iThemes Security Password Requirements

For more information on WordPress roles and capabilities, please see the Roles and Capabilities article in the WordPress Codex.

You’ll now find all of the User Security Check settings in the Security Dashboard on the User Security Profiles card.

The Force Password Change button was also added to the User Security Profiles card. You will find the rest of the Password Requirement options in Security > Settings > User Groups to configure per User Group.

Force Password Change

Clicking the Force Password Change for All Users button will require all of your users to reset their password the next time they log into your site. To take this action, go to Security > Dashboard > User Security Profiles.

[Screenshot: force_password_change.png]

Strong Passwords

Strong Passwords rejects new passwords that do not meet the strength requirement for the selected User Groups. You can determine which User Groups this is applied to in Security > Settings > User Groups / Password Requirements.

[Screenshot: strong_passwords.png]

Warning: If your site allows public registration, applying the requirement to low-privilege User Groups such as Subscribers may frustrate your members. Weigh that friction against what those accounts can actually access.

Password Age

The Password Age setting forces your users to reset their password at a fixed interval that you determine: you enable the periodic change per User Group and set the number of days a password may be in use before a new one is required.

iThemes Security suggests 120 days (about 4 months) as a starting point. Note that current NIST guidance (SP 800-63B) advises against forcing periodic password changes unless there is evidence of compromise, because scheduled rotation tends to produce predictable, incremental passwords. If you enable Password Age, pair it with Strong Passwords and Refuse Compromised Passwords so that each forced change produces a password that is actually better.

You can determine which User Groups this is applied to in Security > Settings > User Groups / Password Requirements.

[Screenshot: password_age.png]

Once enabled on your desired User Groups, then you can choose the length of time in Security > Settings > Configure > Password Requirements.

[Screenshot: password_age_two.png]

Any users with a password older than the set Password Age will be required to reset their password on their next login.


Refuse Compromised Passwords

With the Refuse Compromised Passwords feature enabled, every password your users create is checked against a list of passwords known to have appeared in data breaches. If the password appears on that list, it is rejected and the user must choose a different one.

You can determine which User Groups this is applied to in Security > Settings > User Groups / Password Requirements.

[Screenshot: compromised_passwords.png]

After the Refuse Compromised Passwords setting has been enabled, users who attempt to log in with a compromised password will see this notice on their WordPress login screen, prompting them to update their password using a strong password generator.

Once the password has been updated, the user can now successfully log in using a secure password.

Note: Passwords are checked against the Pwned Passwords list maintained by Have I Been Pwned. Plaintext passwords are never sent to Have I Been Pwned. Instead, the password is hashed with SHA-1 and only the first 5 hexadecimal characters of that hash are sent over an encrypted connection to the range endpoint (https://api.pwnedpasswords.com/range/{first 5 characters}). The API returns every known hash suffix that shares those 5 characters, and the comparison against the remaining 35 characters happens on your site, so neither the password nor its full hash leaves your server. Read the technical details here.
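The following is an added example, written for this article, that shows the k-anonymity exchange described in the note above. It is not iThemes Security's own code: it computes the SHA-1 prefix that would be sent, parses a response body in the format the Pwned Passwords range endpoint returns, and decides locally whether the password is compromised. The response text embedded below is constructed for illustration (it is a hand-made excerpt, not a captured reply from the API); the function and variable names are the author's own.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix "5BAA6", which is the
# SHA-1 prefix of the string "password". The real endpoint returns one
# "<35-char suffix>:<count>" line per known hash in the range; a line with a
# count of 0 is padding that the API can add on request and must not be
# treated as a hit. Only the second line here is a real, well-known hash.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
0A1B2C3D4E5F60718293A4B5C6D7E8F90AB:0
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is transmitted and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """URL queried for a prefix; the password itself never appears in it."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return PWNED_RANGE_ENDPOINT + prefix


def parse_range_body(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict.
    Blank lines are skipped; malformed lines are ignored rather than trusted."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_online(prefix: str) -> str:
    """Real network lookup (not used by the offline demo below)."""
    req = urllib.request.Request(
        range_url(prefix), headers={"User-Agent": "range-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appeared in breaches, or 0 if unknown.
    fetch_range maps a 5-character prefix to the response body for it."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def is_compromised(password: str, fetch_range: Callable[[str], str]) -> bool:
    # Padding entries carry a count of 0, so "present with count 0" is a miss.
    return breach_count(password, fetch_range) > 0


# Offline stand-in for the API: only the constructed 5BAA6 range is known;
# every other prefix yields an empty body, i.e. "no matches in this range".
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE_5BAA6}


def offline_fetch(prefix: str) -> str:
    return OFFLINE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = sha1_prefix_suffix(candidate)
        print(f"{candidate!r}: sends {range_url(prefix)}, "
              f"compromised={is_compromised(candidate, offline_fetch)}")
```

A site-side implementation would call `breach_count(new_password, fetch_range_online)` at password-set time and reject any count above zero. The lookup function is injected so the decision logic can be exercised offline and so a network failure can be handled explicitly (for example, by failing closed and asking the user to retry) rather than silently treating an unreachable API as "not compromised".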
