Password Security

Bcrypt Password Hashing

Altis uses the wp-password-bcrypt library (from Roots) to provide bcrypt password hashing for WordPress. This library is a drop-in replacement for WordPress' default password hashing functions, and provides a more secure hashing algorithm.

Altis also allows you to control the minimum password strength required for user passwords, and provides a filter to add additional password strength checks. See below for more information.

Minimum Password Strength

To protect against brute force and dictionary attacks, Altis enforces a minimum password strength.

Each password is assigned one of four strength scores:

  • Very Weak (score: 1)
  • Weak (score: 2)
  • Medium (score: 3)
  • Strong (score: 4)

By default, passwords which score below 2 (i.e. Very Weak passwords) will be rejected.

To change the minimum password strength, set the setting to a different score (e.g. 3 to require at least a Medium password).

To disable the minimum password strength checks, set the setting to 0.

Additional strength checks

To add additional strength checks, the filter is provided. It filters the boolean `$is_weak`; returning `true` from your callback rejects the password.

For example, to reject any passwords which contain the word "human":

add_filter( '', function ( $is_weak, $password ) {
	// strpos() is case-sensitive: "human" is rejected, "Human" is not.
	// Use stripos() if the match should ignore case.
	if ( strpos( $password, 'human' ) !== false ) {
		return true;
	}

	// Otherwise keep the verdict produced by the built-in strength check.
	return $is_weak;
}, 10, 2 );

The filter receives other parameters which can be used for more dynamic checks; for example, you could require a higher password strength score for administrators or for specific capabilities.

add_filter( '', function ( bool $is_weak, string $password, WP_User $user, array $results ) {
	// Users who can publish newsletters must reach the "Strong" score (4).
	// $results['score'] holds the strength score described above.
	if ( $user->has_cap( 'publish_newsletter' ) && ( $results['score'] < 4 ) ) {
		return true;
	}

	// Everyone else is subject only to the configured minimum strength.
	return $is_weak;
}, 10, 4 );
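The following is an added example, not code from the Altis documentation or the Altis project, that combines the two patterns above into one callback and adds a check a practitioner usually wants: rejecting passwords that contain the user's own login, display name or e-mail local part, which strength meters often still score as "Medium". The filter name is a placeholder because the page does not spell it out; `example_password_contains_user_data()` is a helper written for this example, and the callback signature is assumed to match the four-parameter form shown above. `manage_options` is the standard WordPress administrator capability.

```php
<?php
// Added example, not part of the Altis documentation. Replace the placeholder
// filter name with the Altis password-strength filter from your configuration.
// Assumed callback signature, as in the page's second example:
// ( bool $is_weak, string $password, WP_User $user, array $results ).

/**
 * Return true when the password contains the user's login, display name, or
 * the local part of their e-mail address (case-insensitive). These fragments
 * are among the first guesses in a targeted dictionary attack.
 */
function example_password_contains_user_data( string $password, WP_User $user ) : bool {
	$candidates = [
		$user->user_login,
		$user->display_name,
		strstr( $user->user_email, '@', true ), // local part; false if no '@'
	];
	$haystack = strtolower( $password );

	foreach ( $candidates as $candidate ) {
		// Skip empty or very short fragments to avoid spurious matches.
		if ( ! is_string( $candidate ) || strlen( $candidate ) < 4 ) {
			continue;
		}
		if ( strpos( $haystack, strtolower( $candidate ) ) !== false ) {
			return true;
		}
	}

	return false;
}

add_filter( 'PASSWORD_STRENGTH_FILTER_PLACEHOLDER', function ( bool $is_weak, string $password, WP_User $user, array $results ) {
	// Never downgrade a rejection made by an earlier filter or the built-in check.
	if ( $is_weak ) {
		return true;
	}

	// Reject passwords built from the user's own account details.
	if ( example_password_contains_user_data( $password, $user ) ) {
		return true;
	}

	// Administrators must reach the "Strong" score (4).
	if ( $user->has_cap( 'manage_options' ) && ( $results['score'] < 4 ) ) {
		return true;
	}

	return $is_weak;
}, 10, 4 );
```

The early `if ( $is_weak ) return true;` matters when several plugins hook the same filter: without it, a later callback that returns its own computed value could silently override a rejection made by an earlier one.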