🟡 Intermediate
⏱️ 12 min read
📦 Pro Only
🗓️ December 15, 2025
📌 What You’ll Learn
- How to configure password strength requirements
- How to set password expiration policies
- How to enforce password history rules
- How to customize password validation messages
- Best practices for enterprise password security
✅ Before You Begin
- Attributes User Access Pro installed and activated
- Valid Pro license key
- Administrator access to WordPress
- Understanding of your organization’s security requirements
Why Password Policies Matter
Strong password policies are essential for:
- 🛡️ Preventing unauthorized access
- 📋 Meeting compliance requirements (HIPAA, GDPR, PCI-DSS)
- 🔒 Protecting sensitive data
- 👥 Enforcing organizational security standards
- ⚠️ Reducing risk of brute force attacks
📘 Industry Standards: NIST SP 800-63B sets a minimum of 8 characters for memorized secrets (revision 4, published 2025, raises this to 15 characters when a password is the only authentication factor) and recommends screening against breached-password lists rather than mandatory complexity rules. The complexity options below exist for frameworks that still require them.
Accessing Password Policy Settings
- Navigate to User Access → Security
- Click the “Password Policies” tab
- Toggle “Enable Password Policies” to ON
Password Strength Requirements
Minimum Length
- Recommended: 12 characters minimum
- Standard: 8 characters minimum
- High Security: 16 characters minimum
💡 Best Practice: Longer passwords (12+) are more secure than complex shorter passwords.
Character Requirements
| Requirement | Description | Recommendation |
|---|---|---|
| Uppercase Letters | A-Z | ✅ Enable (at least 1) |
| Lowercase Letters | a-z | ✅ Enable (at least 1) |
| Numbers | 0-9 | ✅ Enable (at least 1) |
| Special Characters | !@#$%^&* | ✅ Enable (at least 1) |
| No Spaces | Block whitespace | ⚪ Optional |
| No Common Words | Block dictionary words | ✅ Enable for high security |
⚠️ Note: NIST SP 800-63B advises against mandatory composition rules because users satisfy them predictably (a capital first letter and a trailing "1!"), which adds little real entropy. Prefer a long minimum length plus common- and breached-password blocking, and enable composition rules where your compliance framework (for example PCI DSS) requires them.
Configuration Example
Minimum Password Length: 12
Require Uppercase: Yes (at least 1)
Require Lowercase: Yes (at least 1)
Require Numbers: Yes (at least 1)
Require Special Characters: Yes (at least 1)
Block Common Passwords: Yes
Block Username in Password: Yes
Block Email in Password: Yes
Password Expiration Policies
Enable Password Expiration
- Toggle “Password Expiration” to ON
- Set “Expiration Period” in days
- Configure “Grace Period” for warnings
Recommended Settings:
| Security Level | Expiration Period | Grace Period |
|---|---|---|
| Low (Public Site) | Never expires | N/A |
| Medium (Members) | 180 days (6 months) | 14 days |
| High (Business) | 90 days (3 months) | 7 days |
| Critical (Finance/Health) | 60 days (2 months) | 5 days |
⚠️ Important: Too frequent password changes can lead to weaker passwords. Balance security with usability.
Expiration Warning Notifications
- Email Reminders: Send warnings before expiration
- Login Notices: Display banner when password expires soon
- Dashboard Widget: Show expiration status
Password History Rules
Prevent Password Reuse
- Enable “Password History”
- Set “Remember Previous Passwords” count
- Recommended: Remember last 5-10 passwords
Password History Settings:
Remember Last: 10 passwords
Minimum Password Age: 1 day
(Prevents changing password multiple times to bypass history)
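The check behind the settings above, as an added example (this is illustration code, not the plugin's own history implementation; the `attrua_example_*` names are hypothetical). The important design point is that only password hashes are stored and the candidate password is verified against each one, so the history can never leak plaintext; the minimum-age rule is what stops a user from cycling through ten throwaway passwords to get back to the old one.

```php
<?php
// Added example (not the plugin's code): how a password-history check works.
// Only hashes are stored; the candidate is verified against each stored hash,
// so the history can never leak plaintext. Names are hypothetical.

declare(strict_types=1);

const ATTRUA_EXAMPLE_REMEMBER_LAST   = 10;    // "Remember Last: 10 passwords"
const ATTRUA_EXAMPLE_MIN_AGE_SECONDS = 86400; // "Minimum Password Age: 1 day"

/**
 * $history is the user's stored list, newest first:
 *   [['hash' => '$2y$...', 'set_at' => <unix time>], ...]
 * Returns null when the change is allowed, otherwise the reason to show the user.
 */
function attrua_example_history_check(string $candidate, array $history, int $now): ?string {
    if ($history !== []) {
        $age = $now - $history[0]['set_at'];
        if ($age < ATTRUA_EXAMPLE_MIN_AGE_SECONDS) {
            return 'Password was changed less than a day ago';
        }
    }
    foreach (array_slice($history, 0, ATTRUA_EXAMPLE_REMEMBER_LAST) as $entry) {
        // One bcrypt verification per remembered password; with 10 entries this is
        // noticeable but acceptable on a password-change form.
        if (password_verify($candidate, $entry['hash'])) {
            return 'Password matches one of your last ' . ATTRUA_EXAMPLE_REMEMBER_LAST . ' passwords';
        }
    }
    return null;
}

/** Prepend the new hash and trim the list to the configured size. */
function attrua_example_history_push(array $history, string $newPassword, int $now): array {
    array_unshift($history, ['hash' => password_hash($newPassword, PASSWORD_DEFAULT), 'set_at' => $now]);
    return array_slice($history, 0, ATTRUA_EXAMPLE_REMEMBER_LAST);
}

// Constructed walk-through (timestamps and passwords are made up).
$t = 1_700_000_000;
$history = attrua_example_history_push([], 'Winter-2025-Crocus!', $t);
var_dump(attrua_example_history_check('Winter-2025-Crocus!', $history, $t + 2 * 86400)); // string: reused
var_dump(attrua_example_history_check('Spring-2026-Tulip!', $history, $t + 3600));       // string: too soon
var_dump(attrua_example_history_check('Spring-2026-Tulip!', $history, $t + 2 * 86400));  // NULL: allowed

// Inside WordPress, persist $history in user meta (for example
// update_user_meta($user_id, 'attrua_example_pw_history', $history)) from an action
// that fires after a successful change, such as 'after_password_reset' or 'profile_update'.
```

Storing the list in user meta is why the troubleshooting step "Clear user meta cache" exists: a stale object-cache entry can make a freshly changed password appear not to be in the history.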
Role-Based Password Policies
Apply different policies to different user roles:
| Role | Min Length | Complexity | Expiration |
|---|---|---|---|
| Administrator | 16 chars | All requirements | 60 days |
| Editor | 12 chars | All requirements | 90 days |
| Author | 10 chars | 3 of 4 types | 120 days |
| Subscriber | 8 chars | 2 of 4 types | 180 days |
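To make the "Configuration Example" settings and the role table above concrete, here is an added, standalone validator (example code, not the plugin's own implementation; the `attrua_example_*` names and the short common-password list are assumptions for illustration). It resolves a user with several roles to the strictest value of each setting, counts "N of 4" character classes, and blocks the username and e-mail address case-insensitively. The final block wires it into the `attrua_password_strength` filter documented under Developer Hooks, but only when running inside WordPress, so the file also runs from the PHP CLI.

```php
<?php
// Added example: a standalone re-implementation of the "Configuration Example"
// and "Role-Based Password Policies" tables. It is NOT the plugin's own
// validator; attrua_example_* names are hypothetical and the policy table is
// transcribed from this page. Requires PHP 8.0+ (str_contains) and mbstring.

declare(strict_types=1);

/** Per-role policy: minimum length and how many of the 4 character classes are required. */
const ATTRUA_EXAMPLE_ROLE_POLICIES = [
    'administrator' => ['min_length' => 16, 'classes' => 4],
    'editor'        => ['min_length' => 12, 'classes' => 4],
    'author'        => ['min_length' => 10, 'classes' => 3],
    'subscriber'    => ['min_length' =>  8, 'classes' => 2],
];

/** Constructed stand-in for the "Block Common Passwords" list (real lists have thousands of entries). */
const ATTRUA_EXAMPLE_COMMON = ['password', 'password1', '123456', 'qwerty', 'welcome1'];

/**
 * A user with several roles gets the strictest value of each setting,
 * so adding a low-privilege role can never relax the policy.
 */
function attrua_example_resolve_policy(array $roles): array {
    $policy = ['min_length' => 8, 'classes' => 2]; // fallback for unknown/custom roles
    foreach ($roles as $role) {
        $p = ATTRUA_EXAMPLE_ROLE_POLICIES[$role] ?? null;
        if ($p === null) { continue; }
        $policy['min_length'] = max($policy['min_length'], $p['min_length']);
        $policy['classes']    = max($policy['classes'],    $p['classes']);
    }
    return $policy;
}

/** Count how many of upper / lower / digit / special appear in the password. */
function attrua_example_count_classes(string $password): int {
    $n = 0;
    foreach (['/[A-Z]/', '/[a-z]/', '/[0-9]/', '/[^A-Za-z0-9]/'] as $re) {
        if (preg_match($re, $password) === 1) { $n++; }
    }
    return $n;
}

/**
 * Returns an empty array when the password is acceptable, otherwise a list of
 * human-readable failures (these are the strings "Custom Validation Messages" replaces).
 */
function attrua_example_validate(string $password, string $username, string $email, array $roles): array {
    $policy   = attrua_example_resolve_policy($roles);
    $failures = [];
    $lower    = mb_strtolower($password);

    if (mb_strlen($password) < $policy['min_length']) {
        $failures[] = sprintf('Your password needs at least %d characters for security', $policy['min_length']);
    }
    if (attrua_example_count_classes($password) < $policy['classes']) {
        $failures[] = sprintf('Use at least %d of: uppercase, lowercase, numbers, special characters', $policy['classes']);
    }
    // "Block Username in Password" / "Block Email in Password": case-insensitive, and
    // the local part of the address is checked too, since that is what users reuse.
    $local = explode('@', $email, 2)[0];
    foreach (array_filter([$username, $email, $local]) as $term) {
        if (mb_strlen($term) >= 3 && str_contains($lower, mb_strtolower($term))) {
            $failures[] = 'Password must not contain your username or e-mail address';
            break;
        }
    }
    if (in_array($lower, ATTRUA_EXAMPLE_COMMON, true)) {
        $failures[] = 'This password is too common';
    }
    return $failures;
}

// Constructed CLI demonstration.
print_r(attrua_example_validate('Password1', 'alice', 'alice@example.com', ['subscriber']));            // length only
print_r(attrua_example_validate('alice-rocks-2025', 'alice', 'alice@example.com', ['editor', 'author'])); // classes + username
print_r(attrua_example_validate('Correct-Horse-Battery-9!', 'alice', 'alice@example.com', ['administrator'])); // []

// Wiring into the plugin's documented hook; only registered when running inside WordPress.
if (function_exists('add_filter')) {
    add_filter('attrua_password_strength', function ($is_valid, $password, $user) {
        $failures = attrua_example_validate($password, $user->user_login, $user->user_email, (array) $user->roles);
        return $failures ? new WP_Error('weak_password', implode(' ', $failures)) : $is_valid;
    }, 10, 3);
}
```

Resolving to the strictest policy matters more than it looks: WordPress lets an account hold several roles, and a policy that simply takes the first role would let an administrator who was also given the subscriber role fall back to an 8-character password.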
Blocked Password Lists
Common Password Blocking
- Block top 10,000 common passwords
- Block passwords found in data breaches (HaveIBeenPwned integration; the Pwned Passwords range API uses k-anonymity, so only the first five hex characters of the password's SHA-1 hash are sent to the service and the password itself never leaves the site)
- Block custom organizational terms
Add Custom Blocked Passwords:
- Go to Password Policies → Blocked List
- Add terms one per line:
companyname
company123
office2025
[your-organization-name]
[product-names]
[common-internal-terms]
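As an added example of what the breach and blocked-list checks above do under the hood (illustration code, not the plugin's integration; the `attrua_example_*` names are hypothetical and the API response body is constructed, not a real lookup): the password is hashed with SHA-1 locally, only the 5-character prefix is sent to the Pwned Passwords range endpoint, and the returned `SUFFIX:COUNT` lines are matched against the remaining 35 characters on the server side of your site. The custom blocked list is applied as a case-insensitive substring match, which is what makes an entry like `companyname` also catch `CompanyName2025!`.

```php
<?php
// Added example (not the plugin's HaveIBeenPwned integration): the k-anonymity
// check the Pwned Passwords "range" API is built on. Only the first 5 hex
// characters of the SHA-1 hash leave the site; matching happens locally.
// The sample API response below is constructed, not a real lookup.

declare(strict_types=1);

/** Split a SHA-1 hex digest into the 5-char prefix that is sent and the 35-char suffix kept locally. */
function attrua_example_split_sha1(string $password): array {
    $hex = strtoupper(sha1($password));
    return [substr($hex, 0, 5), substr($hex, 5)];
}

/**
 * Parse a range response ("SUFFIX:COUNT" per line) and return the breach count
 * for our suffix, or 0 if it does not appear. Padded responses (Add-Padding header)
 * contain extra lines with a count of 0, which this handles naturally.
 */
function attrua_example_breach_count(string $suffix, string $rangeBody): int {
    foreach (preg_split('/\r?\n/', trim($rangeBody)) as $line) {
        [$s, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (hash_equals($s, $suffix)) {
            return (int) $count;
        }
    }
    return 0;
}

/** Case-insensitive substring check against the custom Blocked List (organizational terms). */
function attrua_example_blocked_term(string $password, array $blockedTerms): ?string {
    $lower = strtolower($password);
    foreach ($blockedTerms as $term) {
        $term = strtolower(trim($term));
        if ($term !== '' && str_contains($lower, $term)) {
            return $term;
        }
    }
    return null;
}

// --- constructed demonstration ---
[$prefix, $suffix] = attrua_example_split_sha1('password');
// SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so $prefix is "5BAA6"
// and $suffix is "1E4C9B93F3F0682250B6CF8331B7EE68FD8". The counts below are made up.
$fakeRangeBody = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
               . "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n";
echo 'breach count: ', attrua_example_breach_count($suffix, $fakeRangeBody), PHP_EOL;   // 3730471
echo 'breach count: ', attrua_example_breach_count('0000000000000000000000000000000000', $fakeRangeBody), PHP_EOL; // 0

$blocked = ['companyname', 'company123', 'office2025'];
var_dump(attrua_example_blocked_term('CompanyName2025!', $blocked)); // "companyname"
var_dump(attrua_example_blocked_term('Correct-Horse-Battery-9!', $blocked)); // NULL

// Live lookup inside WordPress (not executed here):
//   $resp = wp_remote_get("https://api.pwnedpasswords.com/range/{$prefix}", ['headers' => ['Add-Padding' => 'true']]);
//   $count = attrua_example_breach_count($suffix, wp_remote_retrieve_body($resp));
// Treat any count > 0 as "breached" and reject the password.
```

Two operational caveats: decide up front what happens when the API is unreachable (failing open keeps sign-ups working but silently disables the check; failing closed is safer for administrator accounts), and never log the full hash or the password on either path.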
Password Reset Policies
Reset Requirements
- Require Password Change on First Login: Force new users to set unique password
- Admin Password Resets: Require users to change after admin reset
- Suspicious Activity: Force reset after detected security events
Self-Service Password Reset
- Enable “Password Reset Link” on login page
- Configure “Reset Email Template”
- Set “Reset Link Expiration” (default: 24 hours)
- Limit “Reset Attempts” (recommended: 3 per hour)
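The two controls that matter most in that list, an expiring single-use reset token and the per-account attempt limit, as an added example (illustration code, not the plugin's or WordPress core's implementation; the `attrua_example_*` names are hypothetical and the in-memory `$store` stands in for WordPress transients or user meta). Note that only a hash of the token is stored: a database read, backup leak or log line then cannot be turned into a working reset link.

```php
<?php
// Added example (not plugin code): the two controls from "Self-Service Password Reset",
// a reset token that expires and a per-account attempt limit (3 per hour).
// The in-memory $store stands in for WordPress transients; names are hypothetical.

declare(strict_types=1);

const ATTRUA_EXAMPLE_RESET_TTL      = 24 * 3600; // "Reset Link Expiration" default: 24 hours
const ATTRUA_EXAMPLE_RESET_ATTEMPTS = 3;         // "Reset Attempts": 3 per hour, per account
const ATTRUA_EXAMPLE_RESET_WINDOW   = 3600;

/** Returns false when the account has hit its hourly limit; otherwise records the attempt. */
function attrua_example_reset_allowed(array &$store, string $login, int $now): bool {
    $key   = 'reset_attempts_' . strtolower($login);
    // Sliding window: keep only attempts from the last hour.
    $times = array_filter($store[$key] ?? [], fn($t) => $t > $now - ATTRUA_EXAMPLE_RESET_WINDOW);
    if (count($times) >= ATTRUA_EXAMPLE_RESET_ATTEMPTS) {
        return false;
    }
    $times[]     = $now;
    $store[$key] = array_values($times);
    return true;
}

/** Issue a token: the random value goes in the e-mailed link, only its hash and expiry are stored. */
function attrua_example_issue_token(array &$store, string $login, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $store['reset_token_' . strtolower($login)] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + ATTRUA_EXAMPLE_RESET_TTL,
    ];
    return $token;
}

/** Validate a token from the link; it must be unexpired, must match in constant time, and is single-use. */
function attrua_example_consume_token(array &$store, string $login, string $token, int $now): bool {
    $key = 'reset_token_' . strtolower($login);
    $rec = $store[$key] ?? null;
    if ($rec === null || $now > $rec['expires'] || !hash_equals($rec['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$key]); // single use: a replayed link fails
    return true;
}

// Constructed walk-through.
$store = [];
$now   = 1_700_000_000;
for ($i = 0; $i < 4; $i++) {
    var_dump(attrua_example_reset_allowed($store, 'alice', $now + $i)); // true, true, true, false
}
$token = attrua_example_issue_token($store, 'alice', $now);
var_dump(attrua_example_consume_token($store, 'alice', $token, $now + 3600)); // true
var_dump(attrua_example_consume_token($store, 'alice', $token, $now + 3601)); // false (already used)
```

Keying the limit by account rather than by IP address is deliberate: it stops one attacker from flooding a victim's inbox with reset mails, while an IP-based limit alone is trivially bypassed from a botnet. The response to a rate-limited or unknown account should be identical to the success message, so the form cannot be used to enumerate usernames.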
User Experience Considerations
Password Strength Meter
- ✅ Enable real-time password strength indicator
- ✅ Show requirement checklist
- ✅ Provide helpful suggestions
Custom Validation Messages
Customize error messages for better user experience:
Default: "Password must contain at least one uppercase letter"
Custom: "Please include a capital letter (A-Z) in your password"
Default: "Password too short"
Custom: "Your password needs at least 12 characters for security"
Testing Your Password Policies
Test Checklist:
- ✅ Try weak password (should be rejected)
- ✅ Test minimum length requirement
- ✅ Verify complexity requirements work
- ✅ Test password history (try reusing old password)
- ✅ Verify blocked passwords are rejected
- ✅ Test expiration warnings appear
- ✅ Confirm different roles have correct policies
- ✅ Test password reset flow
Compliance & Security Standards
NIST Guidelines (800-63B)
- Minimum 8 characters (12+ recommended here; revision 4, 2025, requires 15 when a password is the only factor)
- Screen new passwords against lists of breached, dictionary and context-specific words (site name, username)
- No composition rules that reduce entropy (users meet them in predictable ways)
- No mandatory periodic password changes unless there is evidence of compromise
PCI-DSS Requirements
- Minimum 7 characters, alphabetic and numeric (v3.2.1); v4.0, mandatory since March 2025, raises this to 12 characters (8 where the system cannot support 12)
- Change every 90 days where passwords are the only authentication factor
- Cannot reuse any of the last 4 passwords
- Lock the account after 6 failed attempts (v3.2.1); v4.0 allows up to 10
HIPAA Recommendations
- Unique user identification
- Emergency access procedures
- Automatic logoff
- Encryption and decryption (addressable). Stored passwords themselves should be salted hashes, as WordPress already produces, never reversibly encrypted
Advanced Configuration
Developer Hooks
// Custom password validation: runs in addition to the configured policy.
// Return $is_valid unchanged to accept, or a WP_Error to reject.
add_filter('attrua_password_strength', function($is_valid, $password, $user) {
    // Add custom validation logic. stripos() makes the match case-insensitive,
    // so "Custom_Term" and "CUSTOM_TERM" are rejected as well.
    if (stripos($password, 'custom_term') !== false) {
        return new WP_Error('weak_password', 'Password contains restricted term');
    }
    return $is_valid;
}, 10, 3);

// Modify password expiration: per-user override of the configured period.
add_filter('attrua_password_expiry_days', function($days, $user) {
    // $user is a WP_User; roles is an array, so a user with several roles is handled.
    if (in_array('administrator', (array) $user->roles, true)) {
        return 60; // Admins: 60 days
    }
    return $days; // Others: keep the configured default
}, 10, 2);

// Custom blocked passwords: append organizational terms to the blocked list.
add_filter('attrua_blocked_passwords', function($blocked_list) {
    $custom_terms = ['company2025', 'office123'];
    // array_unique() avoids duplicate entries when the same term is also in the UI list.
    return array_values(array_unique(array_merge($blocked_list, $custom_terms)));
});
Troubleshooting
Issue: Users complain passwords are too complex
Solution:
- Review requirements – may be too strict
- Provide clear guidelines and examples
- Suggest password managers
- Adjust based on user feedback
Issue: Password history not working
Solution:
- Check database storage of password hashes
- Verify “Remember Passwords” count is set
- Clear user meta cache
- Test with fresh user account
Issue: Expiration warnings not appearing
Solution:
- Check email configuration (SMTP)
- Verify cron jobs are running
- Check notification settings enabled
- Test email templates
Best Practices Summary
✅ Implementation Checklist:
- ☑️ Set minimum 12-character password length
- ☑️ Require mix of character types
- ☑️ Block common and breached passwords
- ☑️ Enable password history (5-10 passwords)
- ☑️ Set appropriate expiration (90-180 days)
- ☑️ Apply stricter policies to admin accounts
- ☑️ Provide user education and documentation
- ☑️ Test thoroughly before full deployment
- ☑️ Monitor user feedback and adjust
- ☑️ Review policies quarterly
💡 Pro Tip: Balance security with usability. Overly complex policies can lead to password fatigue and workarounds that reduce security.
Monitoring & Auditing
Track password policy effectiveness:
- Review password change logs
- Monitor failed login attempts
- Track policy violation attempts
- Analyze password reset frequency
- Generate compliance reports
Navigate to User Access → Audit Logs → Password Events to view detailed reports.
📚 Related Articles
- Two-Factor Authentication Setup
- Audit Logging and Monitoring
- Brute Force Protection Configuration
- User Security Best Practices