Password Policy

Overview

WordPress does NOT enforce password strength by default. WordPress shows a “weak password” warning, but users can simply check “Confirm use of weak password” and proceed. This leaves your site vulnerable to brute force attacks and compromised accounts.

Guard Dog’s Password Policy feature enforces mandatory password requirements that cannot be bypassed. Weak passwords are rejected outright, ensuring all user accounts have strong, secure passwords.

WordPress Default Behavior vs Guard Dog

Standard WordPress Password Handling:

• ⚠️ Shows “weak password” warning
• ⚠️ Allows users to bypass with checkbox
• ⚠️ No minimum length enforcement
• ⚠️ No character requirement enforcement
• ⚠️ Users can set “password123”

With Guard Dog Password Policy:

• ✅ Enforces minimum password length
• ✅ Requires character types (uppercase, numbers, special chars)
• ✅ Blocks common/weak passwords
• ✅ Prevents username/email in password
• ✅ Enforces password history (no reuse)
• ✅ Real-time validation with user feedback
• ✅ Cannot be bypassed

Key Features

Mandatory Requirements

• Minimum Length – Set minimum character count (default: 12)
• Uppercase Letters – Require at least one uppercase letter
• Lowercase Letters – Require at least one lowercase letter
• Numbers – Require at least one digit
• Special Characters – Require at least one symbol (!@#$%^&*, etc.)

Advanced Protection

• Block Common Passwords – Reject commonly-used weak passwords
• Block Username – Prevent username from appearing in password
• Block Email – Prevent email address (or local part) in password
• Password History – Prevent reuse of recent passwords
• Role Exemptions – Exempt specific user roles from policy

User Experience

• Real-Time Validation – Password strength checked as user types
• Visual Feedback – Color-coded requirements (✓ green / ✗ red)
• Clear Error Messages – Specific guidance on what’s missing
• Password Match Indicator – Confirms password fields match
• AJAX Validation – No page refresh needed

Configuration

Navigate to Guard Dog → Settings → Password Policy to configure:

Basic Settings

Enable Password Policy:

• Default: Disabled
• Description: Enforce password strength requirements site-wide
• Applies to: Registration, password reset, profile updates
• Recommendation: Enable for all sites

Minimum Password Length:

• Default: 12 characters
• Range: 8 – 128 characters
• Recommendation:
• 12+ for standard sites
• 14+ for sites handling sensitive data
• 16+ for admin accounts (use role exemptions for users)

Character Requirements

Require Uppercase Letters:

• Default: Enabled
• Example: A, B, C, Z
• Recommendation: Enable

Require Lowercase Letters:

• Default: Enabled
• Example: a, b, c, z
• Recommendation: Enable

Require Numbers:

• Default: Enabled
• Example: 0, 1, 2, 9
• Recommendation: Enable

Require Special Characters:

• Default: Enabled
• Example: !@#$%^&*()_+-=[]{}|;:,.<>?
• Recommendation: Enable
• Note: Spaces count as special characters

Content Restrictions

Block Common Passwords:

• Default: Disabled
• Description: Reject passwords from list of 10,000 most common passwords
• Examples blocked: password, 123456, qwerty, admin, letmein
• Recommendation: Enable for high-security sites
• Performance: Minimal impact (uses efficient lookup)

Block Username in Password:

• Default: Enabled
• Description: Prevent username from appearing anywhere in password
• Example: Username “john” cannot use “john123”
• Recommendation: Enable
• Note: Case-insensitive check

Block Email in Password:

• Default: Enabled
• Description: Prevent email address (local part) from appearing in password
• Example: Email “[email protected]” cannot use “john456”
• Recommendation: Enable
• Note: Only checks local part (before @)

Password History

Prevent Password Reuse:

• Default: Disabled
• Description: Prevent users from reusing recent passwords
• Range: 0 (disabled) – 24 previous passwords
• Default Value: 5 passwords
• Recommendation:
• 5-10 for standard sites
• 12-24 for compliance requirements (HIPAA, PCI-DSS)
• Consider “password fatigue” with high values

How It Works:

• Stores hash of each password when changed
• Compares new password against history
• Users cannot reuse any of their last N passwords
• History stored securely in database

Role Exemptions

Exempt User Roles:

• Default: None
• Description: Specific user roles exempt from password policy
• Available Roles: Administrator, Editor, Author, Contributor, Subscriber
• Use Cases:
• Exempt administrators for flexibility
• Allow specific roles to use simpler passwords
• Gradual policy rollout

Recommendation:

• Do NOT exempt administrators (highest risk)
• Only exempt roles with no sensitive access
• Consider creating separate “trusted user” role for exemptions

Where Password Policy Applies

Password Policy is enforced in these locations:

1. New User Registration

Location: /wp-login.php?action=register

Experience:

• User fills in username, email, password
• Password requirements displayed in real-time
• Visual feedback as they type (✓ / ✗)
• Form submission blocked if requirements not met
• Clear error messages on what’s missing

Integration with Email Verification:

• Password Policy validates password strength
• Email Verification requires email confirmation
• Both work together seamlessly

2. Password Reset

Location: /wp-login.php?action=rp

Experience:

• User receives password reset link via email
• Clicks link, taken to reset form
• Sets new password meeting policy requirements
• Real-time validation during typing
• Cannot reset with weak password

3. User Profile Updates

Location: /wp-admin/profile.php or /wp-admin/user-edit.php

Experience:

• User edits their profile
• Changes password in password fields
• Policy validated when updating
• Shows requirements and current status
• Update blocked if password doesn’t meet policy

4. Admin-Created Users

Location: /wp-admin/user-new.php

Experience:

• Admin creates new user
• Sets initial password
• Password must meet policy requirements
• Admin cannot create users with weak passwords
• Unless admin’s role is exempted

User Experience

Registration Form

When typing a password, users see:

Password Requirements:
✓ At least 12 characters
✓ One uppercase letter
✓ One lowercase letter
✓ One number
✗ One special character

Password Strength: Medium

Requirements turn green (✓) as they’re met, red (✗) when not met.

Error Messages

Clear, specific feedback when validation fails:

Too Short:

❌ Password must be at least 12 characters long.

Missing Character Types:

❌ Password must contain at least one uppercase letter.
❌ Password must contain at least one number.

Content Violations:

❌ Password cannot contain your username.
❌ This password is too common. Please choose a different password.

Password Reuse:

❌ You cannot reuse any of your last 5 passwords.

Password Strength Meter

Enhanced WordPress password strength meter:

• Very Weak – Red (doesn’t meet requirements)
• Weak – Orange (meets some requirements)
• Medium – Yellow (meets minimum requirements)
• Strong – Green (exceeds requirements)
• Very Strong – Dark Green (excellent password)

Security Implementation

Password Hashing

• Password history stores WordPress password hashes
• Uses wp_hash_password() (bcrypt)
• No plain text passwords ever stored
• History cannot be reversed to original passwords

Validation Process

1. Client-Side Validation (JavaScript)

• Real-time feedback as user types
• Prevents form submission if invalid
• Better user experience

1. Server-Side Validation (PHP)

• All passwords validated on server
• Client-side validation can be bypassed
• Server validation is authoritative
• Cannot be circumvented

Database Storage

Password history stored in: wp_guard_dog_password_history

Fields:

• id – Auto-increment primary key
• user_id – WordPress user ID
• password_hash – WordPress password hash (bcrypt)
• created_at – When password was set

Security:

• Indexed by user_id for fast lookups
• Old passwords automatically pruned
• Only stores configured number of passwords

Activity Logging

Password Policy events logged in Activity Log:

Logged Events:

• password_policy_violation – User attempted weak password
• password_policy_enforced – User successfully set compliant password

Log Details:

• User ID and username
• IP address
• Event context (registration, reset, profile update)
• Specific violation reasons

View logs in Guard Dog → Activity Log.

Integration with Other Features

Email Verification

Works seamlessly together:

Registration Flow:

1. User provides username, email, password
2. Password Policy validates password strength
3. Email Verification sends verification email
4. User verifies email
5. User can log in with strong password

Benefits:

• Verified email + strong password = secure account
• No weak passwords for verified accounts
• Reduced account compromise risk

Two-Factor Authentication

Complementary security layers:

• Password Policy – Ensures strong passwords
• 2FA – Requires second authentication factor
• Together – Defense in depth

Recommendation: Enable all three for maximum security:

1. Email Verification – Confirms identity
2. Password Policy – Strong first factor
3. Two-Factor Auth – Strong second factor

Custom Login URL

Works together to reduce attack surface:

• Custom Login URL – Hides login page from bots
• Password Policy – Prevents weak passwords when found
• Together – Reduced brute force attack success

Performance Considerations

Password Policy is designed for minimal performance impact:

Client-Side:

• JavaScript validation runs in browser
• No server requests during typing
• Optional AJAX validation for advanced checks

Server-Side:

• Validation only runs during password changes
• Fast regex-based checks
• Common password lookup uses hash table (O(1))
• Password history limited to configured number

Database Impact:

• One row per password change
• Automatic cleanup of old history
• Indexed queries for fast lookups

Compliance Requirements

Password Policy helps meet various compliance standards:

HIPAA (Healthcare)

Requirements:

• Minimum 8 characters (Guard Dog default: 12 ✓)
• Mix of character types ✓
• Regular password changes (manual enforcement)
• Password history to prevent reuse ✓

Guard Dog Configuration:

Minimum Length: 12+
All character types: Enabled
Password History: 10-12

PCI-DSS (Payment Cards)

Requirements:

• Minimum 7 characters (Guard Dog default: 12 ✓)
• Mix of character types ✓
• Password history of at least 4 ✓
• 90-day password expiration (manual enforcement)

Guard Dog Configuration:

Minimum Length: 12+
All character types: Enabled
Password History: 4+
Block common passwords: Enabled

NIST Guidelines

Recommendations:

• Minimum 8 characters (Guard Dog default: 12 ✓)
• Check against breach databases (common passwords ✓)
• No complexity requirements (optional in Guard Dog)
• No mandatory rotation (avoid password fatigue)

Guard Dog Configuration:

Minimum Length: 12-16
Block common passwords: Enabled
Character requirements: Optional
Password History: 5-10

GDPR (Data Protection)

Requirements:

• “Appropriate technical measures”
• Strong authentication
• Access control

Guard Dog Helps:

• Strong password requirements ✓
• Prevents unauthorized access ✓
• Protects personal data ✓

Troubleshooting

Users Can’t Register

Symptom: Registration form shows password errors

Common Causes:

1. Password Too Short

• Check minimum length setting
• Tell users exact character requirement

2. Missing Character Types

• Password missing uppercase/lowercase/number/special
• Show users the specific requirements list

3. Username/Email in Password

• Users trying passwords like “john2024”
• Explain they need more creative passwords

Solution: Display clear requirements on registration page. Users will see real-time feedback.

Users Can’t Reset Password

Symptom: Password reset fails with policy errors

Common Causes:

1. Reusing Old Password

• User trying to set same password as before
• Password history preventing reuse

2. Browser Auto-Fill

• Browser suggesting old weak password
• User accepting suggestion

Solution:

• Explain password history in error message
• Tell users to create completely new password
• Disable browser auto-fill suggestions

Admin Can’t Create Users

Symptom: Admin cannot create new users in WordPress admin

Cause:

• Admin trying to set weak password for new user
• Password policy applies to admin-created users too

Solutions:

1. Meet Requirements

• Use password generator in WordPress
• WordPress generator creates policy-compliant passwords

2. Exempt Administrator Role

• Go to Password Policy settings
• Add “Administrator” to exempt roles
• Only if absolutely necessary

Password History False Positive

Symptom: User claims they’re not reusing password, but policy blocks it

Cause:

• User may have forgotten they used similar password before
• OR passwords are genuinely different but hashes match (extremely unlikely)

Solutions:

1. Admin Override

• Admin can reset user’s password directly
• Sets new password manually
• Bypasses user’s history

2. Clear Password History

• Direct database access (advanced)
• Delete from wp_guard_dog_password_history
• Only if certain it’s a false positive

Policy Not Enforcing

Symptom: Users able to set weak passwords

Check These:

1. Feature Disabled

• Go to Password Policy settings
• Ensure “Enable Password Policy” is checked

2. Role Exempted

• Check exempt roles setting
• User’s role may be in exempt list

3. JavaScript Disabled

• User has JavaScript turned off
• Server-side validation should still work
• Check server error logs

4. Plugin Conflict

• Another plugin may be interfering
• Temporarily disable other plugins
• Test in isolation

Real-Time Validation Not Working

Symptom: Password requirements not updating as user types

Causes:

1. JavaScript Error

• Check browser console for errors
• JavaScript file may not be loading

2. Theme Conflict

• Theme may be stripping scripts
• Test with default WordPress theme

3. Cache Plugin

• Cached old JavaScript file
• Clear all caches

Solution:

• Even without real-time validation, server-side validation still enforces policy
• Clear browser cache and WordPress cache
• Check for JavaScript errors in console

Best Practices

Start with Reasonable Requirements

• 12 characters minimum (not 20+)
• Enable all character types
• Don’t make users hate passwords

Enable Common Password Blocking

• Minimal performance impact
• Significant security improvement

Set Appropriate Password History

• 5-10 for most sites
• Higher for compliance requirements
• Consider user experience

Don’t Exempt Administrators

• Admins are highest-value targets
• They should have strongest passwords
• Only exempt if absolutely necessary

Combine with Other Security Features

• Email Verification
• Two-Factor Authentication
• Limit Login Attempts
• Defense in depth

Test User Experience

• Create test account
• Go through registration flow
• Ensure requirements are clear

Communicate Policy to Users

• Add password requirements to help pages
• Explain why strong passwords matter
• Provide password manager recommendations

Monitor Activity Log

• Watch for repeated violations
• Identify users struggling with policy
• Provide assistance if needed

Review Policy Periodically

• Adjust based on user feedback
• Follow current security best practices
• Balance security with usability
• Document Your Policy
  • Create user guide
  • Include in Terms of Service
  • Explain benefits

Password Manager Recommendations

Strong password policies work best when users have password managers. Recommend these to your users:

Free Options:

• Bitwarden (open-source, cross-platform)
• Browser built-ins (Chrome, Firefox, Safari)
• KeePass/KeePassXC (local storage)

Paid Options:

• 1Password (user-friendly, family plans)
• LastPass (established, feature-rich)
• Dashlane (premium features)

Benefits:

• Users can meet complex requirements easily
• No password memorization needed
• Unique passwords for every site
• Automatic strong password generation

FAQ

Q: Does WordPress enforce password strength by default?
A: No. WordPress shows a “weak password” warning, but users can simply check a box to bypass it. Guard Dog enforces mandatory requirements that cannot be bypassed.

Q: Can I make passwords easier for users?
A: Yes. Lower the minimum length (8-10 characters), disable some character requirements, or exempt certain user roles. Balance security with usability.

Q: What if users forget their complex passwords?
A: They can use the password reset function. The new password will also need to meet policy requirements. Recommend password managers to users.

Q: Does this work with WooCommerce?
A: Yes. Works with WooCommerce, BuddyPress, and most plugins that use WordPress’s standard user registration and password change functions.

Q: Can administrators bypass the policy?
A: Only if you add “Administrator” to the exempt roles list. Not recommended – admins are high-value targets and should have strong passwords.

Q: How many passwords should I store in history?
A: 5-10 for most sites. Higher (12-24) if you have compliance requirements. Consider user experience – very high values cause “password fatigue.”

Q: What are “common passwords”?
A: A list of the 10,000 most commonly used passwords (like “password”, “123456”, “qwerty”). These are the first passwords attackers try.

Q: Does this slow down my site?
A: No. Validation only occurs during password changes (infrequent). Real-time validation runs in the browser. Minimal server impact.

Q: Can I customize the password requirements message?
A: Yes. Requirements are displayed dynamically based on your settings. Users see exactly which requirements they need to meet.

Q: What if a user keeps violating the policy?
A: They cannot proceed until they meet requirements. Check Activity Log to see violation attempts. Provide user support if they’re struggling.

Q: Does this prevent brute force attacks?
A: Partially. Strong passwords are harder to crack, but combine with Limit Login Attempts feature to prevent brute force attacks entirely.

Q: How secure is password history storage?
A: Very secure. Passwords are stored as bcrypt hashes (same as WordPress uses for login). Cannot be reversed to original passwords.