README

Packagist:

WordPress:

Goal
Explain It Like I'm Five
Minimum Requirements
Installation
Usage
Performance
FAQ
Alternatives
Testing
Feedback
Change Log
Security
Credits
License

Goal

Spoiler Alert: User passwords never leave your server, not even in hashed form.

Although reusing passwords is solely users' fault but when evil attackers brute forced users' passwords, and stole all their personal information or spent users' hard earn money through your site. Those lazy users blame you, the site owner/developer.

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example,...

Passwords obtained from previous breach corpuses

-- NIST Digital Identity Guidelines

This plugin's solely purpose is to disallow WordPress and WooCommerce users reusing passwords listed in Have I Been Pwned database.

Explain It Like I'm Five

Troy Hunt, a well-kown security expert, collected 6,493,641,194 (and counting) pwned passwords from previous security breaches
Pwned passwords stored as SHA-1 hashes on haveibeenpwned.com
Whenever WordPress / WooCommerce users attempt to change their passwords, this plugin hashes the user password
Take the first 5 characters from the hash
Ask haveibeenpwned.com for all pwned passwords with the same first 5 hash characters
Check how many times the user password appears on the have I been pwned database
Disallow the password change if it has been pwned

Users aged older than five could learn more from:

Minimum Requirements

PHP v7.0
WordPress v4.9.8
(Optional) WooCommerce v3.4.4

Installation

Composer (Recommended)

$ composer require itinerisltd/disallow-pwned-passwords

WP CLI

$ wp plugin install disallow-pwned-passwords --activate

Classic

Download the plugin zip file from https://wordpress.org/plugins/disallow-pwned-passwords/ Then, follow https://codex.wordpress.org/Managing_Plugins#Installing_Plugins

Usage

Activate and forget.

This plugin intercepts when:

creating new users on /wp-admin/user-new.php
changing other users' passwords on /wp-admin/user-edit.php
changing your password on /wp-admin/profile.php
new user registration on /wp-login.php?action=rp

Additional interceptions if WooCommerce is installed:

WC_Form_Handler::process_reset_password on Home » My account » Lost password
WC_Form_Handler::save_account_details on Home » My account » Account details
WC_Form_Handler::process_registration on Home » My account
WC_Checkout::validate_checkout on Home » Checkout

Performance

By default, this plugin caches Have I Been Pwned API responses for 1 week using WP Object Cache.

If you don't have a persistent cache plugin, it has no effect and doesn't cache anything.

In rare cases, persistent cache plugins might not be compatible, you can disable by:

<?php

use Itineris\DisallowPwnedPasswords\HaveIBeenPwned\ClientInterface;
use Itineris\DisallowPwnedPasswords\HaveIBeenPwned\Client;
use League\Container\Container;


add_action('i_dpp_register', function (Container $container): void {
    $container->add(ClientInterface::class, Client::class);
});

FAQ

Did you just send all the passwords to someone else?

No. User passwords never leave your server, not even in hashed form.

How do you compare user passwords with the 6,493,641,194 pwned ones?

Curious users can learn more from:

Paranoia users should check the plugin implementation.

What to do if I don't trust haveibeenpwned.com?

Troy Hunt is a well-kown security expert. You should trust him more than me (the plugin author). Anyways, you can replace the default API client with yours:

<?php

use Itineris\DisallowPwnedPasswords\HaveIBeenPwned\ClientInterface;
use League\Container\Container;

class YourCustomClient implements ClientInterface
{
    // Your implementation.
}

add_action('i_dpp_register', function (Container $container): void {
    $container->add(ClientInterface::class, YourCustomClient::class);
});

This plugin uses league/container. Learn more from its documents.

What to do if I don't trust the plugin author?

Good question! You shouldn't blindly trust any random security guide/plugin from the scary internet - including this one!

Review the plugin implementation.

I have installed this plugin. Does it mean my WordPress site is unhackable?

No website is unhackable.

To have a secure WordPress site, you have to keep all these up-to-date:

WordPress core
PHP
this plugin
all other WordPress themes and plugins
everything on the server
other security practices
your mindset

Strongly recommended:

WP Password Argon Two - Securely store WordPress user passwords in database with Argon2i hashing and SHA-512 HMAC using PHP's native functions
WP Cloudflare Guard - Connecting WordPress with Cloudflare firewall, protect your WordPress site at DNS level. Automatically create firewall rules to block dangerous IPs
Two-Factor
wp-password-bcrypt

Can strong passwords been pwned?

Yes. Example:

correct horse battery staple

How to disable WooCommerce password strength meter?

For testing only, use at your own risk!

add_action('wp_print_scripts', function () {
    wp_dequeue_script('wc-password-strength-meter');
}, 10000);

Will you add support for older PHP versions?

Never! This plugin will only works on actively supported PHP versions.

Don't use it on end of life or security fixes only PHP versions.

Note: Current version supports PHP 7.0 because wordpress.org svn pre-commit hook rejects PHP 7.1+ syntax. However, you should not use PHP 7.0 because it has reached end of life since 10 January 2019.

It looks awesome. Where can I find some more goodies like this?

Articles on Itineris' blog
More projects on Itineris' GitHub profile
More plugins on Itineris and TangRufus wp.org profiles
Follow @itineris_ltd and @TangRufus on Twitter
Hire Itineris to build your next awesome site

Besides wp.org, where can I give a ⭐⭐⭐⭐⭐ review?

Thanks! Glad you like it. It's important to let my boss knows somebody is using this project. Please consider:

give ⭐⭐⭐⭐⭐ reviews on wp.org
tweet something good with mentioning @itineris_ltd and @TangRufus
️️:star: star this Github repo
watch this Github repo
write blog posts
submit pull requests
hire Itineris

Alternatives

Testing

$ composer test
$ composer phpstan:analyse
$ composer style:check

Pull requests without tests will not be accepted!

Feedback

Please provide feedback! We want to make this library useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.

Change Log

Please see CHANGELOG for more information on what has changed recently.

Security

If you discover any security related issues, please email hello@itineris.co.uk instead of using the issue tracker.

Credits

Disallow Pwned Password is a Itineris Limited project created by Tang Rufus.

Full list of contributors can be found here.

Special thanks to Troy Hunt whose Have I been pwned database makes this plugin possible. Also, the k-Anonymity validation is an awesome work of Junade Ali from Cloudflare.

License

Disallow Pwned Password is licensed under the GPLv2 (or later) from the Free Software Foundation. Please see License File for more information.

itinerisltd / disallow-pwned-passwords

Maintainers

Details