Enforce strong passwords in WordPress, optimize password strength estimator

Steven     03.06.2021

Enforce strong passwords

A very easy way to enforce strong passwords in WordPress is to disable the ‘confirm weak password’ checkbox. This way, all users, by default, will have to enter a strong password before they can continue, that is, whenever they change their password (e.g. after forgetting it). Existing passwords are not forced to change in this way. Add the following code to your theme’s functions.php:

// remove the 'confirm weak password' checkbox from the password reset dialog
function hide_weak_password() {
  ?>
  <script>
    document.addEventListener("DOMContentLoaded", function () {
      // the checkbox sits in an element with class 'pw-weak'
      var weakConfirm = document.getElementsByClassName('pw-weak')[0];
      if (weakConfirm) {
        weakConfirm.remove();
      }
    });
  </script>
  <?php
}
add_action( 'login_enqueue_scripts', 'hide_weak_password' );
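
The snippet above only changes the form in the browser, so a server-side check on the same forms is a useful complement. The following is an added example, not code from the original article: it uses the WordPress actions `validate_password_reset` and `user_profile_update_errors` to reject passwords that fail a simple policy. The `example_*` names and the policy itself (minimum length of 12, no username or email name inside the password) are assumptions and do not reproduce zxcvbn scoring.

```php
// Added example: server-side password policy for functions.php.
// All example_* names and the thresholds below are assumptions for illustration.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

// Return a list of policy violations; an empty array means the password is acceptable.
function example_password_policy_problems( $password, $user_login = '', $user_email = '' ) {
  $problems = array();
  $length = function_exists( 'mb_strlen' ) ? mb_strlen( $password ) : strlen( $password );
  if ( $length < EXAMPLE_MIN_PASSWORD_LENGTH ) {
    $problems[] = sprintf( 'Password must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH );
  }
  // Reject passwords that embed the account's own identifiers.
  $local_part = strstr( (string) $user_email, '@', true ); // false when there is no '@'
  foreach ( array( $user_login, $local_part ) as $needle ) {
    if ( is_string( $needle ) && strlen( $needle ) >= 3 && stripos( $password, $needle ) !== false ) {
      $problems[] = 'Password must not contain your username or email name.';
      break;
    }
  }
  return $problems;
}

// Password reset form on wp-login.php: runs before the new password is saved.
function example_check_reset_password( $errors, $user ) {
  if ( empty( $_POST['pass1'] ) || is_wp_error( $user ) ) {
    return; // nothing submitted yet, or the reset key was invalid
  }
  $password = wp_unslash( $_POST['pass1'] );
  foreach ( example_password_policy_problems( $password, $user->user_login, $user->user_email ) as $msg ) {
    $errors->add( 'example_weak_password', $msg );
  }
}
add_action( 'validate_password_reset', 'example_check_reset_password', 10, 2 );

// Profile and user edit screens: user_pass is only set when a new password was entered.
function example_check_profile_password( $errors, $update, $user ) {
  if ( empty( $user->user_pass ) ) {
    return;
  }
  $login = $user->user_login ?? '';
  $email = $user->user_email ?? '';
  foreach ( example_password_policy_problems( $user->user_pass, $login, $email ) as $msg ) {
    $errors->add( 'example_weak_password', $msg );
  }
}
add_action( 'user_profile_update_errors', 'example_check_profile_password', 10, 3 );
```

These two hooks cover the reset form and the profile screens only; passwords set through other code paths, such as code calling wp_set_password() directly, are not checked by this example.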

Optimize password strength estimator

WordPress uses the popular zxcvbn password strength estimator to indicate password strength. As this script is not lightweight, it makes sense to disable it on all pages except the login and user profile screens. Add the code below to functions.php as well:

// disable default loading of password strength script, except on profile and login pages
function deregister_password_script() {
  if ($GLOBALS['pagenow'] != 'wp-login.php' && $GLOBALS['pagenow'] != 'profile.php') {
    wp_dequeue_script('zxcvbn-async');
    wp_deregister_script('zxcvbn-async'); 
  }
}
add_action('wp_print_scripts', 'deregister_password_script', 100);
