Configuring the Plugin

Now that you have the plugin installed, you can open the plugin settings page and configure the password policy for your users.

By default, no password policy is defined. After activating the plugin, you need to configure the password policy to match your needs, and then enable it.

When Are the Settings Saved?

Settings configured in the plugin settings page are not saved automatically; you need to click on the blue “Save all settings” button (at the bottom of the settings section) in order to save the settings.

Adding a New Password Policy

You can add as many password policies as you need. Policies can be reordered using drag-and-drop, and should be ordered from the most specific to the least specific.

For example – if you create a “generic” policy for all users and a “specific” policy for contractors, the “specific” policy should be higher in the list of policies – otherwise, the “all users” policy will resolve first.

In order to create a new password policy, click on the “Add new policy” button. New policies are always added at the top of the policies list.

Activating and Deactivating the Password Policy

Each new password policy is deactivated by default, which gives you time to configure it properly before enforcing its rules on your users.

To activate or deactivate a policy, find the policy you want to update in the list of your password policies, and click on its “General settings” panel.

After opening the “General settings” panel, you’ll see a toggle labelled “Activate this policy”. Click on that toggle to change the policy activation status.

Besides the toggle, you can also tell whether a policy is active from the top of the policy panel: an active policy’s name is preceded by the word “Policy”, and an inactive policy’s name is preceded by the phrase “Inactive Policy”.

Changing the Password Policy Name

If you plan to use more than one password policy, it’s a good idea to give them meaningful, descriptive names, so that they can be easily recognized and their scope understood immediately.

You can have a “Generic policy” that covers all users, and a “Policy for administrators” that enforces stronger passwords for the site admins. You can have a “Policy for freelancers” that requires the freelancers you work with to use strong passwords. These are just examples – it’s up to you how you define and name each password policy.

In the list of your password policies, find the policy whose name you want to update, and click on its “General settings” panel. You’ll see a text input field under the “Policy name” label, where you can change the name of the policy.

Deleting the Password Policy

You can delete a password policy if you no longer want to use it. To do that, in the list of your password policies, find the policy you want to delete, and click on its “General settings” panel.

You’ll see a red-bordered button with a “Delete policy” label – click on it, then click on the blue “Save all changes” button at the bottom of the settings section.

Enabling and Disabling the Rules of the Policy

Each password policy can be configured differently, depending on the use case. Click on the “Enabled rules” panel of the policy you want to configure – you’ll see a list of toggles that allow you to enable or disable individual rules. Click on the toggle next to the rule name to switch the rule between “enabled” and “disabled”.

Enforcing the Minimum Password Length

Once enabled, the users’ password length must equal or exceed the defined value, which is set to 10 characters by default.

Enforcing the Minimum Password Age

Once enabled, users can only change their passwords if the current password has been used for at least a defined period (set to 2 days by default). This is meant to prevent users from resetting their password repeatedly to circumvent the “Prevent users from reusing their past passwords” setting and reuse a favorite password immediately.

Enforcing the Maximum Password Age

Once enabled, users will have to change their passwords if the current password has been in use for a defined period (set to 30 days by default).

Enforcing the Password Complexity Requirements

Once enabled, users’ passwords must meet the complexity requirements.

Preventing Users from Reusing Their Past Passwords

Once enabled, users will not be able to set a new password if that password was already used by them in the past.

Adjusting the Rule Settings

Each rule’s settings can be adjusted to better suit your specific needs. Click on the “Rule settings” panel of the policy you want to configure – you’ll see a set of options that allow you to adjust the rules’ behavior.

Note: each of the rule settings applies to a specific rule as described below. The associated rule needs to be enabled (see the section above for details); otherwise the setting has no effect.

Minimum Password Length

This field allows you to define the minimum length of the password, which applies to “Enforce the minimum password length” rule.

This is set to 10 by default, which means the user’s password must equal or exceed 10 characters.

A valid value of this field is an integer between 1 and 50.

Maximum Password Length

This field allows you to define the maximum length of the password, which applies to “Enforce the maximum password length” rule.

This is set to 256 by default, which means the user’s password must be equal or less than 256 characters.

Minimum Password Age

This field allows you to define the minimum password age, which applies to the “Enforce the minimum password age” rule.

This value represents days, and is set to 2 by default, which means that a user cannot set a new password if their current password was set within the last 2 days.

As mentioned above, this is meant to prevent users from resetting their password repeatedly to circumvent the “Prevent users from reusing their past passwords” setting and reuse a favorite password immediately.

A valid value of this field is an integer between 1 and 1000.

Maximum Password Age

This field allows you to define the maximum password age, which applies to the “Enforce the maximum password age” rule.

This value represents days, and is set to 30 by default, which means that a user must set a new password once their current password has been in use for 30 days.

A valid value of this field is an integer between 1 and 1000.

Password Complexity Requirements

This field allows you to select the password complexity rules, which will be applied to the “Enforce the password complexity requirements” rule.

Possible complexity rules:

  • “Uppercase letter(s) required” – at least one uppercase letter is required in the user’s password.
  • “Lowercase letter(s) required” – at least one lowercase letter is required in the user’s password.
  • “Base digit(s) (0 through 9) required” – at least one base digit is required in the user’s password. A base digit is an integer between 0 and 9.
  • “At least X unique (non-repeated) characters required”, where “X” is the integer defined in the Minimum number of unique (non-repeated) characters in password field below. For example, in the “aabc” password, three characters are unique (non-repeated): a, b, c.
  • “Up to X consecutive symbols from the user’s name or display name allowed”, where “X” is the integer defined in the Number of consecutive symbols of the user’s name or display name allowed in the password field below. If “0” (zero) is chosen, no character that appears in the user name or display name is allowed in the user’s password; if “2” is chosen and the user name and display name is “Bart”, the password can contain “ba”, “ar”, and “rt”, but not “bar” or “art”.
  • “Special character(s) required” – at least one special character is required in the user’s password. A special character is understood as one of the punctuation characters present on a standard US keyboard. See: Password Special Characters for more details.

Minimum Number of Unique (Non-Repeated) Characters in a Password

This field allows you to define the minimum number of unique, non-repeated characters required in the user’s password, which is used by one of the password complexity rules.

For example, in the “aabc” password, three characters are unique (non-repeated): a, b, c. Default value of this field is set to “6”. A valid value of this field is an integer between 1 and 50.

Number of Consecutive Symbols from the User’s Name or Display Name Allowed in a Password

This field allows you to define the number of consecutive symbols of the user’s name or display name allowed in the user’s password, which is used by one of the password complexity rules.

For example, if “0” is chosen, no character that appears in the user name or display name is allowed in the user’s password; if “2” is chosen and the user name is “Bart”, the password can contain “ba”, “ar”, and “rt”, but not “bar” or “art”.

Default value of this field is set to “4”. A valid value of this field is an integer between 0 and 50.
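The complexity rules described above, modelled as an added stand-alone checker (this is example code, not the plugin’s own implementation; the policy defaults, the US-keyboard punctuation set used for “special characters” and the case-insensitive name matching are assumptions):

```python
import string
from dataclasses import dataclass
from typing import List, Optional

# Assumption: "special characters" approximated by the punctuation on a US keyboard.
SPECIAL = set(string.punctuation)

@dataclass
class ComplexityPolicy:
    uppercase: bool = True
    lowercase: bool = True
    digit: bool = True
    special: bool = True
    min_unique: Optional[int] = 6      # None disables the unique-characters rule
    max_name_run: Optional[int] = 4    # None disables the name-substring rule

def unique_chars(pw: str) -> int:
    # "aabc" -> 3 unique characters: a, b, c
    return len(set(pw))

def contains_name_run(pw: str, names: List[str], allowed: int) -> bool:
    """True if pw contains more than `allowed` consecutive characters taken from
    any of the user's names (case-insensitive, assumed). With allowed == 0 every
    single character of the name is forbidden."""
    low = pw.lower()
    n = allowed + 1                    # shortest forbidden run
    for name in (x.lower() for x in names):
        for i in range(len(name) - n + 1):
            if name[i:i + n] in low:
                return True
    return False

def check_complexity(pw: str, names: List[str], policy: ComplexityPolicy) -> List[str]:
    """Return the names of the violated rules; an empty list means the password passes."""
    failures = []
    if policy.uppercase and not any(c.isupper() for c in pw):
        failures.append("uppercase")
    if policy.lowercase and not any(c.islower() for c in pw):
        failures.append("lowercase")
    if policy.digit and not any(c in "0123456789" for c in pw):   # base digits only
        failures.append("digit")
    if policy.special and not any(c in SPECIAL for c in pw):
        failures.append("special")
    if policy.min_unique is not None and unique_chars(pw) < policy.min_unique:
        failures.append("unique")
    if policy.max_name_run is not None and contains_name_run(pw, names, policy.max_name_run):
        failures.append("name")
    return failures
```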

Defining User Coverage for Each Password Policy

Each password policy can be applied to a different set of users, depending on your unique needs. Click on the “User coverage” panel of the policy you want to configure to review the available options.

By default, a new password policy applies to all users. Turn the toggle off to reveal the options for applying that password policy by user role and/or to specific users.

Each policy can be applied to a different group of users. Policies should be ordered from the most specific to the least specific.

Only one policy applies to any given user. If a user matches the conditions of more than one password policy, the policy that is higher in the order defined on this settings page applies, and the remaining policies are ignored for that user.
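The first-match resolution described above, as an added example (not the plugin’s own code) showing why a specific policy must sit above a generic one; the policy and user fields are assumptions:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Policy:
    name: str
    active: bool = True
    all_users: bool = True                      # "apply to all users" toggle on
    roles: FrozenSet[str] = frozenset()         # role coverage when the toggle is off
    users: FrozenSet[str] = frozenset()         # specific-user coverage when the toggle is off

@dataclass
class User:
    login: str
    roles: FrozenSet[str]

def covers(policy: Policy, user: User) -> bool:
    if policy.all_users:
        return True
    return user.login in policy.users or bool(user.roles & policy.roles)

def resolve(policies: List[Policy], user: User) -> Optional[str]:
    """Walk the list top to bottom and return the first active policy that covers
    the user; later matches are ignored. None means no policy applies."""
    for p in policies:
        if p.active and covers(p, user):
            return p.name
    return None

# Constructed sample policies and users.
GENERIC = Policy("Generic policy")
CONTRACTORS = Policy("Policy for contractors", all_users=False, roles=frozenset({"contractor"}))
DRAFT = Policy("Inactive policy for admins", active=False, all_users=False, roles=frozenset({"administrator"}))
CONTRACTOR = User("alice", frozenset({"contractor"}))
ADMIN = User("bob", frozenset({"administrator"}))

def specific_first() -> Optional[str]:
    return resolve([CONTRACTORS, GENERIC], CONTRACTOR)     # -> "Policy for contractors"

def generic_first() -> Optional[str]:
    return resolve([GENERIC, CONTRACTORS], CONTRACTOR)     # generic wins: "Generic policy"
```

An inactive policy is skipped even when it sits at the top, so the admin above falls through to whatever active policy follows.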

Configuring the Recent Passwords Storage

One of the objectives of a strong password policy is to ensure that users regularly change their password to a new, strong, and unique one. This can be achieved by enabling these rules together:

  • Enforce the maximum password age – once enabled, users will have to change their passwords if the current password has been in use for a defined period.
  • Prevent users from reusing their past passwords – once enabled, users will not be able to set a new password if that password was already used by them in the past.
  • Enforce the minimum password age – once enabled, users can only change their passwords if the current password has been used for at least a defined period. This is meant to prevent users from resetting their password repeatedly to circumvent the “Prevent users from reusing their past passwords” setting and reuse a favorite password immediately.

Users’ past passwords are stored in the user meta table, secured using the same hashing technique that WordPress uses for “regular” passwords.

By default, 24 past passwords are stored. Combined with the minimum password age, this prevents your users from reusing their past passwords; otherwise, they might reset their passwords multiple times to cycle back to their “favorite” password.

A valid value of this field is an integer between 0 and 1000. To turn this feature off, set the value to “0” (zero).
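How the three rules interact, as an added example (not the plugin’s code): a constructed history keeps only hashes of the last N passwords, the minimum age blocks rapid resets, and the maximum age flags passwords due for change. Salted PBKDF2 stands in for WordPress’s own password hashing here; the storage layout and method names are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
from typing import List, Tuple

ITERATIONS = 50_000   # constructed stand-in for WordPress's password hashing

def hash_pw(pw: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def matches(pw: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

class PasswordHistory:
    def __init__(self, keep: int = 24, min_age_days: int = 2, max_age_days: int = 30):
        self.keep = keep                          # 0 disables the reuse check
        self.min_age = timedelta(days=min_age_days)
        self.max_age = timedelta(days=max_age_days)
        self.entries: List[Tuple[bytes, bytes]] = []   # newest first; only hashes are kept
        self.changed_at = None

    def must_change(self, now: datetime) -> bool:
        """Maximum password age: the current password has been in use too long."""
        return self.changed_at is not None and now - self.changed_at >= self.max_age

    def try_set(self, new_pw: str, now: datetime) -> str:
        """Return 'ok', or the name of the rule that rejected the change."""
        if self.changed_at is not None and now - self.changed_at < self.min_age:
            return "min_age"        # too soon since the last change
        if self.keep and any(matches(new_pw, e) for e in self.entries):
            return "reuse"          # found among the stored past passwords
        self.entries.insert(0, hash_pw(new_pw))
        del self.entries[self.keep:]              # trim to the configured number
        self.changed_at = now
        return "ok"
```

With a small history (keep=2) a user can get an old password back after two intermediate changes, which is why the stored count and the minimum age are meant to be used together.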