Disallow WordPress and WooCommerce users using pwned passwords
Spoiler Alert: User passwords never leave your server, not even in hashed form.
Reusing passwords is the user's own fault. But when attackers brute force those reused passwords, steal personal information, or spend a user's hard-earned money through your site, those same users blame you, the site owner/developer.
NIST SP 800-63B, §5.1.1.2: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example,...
- Passwords obtained from previous breach corpuses
This plugin's sole purpose is to stop WordPress and WooCommerce users from choosing passwords that appear in the Have I Been Pwned (Pwned Passwords) database.
Users older than five can learn more from:
$ composer require itinerisltd/disallow-pwned-passwords
$ wp plugin install disallow-pwned-passwords --activate
Download the plugin zip file from https://wordpress.org/plugins/disallow-pwned-passwords/. Then follow https://codex.wordpress.org/Managing_Plugins#Installing_Plugins
Activate and forget.
This plugin intercepts password submissions (new users, password changes and password resets) on:
/wp-admin/user-new.php
/wp-admin/user-edit.php
/wp-admin/profile.php
/wp-login.php?action=rp
Additional interceptions if WooCommerce is installed:
WC_Form_Handler::process_reset_password on Home » My account » Lost password
WC_Form_Handler::save_account_details on Home » My account » Account details
WC_Form_Handler::process_registration on Home » My account
WC_Checkout::validate_checkout on Home » Checkout
By default, this plugin caches Have I Been Pwned API responses for 1 week using WP Object Cache.
If you don't have a persistent object cache plugin, this has no effect and nothing is cached: WordPress's built-in object cache only lives for the current request.
In rare cases a persistent cache plugin might not be compatible. You can disable caching by binding the uncached API client instead:
<?php
use Itineris\DisallowPwnedPasswords\HaveIBeenPwned\ClientInterface;
use Itineris\DisallowPwnedPasswords\HaveIBeenPwned\Client;
use League\Container\Container;
add_action('i_dpp_register', function (Container $container): void {
    // Client queries the API on every check; no responses are cached.
    $container->add(ClientInterface::class, Client::class);
});
No. User passwords never leave your server, not even in hashed form. The plugin sends Have I Been Pwned only the first five hexadecimal characters of the password's SHA-1 hash (the k-Anonymity range API), receives every hash suffix in that range, and does the comparison locally.
Curious users can learn more from:
Paranoid users should check the plugin implementation.
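The following is an added example, not the plugin's own code, showing how the k-Anonymity range check keeps passwords on your server: only a 5-character SHA-1 prefix (one of 16^5 = 1,048,576 buckets) goes over the wire, and the suffix comparison happens locally. Because the response is keyed by prefix, not by password, it is also the thing that can safely be cached. The function names are hypothetical, and the range response below is a constructed sample (the real response for prefix 5BAA6 contains hundreds of suffixes and different counts).

```php
<?php
declare(strict_types=1);

// Added example, not part of the disallow-pwned-passwords plugin.
// Function names are hypothetical; the sample response is constructed.

/**
 * Split a password into the 5-character SHA-1 prefix that may be sent to the
 * API and the 35-character suffix that must stay on the server.
 */
function dpp_example_hash_parts(string $password): array
{
    $hash = strtoupper(sha1($password));   // 40 upper-case hex characters

    return [substr($hash, 0, 5), substr($hash, 5)];
}

/**
 * Look for the local suffix in a range response.
 *
 * $rangeBody is what GET https://api.pwnedpasswords.com/range/{prefix}
 * returns: one "SUFFIX:COUNT" pair per line. Returns the breach count,
 * or 0 when the suffix is absent (password not known to be pwned).
 */
function dpp_example_pwned_count(string $suffix, string $rangeBody): int
{
    foreach (preg_split('/\r\n|\n/', $rangeBody) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue;                       // malformed line, skip it
        }
        // hash_equals() keeps the comparison constant-time.
        if (hash_equals($suffix, strtoupper($parts[0]))) {
            return (int) $parts[1];
        }
    }

    return 0;
}

/**
 * Full check. $fetchRange receives only the 5-character prefix, so the
 * remote service never sees the password or its full hash.
 * Returns the breach count (0 = password allowed).
 */
function dpp_example_is_pwned(string $password, callable $fetchRange): int
{
    list($prefix, $suffix) = dpp_example_hash_parts($password);
    $body = $fetchRange($prefix);          // the only thing that leaves the server

    return dpp_example_pwned_count($suffix, $body);
}

/**
 * Fetcher for a real WordPress site (not called in this offline example).
 * The Add-Padding header asks the API to pad the response so that its size
 * does not hint at which bucket was requested.
 */
function dpp_example_fetch_range_wp(string $prefix): string
{
    $response = wp_remote_get(
        'https://api.pwnedpasswords.com/range/' . $prefix,
        ['headers' => ['Add-Padding' => 'true']]
    );

    return is_wp_error($response) ? '' : (string) wp_remote_retrieve_body($response);
}

// Constructed sample response for the prefix of "password"
// (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The neighbouring
// suffixes and all counts are made up for this example.
$sample = implode("\r\n", [
    '1D72CD07550416C216D8AD296BF5C0AE8E0:10',
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493',
    '1E2AAA439972480CEC7F16C795BBB429372:1',
]);
$offlineFetcher = function (string $prefix) use ($sample): string {
    return $prefix === '5BAA6' ? $sample : '';
};

// "password" matches a suffix in the constructed range; the passphrase's
// prefix is not in the offline sample, so it comes back as not pwned.
var_dump(dpp_example_is_pwned('password', $offlineFetcher));
var_dump(dpp_example_is_pwned('correct horse battery staple', $offlineFetcher));
```

Run with `php example.php`: the first call returns the constructed count for "password", the second returns 0. Note that a network failure in the real fetcher makes the check return 0 (fail open); if you prefer to fail closed, have the fetcher throw and reject the password change when the API is unreachable.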
Troy Hunt is a well-known security expert. You should trust him more than me (the plugin author). Anyway, you can replace the default API client with your own:
<?php
use Itineris\DisallowPwnedPasswords\HaveIBeenPwned\ClientInterface;
use League\Container\Container;
class YourCustomClient implements ClientInterface
{
// Your implementation.
}
add_action('i_dpp_register', function (Container $container): void {
$container->add(ClientInterface::class, YourCustomClient::class);
});
This plugin uses league/container. Learn more from its documentation.
Good question! You shouldn't blindly trust any random security guide/plugin from the scary internet - including this one!
Review the plugin implementation.
No website is unhackable.
To have a secure WordPress site, you have to keep all these up-to-date:
Strongly recommended:
Yes. Example:
For testing only, use at your own risk!
add_action('wp_print_scripts', function () {
    // Drop WooCommerce's client-side password strength meter (testing only).
    wp_dequeue_script('wc-password-strength-meter');
}, 10000);
Never! This plugin only works on actively supported PHP versions.
Don't use it on end of life or security fixes only PHP versions.
Note: The current version supports PHP 7.0 because the wordpress.org svn pre-commit hook rejects PHP 7.1+ syntax. However, you should not use PHP 7.0, which has been end of life since 10 January 2019.
Thanks! Glad you like it. It's important to let my boss know somebody is using this project. Please consider:
$ composer test
$ composer phpstan:analyse
$ composer style:check
Pull requests without tests will not be accepted!
Please provide feedback! We want to make this library useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.
Please see CHANGELOG for more information on what has changed recently.
If you discover any security related issues, please email [email protected] instead of using the issue tracker.
Disallow Pwned Password is an Itineris Limited project created by Tang Rufus.
Full list of contributors can be found here.
Special thanks to Troy Hunt, whose Have I Been Pwned database makes this plugin possible. The k-Anonymity validation is the awesome work of Junade Ali from Cloudflare.
Disallow Pwned Password is licensed under the GPLv2 (or later) from the Free Software Foundation. Please see License File for more information.