
itinerisltd/disallow-pwned-passwords
====================================

Disallow WordPress and WooCommerce users using pwned passwords.

Version 0.3.2 (7y ago) | 281.8k downloads | [3 issues](https://github.com/ItinerisLtd/disallow-pwned-passwords/issues) | GPL-2.0-or-later | PHP ^7.0

Since Aug 28 | pushed 7y ago | 7 watchers

[Source](https://github.com/ItinerisLtd/disallow-pwned-passwords) | [Packagist](https://packagist.org/packages/itinerisltd/disallow-pwned-passwords) | [Docs](https://itinerisltd.github.io/disallow-pwned-passwords/)

Disallow Pwned Password
=======================

Build and quality: [CircleCI](https://circleci.com/gh/ItinerisLtd/disallow-pwned-passwords) | [Scrutinizer Code Quality](https://scrutinizer-ci.com/g/ItinerisLtd/disallow-pwned-passwords/?branch=master) | [License](https://github.com/ItinerisLtd/disallow-pwned-passwords/blob/master/LICENSE) | [Hire Itineris](https://www.itineris.co.uk/contact/)

Packagist: [itinerisltd/disallow-pwned-passwords](https://packagist.org/packages/itinerisltd/disallow-pwned-passwords) (version, required PHP version, downloads)

WordPress: [plugin page](https://wordpress.org/plugins/disallow-pwned-passwords/) (version, required and tested WP versions) | [reviews](https://wordpress.org/support/plugin/disallow-pwned-passwords/reviews/#new-post) | [download statistics](https://wordpress.org/plugins/disallow-pwned-passwords/advanced/)

- [Goal](#goal)
- [Explain It Like I'm Five](#explain-it-like-im-five)
- [Minimum Requirements](#minimum-requirements)
- [Installation](#installation)
    - [Composer (Recommended)](#composer-recommended)
    - [WP CLI](#wp-cli)
    - [Classic](#classic)
- [Usage](#usage)
- [Performance](#performance)
- [FAQ](#faq)
    - [Did you just send all the passwords to someone else?](#did-you-just-send-all-the-passwords-to-someone-else)
    - [How do you compare user passwords with the 6,493,641,194 pwned ones?](#how-do-you-compare-user-passwords-with-the-6493641194-pwned-ones)
    - [What to do if I don't trust haveibeenpwned.com?](#what-to-do-if-i-dont-trust-haveibeenpwnedcom)
    - [What to do if I don't trust the plugin author?](#what-to-do-if-i-dont-trust-the-plugin-author)
    - [I have installed this plugin. Does it mean my WordPress site is *unhackable*?](#i-have-installed-this-plugin-does-it-mean-my-wordpress-site-is-unhackable)
    - [Can strong passwords been pwned?](#can-strong-passwords-been-pwned)
    - [How to disable WooCommerce password strength meter?](#how-to-disable-woocommerce-password-strength-meter)
    - [Will you add support for older PHP versions?](#will-you-add-support-for-older-php-versions)
    - [It looks awesome. Where can I find some more goodies like this?](#it-looks-awesome-where-can-i-find-some-more-goodies-like-this)
    - [Besides wp.org, where can I give a ⭐⭐⭐⭐⭐ review?](#besides-wporg-where-can-i-give-a-starstarstarstarstar-review)
- [Alternatives](#alternatives)
- [Testing](#testing)
- [Feedback](#feedback)
- [Change Log](#change-log)
- [Security](#security)
- [Credits](#credits)
- [License](#license)

Goal
----

Spoiler Alert: **User passwords never leave your server, and neither do their full hashes**. The only thing sent out is the first 5 hex characters of the password's SHA-1 hash, which is enough to fetch a range of candidate hashes but not to identify the password (see below).

Reusing passwords may be solely the users' fault, but when attackers brute-force or credential-stuff their way in with those reused passwords, steal the users' personal information, or spend their hard-earned money through your site, **those lazy users blame you**, the site owner/developer.

> When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example,...
>
> - Passwords obtained from previous breach corpuses
>
> -- [NIST SP 800-63B, Digital Identity Guidelines, section 5.1.1.2](https://pages.nist.gov/800-63-3/sp800-63b.html)

This plugin's sole purpose is to **stop WordPress and WooCommerce users from reusing passwords listed in the [Have I Been Pwned](https://haveibeenpwned.com/) database**.

Explain It Like I'm Five
------------------------

- [Troy Hunt](https://www.troyhunt.com), a well-known security expert, collected 6,493,641,194 (and counting) pwned passwords from previous security breaches
- haveibeenpwned.com stores the pwned passwords as SHA-1 hashes, not in clear text
- Whenever a WordPress / WooCommerce user attempts to set or change a password, this plugin SHA-1 hashes the candidate password on your own server
- It takes only the first 5 hex characters of that hash
- It asks the haveibeenpwned.com range API for every pwned hash that starts with those same 5 characters (a k-anonymity query: the API never learns which of the returned hashes, if any, is yours)
- It compares the remaining 35 characters locally and reads off how many times that password appears in the Have I Been Pwned database
- It disallows the password change if that count is greater than zero

Users aged older than five could learn more from:

- [Have I Been Pwned's FAQs](https://haveibeenpwned.com/FAQs)
- [Why SHA-1 was chosen in the Pwned Passwords](https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/)
- [I've \[Troy Hunt\] Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity)
- [Validating Leaked Passwords with k-Anonymity](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/)

Minimum Requirements
--------------------

- PHP v7.0
- WordPress v4.9.8
- **(Optional)** WooCommerce v3.4.4

Installation
------------

### Composer (Recommended)

```
$ composer require itinerisltd/disallow-pwned-passwords
```

### WP CLI

```
$ wp plugin install disallow-pwned-passwords --activate
```

### Classic

Download the plugin zip file (the wordpress.org plugin page is linked above), then follow [https://codex.wordpress.org/Managing\_Plugins#Installing\_Plugins](https://codex.wordpress.org/Managing_Plugins#Installing_Plugins)

Usage
-----

Activate and forget.

This plugin intercepts when:

- creating new users on `/wp-admin/user-new.php`
- changing other users' passwords on `/wp-admin/user-edit.php`
- changing your password on `/wp-admin/profile.php`
- resetting your password on `/wp-login.php?action=rp`

Additional interceptions if WooCommerce is installed:

- [`WC_Form_Handler::process_reset_password`](https://github.com/woocommerce/woocommerce/blob/master/includes/class-wc-form-handler.php) on Home » My account » Lost password
- [`WC_Form_Handler::save_account_details`](https://github.com/woocommerce/woocommerce/blob/master/includes/class-wc-form-handler.php) on Home » My account » Account details
- [`WC_Form_Handler::process_registration`](https://github.com/woocommerce/woocommerce/blob/master/includes/class-wc-form-handler.php) on Home » My account
- [`WC_Checkout::validate_checkout`](https://github.com/woocommerce/woocommerce/blob/master/includes/class-wc-checkout.php) on Home » Checkout
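The walk-through in *Explain It Like I'm Five* and the interception points listed above, as one added example in PHP that is not the plugin's own code: `dpp_example_pwned_count` does the k-anonymity lookup (SHA-1 locally, 5-character prefix out, suffix comparison locally), `dpp_example_fetch_range` is a live fetcher with the one-week WP Object Cache described under Performance, and the `add_action`/`add_filter` calls attach the check to the core and WooCommerce hooks that fire on those pages. Every `dpp_example_` name, the error message, the 5-second timeout and the fail-open behaviour on API errors are assumptions of this example; the hook names and request field names are WordPress' and WooCommerce's own.

```php
<?php
// Added example for this README, not the plugin's own code. Everything prefixed
// dpp_example_ is an assumed name. Save under wp-content/mu-plugins/ on a test
// site to try it; the hook and request-field names are WordPress/WooCommerce's own.

// Steps 3-6 of the walk-through: hash locally, send only a 5-character prefix,
// compare the rest of the hash on your own server. $fetch is injected so the
// parsing can be exercised offline with a canned response.
function dpp_example_pwned_count(string $password, callable $fetch): int
{
    $hash   = strtoupper(sha1($password)); // Pwned Passwords uses upper-case hex SHA-1
    $prefix = substr($hash, 0, 5);         // the only thing that leaves the server
    $suffix = substr($hash, 5);

    // The range response is one "SUFFIX:COUNT" line per hash sharing the prefix.
    foreach (preg_split('/\r?\n/', $fetch($prefix)) as $line) {
        list($candidate, $count) = array_pad(explode(':', trim($line), 2), 2, '0');
        if (strtoupper($candidate) === $suffix) {
            return (int) $count;
        }
    }
    return 0; // not in the corpus
}

// Live fetcher: one GET per prefix, cached for a week in WP Object Cache. Without a
// persistent cache backend wp_cache_set() lasts only for the request, so every
// password check costs one HTTPS round trip, as the Performance section notes.
function dpp_example_fetch_range(string $prefix): string
{
    $cached = wp_cache_get($prefix, 'dpp_example_range');
    if (false !== $cached) {
        return $cached;
    }
    $response = wp_remote_get('https://api.pwnedpasswords.com/range/' . $prefix, [
        'timeout' => 5,
        'headers' => ['Add-Padding' => 'true'], // padded replies: size no longer hints at the prefix
    ]);
    if (is_wp_error($response) || 200 !== wp_remote_retrieve_response_code($response)) {
        return ''; // assumption of this example: fail open so an API outage cannot block resets
    }
    $body = wp_remote_retrieve_body($response);
    wp_cache_set($prefix, $body, 'dpp_example_range', WEEK_IN_SECONDS);
    return $body;
}

// Shared validator: attach an error to whichever WP_Error the calling flow uses.
function dpp_example_validate(WP_Error $errors, string $password)
{
    if ('' === $password) {
        return; // form submitted without a password change
    }
    $count = dpp_example_pwned_count($password, 'dpp_example_fetch_range');
    if ($count > 0) {
        $errors->add('pwned_password', sprintf(
            'This password has appeared in %s known data breaches; please choose another.',
            number_format_i18n($count)
        ));
    }
}

// Core: /wp-admin/user-new.php, user-edit.php and profile.php all post "pass1".
add_action('user_profile_update_errors', function (WP_Error $errors) {
    dpp_example_validate($errors, (string) ($_POST['pass1'] ?? ''));
});

// Core /wp-login.php?action=rp posts "pass1"; WooCommerce Lost password posts
// "password_1" and fires the same hook from WC_Form_Handler::process_reset_password.
add_action('validate_password_reset', function (WP_Error $errors) {
    dpp_example_validate($errors, (string) ($_POST['pass1'] ?? $_POST['password_1'] ?? ''));
});

// WooCommerce My account » Account details (WC_Form_Handler::save_account_details).
add_action('woocommerce_save_account_details_errors', function (WP_Error $errors) {
    dpp_example_validate($errors, (string) ($_POST['password_1'] ?? ''));
});

// WooCommerce My account registration (WC_Form_Handler::process_registration);
// this one is a filter, so the WP_Error must be returned.
add_filter('woocommerce_process_registration_errors', function (WP_Error $errors, $username, $password) {
    dpp_example_validate($errors, (string) $password);
    return $errors;
}, 10, 3);

// WooCommerce Checkout with "Create an account" (WC_Checkout::validate_checkout).
add_action('woocommerce_after_checkout_validation', function (array $data, WP_Error $errors) {
    dpp_example_validate($errors, (string) ($data['account_password'] ?? ''));
}, 10, 2);
```

To exercise the parser offline, call `dpp_example_pwned_count('password', function ($prefix) { return "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n0018A45C4D1DEF81644B54AB7F969B88D65:1"; })`. With that constructed response (the suffixes and counts are made up for the test) it returns 3861493, because SHA-1("password") is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 and the part after the `5BAA6` prefix matches the first line. Note the deliberate choice to fail open when the API is unreachable: a strict deployment could instead add an error and ask the user to retry, at the cost of password resets depending on a third party being up.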

Performance
-----------

By default, this plugin caches Have I Been Pwned API responses for 1 week using [WP Object Cache](https://codex.wordpress.org/Class_Reference/WP_Object_Cache).

Without a [persistent cache plugin](https://codex.wordpress.org/Class_Reference/WP_Object_Cache#Persistent_Caching) the object cache only lives for the current request, so nothing is kept between checks and every password check makes one API call.

In rare cases a persistent cache plugin might not be compatible; you can disable caching by:

```
