Password Security

bcrypt Password Hashing

Altis uses the wp-password-bcrypt library (from Roots) to provide bcrypt password hashing for WordPress. This library is a drop-in replacement for WordPress' default password hashing functions, and provides a more secure hashing algorithm.

Altis also allows you to control the minimum password strength required for user passwords, and provides a filter to add additional password strength checks. See below for more information.

Minimum Password Strength

To protect against brute force and dictionary attacks, Altis enforces a minimum password strength.

Passwords are assigned one of four possible scores:

  • 'Very Weak' (score: 1)
  • 'Weak' (score: 2)
  • 'Medium' (score: 3)
  • 'Strong' (score: 4)

By default, passwords which score below 2 (i.e. 'Very Weak' passwords) will be rejected.

To change the minimum password strength, set the modules.security.minimum-password-strength setting to a different score (e.g. 3 to require at least 'Medium').

To disable the minimum password strength checks, set the modules.security.minimum-password-strength setting to 0.

Additional strength checks

To add additional strength checks, the altis.security.passwords.is_weak filter is provided. The filtered value is the boolean $is_weak; return true from your callback to reject the password.

For example, to reject any passwords which contain the word "human":

add_filter( 'altis.security.passwords.is_weak', function ( $is_weak, $password ) {
    // strpos() is case-sensitive, so only a lower-case 'human' is matched here.
    if ( strpos( $password, 'human' ) !== false ) {
        return true;
    }

    // Otherwise keep whatever the earlier checks decided.
    return $is_weak;
}, 10, 2 );

The filter also receives the WP_User object and the strength results array, which can be used for more dynamic checks; for example, you could require a higher password strength score for administrators or for users with specific capabilities.

add_filter( 'altis.security.passwords.is_weak', function ( bool $is_weak, string $password, WP_User $user, array $results ) {
    // Users who can publish newsletters must reach the 'Strong' score (4).
    if ( $user->has_cap( 'publish_newsletter' ) && ( $results['score'] < 4 ) ) {
        return true;
    }

    // Everyone else is subject only to the default minimum and earlier checks.
    return $is_weak;
}, 10, 4 );
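The two ideas above (a word denylist and a capability-based minimum score) combined into one callback, as an added example that is not part of the Altis documentation. It assumes the standard WordPress WP_User::user_login and user_email properties, get_bloginfo() and the core 'manage_options' capability; $results['score'] is the 1-4 score described above.

```php
/**
 * Added example (not from Altis): reject passwords built from site- or
 * user-specific words, case-insensitively, and require the 'Strong' score
 * for accounts that can change site options.
 */
add_filter( 'altis.security.passwords.is_weak', function ( bool $is_weak, string $password, WP_User $user, array $results ) : bool {
    // Respect a rejection already made by an earlier filter callback.
    if ( $is_weak ) {
        return true;
    }

    // Words a guessing attack tries first: the login name, the local part of
    // the email address and the site name. array_filter() drops empty values
    // (e.g. strstr() returns false when there is no '@').
    $denylist = array_filter( [
        $user->user_login,
        strstr( $user->user_email, '@', true ),
        get_bloginfo( 'name' ),
    ] );

    foreach ( $denylist as $word ) {
        // stripos() is case-insensitive, so 'Admin', 'ADMIN' and 'admin' all match;
        // very short words are skipped to avoid rejecting almost everything.
        if ( strlen( $word ) >= 3 && stripos( $password, $word ) !== false ) {
            return true;
        }
    }

    // Privileged accounts must reach the 'Strong' score (4).
    if ( $user->has_cap( 'manage_options' ) && $results['score'] < 4 ) {
        return true;
    }

    return $is_weak;
}, 10, 4 );
```

Because the callback returns early when $is_weak is already true, it composes safely with the default minimum-strength check and any other callbacks registered on the same filter.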