Password strength indicator script is loaded on all pages

obtrusive170 · June 4, 2026, 9:32am

https://gtmetrix.com , free user account, Structure (tab):

It tested my homepage, which does not require password strength indicator (zxcvbn.min.js), which file size is concerning high (300kB+ seems questionable size even on a rarely used registration form, to my taste absolutely unacceptable on slow internet connections).

grep -Rial zxcvbn .

./wp-admin/js/user-profile.min.js
./wp-admin/js/password-strength-meter.min.js
./wp-admin/js/user-profile.js
./wp-admin/js/password-strength-meter.js
./wp-includes/js/zxcvbn-async.js
./wp-includes/js/zxcvbn-async.min.js
./wp-includes/js/zxcvbn.min.js
./wp-includes/script-loader.php

So there is one way to disable it, using Code snippets plugin:

// disable 300kB+ large zxcvbn.min.js password strength indicator in wordpress
// https://stackoverflow.com/a/51840450
add_action('wp_print_scripts', 'remove_password_strength_meter');
function remove_password_strength_meter() {
    // Deregister script about password strenght meter
    wp_dequeue_script('zxcvbn-async');
    wp_deregister_script('zxcvbn-async');
}

(this may still make WP return “Function WP_Scripts::add was called incorrectly. The script with the handle “password-strength-meter” was enqueued with dependencies that are not registered: zxcvbn-async. (This message was added in version 6.9.1.)”)

Would you consider fixing this by default for everyone so it is loaded only when registration form is called? Or not used at all considering its size? Maybe you can make a fork of that .js which would not contain phrases considered weak (significantly reducing the .js file size).

ChrisB · June 4, 2026, 11:44am

Hi @obtrusive170,

I’ve been testing performance on my own site recently, as well, and I similarly seen reports of the password strength indicator file you mentioned above causing bottlenecks.

From my understanding, the issue with unloading it is that by default Users are able to trigger the login/registration pop-up modal window from various actions/pages, which in turn means the password strength indicator would be required on most pages.

I’m not at my computer at the moment, and I can’t remember if/what changes I ended up keeping regarding the JS file, but I think deferring it didn’t seem to cause any broken functionality.

Cheers,
Chris

kseniia · June 4, 2026, 3:26pm

Hi,

Thanks for the feedback.

We’ll take a closer look at this before the next release. At the moment, this script is required for the registration flow and should only be loaded for guest users (it should not be loaded for logged-in users). It is currently available site-wide because the registration modal can be opened from any page.

We’ll review whether we can optimize this further by ensuring the script is loaded in a deferred manner and in the footer so that it has no measurable impact on page performance. Alternatively, we’ll consider moving the registration form to a dedicated page while keeping the modal only for the login form.