WP Password Policy

Description

WP Password Policy lets you define and enforce password policies for all users on your WordPress site.

Set rules for password length, complexity (uppercase, lowercase, digits, special characters), restricted characters, password expiration, and more. The plugin validates passwords on login, registration, password changes, and during active sessions — automatically redirecting users to reset non-compliant passwords.

Key benefits:

  • Enforce password length and complexity rules from a single settings page.
  • Set password expiration to ensure users update their passwords regularly.
  • Require users to confirm their current password before making changes.
  • Compatible with WordPress multisite networks.

Whether you manage a personal blog, a membership site, or a multisite network, WP Password Policy helps you maintain consistent password standards across all user accounts.

Learn more at wppasswordpolicy.com.

Why password policies matter

Weak passwords remain one of the most common entry points for unauthorized access to WordPress sites. Enforcing password rules helps reduce this risk and supports compliance with security best practices.

Features

Free Features

  • Minimum password length — Set and enforce the minimum number of characters for user passwords.
  • Maximum password length — Limit password length to prevent denial-of-service attacks caused by hashing very long passwords.
  • Password complexity rules — Require a mix of uppercase letters, lowercase letters, digits, special characters, and a minimum number of unique characters.
  • Consecutive username symbols — Restrict how many consecutive characters from the username can appear in the password.
  • Restricted characters — Block specific characters from being used in passwords.
  • Maximum password age — Force users to update their passwords periodically (e.g., every 30 days).
  • Minimum password age — Prevent users from changing their password too frequently, discouraging rapid cycling back to an old password.
  • Require current password — Add a “Current Password” field to the user profile screen and validate it before allowing password changes.
  • Custom password hints — Replace the default WordPress password hint with a policy-specific hint based on active rules.
  • Site Health integration — A Site Health test reports whether your plugin settings are properly configured.
  • Multisite/network support — Works with both standard and multisite WordPress installations.
  • AI integration — On WordPress 6.9+ with the MCP Adapter plugin, list, configure, and delete password policies through natural language commands from any connected AI provider.
  • Translation-ready — Localize the plugin into any language.

PRO Features

  • Prevent password reuse — Block users from reusing their previous passwords, encouraging new, unique passwords every time.
  • Custom password policies per role or user — Assign different password rules for administrators, editors, WooCommerce customers, or specific users.
  • Block common, weak passwords — Over 100,000 common passwords are blocked, preventing users from choosing easy-to-guess passwords.
  • Integrations:
    • WooCommerce integration — Enforce password policies on WooCommerce login, registration, checkout account creation (including Store API), account details, password change, and password reset forms. Replaces WooCommerce’s built-in password strength meter with your policy rules.
    • Ultimate Member integration — Enforce password policies within Ultimate Member registration, login, password reset, and password change forms. Disables Ultimate Member’s built-in password strength option to avoid conflicts.
    • Tutor LMS integration — Enforce password policies on Tutor LMS student and instructor registration, login, password change, and password reset forms.
    • LifterLMS integration — Enforce password policies on LifterLMS registration (including checkout), account password change, and password reset forms. Replaces LifterLMS’s built-in password strength meter with your policy rules.
    • LearnPress integration — Enforce password policies on LearnPress registration, login, and password change forms.
  • Priority support and updates — Get premium email support and updates.

Learn more about the PRO version at wppasswordpolicy.com/pricing.

Related Plugins

Looking for a way to force users to reset their passwords immediately? Check out our Password Reset Enforcement plugin: it lets you require password resets site-wide, by role, or for individual users, with WP-CLI support for automation.

Screenshots

  • Password policy configuration overview.
  • Customizable password policy rules.
  • Password policy rules can be adjusted as needed.
  • Enforcement on user password forms.

Installation

  1. Upload the password-requirements directory to /wp-content/plugins/, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the “Plugins” menu in WordPress.
  3. Go to “Settings” > “WP Password Policy” to configure your password policy.
  4. Enable the rules you need, adjust their settings, and save. Your password policy is now active.

FAQ

How do I access the settings?

After activation, go to “Settings” > “WP Password Policy” in the WordPress admin. The settings page lets you enable or disable individual rules and configure their values.

What happens when a user’s password does not meet the policy?

On login, the user is redirected to the password reset form. On password change or registration, a clear error message explains which rules the password does not meet.

Does this plugin work with WooCommerce?

WooCommerce integration is available in the PRO version. It enforces password policies on WooCommerce login, registration, checkout account creation (including Store API), account details, password change, and password reset forms. It also replaces WooCommerce’s built-in password strength meter with your policy rules.

Does it work with LMS plugins like LifterLMS, Tutor LMS, or LearnPress?

Yes. The PRO version includes integrations for LifterLMS, Tutor LMS, and LearnPress. Password policies are enforced on registration, login, and password change forms within these plugins. See the integrations page for details.

Is the plugin compatible with WordPress multisite?

Yes. WP Password Policy supports both standard WordPress installations and multisite networks.

Can I set different password rules for different user roles?

Yes, with the PRO version you can create multiple password policies and assign them to specific user roles or individual users.

What is the difference between the free and PRO versions?

The free version provides a single global password policy with length, complexity, age, restricted characters, and current password requirements. The PRO version adds per-role and per-user policies, password reuse prevention, a blocklist of over 100,000 common passwords, and integrations with WooCommerce, Ultimate Member, LifterLMS, Tutor LMS, and LearnPress. See the pricing page for details.

Reviews

January 16, 2026
This plugin lets me implement an appropriate level of security on my site to protect users’ privacy and potential financial data by ensuring all users have a strong password in place. There are many easy-to-use options to vary the strength requirements, and the messages to the user spell out the requirements in a simple-to-understand sentence. Support for this plugin is AWESOME, they respond quickly and thoroughly, and are keen to make sure the plugin handles any odd scenario you come across. I highly recommend this plugin to anyone who needs to ensure a level of password strength on their WordPress site.

Contributors & Developers

“WP Password Policy” is open source software.

Changelog

3.6.1 (2026-03-20)

  • Plugin icon and assets updated
  • Security hardening – added missing escaping
  • Dependencies updated

3.6.0 (2026-03-14)

  • Abilities API implemented: password policies are now available in WordPress MCP server
  • Direct access protection added to all PHP files
  • Dependencies updated
  • Formatting updates
  • Unnecessary translation files removed since these are loaded from WordPress.org
  • Do not hardcode wp-login.php path for login form
  • Code improvements

3.5.0 (2026-01-28)

  • Support for restricting certain characters in passwords implemented
  • Dependencies updated
  • Code improvements

3.4.1 (2026-01-12)

  • Harden handling of the “allow_password_reset” filter to improve compatibility with third-party plugins

3.4.0 (2025-11-28)

  • Compatibility with WordPress 6.9 confirmed
  • Dependencies updated
  • Code improvements

3.3.0 (2025-09-19)

  • New feature: require users to provide their current password before changing it
  • New feature: added the ability to exclude certain users from being covered by the password policy (through PHP filter); this is useful when certain users are managed externally and we don’t want to enforce the password policy on them (for example: users who log in through an SSO provider)
  • Compliance checks against the password policy refactored to avoid having duplicated logic in various modules
  • Dependencies updated
  • Code improvements

3.2.2 (2025-07-24)

  • Dependencies updated
  • Code improvements

3.2.1 (2025-07-04)

  • Plugin’s readme.txt file updated

3.2.0 (2025-07-01)

  • Network activation process improved
  • Password expiry check on user interaction improved
  • Automated, conditional logout implemented: after plugin settings changes are saved, the current user is logged out if affected by the new policy
  • Plugin container loader optimized to avoid duplicated instantiations
  • Plugin name updated to avoid confusion, now matching the project’s name
  • Dependencies updated
  • Code improvements

3.1.1 (2025-04-25)

  • Issue with nonce in the password reset form on password expiry fixed
  • Settings screen style improvements
  • Dependencies updated
  • Code improvements

(For older records, see the changelog.txt file).