Security settings
Overview
Security settings enforce password requirements so that users create strong passwords during password resets. These requirements are validated on both the client side (JavaScript) and the server side (PHP), so a reset cannot succeed with a password that fails them even if the browser-side checks are skipped.
Access security settings at Settings > Frontend Reset Password > Security tab.
Password requirements
Minimum Password Length
Setting: somfrp_pass_length
Purpose: Require passwords to be at least N characters long.
Default: 0 (no minimum length requirement)
Recommended: 8-12 characters
Validation: Must be at least as long as the number of required character types (see validation rules below)
Example: Setting to 8 requires passwords to be at least 8 characters
Require Lowercase Letter
Setting: somfrp_pass_lowercase
Purpose: Require at least one lowercase letter (a-z) in passwords.
Default: Unchecked (not required)
Validation pattern: /[a-z]/
Example: Password must contain at least one of: a, b, c, ..., z
Require Uppercase Letter
Setting: somfrp_pass_uppercase
Purpose: Require at least one uppercase letter (A-Z) in passwords.
Default: Unchecked (not required)
Validation pattern: /[A-Z]/
Example: Password must contain at least one of: A, B, C, ..., Z
Require Number
Setting: somfrp_pass_number
Purpose: Require at least one digit (0-9) in passwords.
Default: Unchecked (not required)
Validation pattern: /[0-9]/
Example: Password must contain at least one of: 0, 1, 2, ..., 9
Require Special Character
Setting: somfrp_pass_special
Purpose: Require at least one special character in passwords.
Default: Unchecked (not required)
Validation pattern: /[!@#$%^&*_=+]/
Allowed special characters: ! @ # $ % ^ & * _ = +
Example: Password must contain at least one of these special characters
Validation rules
The plugin enforces a critical validation rule to prevent impossible password requirements:
Rule: Minimum password length must be at least as long as the number of required character types.
Examples:
✅ Valid: Require lowercase, uppercase, number (3 types) with minimum length 8
✅ Valid: Require all 4 types with minimum length 4
✅ Valid: Require lowercase only (1 type) with minimum length 1
❌ Invalid: Require lowercase, uppercase, number, special (4 types) with minimum length 3
❌ Invalid: Require lowercase and uppercase (2 types) with minimum length 1
If you try to save invalid settings, the plugin displays an error and reverts to the previous valid settings.
How requirements are enforced
Client-side validation (JavaScript)
Purpose: Provide real-time feedback as users type
Implementation:
- JavaScript listens to password input field
- Tests password against regex patterns for each requirement
- Updates visual indicators (green checkmarks or red X marks)
- HTML5 pattern attribute provides browser-level validation
User experience: Users see exactly which requirements they're missing as they type
Server-side validation (PHP)
Purpose: Enforce requirements even if JavaScript is disabled or bypassed
Implementation:
- PHP validates password against requirements from settings
- Checks both password fields match
- Returns error if validation fails
Security: Cannot be bypassed by disabling JavaScript or manipulating form data
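The following is an added example, not the plugin's own code, that puts the validation rule, the per-requirement password checks and the server-side style enforcement from the sections above into one runnable piece of JavaScript. The setting names somfrp_pass_* and the regex patterns are the ones documented on this page; the function names, the result shapes and the "moderate security" sample settings are assumptions chosen for illustration. The same logic is what the PHP side must apply, since only the server-side pass is authoritative.

```javascript
// Added example mirroring the validation described on this page (not the
// plugin's code). Setting keys come from the page; function names are assumed.

// Regex patterns from the page, one per character-type requirement.
// Note: [a-z] and [A-Z] match ASCII letters only; accented letters do not count.
const REQUIREMENT_PATTERNS = {
  somfrp_pass_lowercase: /[a-z]/,
  somfrp_pass_uppercase: /[A-Z]/,
  somfrp_pass_number: /[0-9]/,
  somfrp_pass_special: /[!@#$%^&*_=+]/,
};

// Settings-save rule: the minimum length must be at least the number of
// required character types, otherwise no password could ever satisfy them.
function validateSettings(settings) {
  const requiredTypes = Object.keys(REQUIREMENT_PATTERNS)
    .filter((key) => settings[key] === true).length;
  const minLength = Number(settings.somfrp_pass_length) || 0;
  if (minLength < requiredTypes) {
    return {
      ok: false,
      error: `Minimum length ${minLength} is less than the ${requiredTypes} required character types`,
    };
  }
  return { ok: true, error: null };
}

// Per-requirement check of a candidate password. Each entry is what the
// client-side indicator list would render (true -> green, false -> red).
// Only requirements that are enabled in the settings appear in the result.
function checkRequirements(password, settings) {
  const results = {};
  const minLength = Number(settings.somfrp_pass_length) || 0;
  if (minLength > 0) {
    results.length = password.length >= minLength;
  }
  for (const [key, pattern] of Object.entries(REQUIREMENT_PATTERNS)) {
    if (settings[key] === true) {
      results[key] = pattern.test(password);
    }
  }
  return results;
}

// Server-side style enforcement: runs regardless of what the browser did,
// checks that both password fields match, and returns the list of errors.
// An empty list means the reset may proceed.
function validatePasswordReset(password, confirmPassword, settings) {
  const errors = [];
  if (password !== confirmPassword) {
    errors.push('Passwords do not match');
  }
  const results = checkRequirements(password, settings);
  for (const [key, met] of Object.entries(results)) {
    if (!met) errors.push(`Requirement not met: ${key}`);
  }
  return errors;
}

// Constructed sample: the page's "moderate security" configuration.
const MODERATE_SETTINGS = {
  somfrp_pass_length: 8,
  somfrp_pass_lowercase: true,
  somfrp_pass_uppercase: true,
  somfrp_pass_number: true,
  somfrp_pass_special: false,
};

// Sample run: settings check, a passing reset, a failing reset.
console.log(validateSettings(MODERATE_SETTINGS));
console.log(validatePasswordReset('Correct1x', 'Correct1x', MODERATE_SETTINGS));
console.log(validatePasswordReset('short', 'short', MODERATE_SETTINGS));
```

checkRequirements is the piece a form can call on every keystroke to drive the indicator list, while validatePasswordReset is the single decision point that should run on the server before the password is stored.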
Visual feedback
When security requirements are enabled, the password reset form displays a requirements list with real-time visual feedback:
Before typing: All requirements show in neutral state
While typing:
- Requirements turn green (✓) when met
- Requirements turn red (✗) when not met
On submit: Browser validates using HTML5 pattern attribute
Common configurations
High security (recommended for sensitive sites)
Minimum Password Length: 12
Require Lowercase Letter: ✓
Require Uppercase Letter: ✓
Require Number: ✓
Require Special Character: ✓
Strength: Very strong passwords required
User experience: May frustrate some users, but ensures maximum security
Moderate security (recommended for most sites)
Minimum Password Length: 8
Require Lowercase Letter: ✓
Require Uppercase Letter: ✓
Require Number: ✓
Require Special Character: ✗
Strength: Strong passwords without special character requirement
User experience: Good balance between security and usability
Basic security
Minimum Password Length: 8
Require Lowercase Letter: ✗
Require Uppercase Letter: ✗
Require Number: ✗
Require Special Character: ✗
Strength: Length-only requirement
User experience: Easy for users, but less secure
No requirements (WordPress default)
Minimum Password Length: 0
All checkboxes: Unchecked
Strength: No enforced requirements (WordPress allows any password)
User experience: Maximum flexibility, minimum security
Password strength recommendations
For membership sites
Enable all requirements with 10-12 character minimum. Members often have access to sensitive account information and should use strong passwords.
For e-commerce sites
Enable lowercase, uppercase, and number requirements with 8-10 character minimum. Balance security with checkout conversion rates.
For public blogs
Enable lowercase and uppercase requirements with 8 character minimum. Basic security without frustrating casual users.
For enterprise/corporate sites
Enable all requirements with 12-14 character minimum. Corporate accounts often have elevated privileges and need maximum security.
Testing your configuration
After configuring security settings:
- Log out of WordPress (or use incognito mode)
- Navigate to your password reset page
- Request a password reset for a test account
- Click the reset link in the email
- Try entering passwords that don't meet requirements
- Verify validation indicators update correctly
- Verify you can't submit invalid passwords
- Verify valid passwords are accepted
Troubleshooting
Validation indicators don't update
Problem: Requirements list doesn't show green/red indicators as user types.
Causes:
- JavaScript error preventing validation
- Theme CSS hiding indicators
- Browser JavaScript disabled
Solution: Check browser console for errors. Verify JavaScript is enabled. Check CSS isn't hiding .valid and .invalid classes.
Can submit invalid passwords
Problem: Form accepts passwords that don't meet requirements.
Causes:
- JavaScript validation bypassed
- Server-side validation not working
- Settings not saved correctly
Solution: This shouldn't happen, because server-side validation runs independently of the browser. Check the WordPress debug log for PHP errors and verify that the settings were actually saved.
Settings won't save
Problem: Clicking Save Changes shows error about invalid configuration.
Causes:
- Minimum length is less than number of required character types
- Example: 3 character minimum with 4 requirements enabled
Solution: Increase minimum length to at least match the number of checked requirements.
Users complain passwords are too complex
Problem: Users frustrated by password requirements.
Solutions:
- Reduce requirements to moderate security level
- Increase minimum length but reduce character type requirements
- Add clear instructions on the form about requirements
- Consider your user base and site sensitivity when setting requirements
Security best practices
Enable multiple requirements
Don't rely on just length—combine length with character type requirements for stronger passwords.
Set reasonable minimums
8-12 characters with mixed types is strong without being frustrating. Avoid requiring 20+ character passwords unless absolutely necessary.
Test the user experience
Complete a password reset yourself to ensure the experience is smooth and requirements are clear.
Monitor failed attempts
Check logs for patterns that might indicate attacks or usability issues.
Educate users
Add help text to your password reset page explaining why strong passwords matter.
What's next
- Design settings - Configure UI features like password visibility toggle
- Security and validation concept - Understand how validation works
- Password validation troubleshooting - Resolve validation issues