🔑 Password Policy
Enforce strong password policies per user role with expiration, breach detection, and password history. Keep every account on your WordPress site secure without relying on users to choose good passwords.
Key Features
Role-Based Password Rules
Set different password requirements per user role. Enforce a 16-character minimum for administrators, 12 for editors, 10 for authors, and 8 for subscribers. Require uppercase, lowercase, numbers, and special characters per role.
Password Expiration & Forced Reset
Configure password expiration intervals per role — 30 days for admins, 60 for editors, 90 for others. Users receive email reminders before expiry and are redirected to the password change screen on next login.
Breach Detection (HIBP)
Check new passwords against the Have I Been Pwned database using the k-anonymity API. Only the first 5 characters of the password hash are sent, so the full password never leaves your server.
Password History
Prevent users from reusing their last N passwords (configurable per role). Password hashes are stored securely and compared on every password change to enforce rotation.
Compliance Dashboard
At-a-glance overview of password health across your site. See the percentage of users compliant with current policy, accounts with expired passwords, and users who have never changed their password.
Grace Period Before Lockout
Give users a configurable grace period after their password expires. During the grace period, users can still log in but see a persistent warning. After the grace period, login is blocked until the password is changed.
How It Works
Password Policy hooks into WordPress password validation, user registration, profile updates, and password resets to enforce your configured rules at every entry point. Policies are evaluated in real time, so changes take effect immediately.
Policy Enforcement Flow
Every password change goes through a multi-step validation pipeline:
- Strength Check — validates minimum length, character classes (uppercase, lowercase, digits, symbols), and prohibits common patterns like sequential characters or keyboard walks
- History Check — compares the new password hash against stored history for the user to prevent reuse of recent passwords
- Breach Check — queries the HIBP API using k-anonymity to verify the password has not appeared in known data breaches
- Role Validation — applies the specific requirements configured for the user’s role, since admin accounts need stricter rules than subscriber accounts
If any check fails, the user receives a clear error message explaining exactly what needs to change.
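The four-step pipeline above, written out as a standalone Python example. This is added illustration, not code from the Password Policy plugin: the `RolePolicy` table, the PBKDF2 scheme used for history hashes, the keyboard-walk sequences and the sample passwords are all constructed assumptions, and the breach step is injected as a callable so the HIBP call can be replaced by a local stub.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed per-role policy table (field names and history depths are
# assumptions; the length thresholds follow the numbers quoted on this page).
@dataclass(frozen=True)
class RolePolicy:
    min_length: int
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    history_depth: int = 5        # how many previous passwords may not be reused

ROLE_POLICIES = {
    "administrator": RolePolicy(min_length=16, history_depth=10),
    "editor": RolePolicy(min_length=12),
    "author": RolePolicy(min_length=10),
    "subscriber": RolePolicy(min_length=8, history_depth=3),
}

# Sequences for the "sequential characters / keyboard walk" check.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SEQUENCES = KEYBOARD_ROWS + (string.ascii_lowercase, string.digits)

def has_walk(password: str, run_len: int = 4) -> bool:
    """True if the password contains run_len adjacent characters that walk a
    keyboard row, the alphabet or the digits, in either direction."""
    lowered = password.lower()
    for seq in SEQUENCES:
        for base in (seq, seq[::-1]):
            for i in range(len(base) - run_len + 1):
                if base[i:i + run_len] in lowered:
                    return True
    return False

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 stand-in for the history hashes (assumed scheme).
    Returns (salt, digest) so a stored entry can be re-derived for comparison."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest

def in_history(password: str, history: List[Tuple[bytes, bytes]], depth: int) -> bool:
    """Re-derive the candidate with each stored salt; compare in constant time."""
    if depth <= 0:
        return False
    for salt, digest in history[-depth:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False

def validate_password(password: str, role: str, history: List[Tuple[bytes, bytes]],
                      breach_lookup: Callable[[str], int] = lambda pw: 0) -> List[str]:
    """Run every step and collect the reasons for rejection (empty list = accepted).
    breach_lookup(password) returns the number of known breaches, 0 meaning clean."""
    policy = ROLE_POLICIES[role]          # role validation: select this role's rules
    errors: List[str] = []
    # Strength check: length, character classes, predictable patterns
    if len(password) < policy.min_length:
        errors.append(f"Must be at least {policy.min_length} characters for role '{role}'")
    if policy.require_upper and not any(c.isupper() for c in password):
        errors.append("Must contain an uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        errors.append("Must contain a lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        errors.append("Must contain a digit")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        errors.append("Must contain a special character")
    if has_walk(password):
        errors.append("Must not contain sequential characters or keyboard walks")
    # History check
    if in_history(password, history, policy.history_depth):
        errors.append(f"Must not match any of your last {policy.history_depth} passwords")
    # Breach check
    count = breach_lookup(password)
    if count:
        errors.append(f"This password has appeared in {count} known breaches; choose another")
    return errors

def demo() -> dict:
    # Constructed fixtures: one previous password and a stub breach list.
    history = [hash_password("OldPassw0rd!Xyz9")]
    breached = {"Winter2024!Summer": 3}
    lookup = lambda pw: breached.get(pw, 0)
    return {
        "too_short": validate_password("Short1!", "subscriber", history, lookup),
        "keyboard_walk": validate_password("Qwerty123456!Abc", "administrator", history, lookup),
        "reused": validate_password("OldPassw0rd!Xyz9", "administrator", history, lookup),
        "breached": validate_password("Winter2024!Summer", "editor", history, lookup),
        "accepted": validate_password("Correct-Horse7Battery", "editor", history, lookup),
    }

if __name__ == "__main__":
    for case, errors in demo().items():
        print(f"{case}: {'accepted' if not errors else '; '.join(errors)}")
```

The checks are collected rather than short-circuited so the user sees every reason at once, which is what the "clear error message" above requires; the history comparison re-derives the hash with each stored salt and uses a constant-time comparison, so a stored history never reveals which of the old passwords a guess matched.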
Expiration & Grace Periods
Password expiration works on a per-role schedule:
- Admins are prompted to change passwords every 30 days by default
- Editors and authors rotate every 60 days
- Subscribers and contributors rotate every 90 days
- 7-day email reminders are sent before expiration
- A configurable grace period (default: 3 days) allows login with a warning banner
- After the grace period, the user is redirected to the password change form on every login attempt
All intervals are fully configurable and can be disabled per role if expiration is not needed for lower-privilege accounts.
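The expiration schedule, reminder window and grace period above, expressed as a small status classifier plus the dashboard roll-up. This is an added example in Python and not the plugin's own code; the `EXPIRY_DAYS` table, the status names, the `login_decision` mapping and the sample accounts are constructed assumptions that follow the defaults quoted on this page.

```python
from datetime import date, timedelta

# Constructed defaults following the per-role schedule described on this page.
EXPIRY_DAYS = {
    "administrator": 30,
    "editor": 60,
    "author": 60,
    "contributor": 90,
    "subscriber": 90,
}
REMINDER_DAYS = 7   # email reminder this many days before expiry
GRACE_DAYS = 3      # login still allowed (with a banner) this long after expiry

def password_status(role: str, last_changed: date, today: date,
                    expiry_days=EXPIRY_DAYS, reminder_days=REMINDER_DAYS,
                    grace_days=GRACE_DAYS) -> str:
    """Classify an account as 'disabled' (no expiry configured for the role),
    'ok', 'reminder' (inside the reminder window), 'grace' (expired but still
    allowed in) or 'locked' (grace period exhausted)."""
    interval = expiry_days.get(role)
    if interval is None:                      # expiration switched off for this role
        return "disabled"
    expires_on = last_changed + timedelta(days=interval)
    reminder_from = expires_on - timedelta(days=reminder_days)
    grace_ends = expires_on + timedelta(days=grace_days)
    if today < reminder_from:
        return "ok"
    if today < expires_on:
        return "reminder"
    if today < grace_ends:
        return "grace"
    return "locked"

def status_on(role: str, last_changed_iso: str, today_iso: str) -> str:
    """Convenience wrapper taking ISO dates, e.g. status_on('editor', '2024-04-01', '2024-05-29')."""
    return password_status(role, date.fromisoformat(last_changed_iso), date.fromisoformat(today_iso))

def login_decision(status: str) -> dict:
    """What the login hook does per status (assumed mapping): let the user in,
    show the persistent banner, or send them to the password change form first."""
    return {
        "disabled": {"allow": True,  "banner": False, "force_change": False},
        "ok":       {"allow": True,  "banner": False, "force_change": False},
        "reminder": {"allow": True,  "banner": False, "force_change": False},
        "grace":    {"allow": True,  "banner": True,  "force_change": False},
        "locked":   {"allow": False, "banner": False, "force_change": True},
    }[status]

def compliance_summary(users, today: date, **policy) -> dict:
    """Dashboard-style roll-up over (role, last_changed) pairs."""
    statuses = [password_status(role, changed, today, **policy) for role, changed in users]
    expired = sum(s in ("grace", "locked") for s in statuses)
    compliant = len(statuses) - expired
    return {
        "users": len(statuses),
        "compliant_pct": round(100 * compliant / len(statuses), 1) if statuses else 100.0,
        "expired": expired,
        "in_grace": statuses.count("grace"),
        "locked": statuses.count("locked"),
    }

def demo() -> dict:
    today = date(2024, 6, 1)                  # constructed "today"
    users = [                                 # constructed accounts: (role, last change)
        ("administrator", date(2024, 5, 10)), # expires 2024-06-09, reminders from 06-02
        ("administrator", date(2024, 5, 5)),  # expires 2024-06-04, already in reminder window
        ("administrator", date(2024, 4, 30)), # expired 2024-05-30, grace runs to 06-02
        ("subscriber", date(2024, 1, 1)),     # expired 2024-03-31, long past grace
    ]
    return {
        "statuses": [password_status(role, changed, today) for role, changed in users],
        "summary": compliance_summary(users, today),
        "subscriber_no_expiry": password_status("subscriber", date(2024, 1, 1), today,
                                                expiry_days={"administrator": 30}),
    }

if __name__ == "__main__":
    print(demo())
```

Disabling expiration for a role is modelled by leaving the role out of the table, which is why `password_status` returns a distinct `disabled` value instead of silently treating the account as compliant forever; the dashboard counts `grace` and `locked` together as expired, matching the "accounts with expired passwords" figure above.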
Breach Detection via Have I Been Pwned
The HIBP integration uses the range search API with k-anonymity. Only the first 5 hex characters of the SHA-1 hash are sent to the API, which returns all matching hash suffixes. The comparison happens locally on your server, so the full password hash is never transmitted. This approach is recommended by security experts and used by major organizations worldwide.
If a password is found in the breach database, the user is shown the number of times it has appeared in known breaches and required to choose a different password. Breach checks can be configured as blocking (default) or advisory (warning only).
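The k-anonymity exchange described above, as an added Python example that is not the plugin's code: the password is hashed with SHA-1, only the 5-character hex prefix is handed to the range lookup, and the 35-character suffix is matched against the returned `SUFFIX:COUNT` lines locally. `FakeHibpServer` is a constructed stand-in for the real endpoint (it records every prefix it is asked for so the test can show nothing longer ever leaves the server), and the breach count attached to the sample password is invented.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

def hibp_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    is sent to the API and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix. Padding entries
    (count 0) parse like any other and simply never flag a password."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: transmit only the prefix, match the suffix locally."""
    prefix, suffix = hibp_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def evaluate(password: str, fetch_range: Callable[[str], str],
             blocking: bool = True) -> Tuple[bool, Optional[str]]:
    """Apply the blocking/advisory switch: returns (accepted, message)."""
    count = breach_count(password, fetch_range)
    if count == 0:
        return True, None
    message = f"This password has appeared {count} times in known data breaches."
    return (not blocking), message      # advisory mode warns but still accepts

class FakeHibpServer:
    """Constructed stand-in for the range endpoint. Records each request so a
    test can prove that only 5-character prefixes are ever sent."""
    def __init__(self, breached: Dict[str, int]):
        self.requests: List[str] = []
        self.ranges: Dict[str, List[str]] = {}
        for pw, count in breached.items():
            prefix, suffix = hibp_prefix_suffix(pw)
            self.ranges.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(self, prefix: str) -> str:
        self.requests.append(prefix)
        # Two unrelated, obviously fake suffixes mimic the other entries in a range.
        lines = ["0" * 34 + "1:2", "F" * 34 + "A:7"] + self.ranges.get(prefix, [])
        return "\r\n".join(lines)

def demo() -> dict:
    server = FakeHibpServer({"password": 3861493})   # constructed breach count
    return {
        "blocked": evaluate("password", server.fetch, blocking=True),
        "advisory": evaluate("password", server.fetch, blocking=False),
        "clean": evaluate("pe5l7v9A-Not-In-Any-Dump", server.fetch),
        "prefix_lengths": sorted({len(p) for p in server.requests}),
    }

if __name__ == "__main__":
    print(demo())
```

Because the server only ever learns a prefix shared by every hash in that range, it cannot tell which of the returned candidates, if any, was the user's password; the plugin's blocking versus advisory setting maps onto the first element of the tuple `evaluate` returns.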
Screenshots
Compliance dashboard — policy health overview and user compliance stats
Role-based password rules configuration
Password expiration and grace period settings
Breach detection settings and HIBP integration
User password status list with expiration dates
Free vs Pro
Get more with VistoShield Pro Bundle
| Feature | Free | Pro Bundle |
|---|---|---|
| Role-Based Rules | ✓ | ✓ Enhanced |
| Breach Detection | ✓ | ✓ + Real-time alerts |
| Compliance Reports | Basic | PDF export + scheduled |
| Support | Community | Priority 24h |
| Updates | Standard | Priority + Early Access |
Ready to Enforce Strong Passwords?
Install Password Policy from the WordPress plugin directory and start enforcing role-based password rules in minutes.
Get Started Free