
WP Password Policy plugin updates released (Free: 3.7.0, PRO: 3.14.0): Restricted Words List, Expiry Warnings, and Vendor-Default Scanner

Today we’re publishing new updates for both the free and PRO versions of WP Password Policy. This release adds new ways to keep weak and predictable passwords out of your site, warns users before their passwords expire, and surfaces risky default accounts – alongside a security-hardening pass across both editions.

Shared Updates (Free 3.7.0 & PRO 3.14.0)

  • Restricted words and phrases list: You can now define site-wide words and phrases that passwords may not contain, with a per-policy on/off toggle. This is the practical way to block predictable terms – your brand or company name, a product name, or generic choices like “admin” – that attackers try first.
  • Bookmarkable settings tabs: The settings page tabs are now reflected in the URL, so a specific tab can be bookmarked and shared directly with a teammate.
  • Server requirements notice: A clear admin notice now appears when your environment does not meet the minimum PHP or WordPress version, or is missing a required extension, so configuration problems surface early instead of failing silently.
  • Security hardening: We tightened REST error responses and policy-context role validation as a defense-in-depth follow-up to our security audit. The PRO edition additionally folds in plugin-updater robustness improvements.
  • Dependencies and code improvements: Internal libraries have been refreshed and the codebase cleaned up to keep the plugin fast and reliable across environments.

PRO-Only Updates (3.14.0)

  • Password expiry warning emails: A configurable series of reminder emails is now sent to users in the days before their password expires, giving them time to update it on their own terms instead of being locked out at the next login.
  • Vendor-default account scanner: A recurring scan flags default or admin-style usernames and unchanged display names, surfaced through a dashboard widget and a dedicated settings tab. It is an easy way to catch the leftover accounts that commonly slip through site handovers and staging clones.
  • Leetspeak-aware matching: The restricted words and phrases list can now optionally catch obfuscated variants, so a blocked term like “password” also rejects “p4ssw0rd” and similar character substitutions.
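To illustrate how a restricted-words check with leetspeak-aware matching works, here is a small added example written for this post; it is not the plugin's own code, and the substitution table (LEET_MAP) and function names are assumptions made for illustration:

```python
# Added example: reject passwords that contain a restricted word, optionally
# treating common character substitutions ("p4ssw0rd") as the original letters.
# Illustrative only; not the WP Password Policy implementation.
from typing import Optional

# Constructed substitution table: each symbol may stand in for any of the listed letters.
LEET_MAP = {
    "0": "o", "1": "il", "2": "z", "3": "e", "4": "a", "5": "s",
    "6": "g", "7": "t", "8": "b", "9": "g", "@": "a", "$": "s",
    "!": "i", "|": "l", "+": "t", "(": "c",
}


def _candidates(ch: str) -> str:
    """Letters a password character may represent: itself plus any leet expansions."""
    base = ch.lower()
    return base + LEET_MAP.get(base, "")


def contains_restricted(password: str, restricted: list, leet: bool = False) -> Optional[str]:
    """Return the first restricted word found inside the password, or None.

    leet=False: plain case-insensitive substring test (the per-policy default).
    leet=True:  each password character may also match any letter in LEET_MAP,
                so a blocked "password" also rejects "p4$$w0rd".
    """
    pw = password.lower()
    for word in restricted:
        w = word.lower().strip()
        if not w:
            continue
        if not leet:
            if w in pw:
                return word
            continue
        # Slide the word across the password; every aligned character must be
        # either the same letter or a symbol that can stand in for it.
        for start in range(len(pw) - len(w) + 1):
            if all(w[i] in _candidates(pw[start + i]) for i in range(len(w))):
                return word
    return None
```

A real policy would run this check alongside length and complexity rules and report the matched term back to the user so they know why the password was rejected.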

You can download the latest versions of the WP Password Policy plugin directly from WordPress.org (Free version) or the Customer Portal (PRO version).

For questions and help about this release, please get in touch with our support team.
