How to Force Users to Change Passwords in WordPress – Expire Password

Making your WordPress site more secure is always a smart move.

One effective way to do this is by requiring users to change their passwords regularly. This simple step can make it much tougher for hackers to break in.

Regular password changes protect your data and your users’ information. They also add an extra layer of security to your site. By expiring passwords after a certain period, you help keep everyone safer.

In this guide, we’ll walk you through how to force users to change passwords in WordPress.

When and Why Force WordPress Users to Change Passwords?

80% of data breaches involve weak or stolen passwords. Luckily, regular password changes disrupt hackers’ attempts.

Attackers may try to access your account repeatedly over a period of time. Changing passwords regularly helps you prevent these brute-force attacks by people with malicious intent.

Most new users are prone to using weak passwords or the same password as their other accounts since they’re easy to remember. If a hacker gets into your WordPress site, it can compromise the security of all other users.

But forcing password changes shouldn’t just apply to admin users. It should also apply to membership users and returning customers. For example, when customers register on your WooCommerce store or membership site, they receive the password via email. Forcing regular password changes can help reduce the risk of phishing attempts made through email.

Also, if you run a multi-user WordPress site, then you should ask users to update passwords after a specific amount of time.

On the other hand, if you recently noticed suspicious activity on your WordPress site, then you should immediately expire all existing user passwords and ask everyone to update their passwords.

With that in mind, let’s see how you can expire passwords and force users to change passwords in WordPress.

Force Users to Change Passwords in WordPress

The best way to force users to change passwords in WordPress is by using the Password Policy Manager plugin. It allows you to easily create and enforce strong and secure password policies.

To get started, you’ll need to install and activate the Password Policy Manager plugin. For more details, check out our tutorial on how to install a WordPress plugin.

From here, you’ll need to head over to the Password Policy Manager » Password Policy Manager page. Then, under the Policy Settings » For All Users tab, you’ll see various password policy settings that you can set.

First, let’s ensure that you turn on the big toggle button that says ‘Enable all settings.’ Below that, you can check off all the password policy rules that you want to enforce every time a new user needs to create a new password.

The options include:

  • Must contain lower and uppercase letters
  • Must contain numeric digits
  • Must contain special characters
  • Length of password between 8 and 25

We recommend keeping these boxes checked since these are best practices for having a strong password. You may also want to read our guide on how to add a simple user password generator in WordPress.

Below that, you’ll need to check the box that says ‘Force Reset Password on first login.’ This helps to prevent new users from using the same password as their other online accounts and ensures they set up a strong password right off the bat.

Then, you’ll need to turn on the ‘Enable Password Expiry’ option so that you can set a specific expiration time that forces all site users to change their passwords. Next to that, you can set the number of weeks after which you’d like to force the change.

Once done, you can hit the ‘Save Settings’ button.

Underneath the ‘Save Settings’ button, you’ll see an option to reset your password with one click. If you or your users haven’t reset your passwords in a while, it’s a good idea to click the ‘Reset Password’ button.

This will automatically terminate all logged-in sessions from users and force them to reset their passwords.

Then, all users will receive an email with a link to reset their passwords.

All they have to do is just click the link in the email.

This will open the WordPress login screen, where you enter your current and new password.

We recommend using a secure password generator instead of trying to create one you can memorize. You can then use a password manager like 1Password to store it.

From here, you can click ‘Change Password.’

This will take you back to your WordPress login page, where you can enter your new credentials.

You can go to the Password Policy Manager » Reports page to track all the login attempts made by users. We recommend checking it periodically to see if any suspicious attempts have been made to your WordPress site. If so, you can easily perform the one-click reset we’ve just mentioned.

To see data, you’ll need to toggle the ‘Enable Report Entry’ tab.

And that’s it! You’ve now successfully set up your WordPress site so that it forces all users to change passwords after the expiration date.
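
If you’d like to see how password expiry can be enforced in code, here is an added example (it is not code from the Password Policy Manager plugin or from WPBeginner). It uses WordPress core hooks; the meta key, the 12-week period, and the demo_* names are assumptions made for illustration.

```php
<?php
// Added illustration, not Password Policy Manager's code. The meta key,
// the 12-week period and the demo_* names are assumptions.
define( 'DEMO_PW_META', 'demo_password_changed_at' ); // hypothetical meta key
define( 'DEMO_PW_MAX_AGE', 12 * WEEK_IN_SECONDS );    // assumed expiry period

function demo_mark_password_changed( $user_id ) {
	update_user_meta( $user_id, DEMO_PW_META, time() );
}

// Record the time whenever a password is set: registration or email reset.
add_action( 'user_register', 'demo_mark_password_changed' );
add_action( 'after_password_reset', function ( $user ) {
	demo_mark_password_changed( $user->ID );
} );
// Profile edits count only when the stored password hash actually changed.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
	if ( get_userdata( $user_id )->user_pass !== $old_user_data->user_pass ) {
		demo_mark_password_changed( $user_id );
	}
}, 10, 2 );

function demo_password_age( WP_User $user ) {
	$changed = (int) get_user_meta( $user->ID, DEMO_PW_META, true );
	if ( ! $changed ) {
		// No record yet (account predates this file): use the registration date,
		// which WordPress stores in UTC.
		$changed = (int) strtotime( $user->user_registered . ' UTC' );
	}
	return time() - $changed;
}

// Priority 30 runs after core has verified the credentials (priority 20), so
// only someone who knows the current password learns that it has expired.
add_filter( 'authenticate', function ( $user ) {
	if ( ! ( $user instanceof WP_User ) || demo_password_age( $user ) <= DEMO_PW_MAX_AGE ) {
		return $user;
	}
	// Expired: end any existing sessions and point the user to the reset form.
	WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
	return new WP_Error(
		'demo_password_expired',
		sprintf(
			'Your password has expired. <a href="%s">Set a new one</a>.',
			esc_url( wp_lostpassword_url() )
		)
	);
}, 30 );
```

Saved as a file in wp-content/mu-plugins/, this blocks logins with an expired password until the user completes the email reset, which records a fresh timestamp.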

Troubleshooting Tips

Sometimes, things don’t go as smoothly as planned. Here are some troubleshooting tips to help you navigate any issues that might come up.

What If My Users Never Receive Their Emails?

In case your users are not receiving email notifications to reset their passwords, then any number of things could be happening. Please take a look at our guide on how to fix WordPress not sending email issue.

What If I Can’t Get Into the WordPress Admin Area To Reset My Password?

If you somehow can’t get inside the WordPress admin area, then take a look at our guide on what to do when you are locked out of the WordPress admin area.

We hope this article helped you learn how to force users to change passwords in WordPress. You may also want to see our ultimate WordPress security guide to help improve your website security or our list of the most common WordPress errors and how to fix them.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

Reader Interactions

12 Comments

  1. Dennis Muthomi

    Nice article on password changes in WordPress!
    I am a site admin managing some few client sites and I’ve had password changes set up for a while but I didn’t know you could force a reset on first login.
    This is a great security feature I’ll be adding to my client sites (and my own site too).
    Thanks for the thorough guide!
    I have learned something new today

  2. Dayo Olobayo

    I’m impressed by the user-friendliness of the Password Policy Manager plugin. In your experience please, have you encountered any resistance from users when enforcing stricter password guidelines? If yes, how can website admins effectively address these concerns? Thank you.

    • WPBeginner Support

      Most users tend to be fine with a stricter password requirement as long as it is not excessive in terms of requirements.

      Admin

      • Dayo Olobayo

        Thank you for your feedback. I agree, balancing security with user convenience is key to minimizing resistance.

  3. Marko

    Article needs update.

    • WPBeginner Support

      Thank you for letting us know, we will look into updating the article when we are able :)

      Admin

  4. Shallum Vohr

    How to force user to update password on first login only?

  5. Millie Aveyard

    Very difficult for older people like me to remember all the different passwords in their lives! Everything these days seems to have passwords of one form or another!

    Even if you write the passwords down in your little book, at the time you need the new password, you have left the little book in the car, and the roundabout starts once more!

    I can’t be the only one to have to stop and think about all the different passwords that I use each day!

    • WPBeginner Support

      Please see our guide on how to manage passwords for WordPress beginners. We use LastPass to store and manage all our passwords. It is a browser extension that sits in your web browser. It can save and automatically fill in your passwords for you. It can also generate strong passwords for you when you are creating a new account.

      Admin

  6. Remi

    Very nice idea! It’s great to give more security to the administration!

  7. Daniel

    Good post – I have now configured the plugin on my blog site. I would strongly recommend also the following:

    1) You remove the admin user altogether – here you create another user who has the admin role, log in as them, then delete the existing admin user, ensuring you click on the option to transfer admin’s previous posts to you
    2) The ‘admin’ (role user) password is complex – use oninepasswordgenerator.com or similar
    3) Finally, you must, must, must install the “Limit Login attempts” plugin … This is a work of genius and is regularly blocking the 10 or so attempts per day to log in to my blog. Set long lockout times and get the plugin to email you (new admin user) after 2 lockouts

  8. Navneet

    This is a very good post ……
