Disallow WordPress and WooCommerce users using pwned passwords.
Spoiler Alert: User passwords never leave your server, not even in hashed form.
Although reusing passwords is solely the users' fault, when attackers brute-force those reused passwords, steal their personal information, or spend their hard-earned money through your site, those lazy users blame you, the site owner/developer.
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example,…
- Passwords obtained from previous breach corpuses
This plugin's sole purpose is to disallow WordPress and WooCommerce users from reusing passwords listed in the Have I Been Pwned database.
Activate and forget.
This plugin intercepts when:
/wp-admin/user-new.php
/wp-admin/user-edit.php
/wp-admin/profile.php
/wp-login.php?action=rp
Additional interceptions if WooCommerce is installed:
WC_Form_Handler::process_reset_password on Home » My account » Lost password
WC_Form_Handler::save_account_details on Home » My account » Account details
WC_Form_Handler::process_registration on Home » My account
WC_Checkout::validate_checkout on Home » Checkout
Users aged older than five could learn more from:
Fork the plugin on GitHub.
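The following is an added illustration of how such a check can be wired into the interception points listed above; it is example code written for this page, not the plugin's own source. It assumes the Have I Been Pwned "range" API (k-anonymity model: only the first five hex characters of the password's SHA-1 hash are sent, and the server returns every matching suffix with its breach count), and it assumes the WordPress/WooCommerce hook names and argument orders shown in the comments; the ppc_ function names are made up for the example.

```php
<?php
/*
Plugin Name: Pwned Password Check (illustrative example, not the plugin described on this page)
*/

// Parse the range API body ("SUFFIX:COUNT" per line) and return the breach
// count for our 35-character suffix, or 0 if it is absent. Pure function, no I/O.
function ppc_range_contains( string $suffix, string $body ): int {
    foreach ( preg_split( '/\r?\n/', $body ) as $line ) {
        $parts = explode( ':', trim( $line ), 2 );
        if ( count( $parts ) === 2 && strcasecmp( $parts[0], $suffix ) === 0 ) {
            return (int) $parts[1];
        }
    }
    return 0;
}

// Query HIBP with only the 5-character hash prefix (assumption: k-anonymity range API).
// Returns the breach count, or null when the check could not be performed.
function ppc_pwned_count( string $password ) {
    $hash   = strtoupper( sha1( $password ) );
    $prefix = substr( $hash, 0, 5 );
    $suffix = substr( $hash, 5 );

    $response = wp_remote_get(
        'https://api.pwnedpasswords.com/range/' . $prefix,
        array(
            'timeout' => 5,
            // Padded responses make every range look the same size on the wire.
            'headers' => array( 'Add-Padding' => 'true' ),
        )
    );
    // Design choice: fail open so an API outage cannot lock users out of password
    // changes, but log it so operators notice the check is not running.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        error_log( 'pwned password check unavailable for prefix ' . $prefix );
        return null;
    }
    return ppc_range_contains( $suffix, wp_remote_retrieve_body( $response ) );
}

// Attach a validation error when the candidate password is known to be breached.
function ppc_reject_if_pwned( WP_Error $errors, string $password ): void {
    if ( '' === $password ) {
        return;
    }
    $count = ppc_pwned_count( $password );
    if ( $count ) {
        $errors->add(
            'pwned_password',
            sprintf( 'This password has appeared in %s known data breaches. Please choose another.', number_format_i18n( $count ) )
        );
    }
}

// /wp-admin/user-new.php, user-edit.php, profile.php (edit_user() fires this with $user->user_pass set).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        ppc_reject_if_pwned( $errors, $user->user_pass );
    }
}, 10, 3 );

// /wp-login.php?action=rp (field pass1) and WC_Form_Handler::process_reset_password (field password_1).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $field = isset( $_POST['pass1'] ) ? 'pass1' : 'password_1';
    if ( ! empty( $_POST[ $field ] ) ) {
        ppc_reject_if_pwned( $errors, (string) wp_unslash( $_POST[ $field ] ) );
    }
}, 10, 2 );

// WC_Form_Handler::save_account_details (Home » My account » Account details).
add_action( 'woocommerce_save_account_details_errors', function ( $errors, $user ) {
    if ( ! empty( $_POST['password_1'] ) ) {
        ppc_reject_if_pwned( $errors, (string) wp_unslash( $_POST['password_1'] ) );
    }
}, 10, 2 );

// WC_Form_Handler::process_registration (Home » My account); $password is empty when WC generates one.
add_filter( 'woocommerce_process_registration_errors', function ( $errors, $username, $password, $email ) {
    ppc_reject_if_pwned( $errors, (string) $password );
    return $errors;
}, 10, 4 );

// WC_Checkout::validate_checkout (Home » Checkout) when an account is created during checkout.
add_action( 'woocommerce_after_checkout_validation', function ( $data, $errors ) {
    if ( ! empty( $data['account_password'] ) ) {
        ppc_reject_if_pwned( $errors, (string) $data['account_password'] );
    }
}, 10, 2 );
```

Because only the hash prefix is transmitted, an observer of the request learns nothing beyond which of the 16^5 buckets the password falls into, and the `Add-Padding` header removes the response-size side channel between buckets. Whether to fail open (as here) or fail closed when the API is unreachable is an operational decision; either way the outcome should be logged so a silently disabled check is noticed.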