Enforce strong passwords in WordPress, optimize password strength estimator

Steven     03.06.2021

Enfore strong passwords

A very easy way to enforce strong passwords in WordPress, is to disable the ‘confirm weak password’ checkbox. This way, all users, by default, will have to enter a strong password before they can continue. That is, in case they want to change (e.g. forgot) their passwords. Existing passwords are not enforced to change in this way. Code to be added in your theme’s function.php:

function hide_weak_password() {
  // remove the 'confirm weak password' link from the password reset dialog ?>
  <script>
    document.addEventListener("DOMContentLoaded", function(event) { 
      var elements = document.getElementsByClassName('pw-weak');
      var requiredElement = elements[0];
      if(requiredElement){
        requiredElement.remove();
      }
    });
</script>
<?php }
add_action( 'login_enqueue_scripts', 'hide_weak_password' );

Optimize password strength estimator

WordPress uses the popular zxcvbn password strength estimator to indicate password strength. As this add-on is not so lightweight, it makes sense to disable it on all pages, except login and user profile screens. Add below code in functions.php as well:

// disable default loading of password strength script, except on profile and login pages
function deregister_password_script() {
  if ($GLOBALS['pagenow'] != 'wp-login.php' && $GLOBALS['pagenow'] != 'profile.php') {
    wp_dequeue_script('zxcvbn-async');
    wp_deregister_script('zxcvbn-async'); 
  }
}
add_action('wp_print_scripts', 'deregister_password_script', 100);