Blog

Require a specific password length

Many of the leading WordPress security plugins have the ability to force/require strong passwords for users. But one of the requests I’ve received from people is if there is a way to require passwords to be of a certain length. It seems that some users who work with clients are finding that some clients will reset a password to something “easier to remember” but not entirely secure, or the developer is trying to enforce a specific “password policy” and one of the aspects of a policy specifies a certain number of characters.

How to Set a Password Length Requirement

Setting a password length requirement is fairly easy since WordPress already provides a hook that occurs before a password is actually reset.  The hook is validate_password_reset, and it allows developers to verify aspects of the user entered password before passing it through the password reset function.

Here is an example code snippet:

<?php
add_action('validate_password_reset', 'wps_password_min_length_val', 10, 2);
function wps_password_min_length_val($errors, $user){
    if( strlen($_POST['pass1-text']) < 12 ){
        $errors->add('password_too_short', 'ERROR: Password is too short.');
    }
}

The basics of this function (which can be placed in an active theme’s functions.php file or a custom plugin) are as follows:

  • The WordPress hook being used is validate_password_reset.
  • The function is comparing the value entered into the password reset box (pass1-text) and checking the length of that string (strlen) and making sure that if the entered password value is less than 12, then the following $errors will be rendered out on the screen.
  • And since there are “errors” in the password reset process, the process does not continue and returns to the screen to allow the user to try again to create a password that “passes the test.”

You can try this out on your own site by creating a test user, then proceed to reset the password with a shorter password value.

While there are plugins that may perform this functionality, if you can do it with this simple code snippet, why clutter the plugins area with unnecessary plugins.

If you enjoy or find these types of posts useful, please let me know or request a type of tutorial/code solution in the comments below.

Subscribe for Updates and Special Deals




Marketing permission: I give my consent to to be in touch with me via email using the information I have provided in this form for the purpose of news, updates and marketing.


  1. Hello,
    When I add the code to our site, the error message automatically shows up, after I reset the password and attempt to create a new one.

    Says Password is too short -without entering anything…It does prevent the user though from entering less than 12 characters..Just wondering why the message shows up regardless?

    1. It’s because the code snippet is looking at the “form” and counting the characters… and the error message will appear UNTIL you have more than 12 characters in the password field. I guess we could adjust the code snippet to also check to see if there is “nothing” in the form and not to render any error message until characters begin to be entered into the form.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.