New! Protect WordPress from Compromised Passwords with iThemes Security Pro

Written by Kristen Wright on June 13, 2018

Last Updated on June 13, 2018

The latest version of iThemes Security Pro, our WordPress security plugin, includes a new update to the Password Requirements settings module. You can now refuse compromised passwords and require users to choose passwords that do not appear in any of the data breaches tracked by the Have I Been Pwned API.

Refuse Compromised Passwords with Have I Been Pwned Integration

iThemes Security Pro now uses a service from Have I Been Pwned to detect whether a password has appeared in a data breach. A data breach is typically a list of usernames, passwords and often other personal data that was exposed after a site was compromised.

Have I Been Pwned keeps track of the passwords exposed in many data breaches and makes them searchable through its Pwned Passwords API. To check whether a password appears in a breach, the plugin hashes the password with SHA-1 and sends only the first 5 characters of the hex digest to the API. The API answers with every hash suffix it knows for that prefix, together with a count of how often each was seen, and the plugin compares the remaining 35 characters of the hash against that list locally.

Note: iThemes Security never sends plaintext passwords to Have I Been Pwned. Only the first 5 characters of the SHA-1 hash are sent, over an encrypted connection, to the API; the full hash never leaves your site. Read the technical details here.
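As an added illustration (this is not iThemes' own plugin code, which is PHP), here is the same k-anonymity exchange written in Python. The range endpoint URL and the Add-Padding header are the public Pwned Passwords API; the sample response body, its counts and all suffixes other than the one for the word "password" are constructed for the example.

```python
"""
K-anonymity range check against the Have I Been Pwned Pwned Passwords API.
Added illustration for this post; not iThemes' own plugin code.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public range endpoint


def split_sha1(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the uppercase hex digest into
    the 5-character prefix that leaves the machine and the 35-character
    suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line.
    Entries with count 0 are padding (returned when the client asks for it)
    and are harmless here because a count of 0 means 'not seen'."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            continue  # malformed line: skip rather than crash on bad input
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password was seen in breaches, per the supplied
    range body (0 when the suffix is absent). The caller fetches range_body
    for the password's own prefix; nothing but that prefix is transmitted."""
    _prefix, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (network). Add-Padding asks the service to pad the
    response so that its length does not reveal which prefix was queried."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def password_is_acceptable(password: str, range_body: str) -> bool:
    """Policy decision a login or reset hook would make: refuse any
    password with a non-zero breach count."""
    return breach_count(password, range_body) == 0


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffix on the first line is real (rest of the SHA-1 of "password");
# the other suffixes and all counts are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E2AAA439C4B8B2B0D1F3B9C5E7A1D2F3E4:2\r\n"
    "0123456789ABCDEF0123456789ABCDEF012:0\r\n"  # padding entry
)

if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-not-in-sample"):
        n = breach_count(candidate, SAMPLE_RANGE_RESPONSE)
        verdict = "REFUSE" if n else "accept"
        print(f"{candidate!r}: seen {n} times -> {verdict}")
```

The point of the split is in `breach_count`: the service only ever learns a 5-character prefix shared by hundreds of hashes, and the decision about your actual password is made on your own server. To run it against the live service, pass `fetch_range(prefix)` as the range body instead of the constructed sample.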

Has Your Password Been Found in a Data Breach?

If your password was found in a data breach, iThemes Security will require you to update your account's password immediately. This does not mean that the website you are logging into was compromised, only that the password you use has appeared in one or more breaches of other sites.

If you are reusing this password for other accounts, you should choose a new unique password for each of them. (We recommend using a password manager like LastPass to generate and store strong random passwords.)

Attackers often start from lists of passwords leaked in earlier breaches, because trying those against an account (credential stuffing) is far faster than brute forcing every possible combination. If your password has been exposed and you reuse it across sites, an attacker may need only one or two attempts to get into your account instead of millions.

Enabling the Refuse Compromised Passwords Setting in iThemes Security Pro

  1. After updating to iThemes Security Pro 5.3, navigate to the iThemes Security > Settings page.
  2. From here, navigate to the Password Requirements module. Click the Configure Settings button.
  3. Next, scroll to the bottom of this module until you find the Refuse Compromised Passwords section.
  4. Check the box to enable the setting. You can also select the minimum role at which a user's password must not appear in a breach.
  5. Click the Save Settings button.

Warning Users of Compromised Passwords + New Password Prompt

After the Refuse Compromised Passwords setting has been enabled, users who attempt to log in with a compromised password will see this notice on their WordPress login screen, prompting them to update their password using a strong password generator.

Once the password has been updated, the user can log in successfully with the new password.

Secure & Protect Your WordPress Site from Compromised Passwords with iThemes Security Pro

The new Refuse Compromised Passwords setting with Have I Been Pwned integration is just another way you can secure and protect your WordPress website with better WordPress password security. Along with other Pro features such as WordPress two-factor authentication, WordPress malware scan, WordPress brute force protection and more, you can rest a little easier, knowing your website is protected by iThemes Security Pro.

To take advantage of this update, you’ll need iThemes Security Pro (v 5.3). Current iThemes Security Pro, Plugin Suite and Toolkit customers will find the 5.3 update available now as an automatic update from the WordPress dashboard (for licensed sites) or as a manual download from the iThemes Member Panel. Save time updating all your sites at once from the iThemes Sync dashboard.

Kristen Wright

Kristen has been writing tutorials to help WordPress users since 2011. As marketing director here at iThemes, she’s dedicated to helping you find the best ways to build, manage, and maintain effective WordPress websites. Kristen also enjoys journaling (check out her side project, The Transformation Year!), hiking and camping, step aerobics, cooking, and daily adventures with her family, hoping to live a more present life.

Comments

  1. Peter Netz Lassen says:
    June 14, 2018 at 8:10 am

    Hi Kristen,

    This is a super function. I will activate it right away.
    I do wonder how passwords can be safe when they are stored? How come most sites with “good” security can tell me that I reused a certain password?

    If I was a hacker I would get that DB that holds all that info!! And track the traffic of that person – they are bound to use the same password on other sites as well?

    Anyway … I trust iThemes enough to add this and expire passwords as well 🙂
    Have a great day

    Peter
