Help secure your WooCommerce site by enforcing stronger passwords and taking additional control of your strength requirements.
Help secure your WooCommerce site by enforcing stronger passwords and taking additional control of your strength requirements.
WooCommerce has an integrated Password Strength Meter which forces users to use strong passwords. Sometimes this isn’t desirable – with this plugin, you can choose between five password levels ranging from “Anything Goes” to “Strong Passwords Only”. In addition, you can modify the colors and appearance of these custom messages, as well as modify or remove the password hint. For details on how the password strength is determined, please read the documentation here.
Version 3.0.0 is a bit of a rewrite to bring the plugin up to modern coding standards. Functionality should not be impacted, but if it is, please reach out on the support forums.
Version 3.0.1 is simply a hotfix declaring compatibility with WooCommerce HPOS. Since this plugin doesn’t touch anything with the orders or order metadata, it shouldn’t be impacted at all. However, if you notice any issues then please reach out via the contact form on my website.
While this does allow for user accounts to have weaker passwords, it’s a good idea to still encourage strong password use – especially for administrators!
wp-content/plugins
folder (or use the Plugins menu through the WordPress Administration section)A: The levels range from 0 (lowest) to 4 (highest). As passwords are typed, the strength meter will dynamically update – this will disable the “Sign Up” button until the requirements have been met. It should be noted that Level 0 accepts any password, so messaging isn’t shown (and therefore doesn’t have admin fields).
A: This should appear wherever the Password Strength Meter appears – in the “My Account” page or during Checkout.
A: The password strength is determined by code in WordPress core, more specifically using a library called “zxcvbn”, created by Dropbox. There’s a more in-depth description of how this works in the plugin documentation.
A: This plugin doesn’t allow for that functionality, because it’s not part of the built-in WordPress password strength algorithms. Those restrictions have also been proven to be ineffective and frustrating for users. See How Password Strength is Determined.
A: This is the most common question I get, and the short answer is I don’t know, but you can likely figure it out with the guide on How Password Strength is Determined.
A: This is unfortunately unavoidable. As of writing, WooCommerce doesn’t validate the password strength in the checkout page, so while the strength meter will show it doesn’t enforce it. This isn’t something I’m able to work around, so share that you want validation on the password strength requirements in the official WooCommerce Ideas Board – once it’s active in WooCommerce, it will automatically be active here. 🙂
A: No, this plugin does not create any vulnerabilities. It does create additional displays for the client-side (in the user’s browser), but not server-side where vulnerabilities are found. It is using the Password Strength Meter that is already in WordPress, and doesn’t store or handle any information – WordPress or WooCommerce are the only ones that see and manage passwords, not this plugin. For security advice, please check out this older but still valid security 101 guide I’ve written.
A: If you experience any issues, please let the developer know. If you have ideas for future features or improvements, head over to GitHub to see if something is in development or to help contribute.
A: You can check out the Danny’s personal site at DanielSantoro.com. He doesn’t keep up with it as much as he’d like, but it’s there.