Security and validation
Overview
The plugin uses WordPress's built-in security methods and adds optional password requirements. You can require strong passwords with minimum length and specific character types.
See Advanced (Developers) for technical details about security functions, nonces, and validation code.
How security works
Reset links are secure: Links expire after 24 hours and can only be used once
WordPress handles security: The plugin uses WordPress's built-in password reset functions
Two-layer validation: Passwords are checked in the browser (for instant feedback) and on the server (for security)
Password requirements
You can require strong passwords in Settings > Frontend Reset Password > Security:
- Minimum length: At least N characters
- Lowercase letter: At least one lowercase letter (a-z)
- Uppercase letter: At least one uppercase letter (A-Z)
- Number: At least one digit (0-9)
- Special character: At least one special character (!@#$%^&*_=+)
Visual feedback
When users enter a new password, they see a list of requirements that turn green (✓) as they're met.
This helps users create strong passwords without frustration.
Recommended settings
For most sites: Minimum 8 characters + lowercase + uppercase + number
For high-security sites: Minimum 12 characters + all character types
For low-friction sites: Minimum 8 characters only
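As an added illustration of the server-side half of the two-layer validation (not the plugin's own code), this PHP sketch checks a password against the requirements listed above, using the "most sites" recommendation as the policy. The function name, policy keys and sample passwords are hypothetical, and hooking WordPress core's `validate_password_reset` action with a `pass1` field assumes the reset form is processed the way core's own form is.

```php
<?php
// Added example, not the plugin's code. Function and policy key names are hypothetical.

/** Return the names of unmet requirements; an empty array means the password passes. */
function example_password_policy_failures(string $password, array $policy): array
{
    $failures = [];
    // Count characters rather than bytes so multibyte passwords are measured fairly.
    $length = function_exists('mb_strlen') ? mb_strlen($password, 'UTF-8') : strlen($password);
    if ($length < (int) $policy['min_length']) {
        $failures[] = 'min_length';
    }

    // Optional character-type rules; the special set is the one listed on this page.
    $rules = [
        'lowercase' => '/[a-z]/',
        'uppercase' => '/[A-Z]/',
        'number'    => '/[0-9]/',
        'special'   => '/[!@#$%^&*_=+]/',
    ];
    foreach ($rules as $name => $pattern) {
        if (!empty($policy[$name]) && preg_match($pattern, $password) !== 1) {
            $failures[] = $name;
        }
    }
    return $failures;
}

// Constructed policy: minimum 8 characters + lowercase + uppercase + number.
$policy = ['min_length' => 8, 'lowercase' => true, 'uppercase' => true, 'number' => true, 'special' => false];

if (function_exists('add_action')) {
    // Inside WordPress: core fires validate_password_reset before saving the new
    // password. Assumption: the reset form posts the password as "pass1".
    add_action('validate_password_reset', function ($errors, $user) use ($policy) {
        if (!isset($_POST['pass1']) || !is_string($_POST['pass1'])) {
            return;
        }
        $password = wp_unslash($_POST['pass1']);
        foreach (example_password_policy_failures($password, $policy) as $rule) {
            $errors->add('password_policy_' . $rule, "Requirement not met: $rule");
        }
    }, 10, 2);
} else {
    // Stand-alone run (php example.php) with constructed sample passwords.
    foreach (['password1', 'Sunny-Day42', 'Ab1'] as $sample) {
        echo $sample, ' => ', json_encode(example_password_policy_failures($sample, $policy)), "\n";
    }
}
```

Because the check runs on the submitted value itself, it gives the same result whether or not the browser-side checklist ran.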
Common questions
Are reset links secure? Yes. They expire after 24 hours and can only be used once.
Can users bypass requirements? No. Requirements are enforced on the server even if JavaScript is disabled.
How long are reset links valid? 24 hours (WordPress standard).
What if someone requests multiple resets? Only the most recent link works. Previous links are invalidated.
What's next
- Security settings - Configure password requirements
- Password validation troubleshooting - Fix validation issues
- Advanced (Developers) - Technical security details