What’s the simplest way to secure your user profile? You guessed it—set a strong password. Easy enough for your own profile, but what about the users on your website? How can you ensure they create secure passwords that keep your site safe from malicious attacks?
It’s a real problem: weak passwords can be an open door for hackers. And as a site owner, you need to make sure every user sets a strong password without making the registration process too complicated.
Here’s the good news: WordPress has a built-in feature called the “Password Strength Meter” that helps you do just that. Surprisingly, many people don’t know about it and end up using plugins or custom code. Let’s explore how you can easily enable this feature and make your website more secure.
Need help securing your site?
If setting up these features sounds daunting, our team at Wisdm Labs can assist you. We’ll help secure your website, so you can focus on growing your business.
The “Password Strength Meter” in WordPress
Now, although the functionality is provided by WordPress, it’s not something you would find in your dashboard. You need to follow a few steps to make it work.
So… How do you enable the Password Strength Meter?
You need to connect to your website using an FTP client. Under wp-admin->js you should be able to find a file called password-strength-meter.js. This is the file which sets the ball rolling.
This file needs to be enqueued. You can do this by hooking on to an appropriate action and adding the below line, in functions.php file of your theme (preferably child theme):
wp_enqueue_script( 'password-strength-meter' );
You need to enqueue this file on every page where the password strength meter has to be displayed. For this, you need to find the appropriate hooks. For example, say you need to display this on your BuddyPress registration page. Then you need to use the ‘bp_before_register_page’ action to enqueue my script. And for the usual WordPress registration page, you need to use the ‘register_form’ hook.
But merely enqueueing the JS file is not enough. The JS just provides us functions we would be using to check the password strength. You now need to add your own script, which will act as a mediator between your settings page and the password strength meter script.
Let’s add this script in password-strength-meter-mediator.js. You need to create it in your theme’s js folder, and enqueue it along with the password-strength-meter.js.
wp_enqueue_script( 'password-strength-meter-mediator', get_stylesheet_directory_uri() . '/js/password-strength-meter-mediator.js', array('password-strength-meter'));
You can rename the file path form ‘/js/password_strength_meter_mediator.js’ to wherever your file is stored 🙂
Now, for the main part- the pièce de résistance- using the password-strength-meter.js functions to test the strength of the password.
Using the Password Strength Meter
Now, validating the password strength will return a status. To display this status, we need to add the below line of code where the password strength meter has to work (the registration page for example) and save it.
<span id="password-strength"></span>
Then, we need to add the below code in password_strength_meter_mediator.js. Let’s assume, you have two fields which input the password- signup_password (password field), and signup_password_confirm (confirm password field).
jQuery( document ).ready( function( $ ) { // trigger the wdmChkPwdStrength $( 'body' ).on( 'keyup', 'input[name=signup_password], input[name=signup_password_confirm]', function( event ) { wdmChkPwdStrength( // password field $('input[name=signup_password]'), // confirm password field $('input[name=signup_password_confirm]'), // strength status $('#password-strength'), // Submit button $('input[type=submit]'), // blacklisted words which should not be a part of the password ['admin', 'happy', 'hello', '1234'] ); }); });
We’re using the ‘keyup’ function on the password input fields to test the strength of the password.
The wdmChkPwdStrength is the function which will check the strength of the password entered. The parameters which we’ll be passing are:
- The password field id (you could use the field name instead)
- The confirm password field id
- The field id where the password strength status has to be displayed.
- The id of the form submit button
- A list of words which won’t be accepted as a part of the password
function wdmChkPwdStrength( $pwd, $confirmPwd, $strengthStatus, $submitBtn, blacklistedWords ) { var pwd = $pwd.val(); var confirmPwd = $confirmPwd.val(); // extend the blacklisted words array with those from the site data blacklistedWords = blacklistedWords.concat( wp.passwordStrength.userInputBlacklist() ) // every time a letter is typed, reset the submit button and the strength meter status // disable the submit button $submitBtn.attr( 'disabled', 'disabled' ); $strengthStatus.removeClass( 'short bad good strong' ); // calculate the password strength var pwdStrength = wp.passwordStrength.meter( pwd, blacklistedWords, confirmPwd ); // check the password strength }
The wp.passwordStrength.meter is a default function provided by WordPress present in password-strength-meter.js. It accepts the passwords and blacklisted words array and returns the strength of the password (2,3,4,5).
So, we need to extend the wdmChkPwdStrength function by checking the return value.
// check the password strength switch ( pwdStrength ) { case 2: $strengthStatus.addClass( 'bad' ).html( pwsL10n.bad ); break; case 3: $strengthStatus.addClass( 'good' ).html( pwsL10n.good ); break; case 4: $strengthStatus.addClass( 'strong' ).html( pwsL10n.strong ); break; case 5: $strengthStatus.addClass( 'short' ).html( pwsL10n.mismatch ); break; default: $strengthStatus.addClass( 'short' ).html( pwsL10n.short ); } // set the status of the submit button
Depending on the value of the strength result returned by the wp.passwordStrength.meter function, we need to take the appropriate action.
- If the pwdStrength value is 2: This implies the password is weak and will show “weak” as the output on the frontend and keep the submit button disabled
- If the pwdStrength value is 3: This indicates the password strength is better than weak but not as good and shows “medium” as the output on the frontend, keeping the submit button disabled
- If the pwdStrength value is 4: The password strong and hence “strong” is shown on the frontend and the submit button is enabled. A user can now create his account provided all other required fields are properly filled 😀
- If the pwdStrength value is 5: This means the password and confirm password do not match and the user has to correct it. The submit button remains disabled.
- By default: The submit button remains disabled.
The last and final piece of code you need to add, is to enable the submit button, if the password is strong and both fields match.
// set the status of the submit button if ( 4 === pwdStrength && '' !== confirmPwd.trim() ) { $submitBtn.removeAttr( 'disabled' ); } return pwdStrength;
If you’re okay with allowing a user with a medium strength password to create an account, you can change the above condition accordingly.
A word of caution: Do not change the value to 5 or else you will enable the submit button even if the passwords don’t match! 🙂
[space]
Plugin Alternative {#plugin-alternative}
Not comfortable editing theme files and JavaScript? No problem — several plugins expose this functionality without writing a single line of code.
WP Password Policy Manager — Set minimum strength requirements per user role, enforce password expiry, and monitor compliance. Handy for multi-role sites with customers, vendors, and admins.
Force Strong Passwords — Lightweight and zero-config. It simply blocks profile saves until a strong password is set. That’s it.
Password Policy Manager for WordPress — Adds configurable complexity rules and a dashboard showing which users currently have weak passwords.
For most WooCommerce stores or membership sites, a plugin is quicker to implement and easier to maintain — especially when your registration form is built by WooCommerce, LearnDash, or a form plugin rather than a custom template.
Before installing a new plugin, it’s worth running a quick check on your existing setup. Our free WordPress Vulnerability Scanner gives you a baseline security read in under three minutes — if existing plugins are already flagged, adding more isn’t the fix.
Where Should the Meter Appear?
The meter can be added to any WordPress form that accepts a password field. Here are the most common places and the hooks to use:
| Form | Hook to use |
|---|---|
| Standard WordPress registration | register_form |
| WordPress password reset | Already active natively — no action needed |
| WooCommerce registration form | woocommerce_register_form |
| WooCommerce My Account (password change) | woocommerce_edit_account_form |
| BuddyPress registration | bp_before_register_page |
| Custom / page builder forms | Plugin approach recommended |
Password Security Beyond the Meter
The strength meter is a solid first step — but it works best alongside a few other basics.
Two-factor authentication (2FA) — A strong password can still be compromised in a data breach elsewhere. 2FA means a stolen password alone isn’t enough to get in.
Login attempt limiting — Pair the meter with a plugin that rate-limits failed logins. Brute force attacks try thousands of combinations; rate limiting stops them early.
Blacklisting obvious terms — The blacklist array in the code above is your chance to block site-specific obvious choices: your brand name, your domain, common local terms. Keep it updated as your site evolves.
Keeping WordPress maintained — No password policy protects a site running an unpatched plugin with a known exploit. Our WordPress Maintenance Ultimate Guide walks through the full picture, including updates, backups, and what to check on a regular cadence.
Running regular security audits — Our WordPress Security Do’s and Don’ts guide covers what to check and how often — useful if you’re managing multiple sites or clients.
Self-Check: Is Your Registration Form Secure?
Before you close this tab, run through these quickly:
| Check | Status |
|---|---|
| Password strength meter active on registration form? | ✅ / ❌ |
| Submit button disabled until minimum strength is met? | ✅ / ❌ |
| Blacklist includes your site name and obvious terms? | ✅ / ❌ |
| Two-factor authentication enabled for admin/editor roles? | ✅ / ❌ |
| Login attempt limiting active? | ✅ / ❌ |
| Security scan run in the last 30 days? | ✅ / ❌ |
More than two ❌? Start with the strength meter — it’s the quickest win — then work through the rest. Not sure where your site stands? Run our free WordPress Vulnerability Scanner for a starting point.
FAQ
Does the password strength meter work on WooCommerce registration forms automatically?
No — it needs to be enqueued specifically for WooCommerce hooks. Use woocommerce_register_form for the registration page, or woocommerce_edit_account_form for the My Account password section. Alternatively, a plugin handles this without any hook wrangling. If you’re new to WordPress security in general, our post on why WordPress websites get hacked gives useful context on where weak passwords sit in the broader threat landscape.
Can I allow medium-strength passwords instead of requiring strong ones?
Yes. In the final if condition, change 4 === pwdStrength to pwdStrength >= 3. That enables the submit button for medium or strong passwords. Just don’t set it to 5 — that value means the passwords don’t match, not that the password is extra strong!
Do I need to edit the password-strength-meter.js file directly?
No — and you shouldn’t. That file is part of WordPress core and gets overwritten on every update. All your customisation lives in the mediator script and functions.php. The core file stays untouched.
What does the blacklist array actually do?
The array you pass to wdmChkPwdStrength is your custom list of disallowed strings. On top of that, wp.passwordStrength.userInputBlacklist() automatically adds the current user’s username and email to the blacklist. Both are merged together, so you get coverage from both sources. For a deeper dive into how WordPress handles authentication data, our post on WordPress SALTS and KEYS explains the underlying encryption layer.
Will this work with Elementor or other page builder forms?
It depends on how the form renders the password field. If it uses standard HTML input fields, the JS approach usually works once you identify the correct field name or ID. If the form has its own validation layer, the plugin route is more reliable and less brittle.
Wrapping Up!
That was a lot to take in wasn’t it?! Maybe. But once you start implementing it, I’m sure it won’t take you more than an hour if you follow the above steps! 🙂
So, there it is — you’ll have just added a password strength functionality easily and taken one of the most straightforward steps toward keeping your WordPress site secure. 😀
For those of you who have any doubts, the comment section is open. Ask away!
Need expert assistance?
Setting up security features can be tricky — and if your site has custom registration flows, WooCommerce integrations, or multiple user roles, it can get complex fast. If you’d rather leave it to the pros, the experts at WisdmLabs are just a message away. We’ll make sure your WordPress site is secure and running smoothly.
4 Responses
Hi! Great tutorial.
Can you tell me where I add the code you have supplied above?
Does it all go in functions.php of my child theme?
Thanks
Yes Michael that’s right, the code will have to added to the functions.php file of your child theme.
Only the 2 “wp_enqueue_script” go to the function.php file.
The “” goes to the HTML, JS or wherever the form is located.
The rest of the code goes to the password-strength-meter-mediator.js file.
Thanks for this post. It works great.
Works like a charm, very helpful! Thanks a lot!