Plugin info

Total downloads: 24,843
Active installs: 2,000
Total reviews: 2
Average rating: 5
Support threads opened: 0
Support threads resolved: 0 (0%)
Available in: 1 language(s)
Contributors: 8
Last updated: 3/23/2025 (283 days ago)
Added to WordPress: 3/2/2018 (7 years old)
Minimum WordPress version: 5.2
Tested up to WordPress version: 6.8.0
Minimum PHP version: 5.6

Maintenance & Compatibility

Maintenance score

Stale • Last updated 283 days ago • 2 reviews

40/100

Is Passwords Evolved abandoned?

Likely maintained (last update 283 days ago).

Description

Important Notice: This plugin is no longer supported on wordpress.org. Please open issues on GitHub.

The goal of this plugin is to shore up the WordPress authentication using standard security practice recommendations. At this time, the plugin improves WordPress authentication by doing the following:

Enforcing uncompromised passwords

This plugin prevents someone from using passwords that have appeared in data breaches. Whenever someone logs into a WordPress site, it’ll verify their password using the Have I been pwned? API. If their password appeared in a data breach, the plugin will prevent them from logging in until they reset their password.

By default, this level of enforcement is only done on an account that has the “administrator” role. You can change which roles have their passwords enforced from the settings page. For people that have a role where there’s no password enforcement, the plugin will show a warning when they log in with a compromised password.

The enforcement of uncompromised passwords also extends to when someone resets or changes their password. In those situations, using an uncompromised password is mandatory for everyone: someone will never be able to reset or change their password to one that’s appeared in a security breach. (As long as the plugin is able to contact the API.)

Using stronger password hashing

The plugin also hashes passwords using either the bcrypt or the Argon2 hashing function. These are the strongest hashing functions available in PHP. Argon2 is available natively starting with PHP 7.2, but the plugin can also hash passwords on older PHP versions using the libsodium compatibility layer introduced in WordPress 5.2.

You don’t have to do anything to convert your password hash to a stronger hashing function. The plugin will take care of converting it the next time that you log in after installing the plugin. If you decide to remove the plugin, your password will continue working and remain hashed that way until you reset it.

It’s also worth noting that using a stronger hashing function is only important in the event of a data breach. A stronger password hashing function makes cracking the password hashes from the data breach a lot harder to do. This combined with the enforcement of uncompromised passwords will help ensure that those passwords are never recovered. (Or at least not without significant effort.)

Frequently Asked Questions

Wait so are you sending my password to a 3rd party!?

No, the plugin never sends your full password to a 3rd party for verification. The plugin only sends the first five characters of the SHA-1 hashed password to a 3rd party. The 3rd party then sends back all passwords with a hash that starts with those five characters.

The plugin then handles the rest of the password validation itself. It compares the SHA-1 hashed version of your password to the passwords returned by the 3rd party. We call this process k-anonymity. (You can read more about validating leaked passwords with it here.)
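
The k-anonymity check described in this answer, combined with the role-based enforcement from the description, as an added example (Python written for this page, not the plugin's own PHP code). The Have I been pwned? range endpoint returns lines of the form `SUFFIX:COUNT`; `fake_fetch_range`, the constructed breach list, and the choice to allow logins when the API is unreachable are assumptions of this example.

```python
import hashlib

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are ignored."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password was seen in breaches, or None if the API is unreachable."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)      # only these five characters leave the site
    if body is None:
        return None
    return parse_range(body).get(suffix, 0)   # the comparison happens locally

def login_decision(role, password, fetch_range, enforced=("administrator",)):
    """Block enforced roles, warn the others, as the description above states."""
    count = breach_count(password, fetch_range)
    if count is None:
        return "allow"              # assumption: an unreachable API locks nobody out
    if count == 0:
        return "allow"
    return "block" if role in enforced else "warn"

# Constructed stand-in for the range endpoint, so the example runs offline.
CONSTRUCTED_BREACHED = {"password": 3, "letmein": 2}   # constructed counts

def fake_fetch_range(prefix):
    lines = ["0" * 35 + ":0"]       # constructed non-matching entry
    for pw, seen in CONSTRUCTED_BREACHED.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{seen}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for role in ("administrator", "subscriber"):
        print(role, login_decision(role, "password", fake_fetch_range))
```
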

Review feed

Knut Sparhell
10/11/2021

Great enhancement and well made

This seems to work very well, at least no issues - immediate or long term. A client user was very surprised that "WordPress" could know their password was "pwned", but thankful for the reminder. Beware that if you deactivate this plugin, users have to reset their passwords. So just keep it - for the enhanced security through a modern and relatively simple plugin. Should be added to core, IMO.

Changelog

1.4.0

Released: 2025-03-22

  • Only define wp_generate_password for WordPress 6.8 or higher [carlalexander]
  • Add support for wp_hash_password_algorithm hook in WordPress 6.8 [carlalexander]

1.3.4

Released: 2024-11-27

  • Update wp_set_password function to match current WordPress version [carlalexander]

1.3.3

Released: 2022-09-25

  • Use different capabilities for admin pages so that they work when plugins directory isn’t writeable [carlalexander]

1.3.2

Released: 2022-04-19

  • Add missing echo on settings_saved [cornelraiu-1]

1.3.1

Released: 2022-04-09

  • Add es_MX and es_CR translations [riper81]

1.3.0

Released: 2021-03-21

  • Remove call to API on every request [carlalexander]
  • Add informal (default) and formal German translations [carstenbach]

1.2.0

Released: 2020-01-03

  • Fixed fatal error when installed as a mu-plugin [carlalexander]
  • Added support for libsodium [carlalexander]

1.1.4

Released: 2019-05-07

  • Bump minimum PHP version to 5.6 [carlalexander]

1.1.3

Released: 2018-04-29

  • Fixed missing settings_saved string in English translation [carlalexander]
  • Added missing echo when translating settings_saved string [carlalexander]

1.1.2

Released: 2018-03-21

  • Added Brazilian Portuguese translation [celsobessa]
  • Reworked how the plugin handles its default translation [carlalexander]

1.1.1

Released: 2018-03-06

Improved how the API client and password generator handled if the API was online or not.

1.1.0

Released: 2018-03-01

Reworked plugin to use the new version of the HIBP API (Have I been pwned? API) which supports k-anonymity. This allows the plugin to be used in production now.

1.0.0

Released: 2017-08-24

Initial release