Password Policy
Enforce strong password requirements across your WordPress site with configurable complexity rules, breach detection via Have I Been Pwned, password expiration, and per-role policy overrides.
Overview
The VistoShield Password Policy plugin ensures that every user on your WordPress site uses a strong, uncompromised password. It intercepts password creation and change events, validates them against your configured rules, and optionally checks them against known data breaches using the Have I Been Pwned API.
Key capabilities include:
- Configurable minimum length and character complexity requirements
- Password expiration with configurable intervals per role
- Breach detection using HIBP k-anonymity (no full passwords are ever transmitted)
- Password history to prevent reuse of recent passwords
- Per-role policy overrides for granular control
- Compliance dashboard showing password health across all users
Installation & Activation
- Upload the `vistoshield-password-policy` folder to `wp-content/plugins/`
- Navigate to Plugins → Installed Plugins in your WordPress admin
- Click Activate next to VistoShield Password Policy
- Go to VistoShield → Password Policy to configure your settings
Global Settings
Configure the baseline password requirements from VistoShield → Password Policy → Settings:
| Setting | Default | Description |
|---|---|---|
| Minimum Length | 12 | Minimum number of characters required for any password |
| Require Uppercase | Yes | At least one uppercase letter (A–Z) must be present |
| Require Lowercase | Yes | At least one lowercase letter (a–z) must be present |
| Require Numbers | Yes | At least one numeric digit (0–9) must be present |
| Require Special Characters | Yes | At least one symbol (e.g., !@#$%^&*) must be present |
| Expiration (days) | 90 | Number of days before a password must be changed. Set to 0 to disable. |
| History Count | 5 | Number of previous passwords stored to prevent reuse |
Per-Role Overrides
Different user roles can have different password policies. Navigate to VistoShield → Password Policy → Role Overrides to configure per-role settings.
| Role | Min Length | Expiration | Breach Check |
|---|---|---|---|
| Administrator | 16 | 60 days | Required |
| Editor | 14 | 90 days | Required |
| Author | 12 | 90 days | Optional |
| Subscriber | 10 | 180 days | Optional |
Role overrides always take precedence over global settings. If no override is configured for a role, the global policy applies.
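The two tables above (global baseline plus per-role overrides) can be read as a small policy resolver followed by a validator. The following is an added example written for this page, not VistoShield's own code; the array keys, function names and the single-role resolution are assumptions, since the plugin's real option names are not documented here.

```php
<?php
// Added example, not VistoShield's own code: resolve the effective policy for a
// user (per-role override keys win over the global baseline) and validate a
// candidate password against it. Array keys and helper names are assumptions.

// Baseline, matching the defaults in the Global Settings table.
$global_policy = [
    'min_length'      => 12,
    'require_upper'   => true,
    'require_lower'   => true,
    'require_digit'   => true,
    'require_special' => true,
    'expiration_days' => 90,   // 0 disables expiration
    'history_count'   => 5,
];

// Per-role overrides, matching the Role Overrides table. A role only needs to
// list the keys it overrides; everything else falls through to the baseline.
$role_overrides = [
    'administrator' => ['min_length' => 16, 'expiration_days' => 60],
    'editor'        => ['min_length' => 14, 'expiration_days' => 90],
    'author'        => ['min_length' => 12, 'expiration_days' => 90],
    'subscriber'    => ['min_length' => 10, 'expiration_days' => 180],
];

/**
 * Effective policy for one role: override keys replace the global values,
 * unlisted keys keep the global value. (Multi-role users are not covered by
 * the page; this example resolves a single role.)
 */
function vs_effective_policy(string $role, array $global, array $overrides): array
{
    return array_merge($global, $overrides[$role] ?? []);
}

/**
 * Validate $password against $policy. Returns a list of human-readable
 * failures; an empty list means the password is compliant.
 */
function vs_validate_password(string $password, array $policy): array
{
    $errors = [];
    // mb_strlen counts characters rather than bytes, so a multi-byte
    // character counts once toward the minimum length.
    if (mb_strlen($password, 'UTF-8') < $policy['min_length']) {
        $errors[] = sprintf('Must be at least %d characters long.', $policy['min_length']);
    }
    if ($policy['require_upper'] && !preg_match('/[A-Z]/', $password)) {
        $errors[] = 'Must contain an uppercase letter (A-Z).';
    }
    if ($policy['require_lower'] && !preg_match('/[a-z]/', $password)) {
        $errors[] = 'Must contain a lowercase letter (a-z).';
    }
    if ($policy['require_digit'] && !preg_match('/[0-9]/', $password)) {
        $errors[] = 'Must contain a digit (0-9).';
    }
    // "Special" here means any printable character that is not a letter or a
    // digit, which covers the !@#$%^&* examples from the settings table.
    if ($policy['require_special'] && !preg_match('/[^A-Za-z0-9\s]/', $password)) {
        $errors[] = 'Must contain a special character (e.g. !@#$%^&*).';
    }
    return $errors;
}

// Demo with a constructed candidate: the same 11-character password passes the
// subscriber override (min 10) but fails the administrator override (min 16).
$candidate = 'Tr0ub4dor&3';
foreach (['subscriber', 'administrator'] as $role) {
    $policy = vs_effective_policy($role, $global_policy, $role_overrides);
    $errors = vs_validate_password($candidate, $policy);
    printf("%-13s min_length=%2d  %s\n", $role, $policy['min_length'],
        $errors ? implode(' ', $errors) : 'compliant');
}
```

Run it with `php policy-demo.php`. Because the validator returns every failing rule rather than stopping at the first, the user sees the complete list of what to fix in one round trip, and the same function can be reused by the compliance dashboard to classify existing users as Compliant or Non-Compliant against the current policy.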
Breach Detection
VistoShield uses the Have I Been Pwned (HIBP) Pwned Passwords API to check whether a password has appeared in known data breaches. The check uses k-anonymity, which means:
- The password is hashed using SHA-1 on the server
- Only the first 5 characters of the hash are sent to the HIBP API
- The API returns all hash suffixes matching that prefix
- The plugin checks locally whether the full hash appears in the returned list
This approach ensures that the full password hash is never transmitted to any external service.
Breach detection requires that outbound HTTPS access to api.pwnedpasswords.com is permitted from your server.
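The four-step k-anonymity exchange above, as an added example written for this page rather than VistoShield's own code. The range lookup is injected as a callable so the script runs offline against a constructed response; the `vs_pwned_count` name, the constructed hit counts and the sketch of a `wp_remote_get` fetcher are assumptions about how such a check would be wired into WordPress.

```php
<?php
// Added example, not VistoShield's own code: the HIBP k-anonymity range query
// described in the Breach Detection section. Only the first 5 hex characters of
// the SHA-1 hash leave the server; the remaining 35 are compared locally.

/**
 * Number of times $password appears in the breach corpus (0 = not found).
 * $fetch_range(prefix) must return the text/plain body for
 * https://api.pwnedpasswords.com/range/{prefix}: one "SUFFIX:COUNT" per line.
 */
function vs_pwned_count(string $password, callable $fetch_range): int
{
    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);   // the only part transmitted
    $suffix = substr($hash, 5);      // compared locally, never sent

    $body = $fetch_range($prefix);
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        // hash_equals gives a constant-time comparison; HIBP returns uppercase hex.
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count;
        }
    }
    return 0;
}

// Constructed HIBP-style response for prefix 5BAA6 (a real response holds
// hundreds of lines). The second entry is the suffix of SHA-1("password");
// the counts are made up for the demo.
$constructed_range = <<<TXT
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
21DC5A0A9A0A6D8F5D3E2A4C1B0F9E8D7C6:1
TXT;

// Offline fetcher: answers only the constructed prefix, empty for anything else.
$offline_fetch = function (string $prefix) use ($constructed_range): string {
    return $prefix === '5BAA6' ? $constructed_range : '';
};

// Sketch of a live fetcher for WordPress (assumption about the plugin's wiring;
// defined here but not called, so the demo stays offline). It throws on
// transport failure so the caller decides whether to fail open or closed.
$wp_fetch = function (string $prefix): string {
    $response = wp_remote_get('https://api.pwnedpasswords.com/range/' . $prefix, ['timeout' => 5]);
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        throw new RuntimeException('HIBP range lookup failed for prefix ' . $prefix);
    }
    return wp_remote_retrieve_body($response);
};

echo vs_pwned_count('password', $offline_fetch), PHP_EOL;                      // 3861493
echo vs_pwned_count('correct horse battery staple', $offline_fetch), PHP_EOL;  // 0
```

The design point worth keeping from this sketch is the exception in the live fetcher: an unreachable or rate-limited HIBP endpoint is a distinct outcome from "not breached", and whether the plugin then accepts the password (fail open) or blocks the change (fail closed) should be an explicit decision rather than a side effect of an empty response.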
Password History
The plugin stores hashed versions of each user’s previous passwords (up to the configured history count). When a user sets a new password, it is compared against stored hashes to prevent reuse.
- Password history entries are stored as bcrypt hashes in the `wp_usermeta` table
- Older entries beyond the configured count are automatically purged
- Administrators can clear a user’s password history from the user profile screen
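The history mechanism described above, as an added example written for this page and not VistoShield's own code. It uses PHP's native bcrypt through `password_hash` and `password_verify`; the in-memory array stands in for the plugin's `wp_usermeta` rows, and the function names, the `VS_HISTORY_COUNT` constant and the most-recent-first layout are assumptions.

```php
<?php
// Added example, not VistoShield's own code: a password-history store built on
// bcrypt, the algorithm the page says the plugin and WordPress use. The array
// stands in for wp_usermeta; names and layout are assumptions.

const VS_HISTORY_COUNT = 5;   // mirrors the History Count default

/** True when $password matches any stored bcrypt hash, i.e. it would be a reuse. */
function vs_password_in_history(string $password, array $history): bool
{
    foreach ($history as $hash) {
        // password_verify re-derives bcrypt with the stored salt and cost and
        // compares in constant time; the plaintext is never stored anywhere.
        if (password_verify($password, $hash)) {
            return true;
        }
    }
    return false;
}

/**
 * Record a newly set password: prepend its hash (most recent first) and purge
 * entries beyond the configured count, as the Password History section says.
 */
function vs_record_password(string $password, array $history, int $limit = VS_HISTORY_COUNT): array
{
    array_unshift($history, password_hash($password, PASSWORD_BCRYPT));
    return array_slice($history, 0, $limit);
}

// Demo: a user rotates through six constructed passwords. With a history of 5
// the oldest has been purged and is reusable again; the other five are not.
$history  = [];
$rotation = ['Jan-2024!Aa', 'Feb-2024!Bb', 'Mar-2024!Cc',
             'Apr-2024!Dd', 'May-2024!Ee', 'Jun-2024!Ff'];
foreach ($rotation as $p) {
    $history = vs_record_password($p, $history);
}
printf("stored hashes: %d\n", count($history));   // 5

foreach (['Jan-2024!Aa', 'Jun-2024!Ff', 'Jul-2024!Gg'] as $candidate) {
    printf("%-12s %s\n", $candidate,
        vs_password_in_history($candidate, $history) ? 'rejected (reuse)' : 'allowed');
}
// Jan-2024!Aa allowed, Jun-2024!Ff rejected (reuse), Jul-2024!Gg allowed
```

Two operational notes follow from this layout. Each reuse check costs up to History Count bcrypt verifications, each tens of milliseconds at the default cost factor, so raising the count lengthens every password change. And bcrypt only consumes the first 72 bytes of its input, so two candidates that agree on their first 72 bytes compare as the same password; for the lengths enforced here that is a theoretical rather than practical limit, but it is why very long passphrases should not be expected to differ only in their tail.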
User Management
The Compliance Dashboard at VistoShield → Password Policy → Users provides an overview of password health across your site:
- Compliant — Password meets all current policy requirements
- Expiring Soon — Password will expire within the next 14 days
- Expired — Password has exceeded the expiration interval
- Non-Compliant — Password was set before current policy and does not meet requirements
From this dashboard you can:
- Force Reset — Immediately expire a user’s password, requiring them to set a new one on next login
- Bulk Force Reset — Select multiple users and force a password reset for all of them
- Export Report — Download a CSV report of all users and their compliance status
WP-CLI Commands
If WP-CLI is available, the following commands are registered:
| Command | Description |
|---|---|
| `wp vistoshield password-policy status` | Show current policy settings and compliance statistics |
| `wp vistoshield password-policy force-reset --user=<id>` | Force a password reset for a specific user |
| `wp vistoshield password-policy force-reset --role=<role>` | Force a password reset for all users with a given role |
| `wp vistoshield password-policy audit` | Run a compliance audit and output results as a table |
FAQ
Does this plugin work with WooCommerce registration forms?
Yes. The plugin hooks into WordPress core password validation, so any form that uses the standard password change mechanism (including WooCommerce My Account) will enforce the configured policy.
What happens when a user’s password expires?
On their next login attempt, the user will be redirected to the password reset screen and must set a new compliant password before accessing the site.
Can I disable breach detection for performance reasons?
Yes. Uncheck the Enable Breach Detection option under global settings. The HIBP check typically completes in under 200ms, but you can disable it if your server has limited outbound connectivity.
Are passwords stored in plain text for history comparison?
No. All password history entries are stored as bcrypt hashes, the same algorithm WordPress uses for its own password storage. Plain text passwords are never written to the database.