Home Blog WordPress Security WordPress Password Policy: Enforcing Strong Passwords

WordPress password policy

WordPress Password Policy: Enforcing Strong Passwords

Having a WordPress password policy for all WordPress user accounts, especially the admin account, is crucial for improving your WordPress website security. A strong password is harder for bad actors to crack, reducing the likelihood of compromised accounts.

Unfortunately, people don’t always use strong passwords for their accounts. This could be because they have trouble remembering strong passwords or because they’re not aware of how easy it is to crack a weak password.

In this guide, we will discuss different password rules you should enforce to ensure users create strong passwords. We will also show you how you can enforce strong passwords and combine them with strong login policies to further strengthen your WordPress security.

Which password rules should you enforce?

There are a few password rules your users can follow to make their account passwords more secure.

It is important to keep in mind that you don’t have to apply all these rules to all your WordPress users. The appropriate password strength requirement for a user should be determined by their role on your website.

User roles with more privileges or permissions should have stricter password requirements compared to user roles with fewer privileges. For instance, you could set the minimum password length to 14 for administrators but 8 for subscribers.
Let’s go over some password policy recommendations now and learn how they help protect user accounts.

Set a minimum password length

In general, bad actors have a harder time cracking or guessing longer passwords. This is because increasing the password length by a single character will significantly increase the possible character combinations.

The recommended minimum password length varies depending on who you ask. For instance, Microsoft’s password guidelines recommend passwords should be at least 8 characters long. On the other hand, the Center for Internet Security (CIS) recommends a minimum password length of 10 characters while setting it to 14 if possible.

As we mentioned earlier, the appropriate minimum password length depends on the account you are trying to protect. In any case, you should enforce the password length to be at least 8 characters for all your WordPress user accounts. We recommend you make it at least 14 for WordPress admin accounts.

Use a mix of uppercase letters, lowercase letters, numbers, and special characters

A long password length requirement won’t help much if users can simply set their password to something like “aaaaaaaaaaaa”. Such passwords are fairly easy to crack with brute-force attacks.

Therefore, you should make sure users use:

  • At least one uppercase character.
  • At least one lowercase character.
  • At least one numeric character.
  • At least one special character such as [!@#$%^&*()_?£”-+=~;:€<>].

Using a mix of different types of characters makes it harder for attackers to guess your account password because the total number of possible combinations goes up.

Set a password expiration date

Having a password expiration policy in place makes sure that users change their password after regular intervals.

You should note that organizations like the National Institute of Standards and Technology (NIST) and Microsoft recommend that you don’t force users to periodically reset their passwords. You should only ask users to change passwords if the old passwords are compromised.

On the other hand, the Center for Internet Security (CIS) recommends that you change passwords every 60 days.

Whether you should enforce a password expiration policy and its aggressiveness (if you enforce it), depends on the role of the WordPress user accounts you are trying to protect.

For some user roles such as an administrator, you might want to set a password expiration date for the little bit of extra protection it provides.

For other user roles, setting a password expiration policy could be counterproductive. This is because they are likely to start using weaker and easy-to-remember passwords.

Prevent the use of old passwords

When you ask users to reset their passwords at regular intervals, some of them might simply reuse their old passwords. This nullifies the effect of setting a password expiration policy.

This isn’t just relevant to your password expiration policy, however.

When a password is compromised or might be compromised, you need to reset it. If you don’t know how then our post on how to change or reset a WordPress password might be an interesting read. 

However, if a user can reuse this same password again, it defeats the purpose of the password reset.

One easy solution to this problem is to disallow the use of old passwords on reset. CIS’s recommendation is to not let users use any of their last 24 passwords.

Some caveats regarding password policies

Enforcing the password policies discussed in the previous section will help your users create strong passwords. However, there is also a possibility that users will choose the path of least resistance and try to creatively meet any password requirements you have set on your website.

Let’s take a look at an example. We will assume that you have set the minimum password length to 8 characters and enforced the use of lowercase, uppercase, numeric, and special characters. Users could use passwords like “pa$$w0rD_” or “h0rr!fiEd_” to meet these password requirements.

Both these passwords are longer than 8 characters while containing a mix of all the required character types. Unfortunately, hackers are well aware of users’ tendency to do these kinds of substitutions. They are likely to try out such substitutions when trying to crack user passwords.

Some companies like Microsoft recommend that you don’t require the use of special characters in a password for this specific reason.

A similar situation can arise with password expiration requirements. Someone whose last password was “h0rr!fiEd_” could set their next password to be “h0rr!fiEd_1”.

One of the primary reasons users use such weak passwords is that these passwords are easy to remember.

Use a password manager

A password manager is an online service or software client that securely stores and manages user credentials across multiple websites and services. This information is accessed with a single master password and options for multi-factor authentication.

Popular examples include 1Password and KeePass.

Using a password manager will allow your users to create and store complicated passwords without the hassle of remembering them.

Enforce password policies and rules

Hopefully, you now know which password policies you should enforce. 

However, there is a problem. 

How do you go about enforcing password policies?

That’s what we’re going to show you next.

Login security plugins like Melapress Login Security can help you enforce strong password policies for all your user accounts.


This plugin is extremely easy to use and lets you configure login security policies on a role-by-role basis, offering you maximum flexibility.

This means that you can have a strict password policy in place for admin accounts while relaxing the rules a bit for other users. This ability to tweak password policy settings allows you to strike the perfect balance between your WordPress website security measures and user-friendliness.

Sounds good, right?

Let’s dive in!

Set site-wide password policies

First, download and activate the plugin. You will find it by clicking on Our plugins > Melapress Login Security in the main menu of this page.

Next, navigate to Login Security > Login Security Policies from the WordPress admin dashboard to configure and enforce password policies.

You will see two tabs on the plugin page. The first tab, Site-wide policies, allows you to enable and set up password policies for all users at once.

As you can see, the password policies we have applied globally are based on Microsoft’s recommendations. They will usually work well for user accounts with subscriber roles.

Set administrator password policy

Ideally, you should enforce stronger password policies for accounts with administrator privileges. You can do so by hovering over the second tab titled Role-based policies.

This will open a dropdown where you can select Administrator. You will see two options here.

The second option, Inherit login security policies, is checked by default. This means that the administrator role will inherit our global password policies by default. 

Uncheck this option to enforce specific password policy rules for this role.

In this case, we have set the minimum password length to 14 characters based on CIS recommendations. We have also made it compulsory to have at least one special character in the password.

You might also want to enforce changing passwords every 60 days and not using old passwords for admin accounts. If you scroll down, you will find the following settings to set a password expiration duration.

More password policy recommendations to follow

There are a few more password policy recommendations you can follow or encourage your users to follow to improve account security.

These recommendations are hard to enforce through a security plugin. However, educating your users and employees about cyber security and the importance of strong and unique passwords can help.

Here are some of the most important ones you should know:

Don’t use the same password across multiple websites and services

People often use the same password across multiple websites and services because they don’t want to deal with the hassle of remembering so many passwords.

Unfortunately, this creates a vulnerability in their account security. If a security breach happens on one of those websites, all other websites where they use the same password could be compromised.

Therefore, it’s important to have unique passwords for all your accounts.

Don’t use a common password

People also tend to use common passwords for their accounts because they are easy to remember. The top five most common passwords, according to Wikipedia, are:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 123456789

Weak passwords like this are easy to crack.

You should also avoid using words and proper names or personal information in passwords. This makes it easier for people to guess a password using information they find about you on social media or elsewhere online.

Again, you should consider encouraging your users to use password managers to create and store all their account passwords.

Using strong login policies to further strengthen security

Enforcing strong password policies will make sure that user accounts are less vulnerable to brute-force attacks. Unfortunately, they provide little protection against stolen passwords.

Bad actors can employ a variety of phishing techniques to steal user account passwords instead of trying to guess them. 

For example, they could create a fraudulent website that looks exactly like your WordPress site to trick you into entering your password. Or they could pose as employees of your organization to trick people into revealing their user passwords. 

In order to combat phishing, a combination of education and strong login policies is a must.

Strong login policies can also help prevent unauthorized access to user accounts, even if their credentials are leaked or stolen. They can also help minimize the impact of brute force attacks by limiting the number of login attempts or asking users for an authentication code to log in.

Here’s how you can set up strong login policies on your WordPress site:

Disable inactive user accounts

User accounts with administrative or editor roles usually log in at frequent intervals to manage the website and its content. However, they could become inactive due to a change in job roles, or a move to a different company.

You should consider disabling such accounts if they stay inactive for prolonged periods of time. Inactive users are also less likely to notice if their accounts are hacked. Disabling or locking such accounts will prevent unauthorized access.

As you can see, Melapress Login security allows you to automatically lock inactive users after the specified number of days have passed. In this case, we have set the threshold at 30 days.

Limit failed login attempts

A brute force attack often involves numerous login attempts through the WordPress login page using various username/password combinations. You can contain the impact of such attacks by limiting the total number of failed login attempts before locking a user account.

Use two-factor authentication

Strong password and login policies won’t help you in case of stolen WordPress passwords. As we mentioned earlier, bad actors could try to steal passwords through phishing attacks or via other means.

Strong WordPress passwords won’t protect an account in such situations but having properly configured two-factor authentication will. With two-factor authentication in place, users will have to authenticate their WordPress login requests with another authentication factor such as a passcode sent through email or SMS.
You can easily configure and use two-factor authentication on your WordPress site with the help of a 2FA plugin.


In this post, we discussed the importance of enforcing strong password policies in WordPress. We also covered the importance of user education when it comes to WordPress password security.

Using strong login policies together with strong password policies can further improve the security of your user accounts.

Frequently Asked Questions

How do I turn off weak passwords in WordPress?

WordPress doesn’t natively support the ability to block the use of weak passwords for user accounts. However, you can configure and enforce strong password policies using login security plugins like Melapress Login Security.

How do I set a strong password policy?

You can use a login security plugin like Melapress Login Security to set and enforce strong password policies. The plugin gives you the option to enforce a minimum password length and use mixed character types like lowercase, uppercase, numeric, and special characters.

Posted inWordPress Security
Nitish Kumar
Nitish Kumar

Nitish is a freelance web developer and technical writer with experience in various web development technologies, including WordPress. He specializes in developing eCommerce websites and likes to spend his free time working on personal projects or going out with friends.

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay in the loop

Subscribe to the Melapress newsletter and receive curated WordPress management and security tips and content.

Newsletter icon

It’s free and you can unsubscribe whenever you want. Check our blog for a taste.

Envelope icon