Pwned Password Protection, Force Password Change, and More Available With Defender

Our free plugin, Defender, beefs up your WordPress site’s security with Pwned password protection, force password change, and other enhanced features!

Defender will secure your site against password leak attacks and block logins from users entering known compromised passwords that exist in Pwned database breach records.

You can choose which user roles password checks apply to, and force a password change if a password is compromised.

Need to force a password reset for users? Now that can be done in an instant with Defender’s force bulk password reset!

Let’s take a quick look at what’s new with Defender.

With this release (and more coming soon), your WordPress site’s security game just got better.

Pwned Passwords

Pwned Passwords are over 613 million real-world passwords that were previously exposed in data breaches. This makes them unsuitable for ongoing use since they are at a much greater risk of being used to take over other accounts.

Defender is here to protect your passwords!

Passwords entered by your users in default login and registration forms are checked against the publicly accessible database breach records found at Have I Been Pwned.

If a user enters a password and that password is found in the database, well, Defender will make them change it. Simple as that!

User passwords never leave the site, which is an important part of security. Passwords are hashed, and only part of each hashed password is checked.
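The partial-hash check described above, as an added Python example (not Defender's own code): it follows the Have I Been Pwned range API's scheme, where the first 5 hex characters of the password's SHA-1 are sent and the remaining 35 are compared locally. The function names, the stand-in service and its counts are constructed for illustration.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """Breach count for password; fetch_range(prefix) is the only outbound call."""
    prefix, suffix = split_hash(password)
    # Suffix comparison happens locally. Padding rows carry a count of 0,
    # so a match on one of them still means "not found".
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fake_range_service(prefix):
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    known_prefix, known_suffix = split_hash("password")
    if prefix != known_prefix:
        return ""
    return "\r\n".join([
        "0" * 35 + ":0",            # constructed padding row
        known_suffix + ":12345",    # constructed count, not the real figure
        "not a valid row",          # malformed line the parser must ignore
    ])

def check_with_trace(password):
    """Return (breach count, list of every value sent to the service)."""
    sent = []
    def fetch(prefix):
        sent.append(prefix)
        return fake_range_service(prefix)
    return pwned_count(password, fetch), sent

if __name__ == "__main__":
    for candidate in ("password", "Tr4verse-the-Quiet-Meadow!"):
        count, sent = check_with_trace(candidate)
        print(candidate, "-> count", count, "| sent:", sent)
```

The trace shows that only the 5-character prefix crosses the network; neither the password nor its full hash is ever passed to the service.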

To get set up with Pwned Passwords, it’s as easy as going to Tools > Pwned Passwords. Once there, click Activate to set the feature up.

One-click is all it takes for this extra security boost.

Then, choose the User Roles that Pwned password checks are enabled for.

Choose as many roles as you’d like.

You can select or deselect user roles at any time (except for Administrator, which can’t be disabled). Just be sure to click Save Changes once configured, then your Pwned Passwords feature is all set.

Force Password Change

When a user is forced to change their password, they won’t have access to any other pages until the password change is complete. They’ll be redirected to a password reset page right away to change it.

Force Password Change is part of the Pwned Passwords feature and is enabled by default when Pwned Passwords is activated.

If a user tries to add a Pwned password, they’ll also be greeted with a message saying the password needs to be changed. The message can be customized however you like in the Force Password Change area.

Add any custom message that you’d like!

In the login area, the message will appear like this:

What the message will look like.

Once the user enters a Username or Email Address, they can get it changed immediately. Once logged in, they’ll have access to their normal user roles.

And, of course, it’s as easy as ever to disable this feature, if you’d like. Just click Deactivate.

This is located at the bottom of the screen in the Pwned Password area.

It’s also worth noting that if a user adds a password that has already been pwned, the password won’t be saved and a custom message will be shown.

With this latest addition to Defender, you and your users won’t have to worry about a compromised password being used.

It’s just one of many password security features that Defender has to offer. Defender also includes 2FA, Login Protection, Firewall — and much more!

Force Bulk Password Reset for All Users and Other New Features

Defender is about to force all of your users to reset their passwords, if needed.

Defender now has a force password reset for all users. If there’s a login breach, this feature will ensure that passwords are reset and secure.

It’s easier than ever to use a force password reset on WordPress!

From the dashboard, simply go to Tools > Password Reset. Then click the Force Password Reset button.

It’s all done in a click.

After you click this button, a prompt asks you to confirm the reset and check that the right user roles are selected.

This sign pops up to make sure you want to force a password change.

You can select the role(s) of users who will be automatically logged out in this same area. Simply click on who you’d like the reset for. Pick from:

  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber
  • Customer
  • Shop Manager
Select as few or as many roles as you’d like.

Also, add a custom message for these users so they know why there’s a reset.

Customize the message however you’d like.

It’s also worth noting that this feature includes WP CLI support.

And that’s it! Forced password resets are as easy as ever to implement, and a great security measure to include on your site.

Coming Soon…

There’s also going to be an integration with our popular (and free!) image optimizing plugin, Smush. Soon, Defender will exclude images that have been optimized by Smush from Malware Scanning reports.

Plus, you’ll be able to deactivate Malware Scanning when all scan options are unselected.

And, coming soon, Defender will also have a reCAPTCHA feature.

The Best Defense Doesn’t Stop There…

Defender is constantly beefing up his security. These new updates are just an inkling of what’s to come, thanks to his awesome team of developers. You can always check out our Roadmap to see what’s on the horizon.

If you’re not using Defender yet, you’re missing out on the security protection that we just talked about. Plus he includes 404 Detection, Geolocation IP Lockout, the ability to disable trackbacks & pingbacks, Core and Server Update Recommendations, and other features. All for free!

For a detailed look, be sure to read our article on getting the most out of Defender security.