Force Strong Passwords adds a configurable password policy to WordPress. Set a minimum and maximum length, decide which character classes are required, and AdminEase enforces the policy on user registration, password resets, and profile updates.
What this feature does
WordPress encourages strong passwords with a strength meter, but it doesn’t actually require them. Users can save weak passwords by ignoring the warning. Force Strong Passwords closes that gap by validating the password server-side at the three places where a password can change:
- Front-end user registration (when registration is open).
- The password reset form, both from the lost-password flow and from the admin user editor.
- The profile screen when an existing user changes their own password.
If the chosen password fails the policy, AdminEase returns a WP_Error with a clear, specific message (e.g. “Password must contain at least one number.”) so the user knows what to fix.
How to enable it
- Open AdminEase › Users. Click AdminEase in the WordPress admin menu, then switch to the Users tab.
- Toggle Force strong passwords on. The settings panel expands to reveal the length fields and four character-class checkboxes.
- Set lengths. Enter a minimum and maximum password length. Defaults are 8 and 64 respectively, which work for most sites.
- Pick required character classes. Tick or untick the four character-class requirements based on your policy. The defaults require all four.
- Save settings. The new policy applies immediately to every future password change. Existing passwords are not invalidated retroactively.
AdminEase enforces sensible bounds on the policy itself: the minimum length must be at least 8 and the maximum length must be at most 64. These bounds are validated when you save the settings; you’ll see an error if you try to set values outside that range.
Settings reference
| Setting | What it does | Default |
|---|---|---|
| Force strong passwords | Master switch. Off means WordPress’s default behaviour applies and any password is accepted. | Off |
| Minimum length | Smallest password length permitted. Range: 8 to 64. | 8 |
| Maximum length | Largest password length permitted. Range: 8 to 64. The cap exists so that password hashing doesn’t become a denial-of-service vector. | 64 |
| At least one uppercase letter | Requires the password to contain an uppercase A–Z character. | On |
| At least one lowercase letter | Requires the password to contain a lowercase a–z character. | On |
| At least one number | Requires the password to contain a 0–9 digit. | On |
| At least one special character | Requires the password to contain at least one non-alphanumeric character (e.g. !@#$%^&*). | On |
Choosing a sensible policy
Modern guidance from NIST and most security teams suggests favouring length over complexity rules. A 16-character passphrase is almost always stronger and easier to remember than an 8-character mix of symbols. A few practical configurations:
What happens behind the scenes
Force Strong Passwords plugs into three WordPress hooks: registration_errors (front-end registration), validate_password_reset (lost-password flow), and user_profile_update_errors (profile screen). Each hook runs the same internal check_password_strength() routine, so policy enforcement is identical across all three entry points.
Validation runs server-side, so users can’t bypass the policy by editing the form HTML or scripting around the strength meter.
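One way the shared check and two of the three hooks described above could be wired, as an added example that is not AdminEase's own code: the function name, the error code and every message except the "at least one number" one are hypothetical. registration_errors is not wired here because the password field name on a registration form depends on the form in use.

```php
<?php
// Added example, not AdminEase's code; function names and most messages are hypothetical.
/** Return every policy violation for $password (an empty array means it passes). */
function example_password_policy_failures( string $password, array $policy ): array {
    $failures = array();
    // Count characters rather than bytes so multi-byte passphrases are measured fairly.
    $length = function_exists( 'mb_strlen' ) ? mb_strlen( $password, 'UTF-8' ) : strlen( $password );
    if ( $length < $policy['min_length'] ) {
        $failures[] = sprintf( 'Password must be at least %d characters long.', $policy['min_length'] );
    }
    if ( $length > $policy['max_length'] ) {
        $failures[] = sprintf( 'Password must be at most %d characters long.', $policy['max_length'] );
    }
    $classes = array(
        'uppercase' => array( '/[A-Z]/', 'Password must contain at least one uppercase letter.' ),
        'lowercase' => array( '/[a-z]/', 'Password must contain at least one lowercase letter.' ),
        'number'    => array( '/[0-9]/', 'Password must contain at least one number.' ),
        'special'   => array( '/[^A-Za-z0-9]/', 'Password must contain at least one special character.' ),
    );
    foreach ( $classes as $key => list( $pattern, $message ) ) {
        if ( ! empty( $policy[ $key ] ) && ! preg_match( $pattern, $password ) ) {
            $failures[] = $message;
        }
    }
    return $failures;
}
// The page's defaults: 8 to 64 characters, all four character classes required.
$policy = array( 'min_length' => 8, 'max_length' => 64,
    'uppercase' => true, 'lowercase' => true, 'number' => true, 'special' => true );

if ( function_exists( 'add_action' ) ) { // Inside WordPress: attach the shared check.
    $report = function ( $errors, $submitted ) use ( $policy ) {
        // WordPress adds slashes to $_POST; remove them so length reflects what was typed.
        foreach ( example_password_policy_failures( wp_unslash( $submitted ), $policy ) as $message ) {
            $errors->add( 'example_weak_password', $message );
        }
    };
    // Lost-password flow: the new password is in $_POST['pass1'].
    add_action( 'validate_password_reset', function ( $errors, $user ) use ( $report ) {
        if ( ! empty( $_POST['pass1'] ) ) { $report( $errors, $_POST['pass1'] ); }
    }, 10, 2 );
    // Profile screen: the new password is on $user->user_pass when one was entered.
    add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) use ( $report ) {
        if ( ! empty( $user->user_pass ) ) { $report( $errors, $user->user_pass ); }
    }, 10, 3 );
} else { // Stand-alone run with constructed sample passwords.
    foreach ( array( 'password', 'Tr0ub4dor&3x' ) as $sample ) {
        printf( "%s => %s\n", $sample, implode( ' ', example_password_policy_failures( $sample, $policy ) ) ?: 'OK' );
    }
}
```

Collecting every failure instead of stopping at the first lets the form show the user everything that needs fixing in one round trip.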
Troubleshooting
Existing users have weak passwords
This feature only validates new password changes. Existing weak passwords stay valid until the user resets them. To force everyone to reset, you can use a plugin that expires all passwords, or send a bulk “please update your password” email and wait.
I can’t save the settings: “Password minimum length must be larger than 8”
Set Minimum length to 8 or higher. Anything below 8 is rejected to prevent dangerously weak policies.
My membership/subscription plugin lets users register with weak passwords
Most third-party registration plugins use the standard registration_errors hook, so AdminEase’s validation runs automatically. If a specific plugin bypasses the standard hook, the password policy won’t apply on that flow. Contact the plugin author or check whether they expose their own password-policy filter.
The error message is being suppressed by a custom theme
Some themes hide WordPress error notices on the registration or password-reset pages. AdminEase returns a standard WP_Error, so any properly written theme will render it. If yours doesn’t, the messages are still in the response; check the underlying form’s error container in the page HTML.
