{"id":197581,"date":"2021-05-20T04:57:57","date_gmt":"2021-05-20T04:57:57","guid":{"rendered":"https:\/\/wpmudev.com\/blog\/?p=197581"},"modified":"2022-04-07T01:37:37","modified_gmt":"2022-04-07T01:37:37","slug":"pwned-password-protection","status":"publish","type":"post","link":"https:\/\/wpmudev.com\/blog\/pwned-password-protection\/","title":{"rendered":"Pwned Password Protection, Force Password Change, and More Available With Defender"},"content":{"rendered":"<p>Our free plugin, <a href=\"https:\/\/wordpress.org\/plugins\/defender-security\/\" rel=\"noopener\" target=\"_blank\">Defender<\/a>, beefs up your WordPress site&#8217;s security with Pwned password protection, force password change, and other enhanced features!<\/p>\n<p>Defender will secure your site against password leak attacks and block logins from users entering known compromised passwords that exist in Pwned database breach records.<\/p>\n<p>You can choose the user roles for who you want to enable password checks and force a password change if a password is compromised.<\/p>\n<p>Need to force a password reset for users? Now that can be done in an instant with Defender&#8217;s force bulk password reset!<\/p>\n<p>Let\u2019s take a quick look around at what&#8217;s new with Defender. They include:<\/p>\n<ul>\n<li><a href=\"#pwned\">Pwned Passwords<\/a><\/li>\n<li><a href=\"#force\">Force Password Change<\/a><\/li>\n<li><a href=\"#bulk\">Force Bulk Password Reset for All Users and New Features Coming Soon<\/a><\/li>\n<\/ul>\n<p>With this release (and more coming soon), your WordPress site\u2019s security game just got better.<\/p>\n<h2><a name=\"pwned\" target=\"_blank\"><\/a>Pwned Passwords<\/h2>\n<p>Pwned Passwords are over 613 million real-world passwords that were previously exposed in data breaches. 
This makes them unsuitable for ongoing use since they are at a much greater risk of being used to take over other accounts.<\/p>\n<figure id=\"attachment_197582\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197582\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/pwned-password-notification.png\" alt=\"New Pwned Passwords notification.\" width=\"600\" height=\"433\" \/><figcaption class=\"wp-caption-text\">Defender is here to protect your passwords!<\/figcaption><\/figure>\n<p>Passwords entered by your users in default login and registration forms are checked against the publicly accessible database breach records found at <a href=\"https:\/\/haveibeenpwned.com\/\" rel=\"noopener\" target=\"_blank\">Have I Been Pwned<\/a>.<\/p>\n<p>If a user enters a password and that password is found in the database, well, Defender will make them change it. Simple as that!<\/p>\n<p>User passwords never leave the site, which is an important part of security. Passwords are hashed, and only a part of each hashed password is checked.<\/p>\n<p>To set up Pwned Passwords, go to Defender&#8217;s dashboard and open <strong>Tools &gt; Pwned Passwords<\/strong>. Once there, you can set up the feature by clicking <strong>Activate.<\/strong><\/p>\n<figure id=\"attachment_197583\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197583\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/activate.png\" alt=\"Where you click activate.\" width=\"600\" height=\"326\" \/><figcaption class=\"wp-caption-text\">One-click is all it takes for this extra security boost.<\/figcaption><\/figure>\n<p>Then, you determine <strong>User Roles<\/strong>. 
This determines which user roles pwned password checks are enabled for.<\/p>\n<video loop muted autoplay playsinline class='dev-html5-video'><source src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/user-role.webm\" type=\"video\/webm\"><source src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/user-role.mp4\" type=\"video\/mp4\"><\/video>\n<p style=\"text-align: center;\"><small>Choose as many roles as you&#8217;d like.<\/small><\/p>\n<p>You can select or deselect user roles at any time (except for Administrator, which can&#8217;t be disabled). Just be sure to click <strong>Save Changes<\/strong> once configured, then your Pwned Passwords feature is all set.<\/p>\n<h2><a name=\"force\" target=\"_blank\"><\/a>Force Password Change<\/h2>\n<p>When a user is forced to change their password, they won\u2019t have access to any other pages until the password change is complete. They&#8217;ll be redirected to a password reset page right away to change it.<\/p>\n<p><strong>Force Password Change<\/strong> is a part of the Pwned Passwords feature and is enabled by default when Pwned Passwords is activated.<\/p>\n<p>If a user tries to add a Pwned password, they\u2019ll also be greeted with a message about the password needing to be changed. 
The message can be customized however you like in the <strong>Force Password Change<\/strong> area.<\/p>\n<figure id=\"attachment_197584\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197584\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/force-password-change.png\" alt=\"Where you enter a custom message for force password change.\" width=\"600\" height=\"268\" \/><figcaption class=\"wp-caption-text\">Add any custom message that you\u2019d like!<\/figcaption><\/figure>\n<p>In the login area, the message will appear like this:<\/p>\n<figure id=\"attachment_197585\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197585\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/message-when-logging-in.png\" alt=\"What the message looks like when a user logs in.\" width=\"600\" height=\"418\" \/><figcaption class=\"wp-caption-text\">What the message will look like.<\/figcaption><\/figure>\n<p>Once the user enters a Username or Email Address, they can get it changed immediately. Once logged in, they\u2019ll have access to their normal user roles.<\/p>\n<p>And, of course, it\u2019s as easy as ever to disable this feature, if you\u2019d like. 
Just click <strong>Deactivate<\/strong>.<\/p>\n<figure id=\"attachment_197586\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197586\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/deactivate.png\" alt=\"Where you deactivate the Pwned passwords.\" width=\"600\" height=\"114\" \/><figcaption class=\"wp-caption-text\">This is located at the bottom of the screen in the Pwned Password area.<\/figcaption><\/figure>\n<p>It&#8217;s also worth noting that if a user adds a password that has already been pwned, the password won&#8217;t be saved and will show a custom message.<\/p>\n<p>With this latest addition to Defender, you and your users won\u2019t have to worry about a compromised password being used.<\/p>\n<p>It\u2019s just one of many password security features that Defender has to offer. Defender also includes <a href=\"https:\/\/wpmudev.com\/blog\/how-to-get-the-most-out-of-defender-security\/#two\" target=\"_blank\" rel=\"noopener\">2FA<\/a>, <a href=\"https:\/\/wpmudev.com\/blog\/how-to-get-the-most-out-of-defender-security\/#login\" target=\"_blank\" rel=\"noopener\">Login Protection<\/a>, <a href=\"https:\/\/wpmudev.com\/blog\/how-to-get-the-most-out-of-defender-security\/#firewall\" target=\"_blank\" rel=\"noopener\">Firewall <\/a>&#8212; and much more!<\/p>\n<h2><a name=\"bulk\" target=\"_blank\"><\/a>Force Bulk Password Reset for All Users and Other New Features<\/h2>\n<figure id=\"attachment_197587\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-ratio-full wp-image-197587\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/pwned-passwords2-1050x273.png\" alt=\"Image of Defender.\" width=\"1050\" height=\"273\" \/><figcaption class=\"wp-caption-text\"><em>Defender is about to force all of your users to reset their passwords, if needed.<\/em><\/figcaption><\/figure>\n<p>Defender now has 
a <strong>force password reset<\/strong> for all users. If there\u2019s a login breach, this feature will ensure that passwords are reset and secure.<\/p>\n<figure id=\"attachment_197979\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197979\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/new-password-reset.png\" alt=\"password reset image.\" width=\"600\" height=\"431\" \/><figcaption class=\"wp-caption-text\">It&#8217;s easier than ever to use a force password reset on WordPress!<\/figcaption><\/figure>\n<p>From Defender&#8217;s dashboard, simply go to <strong>Tools &gt; Password Reset<\/strong>. Then, click on the <strong>Force Password Reset<\/strong> button.<\/p>\n<figure id=\"attachment_197980\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197980\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/force-password-reset-button.png\" alt=\"the force password button\" width=\"600\" height=\"186\" \/><figcaption class=\"wp-caption-text\">It&#8217;s all done in a click.<\/figcaption><\/figure>\n<p>After you click this button, a prompt will confirm that you want to do this and ensure you have the right user roles for the reset.<\/p>\n<figure id=\"attachment_197981\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197981\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/warning-sign.png\" alt=\"the confirmation sign about resetting password.\" width=\"600\" height=\"304\" \/><figcaption class=\"wp-caption-text\">This sign pops up to make sure you want to force a password change.<\/figcaption><\/figure>\n<p>You can select the role(s) of users who will be automatically logged out in this same area. Simply click on who you&#8217;d like the reset for. 
Pick from:<\/p>\n<ul>\n<li><strong>Administrator<\/strong><\/li>\n<li><strong>Editor<\/strong><\/li>\n<li><strong>Author<\/strong><\/li>\n<li><strong>Contributor<\/strong><\/li>\n<li><strong>Subscriber<\/strong><\/li>\n<li><strong>Customer<\/strong><\/li>\n<li><strong>Shop Manager<\/strong><\/li>\n<\/ul>\n<figure id=\"attachment_197982\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197982\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/user-roles.png\" alt=\"user roles.\" width=\"600\" height=\"616\" \/><figcaption class=\"wp-caption-text\">Select as few or as many roles as you&#8217;d like.<\/figcaption><\/figure>\n<p>Also, add a custom message for these users so they know why there&#8217;s a reset.<\/p>\n<figure id=\"attachment_197983\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-197983\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/05\/message.png\" alt=\"the custom message for the reset.\" width=\"600\" height=\"221\" \/><figcaption class=\"wp-caption-text\">Customize the message however you&#8217;d like.<\/figcaption><\/figure>\n<p>It&#8217;s also worth noting that this feature also includes <a href=\"https:\/\/wp-cli.org\/\" rel=\"noopener\" target=\"_blank\">WP CLI support<\/a>.<\/p>\n<p>And that&#8217;s it! Forced password resets are as easy as ever to implement, and a great security measure to include on your site.<\/p>\n<h3>Coming Soon&#8230;<\/h3>\n<p>There\u2019s also going to be an integration with our popular (and free!) image optimizing plugin, <a href=\"https:\/\/wordpress.org\/plugins\/wp-smushit\/\" rel=\"noopener\" target=\"_blank\">Smush<\/a>. 
Soon, Defender will exclude images that have been optimized by Smush from Malware Scanning reports.<\/p>\n<p>Plus, you\u2019ll be able to deactivate Malware Scanning when all scan options are unselected.<\/p>\n<p>And, coming soon, Defender will also have a reCAPTCHA feature.<\/p>\n<h2>The Best Defense Doesn\u2019t Stop There&#8230;<\/h2>\n<p><a href=\"https:\/\/wordpress.org\/plugins\/defender-security\/\" rel=\"noopener\" target=\"_blank\">Defender<\/a> is constantly beefing up his security. These new updates are just an inkling of what\u2019s to come, thanks to his awesome team of developers. You can always check out <a href=\"https:\/\/wpmudev.com\/roadmap\/\" target=\"_blank\" rel=\"noopener\">our Roadmap<\/a> to see what\u2019s on the horizon.<\/p>\n<p>If you\u2019re not using Defender yet, you\u2019re missing out on the security protection that we just talked about. Plus he includes <strong>404 Detection<\/strong>, <strong>Geolocation IP Lockout<\/strong>, the ability to <strong>disable trackbacks &amp; pingbacks<\/strong>, <strong>Core and Server Update Recommendations<\/strong>, and other features. All for free!<\/p>\n<p>For a detailed look, be sure to read our article on <a href=\"https:\/\/wpmudev.com\/blog\/how-to-get-the-most-out-of-defender-security\/\" target=\"_blank\" rel=\"noopener\">getting the most out of Defender security<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our free plugin, Defender, beefs up your WordPress site&#8217;s security with Pwned password protection, force password change, and other enhanced features! Defender will secure your site against password leak attacks and block logins from users entering known compromised passwords that exist in Pwned database breach records. 
You can choose the user roles for who you [&hellip;]<\/p>\n","protected":false},"author":811449,"featured_media":199222,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"blog_reading_time":"4","wds_primary_category":0,"wds_primary_tutorials_categories":0,"footnotes":""},"categories":[263,11260],"tags":[],"tutorials_categories":[11231],"class_list":["post-197581","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","category-wpmu-dev-products","tutorials_categories-defender-pro"],"_links":{"self":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/197581","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/users\/811449"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/comments?post=197581"}],"version-history":[{"count":31,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/197581\/revisions"}],"predecessor-version":[{"id":197978,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/197581\/revisions\/197978"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media\/199222"}],"wp:attachment":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media?parent=197581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/categories?post=197581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tags?post=197581"},{"taxonomy":"tutorials_categories","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tutorials_categories?post=197581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}