By default WordPress does not require strong or complex passwords but it is easy to add the functionality. Here is a great article explaining why strong passwords are so important. The first thing to do is define what your password complexity requirements are going to be. Are you requiring a password length, capital letters, numbers, special characters, no dictionary words, etc. Once you have defined the requirements it’s time to get coding!
Actions and Filters
There are a few actions that update a user’s password: registration, profile update, and password reset on the login form. To have a chance to validate the password fields we need a few hooks. The registration_errors filter is used upon user registration. The user_profile_update_errors action is triggered on profile updates. Finally, the validate_password_reset action is pretty self explanatory.
Force a Strong Password
Using these actions and filters we can validate the user’s password and render an error message if the password does not meet our requirements. Simply add this to functions.php
// functions.php add_action( 'user_profile_update_errors', 'validateProfileUpdate', 10, 3 ); add_filter( 'registration_errors', 'validateRegistration', 10, 3 ); add_action( 'validate_password_reset', 'validatePasswordReset', 10, 2 ); /** * validate profile update * * @author Joe Sexton <joe.@webtipblog.com> * @param WP_Error $errors * @param boolean $update * @param object $user raw user object not a WP_User */ public function validateProfileUpdate( WP_Error &$errors, $update, &$user ) { return validateComplexPassword( $errors ); } /** * validate registration * * @author Joe Sexton <joe.@webtipblog.com> * @param WP_Error $errors * @param string $sanitized_user_login * @param string $user_email * @return WP_Error */ function validateRegistration( WP_Error &$errors, $sanitized_user_login, $user_email ) { return validateComplexPassword( $errors ); } /** * validate password reset * * @author Joe Sexton <joe.@webtipblog.com> * @param WP_Error $errors * @param stdClass $userData * @return WP_Error */ function validatePasswordReset( WP_Error &$errors, $userData ) { return validateComplexPassword( $errors ); } /** * validate complex password * * @author Joe Sexton <joe.@webtipblog.com> * @param WP_Error $errors * @param stdClass $userData * @return WP_Error */ function validateComplexPassword( $errors ) { $password = ( isset( $_POST[ 'pass1' ] ) && trim( $_POST[ 'pass1' ] ) ) ? $_POST[ 'pass1' ] : null; // no password or already has password error if ( empty( $password ) || ( $errors->get_error_data( 'pass' ) ) ) return $errors; // validate if ( ! isStrongPassword( $password ) ) $errors->add( 'pass', '<strong>ERROR</strong>: Your password must contain at least 8 characters.' ); // your complex password error message return $errors; } /** * isStrongPassword * * @author Joe Sexton <joe.@webtipblog.com> * @param string $password * @return boolean */ function isStrongPassword( $password ) { return strlen( $password ) >= 8; // your complex password algorithm }
Here all of the hooks and filters end up calling the validateComplexPassword function. We essentially verify that a user has POSTed a password and check to see if there are no other password errors before validating complexity. I have the strong password algorithm broken out into another function which is where you can substitute your own validation algorithm. Note the error message we add if the password is not complex, substitute your own message here.
Hey there, we’ve attempted to make use of this code but the validate_password_reset action doesn’t seem to kick in at all? We cant find any mention of it on the wordpress codex either?
We’ve given more details here:
http://wordpress.stackexchange.com/questions/149413/enforcing-password-complexity
If you have a moment, please could you have a look into this?
Thank you
Have a look here: http://wphooks.info/actions/validate_password_reset/ which shows where the action is called.
I think there’s a typo in this article. (Or, maybe the WordPress developers have just changed the way things work since you wrote it).
Specifically, I think the first argument to the “user_profile_update_errors” action is passed by value, not by reference. Your example shows it being passed by reference.
Thanks for providing the article anyway.
Have a nice day,
Some dude on the internet
(I’m too privacy-concerned to put my real email address here… or name, for that matter)
This is what I needed, thanks a lot