We’re thrilled to announce a major addition to WP Password Policy PRO: the new HaveIBeenPwned integration is now available, blocking passwords that have been exposed in known data breaches before they ever reach your database. Both the free (3.6.3) and PRO (3.13.0) versions also ship a set of refinements to wording, notice behavior, and internal dependencies.
PRO-Only Updates (3.13.0)
- New password policy rule – block breached passwords: WP Password Policy PRO now checks every new or changed password against the HaveIBeenPwned Pwned Passwords database, which catalogues passwords exposed in real-world data breaches. If a user attempts to set a password that has appeared in a known breach, the policy rule blocks it before the credential is ever stored.
- Privacy-preserving by design: The integration uses the k-anonymity API model. Only the first five characters of the SHA-1 hash of the password ever leave your server, and the full password itself is never transmitted – not even in hashed form. The check runs at signup, password change, and password reset. Read the full feature breakdown for more details.
Shared Updates (Free 3.6.3 & PRO 3.13.0)
- Clearer wording for the “minimum unique characters” rule: The label and helper text for this setting have been refined so the requirement is easier to understand at a glance.
- Improved notice display: Validation feedback shown to users now renders as an “error” notice rather than an informational “message”, making it clearer when a password fails to meet a policy rule.
- Updated dependencies: Internal libraries and build tools have been refreshed.
- General code improvements: Minor cleanups and refactoring to keep the codebase stable and maintainable.
You can download the latest versions of the WP Password Policy plugin directly from WordPress.org (free version) or the Customer Portal (PRO version).
For questions and help about this release, please get in touch with our support team.