Pwned Password Protection, Force Password Change, and More Available With Defender
Our free plugin, Defender, beefs up your WordPress site’s security with Pwned password protection, force password change, and other enhanced features!
Defender will secure your site against password leak attacks and block logins from users entering known compromised passwords that exist in Pwned database breach records.
You can choose the user roles for who you want to enable password checks and force a password change if a password is compromised.
Need to force a password reset for users? Now that can be done in an instant with Defender’s force bulk password reset!
Let’s take a quick look around at what’s new with Defender. They include:
- Pwned Passwords
- Force Password Change
- Force Bulk Password Reset for All Users and New Features Coming Soon
With this release (and more coming soon), your WordPress site’s security game just got better.
Pwned Passwords are over 613 million real-world passwords that were previously exposed in data breaches. This makes them unsuitable for ongoing use since they are at a much greater risk of being used to overtake other accounts.
Passwords entered by your users in default login and registration forms are checked against the publicly accessible database breach records found at Have I Been Pwned.
If a password is entered by a user and that password is found in the database, well, it will make them change it. Simple as that!
User passwords never leave the site, because it’s an important part of security. Passwords are hashed and only a part of hashed passwords are being checked.
To get set up with Pwned Passwords, it’s as easy as going to Tools > Pwned Passwords. Once here, Defender can get this feature set up by clicking Activate.
Then, you determine User Roles. This will decide the user roles you want to enable pwned password checks for.
Choose as many roles as you’d like.
You can select or deselect user roles at any time (except for Administrator, which can’t be disabled). Just be sure to click Save Changes once configured, then your Pwned Passwords feature is all set.
When a user is forced to change their password, they won’t have access to any other pages until the password change is complete. They’ll be redirected to a password reset page right away to change it.
Force Password Change is a part of the Pwned Password and is enabled by default when Pwned Passwords is activated.
They’ll also be greeted with a message about the password needing to be changed if the user tries to add a Pwned password. The message can be customized however you like in the Force Password Change area.
In the login area, the message will appear like this:
Once the user enters a Username or Email Address, they can get it changed immediately. Once logged in, they’ll have access to their normal user roles.
And, of course, it’s as easy as ever to disable this feature, if you’d like. Just click Deactivate.
It’s also worth noting that if a user adds a password that has already been pwned, the password won’t be saved and will show a custom message.
With this latest addition to Defender, you and your users won’t have to worry about a compromised password being used.
Defender now has a force a password reset for all users. If there’s a login breach, this feature will ensure that passwords are reset and secure.
From the dashboard, simply go to Tools>Password Reset. Then, you click on the Force Password Reset button.
After clicking on this button, it will confirm that you want to do this and ensure you have the right user roles for the reset.
You can select the role(s) of users who will be automatically logged out in this same area. Simply click on who’d you’d like the reset for. Pick from:
- Shop Manager
Also, add a custom message for these users so they know why there’s a reset.
It’s also worth noting that this feature also includes WP CLI support.
And that’s it! Forced password resets are as easy as ever to implement, and a great security measure to include on your site.
There’s also going to be an integration with our popular (and free!) image optimizing plugin, Smush. Soon, Defender will exclude images that have been optimized by Smush from Malware Scanning reports.
Plus, you’ll be able to deactivate Malware Scanning when all scan options are unselected.
And, coming soon Defender will also have a ReCaptcha feature.
The Best Defense Doesn’t Stop There…
Defender is constantly beefing up his security. These new updates are just an inkling of what’s to come, thanks to his awesome team of developers. You can always check out our Roadmap to see what’s on the horizon.
If you’re not using Defender yet, you’re missing out on the security protection that we just talked about. Plus he includes 404 Detection, Geolocation IP Lockout, ability to disable trackbacks & pinbacks, Core and Server Update Recommendations, and other features. All for free!
For a detailed look, be sure to read our article on getting the most out of Defender security.