Hello, I'm trying to figure out how to enforce a strong password policy on user creation, but I'm a bit confused because on How to Secure a WordPress Directory Website | HivePress Blog
there is a point about “Strong Password Policies”, but in the meantime it seems there is no way to configure it through the HivePress plugin directly?
I've tried some add-ons that are supposed to enforce a strong policy, like Password Policy Manager, but it doesn't work with HivePress, so I supposed HivePress doesn't use the basic WordPress registration form but a custom one?
So I'm wondering if someone could have a PHP snippet compatible with HivePress to share with me for adding inside functions.php.
// Hook to validate the password during registration or login
add_filter(
    'hivepress/v1/forms/user_login/errors',
    function( $errors, $values ) {
        // Check if the password is set
        if ( isset( $values['password'] ) ) {
            $password = $values['password'];
            $password_errors = validate_password_complexity($password);
            // If there are password errors, merge them into the $errors array
            if ( $password_errors ) {
                $errors = array_merge( $errors, $password_errors );
            }
        }
        return $errors;
    },
    10,
    2
);
// Function to validate password complexity
function validate_password_complexity( $password ) {
    $errors = [];
    if ( strlen( $password ) < 8 ) {
        $errors[] = "Password must be at least 8 characters long.";
    }
    if ( !preg_match( "#[0-9]+#", $password ) ) {
        $errors[] = "Password must include at least one number.";
    }
    if ( !preg_match( "#[a-z]+#", $password ) ) {
        $errors[] = "Password must include at least one lowercase letter.";
    }
    if ( !preg_match( "#[A-Z]+#", $password ) ) {
        $errors[] = "Password must include at least one uppercase letter.";
    }
    if ( !preg_match( "#\W+#", $password ) ) {
        $errors[] = "Password must include at least one special character.";
    }
    return $errors;
}
But I can still create a user with the password 12345678, for example.
I recommend using the hivepress/v1/forms/user_register/errors filter hook; this way you can check the password length and complexity, and if it doesn’t match the requirements you can add a custom error to the filtered array of $errors. Another approach would be also adding an indicator using JS, but back-end validation via this hook is needed anyway. We also plan to add a password strength indicator in future updates.
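A sketch of the back-end check described in the reply above, attached to the registration hook it names. This is an added example, not code from the thread or from HivePress: the `example_` helper is hypothetical, and the shape of the second filter argument and the `email` field name are assumptions (the `password` field name comes from the snippet earlier in the thread).

```php
<?php // Omit this opening tag when pasting into functions.php.
// Added example, not HivePress code; example_password_policy_errors() is a hypothetical helper.

// Return a list of policy violations for a candidate password (empty array = acceptable).
function example_password_policy_errors( $password, $email = '' ) {
    $password = (string) $password;
    $errors   = [];
    // Count characters rather than bytes so multi-byte passwords are measured fairly.
    $length = function_exists( 'mb_strlen' ) ? mb_strlen( $password, 'UTF-8' ) : strlen( $password );
    if ( $length < 8 ) {
        $errors[] = 'Password must be at least 8 characters long.';
    }
    // One pattern per required character class; "special" here means anything that
    // is not an ASCII letter or digit, so "_" counts (unlike \W, which excludes it).
    $classes = [
        '/[0-9]/'        => 'Password must include at least one number.',
        '/[a-z]/'        => 'Password must include at least one lowercase letter.',
        '/[A-Z]/'        => 'Password must include at least one uppercase letter.',
        '/[^a-zA-Z0-9]/' => 'Password must include at least one special character.',
    ];
    foreach ( $classes as $pattern => $message ) {
        if ( ! preg_match( $pattern, $password ) ) {
            $errors[] = $message;
        }
    }
    // Reject passwords that embed the local part of the account e-mail address.
    $local = strtolower( (string) strstr( (string) $email, '@', true ) );
    if ( strlen( $local ) >= 3 && false !== strpos( strtolower( $password ), $local ) ) {
        $errors[] = 'Password must not contain your email name.';
    }
    return $errors;
}

// Guarded so the file also loads outside WordPress (for example under a unit test).
if ( function_exists( 'add_filter' ) ) {
    add_filter(
        'hivepress/v1/forms/user_register/errors',
        function ( $errors, $form ) {
            // Assumption: the second argument is a form object exposing get_values(),
            // or a plain array of submitted values; both shapes are handled.
            $values = ( is_object( $form ) && method_exists( $form, 'get_values' ) ) ? $form->get_values() : (array) $form;
            if ( isset( $values['password'] ) ) {
                // 'email' is an assumed field name; it is skipped when absent.
                $errors = array_merge( (array) $errors, example_password_policy_errors( $values['password'], $values['email'] ?? '' ) );
            }
            return $errors;
        },
        10,
        2
    );
}
```

With this validator, the password 12345678 from the question passes the length check but is rejected for lacking a lowercase letter, an uppercase letter and a special character.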
If I’m using the REST API for the front end, can I just do the strong password checks in the front end, to make sure the user uses a word containing a number, letter, character and upper case?
Please note that it does not matter whether you use the REST API or not, since the indicator itself is made using JS on the frontend, but validation is still performed through a hook on the backend. You need to use hivepress/v1/forms/user_login/errors because JS can always be disabled in the browser and skip the requirements, so the backend is like a safety net.