Password policy in WordPress: why the strength meter is not enough

WordPress shows a strength meter but does not enforce it - users can tick 'confirm weak password' and carry on. This is how to get real enforcement, step by step.

WordPress shows a green/red password strength meter when an account is created or a password changed - but it does not enforce it. Users can tick 'Confirm use of weak password' and continue with '123456'. Without an enforcement plugin, only the most security-conscious admin actually picks something strong.

Why this matters

The critical weak point is that even if the administrator picked a 24-character password, every author, contributor or subscriber who registers is a soft target - if that weak account is compromised and the attacker escalates privileges (through a plugin vulnerability) or simply uses it as a foothold for XSS on your site, the whole site falls. Breach statistics back this up: 81% of web application breaches in 2023 involved weak or leaked passwords. Enforcing minimum complexity stops most credential stuffing and brute force before it begins. A side benefit: strong passwords nudge users towards a password manager, which itself reduces password reuse across sites.

How to detect

The audit scans active plugins for enforcement signatures: 'Password Policy Manager', 'Force Strong Passwords', WPVivid Password Policy, Wordfence Login Security (its protection includes enforcement). If none is installed, the check is red. Manually: create a test user with the password '123456'. If WordPress accepts it (even after a 'confirm weak' tickbox), there is no enforcement.

How to fix

  1. Install Password Policy Manager or Force Strong Passwords (both free).
  2. Set minimums: 12 characters, upper and lower case, one digit, one special character.
  3. If you use Wordfence: go to Wordfence > Login Security > Settings and enable 'Enforce strong passwords for'. Pick at least Administrators, ideally editors and shop managers too.
  4. Enable Have I Been Pwned checks: Wordfence Premium does this automatically, blocking passwords known to be leaked. A free alternative: 'WP Password Policy Manager' with a companion plugin.
  5. Set password expiry: via the plugin, require admin and editor users to rotate the password every 90-180 days. Warning: too-frequent rotation produces weaker passwords - users append '1', '2', '3'. NIST in 2017 recommended ending periodic expiration except after suspected compromise.
  6. Mark all admins and editors with 'Force password reset on next login' to push them onto a policy-compliant password.
  7. Enable 2FA for every administrator account - it is the strongest protection if a password leaks.
  8. Document the policy in an mu-plugin or internal page so future developers know the rules.
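Step 8 suggests an mu-plugin as the place to document the policy; the file below is an added example (not from this page or from any of the plugins named above) that also enforces the minimums from step 2 through WordPress's own validation hooks, so the rules and their enforcement live in one place. It assumes the file is dropped into wp-content/mu-plugins/, and the banned-password list is a constructed sample, not a substitute for the leaked-password check in step 4.

```php
<?php
/**
 * Plugin Name: Site Password Policy (mu-plugin)
 * Description: Rejects passwords that fail the site minimums on profile update, password reset and registration.
 */

// Policy values taken from the checklist (12 chars, upper, lower, digit, special). Raise the length if you prefer 16+.
const SPP_MIN_LENGTH = 12;
// Constructed sample of trivially guessable passwords; real deployments should add a leaked-password check.
const SPP_BANNED = array( '123456', 'password', 'password123', 'qwerty', 'letmein' );

/** Return human-readable policy violations; an empty array means the password is accepted. */
function spp_policy_violations( $password ) {
    $problems = array();
    if ( strlen( $password ) < SPP_MIN_LENGTH ) {
        $problems[] = sprintf( 'at least %d characters', SPP_MIN_LENGTH );
    }
    if ( ! preg_match( '/[A-Z]/', $password ) )         { $problems[] = 'an upper-case letter'; }
    if ( ! preg_match( '/[a-z]/', $password ) )         { $problems[] = 'a lower-case letter'; }
    if ( ! preg_match( '/[0-9]/', $password ) )         { $problems[] = 'a digit'; }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) )  { $problems[] = 'a special character'; }
    if ( in_array( strtolower( $password ), SPP_BANNED, true ) ) {
        $problems[] = 'something not on the banned-password list';
    }
    return $problems;
}

/** Attach a WP_Error entry when a submitted password fails the policy; an empty string means no change was requested. */
function spp_validate( WP_Error $errors, $password ) {
    if ( '' === $password ) { return; }
    $problems = spp_policy_violations( $password );
    if ( $problems ) {
        $errors->add( 'spp_weak_password', '<strong>Error:</strong> Password must have ' . implode( ', ', $problems ) . '.' );
    }
}

// wp-admin profile edit and "Add New User": edit_user() copies the pass1 field into $user->user_pass before this action.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    spp_validate( $errors, isset( $user->user_pass ) ? (string) $user->user_pass : '' );
}, 10, 3 );

// Password reset form (wp-login.php?action=rp): the new password is still in the pass1 POST field at this point.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    spp_validate( $errors, isset( $_POST['pass1'] ) ? (string) $_POST['pass1'] : '' );
}, 10, 2 );

// Front-end registration forms that let users choose a password and post it as pass1 (core registration does not).
add_filter( 'registration_errors', function ( $errors, $sanitized_user_login, $user_email ) {
    spp_validate( $errors, isset( $_POST['pass1'] ) ? (string) $_POST['pass1'] : '' );
    return $errors;
}, 10, 3 );
```

Because WordPress aborts the save whenever the WP_Error object has entries, this rejects '123456' server-side regardless of the 'confirm weak password' tickbox, which is exactly what the manual check in the detection section looks for.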

Common mistakes

Do not enforce overly complex passwords without a password manager - users who do not use one will write the password on a sticky note on the monitor. Prefer a high length minimum (16+) over special-character requirements. Do not enable 30-day expiration - it leads to 'Pass1!' becoming 'Pass2!' becoming 'Pass3!'. Do not assume the WordPress strength meter is enough - it displays, it does not enforce. Do not enable enforcement without warning users - you will receive a flood of frustrated emails.

Verifying the fix

Create a test user with a weak password ('password123') - it should be rejected with a clear message. Try a known-leaked password (from haveibeenpwned). Re-run the audit. After two weeks, check how many of the users who were required to reset their password actually did - if most did not, you may need to remind them by email.

Tip: A long password (16+ characters) is stronger than a short complex one. Enforce a high length minimum rather than convoluted character rules that push users to sticky notes. NIST SP 800-63 recommends passphrases of 4-5 random words.