By default WordPress does not require strong or complex passwords but it is easy to add the functionality. Here is a great article explaining why strong passwords are so important. The first thing to do is define what your password complexity requirements are going to be. Are you requiring a password length, capital letters, numbers, special characters, no dictionary words, etc. Once you have defined the requirements it’s time to get coding!

Actions and Filters

There are a few actions that update a user’s password: registration, profile update, and password reset on the login form. To have a chance to validate the password fields we need a few hooks. The registration_errors filter is used upon user registration. The user_profile_update_errors action is triggered on profile updates. Finally, the validate_password_reset action is pretty self explanatory.

Force a Strong Password

Using these actions and filters we can validate the user’s password and render an error message if the password does not meet our requirements. Simply add this to functions.php

Here all of the hooks and filters end up calling the validateComplexPassword function. We essentially verify that a user has POSTed a password and check to see if there are no other password errors before validating complexity. I have the strong password algorithm broken out into another function which is where you can substitute your own validation algorithm. Note the error message we add if the password is not complex, substitute your own message here.

4 comments on “Force Password Complexity Requirements in WordPress

  1. Jordon says:

    Hey there, we’ve attempted to make use of this code but the validate_password_reset action doesn’t seem to kick in at all? We cant find any mention of it on the wordpress codex either?

    We’ve given more details here:

    http://wordpress.stackexchange.com/questions/149413/enforcing-password-complexity

    If you have a moment, please could you have a look into this?

    Thank you

    1. Joe Sexton says:

      Have a look here: http://wphooks.info/actions/validate_password_reset/ which shows where the action is called.

  2. Simon Cord says:

    I think there’s a typo in this article. (Or, maybe the WordPress developers have just changed the way things work since you wrote it).

    Specifically, I think the first argument to the “user_profile_update_errors” action is passed by value, not by reference. Your example shows it being passed by reference.

    Thanks for providing the article anyway.

    Have a nice day,
    Some dude on the internet
    (I’m too privacy-concerned to put my real email address here… or name, for that matter)

  3. Agustin says:

    This is what I needed, thanks a lot

Comments are closed.