Protect your membership site and member accounts by preventing members from using a weak or otherwise insecure password during Membership Checkout.

This Add On is a free drop-in and has no settings. Once enabled, your new member accounts are instantly more secure. Password checks include a variety of common security tests, including:

  • Checks against the password length and usage of lowercase or uppercase letters.
  • The presence of numbers and special characters.
  • Known insecure values, like common password names, years, and passwords that include or match the username or email address.

The Add On includes a strength meter, so members can see in real-time just how strong their password is.

There are a variety of action and filter hooks available for developers to alter the password requirements or display different interactive elements on the checkout page.

Installation

You must have the Paid Memberships Pro plugin installed and activated to use this Add On.

  1. Navigate to Memberships > Add Ons in the WordPress admin.
  2. Locate the Add On and click “Install Now”.
    • Or, to install this plugin manually, download the .zip file above.
    • Upload the compressed directory (.zip) via the Plugins > Add New > Upload Plugin screen in the WordPress admin.
  3. Activate the plugin through the Plugins screen in the WordPress admin.

Settings

The Strong Passwords Add On does not have any settings. Once installed and activated, your Membership Checkout form will immediately begin requiring members to use more secure passwords.

Screenshot of the membership checkout page with a strength meter showing a Strong password using the Strong Passwords Add On for Paid Memberships Pro

By default, the Add On enforces a level 2 secure password by validating the user-entered value with the bundled zxcvbn-php library by @bjeavons on GitHub. In the strength meter, this shows up as “Medium” strength. You can adjust the security level using the pmprosp_minimum_password_score hook.

Scores are integers from 0 to 4. Below is a list of the minimum password scores and their meanings:

  • 0 means the password is extremely guessable (within 10^3 guesses); dictionary words like ‘password’ or ‘mother’ score a 0.
  • 1 is still very guessable (guesses < 10^6); an extra character on a dictionary word can score a 1.
  • 2 is somewhat guessable (guesses < 10^8) and provides some protection from unthrottled online attacks.
  • 3 is safely unguessable (guesses < 10^10) and offers moderate protection from an offline slow-hash scenario.
  • 4 is very unguessable (guesses >= 10^10) and provides strong protection from an offline slow-hash scenario.

Note: Existing members will not be forced to update their password to a more secure phrase. This Add On also does not currently enforce password strength during the Password Recovery or Edit Profile > Change Password processes.

Screenshots

Screenshot of the membership checkout page with a strength meter showing a Strong password using the Strong Passwords Add On for Paid Memberships Pro
Screenshot of the membership checkout page with a strength meter showing a Medium password using the Strong Passwords Add On for Paid Memberships Pro
Screenshot of the membership checkout page with the hover tooltip to show the password strength hint using the Strong Passwords Add On for Paid Memberships Pro
Screenshot of the membership checkout error where the password minimum was not met using the Strong Passwords Add On for Paid Memberships Pro

Action and Filter Hooks

Below is a list of optional action and filter hooks that can be used to further customize the Require Strong Passwords Add On.

apply_filters( 'pmprosp_display_password_tooltip', bool '__return_false' );

Hide the tooltip that appears on hover after the word “Password”.

apply_filters( 'pmprosp_display_password_strength', bool '__return_false' );

Hide the words “Very weak”, “Weak”, “Medium”, “Strong”, “Mismatch” password strength indicator.

apply_filters( 'pmprosp_display_progressbar', bool '__return_false' );

Do not show the password strength bar.

apply_filters( 'pmprosp_progressbar_bg_color', '#aaaaaa' );

Adjust the background color of the progress bar.

apply_filters( 'pmprosp_enable_verbose_password_validation', false );

Enable more verbose validation.

apply_filters( 'pmprosp_minimum_password_score', 2, $password_strength );

Adjust the minimum password score when validating a password. Note that the default score of 2 means that a “medium” strength password will pass. We know this is somewhat confusing given the name of the Add On. Adjust this to 3 if you want your site to require a password that the strength meter rates as “strong”.

apply_filters( 'pmprosp_minimum_password_score_message', implode( " ", $password_strength['feedback']['suggestions'] ), $password_strength );

Filter to adjust the minimum password score message shown to the user.
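
One way to use the two password-score hooks above together, as an added example rather than code from the Add On: it raises the minimum score to 3 and returns a rejection message that is never empty, even when zxcvbn supplies no suggestions. The `my_` function names are hypothetical, and the `warning` key in the feedback array is an assumption about the zxcvbn-php result; only `suggestions` appears on this page.

```php
<?php
/**
 * Added example (not part of the Add On): site-specific customizations,
 * placed in a small custom plugin. Function names prefixed my_ are hypothetical.
 */

// Require "Strong" (score 3) instead of the default "Medium" (score 2).
// Per the score list above, 3 is the first level rated "safely unguessable".
function my_pmprosp_minimum_score( $minimum, $password_strength = array() ) {
	// Never lower a bar another filter already raised; 4 is the top score.
	return min( 4, max( 3, (int) $minimum ) );
}
add_filter( 'pmprosp_minimum_password_score', 'my_pmprosp_minimum_score', 10, 2 );

// Build the rejection message. The default is the zxcvbn suggestions joined
// by spaces, which is an empty string when there are no suggestions.
function my_pmprosp_score_message( $message, $password_strength = array() ) {
	$feedback = array();
	if ( is_array( $password_strength )
		&& isset( $password_strength['feedback'] )
		&& is_array( $password_strength['feedback'] ) ) {
		$feedback = $password_strength['feedback'];
	}

	// Always lead with a fixed sentence so the member sees a reason.
	$parts = array( 'Please choose a stronger password. The strength meter must show "Strong".' );

	// Assumption: 'warning' is a string that sits next to 'suggestions'.
	if ( ! empty( $feedback['warning'] ) && is_string( $feedback['warning'] ) ) {
		$parts[] = $feedback['warning'];
	}
	if ( ! empty( $feedback['suggestions'] ) && is_array( $feedback['suggestions'] ) ) {
		$parts[] = implode( ' ', $feedback['suggestions'] );
	}

	// The message is built only from feedback text, never from the submitted
	// password, and is escaped before it is returned for display.
	return esc_html( implode( ' ', $parts ) );
}
add_filter( 'pmprosp_minimum_password_score_message', 'my_pmprosp_score_message', 10, 2 );
```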

This is a Free Add On.