for your website require a lot of personal information, like credit card information and billing address, it can have serious implications if a hacker gets access.
Changing your password regularly ensures that visitors are using different passwords, which prevents password stacking. Password stacking means that a person is using the same password on multiple websites. That means if one website is compromised, it could affect all the others they use the same password for. Keep accounts safe by using other security plugins to prevent this from happening.
Why do you want to force password changes on your website? How frequently do they change?