WP Engineer

Disable password fields for non-admins

So you’ve created a user and added a strong password because you care for your blog’s security? Unfortunately you can’t be sure that the user will keep this strong password since he/she can change it to a much weaker one on his profile page.
This problem can be solved by adding a filter:

if ( is_admin() )
  add_action( 'init', 'disable_password_fields', 10 );

function disable_password_fields() {
  if ( ! current_user_can( 'administrator' ) )
    $show_password_fields = add_filter( 'show_password_fields', '__return_false' );
}

Now only a user with the administrator role can change the passwords of the users and make sure that they are using strong passwords.

Posted

in

by

Latz

Tags:

,

Comments

10 responses to “Disable password fields for non-admins”

  1. Steve Taylor Avatar
    Steve Taylor

    Alternatively, http://wordpress.org/extend/plugins/force-strong-passwords/ ๐Ÿ™‚

  2. Latz Avatar
    Latz

    @steve: Unfortunately the algorithm checking for a strong password treats passwords like “abcdefghiklm” or “1234567890a” or even “————” as strong passwords since they are simply long. Took me only two minutes to figure this out and “normal” users will do so as well and use them (they will!).

    Just checked: “password123” is a strong password, too. Maybe it’s time to think about a better algorithm…

  3. Steve Taylor Avatar
    Steve Taylor

    @Latz, the algorithm is just copied straight from the WP core JavaScript. I’m no expert on password strength algorithms, so if anyone could contribute a better one for the plugin…

  4. Nathan Smith Avatar
    Nathan Smith

    Really very generous of you Latz! I’ve found out its very useful for me. Great put!! Thanks ๐Ÿ™‚

  5. micha Avatar
    micha

    And what about the recover-password-dialog, where users can too choose a password themselves?

  6. Beachbum Avatar
    Beachbum

    Can this be tweaked for multi-site and superadmin?

  7. GeekPress Avatar
    GeekPress

    You can replace this

    “if ( is_admin() )
    add_action( ‘init’, ‘disable_password_fields’, 10 );”

    by

    add_action( ‘admin_init’, ‘disable_password_fields’, 10 );

  8. Adrian Avatar
    Adrian

    Good suggestion to overcome password related issue. Adding filter is a clever concept. Really liked that. Will try it myself and how it works. Thanks for the tip off!

  9. Diije Avatar
    Diije

    My only issue : it can be very useful to change passwords once in a while, isn’t it ? With this hack, it’s impossible.
    However, great trick, it gave me some ideas ๐Ÿ™‚

  10. Rajesh Namase Avatar
    Rajesh Namase

    Thanks for this code, really helpful for me.