I’m a big believer in generating unique credentials for all my accounts, which includes all of my WordPress logins. However, not everyone follows this practice. I’ve seen countless sites compromised through weak passwords. This WP Password Policy review takes a brand new plugin for a spin to examine whether it can live up to the task.

Having password enforcement built into WordPress would ensure every user – contractors, clients, or team members – can create secure credentials within the platform. With this in mind, let’s take a look at the plugin’s key aspects.

WP Password Policy Review: Fast Facts

  • WP Password Policy enforces password complexity rules that WordPress doesn’t provide out of the box.
  • The free version includes basic complexity requirements and password expiration for one site, while the premium version adds password reuse prevention plus blocks over 100,000 common passwords.
  • The plugin supports role-based policies, which lets you set different rules for administrators versus regular users, for example.

WP Password Policy Review: Pricing

The WP Password Policy pricing page showing free and pro options.

Let’s start with the cost. The free version of WP Password Policy provides core enforcement for one website. This includes complexity rules, password expiration, and basic configuration options. It works for individual site owners and small businesses who need baseline password security.

The premium version of WP Password Policy adds password reuse prevention, a restricted passwords list with over 100,000 entries, role-based policies, and WooCommerce integration.

This costs $59 per year for one website or $159 per year for an unlimited number of sites. It’s fantastic value and will suit agencies, e-commerce sites, and businesses that need control over password policies.

Since there is only one premium tier (the licenses differ only in how many sites they cover), every premium customer gets the same core password complexity enforcement.

WP Password Policy Review: The Functionality on Offer

WP Password Policy centers on password enforcement, addressing WordPress’ lack of native password controls. By default, WordPress can suggest a strong password at login or profile setup and not much else.

This plugin combines length settings, complexity requirements, and usage restrictions to create a complete password security system. Here’s where I think it stands out.

Password Complexity Rules

The WP Password Policy plugin header image from WordPress.org.

The password complexity enforcement system is at the plugin’s foundation. You can require uppercase letters, lowercase letters, numbers, special characters, and unique characters in any combination. The plugin also lets you set minimum and maximum password lengths and restrict consecutive characters from usernames.

Password complexity configuration options in WP Password Policy.

The modern approach to password security favors length over complexity. In fact, this is something I reference a lot through the famous XKCD comic:

The XKCD comic strip showing password strength.

WP Password Policy supports this approach by allowing for minimum lengths up to 50 characters while making special character requirements optional.

Password Age and Retention

WP Password Policy’s retention controls let you set how often users must change their passwords.

The WP Password Policy retention controls.

Here, you can set a minimum password age to prevent users from cycling back to old passwords, and a maximum password age to force regular updates. With the right blend of settings, you can create a balanced approach that promotes security without frustrating your users with constant change requirements.

Pro Version Security Features

For premium users, the restricted passwords list blocks over 100,000 common passwords. This prevents users from choosing passwords such as “admin,” “password,” or “123456” that appear in breach databases:

The Have I Been Pwned? website showing the number of breaches for a password.
If you’re wondering, I searched breaches for “password”.

What’s more, you can add custom entries to this list to block phrases such as your company name or industry-specific terms.

The password reuse prevention option stores hashed versions of previous passwords in the WordPress database. When users try to set a new password, the plugin checks against this history to ensure they create something new. You can configure how many previous passwords to remember, with the default set to 24.
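The checks described in the Password Complexity Rules section above and in this section, written out as an added example in plain PHP (not the plugin’s own code): a hypothetical check_password() applies length and character-class rules, rejects runs of characters taken from the username, consults a restricted list that includes custom entries, and compares the candidate against a hashed password history using the review’s default of 24. It assumes PHP 7.4 or later, a 4-character username run (the review doesn’t specify the run length), and PHP’s own password_hash()/password_verify() in place of WordPress’s wp_hash_password()/wp_check_password().

```php
<?php
// Added example, not the plugin's code: a standalone check that models the
// rules this review describes (length, character classes, username runs,
// restricted list, reuse history). Plain PHP password_hash()/password_verify()
// stand in for WordPress's wp_hash_password()/wp_check_password().

const HISTORY_DEPTH = 24; // the review's default number of remembered passwords
const USERNAME_RUN = 4;   // assumed: reject any 4-character run taken from the username

function check_password(string $candidate, string $username, array $policy,
                        array $restricted, array $history): array {
    $errors = [];
    $len = mb_strlen($candidate);
    if ($len < $policy['min_length']) $errors[] = "shorter than {$policy['min_length']} characters";
    if ($len > $policy['max_length']) $errors[] = "longer than {$policy['max_length']} characters";
    if ($policy['require_upper'] && !preg_match('/\p{Lu}/u', $candidate)) $errors[] = 'no uppercase letter';
    if ($policy['require_lower'] && !preg_match('/\p{Ll}/u', $candidate)) $errors[] = 'no lowercase letter';
    if ($policy['require_digit'] && !preg_match('/\p{N}/u', $candidate)) $errors[] = 'no digit';
    if ($policy['require_special'] && !preg_match('/[^\p{L}\p{N}]/u', $candidate)) $errors[] = 'no special character';

    // Username runs: "alice" must not contribute "alic" or "lice" to the password.
    $u = mb_strtolower($username); $c = mb_strtolower($candidate);
    for ($i = 0; $i + USERNAME_RUN <= mb_strlen($u); $i++) {
        if (mb_strpos($c, mb_substr($u, $i, USERNAME_RUN)) !== false) { $errors[] = 'contains part of the username'; break; }
    }
    // Restricted list, compared case-insensitively so "Password" is caught as well.
    if (in_array($c, $restricted, true)) $errors[] = 'on the restricted list';
    // Reuse prevention: only hashes are stored, so verify the candidate against each one.
    foreach (array_slice($history, 0, HISTORY_DEPTH) as $old_hash) {
        if (password_verify($candidate, $old_hash)) { $errors[] = 'matches one of the last ' . HISTORY_DEPTH . ' passwords'; break; }
    }
    return $errors;
}

// Constructed data: a short restricted list (the plugin's list has 100,000+
// entries plus your custom terms) and two previous passwords, stored hashed.
$restricted = ['password', '123456', 'admin', 'examplecorp'];
$history = array_map(fn($p) => password_hash($p, PASSWORD_DEFAULT), ['OldPass-1', 'OldPass-2']);
$policy = ['min_length' => 12, 'max_length' => 50, 'require_upper' => true,
           'require_lower' => true, 'require_digit' => true, 'require_special' => false];

foreach (['Password', 'OldPass-1', 'alice-Rocks-2024', 'Correct horse battery staple 7'] as $try) {
    $errors = check_password($try, 'alice', $policy, $restricted, $history);
    printf("%-32s %s\n", $try, $errors ? 'rejected: ' . implode('; ', $errors) : 'accepted');
}
```

Only the last candidate passes: the first three are rejected for being short and on the restricted list, for matching a stored hash, and for containing a run from the username respectively.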

Role-Based Policy Management

Dedicated policies let you create unique requirements for different groups. The plugin lets you assign policies by user role or by specific username, or apply them to all users.

User coverage options showing role-based and user-specific policy assignment.

For example, you might enforce stricter rules for Administrators while keeping simpler requirements for Subscribers. This will be great if you chop and change team roles on a regular basis, use freelancers, or have to provide temporary access to external parties.

WP Password Policy Review: Who the Plugin Is For

Password security affects every WordPress site, of course, but WP Password Policy targets scenarios where the native WordPress controls fall short. Consider it a bridge between WordPress’ minimal password requirements and real-world security needs.

In my opinion, WordPress administrators that manage multi-user sites will benefit the most. When you have editors, authors, and contributors accessing your site, you won’t be able to control their password habits without enforcement tools (trust me, I’ve tried!).

By the same token, web agencies can create template policies for different client types: stricter requirements for e-commerce sites, moderate rules for corporate blogs, and basic standards for simple brochure sites. The unrestricted number of site licenses means this approach will be cost-effective across your entire client portfolio.

For WooCommerce stores, the premium integration extends your password policies to customer accounts. This protects both your business and your customers from account takeovers that could lead to fraudulent orders or data breaches. I’d consider this essential for e-commerce.

Membership sites and online courses also store user data and premium content that needs protection, so enforcing password policies here is also valuable. Here, strong passwords additionally reduce the risk of account sharing and unauthorized access to paid content.

Finally, corporate intranets and internal tools built on WordPress will need protection. Employees will often reuse passwords across services or choose weak passwords for internal systems. The plugin ensures your internal WordPress sites maintain the same security standards as your external-facing ones.

WP Password Policy Review: Installation and Setup

The installation process is typical, and regardless of whether you use the free or premium version, it will create a new Password Policy menu item in your WordPress dashboard.

The WP Password Policy settings page after initial activation.

The interface is clean and organized. However, this is in part because no password policies exist by default. Instead, you have to create and configure them based on your needs. This matters: enabling a policy automatically could lock out users whose existing passwords don’t comply, and you want to give them the chance to change their ways!

Creating your first policy involves clicking the Add new policy button, which adds a panel to the settings page. The General settings section lets you name the policy and toggle its activation status. For greater organization, create policies with descriptive names such as Admin Policy or Customer Requirements but know that these titles won’t display to the end user.

The General settings within the WP Password Policy plugin.

Next, the Enabled rules section gives you toggle switches for each available restriction. You can enforce minimum lengths, ages, and complexity. You also get to enforce a maximum password age and prevent users from reusing past passwords.

The Enabled Rules within the WP Password Policy plugin.

If you take a look at the Rule settings section, you can configure the options for each enabled rule. Here you can set values such as a minimum length, the password age in days, and any complexity requirements.

The Rule Settings within WP Password Policy.

Finally, the User coverage panel determines who each policy affects. By default, policies apply to all users, but you can restrict them to roles or individual users.

After configuring your policies, make sure you click Save all settings at the bottom of the page as there’s no auto-save! At this point, users will have to log back in and reset their passwords to gain site access.

WP Password Policy Review: Support and Documentation Quality

I’m excited to be reviewing WP Password Policy as it’s a brand new plugin. This also means I’m casting my eye even harder over the quality of the documentation and support, given that there will be a lack of reviews and ratings to pore over.

For direct support, you contact the team through the website. The site doesn’t indicate response times or support hours, although premium users do have email support available alongside a Customer Portal. As is typical, the WordPress.org support forum provides community assistance for free version users.

The WP Password Policy contact form for support requests.

For self-service support, you’ll head to the plugin documentation. So far, it covers installation and basic configuration, but I’d expect this to change as the plugin matures. At present, there’s limited coverage of complex scenarios like multisite installations or handling existing users with non-compliant passwords. I’d like to see these additions in future.

The WP Password Policy documentation page.

The article on configuring the plugin is the most in-depth, which makes sense. In honesty, given how much complex work the plugin does behind the scenes, the developer has done well to present a clean and intuitive interface. You might not need any of the support or documentation!

WP Password Policy Review: My Final Thoughts

WP Password Policy is a great way to take your WordPress password management from suggestion- to enforcement-based security. While I’m not going to stop using my third-party password manager for generating credentials, this plugin is going to be on my ‘want list’ to ensure every user (including me!) maintains security standards while poking around in my sites.

The free version could be enough for basic enforcement, but the premium version’s restricted passwords list and reuse prevention justify the $59 annual cost. Despite needing better documentation and clearer support communication, the plugin delivers essential security infrastructure that WordPress lacks by default.

Does this WP Password Policy review make you think twice about enforcing credentials on your site? Share your opinions in the comments below!