The latest version of iThemes Security Pro, our WordPress security plugin, includes a new update to the Passwords Requirements settings module. You can now refuse compromised passwords and force users to use passwords which do not appear in any password breaches tracked by the Have I Been Pwned API.
Refuse Compromised Passwords with Have I Been Pwned Integration
Themes Security Pro now uses a service by Have I Been Pwned to detect whether passwords have appeared in a data breach. A data breach is typically a list of usernames, passwords and often other personal data that was exposed after a site was compromised.
Have I been Pwned keeps track of the passwords compromised in many data breaches and makes them available via an API. To check if a password is included in a data breach, we send the first 5 characters of a hashed (sha1) version of the password.
Has Your Password Been Found in a Data Breach?
If your password was found in a data breach, iThemes Security will require you to update your account’s password immediately. This does not mean that the website you are visiting is compromised, only that the password you use has been found in one or more data breaches of popular websites.
If you are reusing this password for other accounts, you should choose a new unique password for each of them. (We recommend using a password manager like LastPass to generate and store strong random passwords.)
Attackers often use compromised passwords as a starting point for cracking accounts because it is faster than brute forcing all possible password combinations. If your password is exposed and you’re reusing your credentials across multiple websites, attackers could compromise your account in just one or two attempts instead of millions.
Enabling the Refuse Compromised Passwords Setting in iThemes Security Pro
- 1. After updating to iThemes Security Pro 5.3, navigate to the iThemes Security > Settings page.
- 2. From here, navigate to the Password Requirements module. Click the Configure Settings button.
- 3. Next, scroll to the bottom of this module until you find the Refuse Compromised Passwords section.
- 4. Check the box to enable the setting. You can also select the minimum role at which a user’s password must not appear in a breach.
- 5. Click the Save Settings button.
Warning Users of Compromised Passwords + New Password Prompt
After the Refuse Compromised Passwords setting has been enabled, users who attempt to log in with a compromised password will see this notice on their WordPress login screen, prompting them to update their password using a strong password generator.
Once the password has been updated, the user can now successfully log in using a secure password.
Secure & Protect Your WordPress Site from Compromised Passwords with iThemes Security Pro
The new Refuse Compromised Passwords setting with Have I Been Pwned integration is just another way you can secure and protect your WordPress website with better WordPress password security. Along with other Pro features such as WordPress two-factor authentication, WordPress malware scan, WordPress brute force protection and more, you can rest a little easier, knowing your website is protected by iThemes Security Pro.
Get iThemes Security Pro
Kristen has been writing tutorials to help WordPress users since 2011. You can usually find her working on new articles for the iThemes blog or developing resources for #WPprosper. Outside of work, Kristen enjoys journaling (she’s written two books!), hiking and camping, cooking, and daily adventures with her family, hoping to live a more present life.
Hi Kristen,
This is a super function. I will activate it right away.
I do wonder how passwords can be safe when they are stored? How come most sites with “good” security can tell me that I reused a certain password?
If I was a hacker I would get that DB that holds all that info!! And track the traffic of that person – they are bound to use the same password on other sites as well?
Anyway … I trust iThemes enough to add this and expire passwords as well 🙂
Have a great day
Peter