By default WordPress does not require strong or complex passwords but it is easy to add the functionality. Here is a great article explaining why strong passwords are so important. The first thing to do is define what your password complexity requirements are going to be. Are you requiring a password length, capital letters, numbers, special characters, no dictionary words, etc. Once you have defined the requirements it’s time to get coding!

Actions and Filters

There are a few actions that update a user’s password: registration, profile update, and password reset on the login form. To have a chance to validate the password fields we need a few hooks. The registration_errors filter is used upon user registration. The user_profile_update_errors action is triggered on profile updates. Finally, the validate_password_reset action is pretty self explanatory.

Force a Strong Password

Using these actions and filters we can validate the user’s password and render an error message if the password does not meet our requirements. Simply add this to functions.php

// functions.php

add_action( 'user_profile_update_errors', 'validateProfileUpdate', 10, 3 );
add_filter( 'registration_errors', 'validateRegistration', 10, 3 );
add_action( 'validate_password_reset', 'validatePasswordReset', 10, 2 );



/**
 * validate profile update
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   WP_Error $errors
 * @param   boolean $update
 * @param   object $user raw user object not a WP_User
 */
public function validateProfileUpdate( WP_Error &$errors, $update, &$user ) {

	return validateComplexPassword( $errors );
}


/**
 * validate registration
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   WP_Error $errors
 * @param   string $sanitized_user_login
 * @param   string $user_email
 * @return  WP_Error
 */
function validateRegistration( WP_Error &$errors, $sanitized_user_login, $user_email ) {

	return validateComplexPassword( $errors );
}

/**
 * validate password reset
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   WP_Error $errors
 * @param   stdClass $userData
 * @return  WP_Error
 */
function validatePasswordReset( WP_Error &$errors, $userData ) {

	return validateComplexPassword( $errors );
}

/**
 * validate complex password
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   WP_Error $errors
 * @param   stdClass $userData
 * @return  WP_Error
 */
function validateComplexPassword( $errors ) {

	$password = ( isset( $_POST[ 'pass1' ] ) && trim( $_POST[ 'pass1' ] ) ) ? $_POST[ 'pass1' ] : null;

	// no password or already has password error
	if ( empty( $password ) || ( $errors->get_error_data( 'pass' ) ) )
		return $errors;

	// validate
	if ( ! isStrongPassword( $password ) )
		$errors->add( 'pass', '<strong>ERROR</strong>: Your password must contain at least 8 characters.' ); // your complex password error message

	return $errors;
}

/**
 * isStrongPassword
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   string $password
 * @return  boolean
 */
function isStrongPassword( $password ) {

	return strlen( $password ) >= 8; // your complex password algorithm
}

Here all of the hooks and filters end up calling the validateComplexPassword function. We essentially verify that a user has POSTed a password and check to see if there are no other password errors before validating complexity. I have the strong password algorithm broken out into another function which is where you can substitute your own validation algorithm. Note the error message we add if the password is not complex, substitute your own message here.