Disallow Pwned Password

常見問題集

What are the minimum requirements?

• PHP v7.0
• WordPress v4.9.8
• (Optional) WooCommerce v3.4.4

Did you just send all the passwords to someone else?

No. User passwords never leave your server, not even in hashed form.

How do you compare user passwords with the 6,493,641,194 pwned ones?

Curious users can learn more from:

• I’ve Just Launched “Pwned Passwords” V2 With Half a Billion Passwords for Download
• Validating Leaked Passwords with k-Anonymity

Paranoia users should check the plugin implementation.

What to do if I don’t trust haveibeenpwned.com?

Troy Hunt is a well-kown security expert. You should trust him more than me (the plugin author).
Anyways, you can replace the default API client with yours:

<?php

use Itineris\DisallowPwnedPasswords\HaveIBeenPwned\ClientInterface;
use League\Container\Container;

class YourCustomClient implements ClientInterface
{
    // Your implementation.
}

add_action('i_dpp_register', function (Container $container): void {
    $container->add(ClientInterface::class, YourCustomClient::class);
});

This plugin uses league/container. Learn more from its documents.

What to do if I don’t trust the plugin author?

Good question! You shouldn’t blindly trust any random security guide/plugin from the scary internet – including this one!

Review the plugin implementation.

I have installed this plugin. Does it mean my WordPress site is *unhackable*?

No website is unhackable.

To have a secure WordPress site, you have to keep all these up-to-date:

• WordPress core
• PHP
• this plugin
• all other WordPress themes and plugins
• everything on the server
• other security practices
• your mindset

Strongly recommended:

• WP Password Argon Two – Securely store WordPress user passwords in database with Argon2i hashing and SHA-512 HMAC using PHP’s native functions
• WP Cloudflare Guard – Connecting WordPress with Cloudflare firewall, protect your WordPress site at DNS level. Automatically create firewall rules to block dangerous IPs
• Two-Factor
• wp-password-bcrypt

Can strong passwords been pwned?

Yes. Example:

• correct horse battery staple

How to disable WooCommerce password strength meter?

For testing only, use at your own risk!

add_action('wp_print_scripts', function () {
    wp_dequeue_script('wc-password-strength-meter');
}, 10000);

Will you add support for older PHP versions?

Never! This plugin will only works on actively supported PHP versions.

Don’t use it on end of life or security fixes only PHP versions.

Note: Current version supports PHP 7.0 because wordpress.org svn pre-commit hook rejects PHP 7.1+ syntax. However, you should not use PHP 7.0 because it has reached end of life since 10 January 2019.

It looks awesome. Where can I find some more goodies like this?

• Articles on Itineris’ blog
• More projects on Itineris’ GitHub profile
• More plugins on Itineris and TangRufus wp.org profiles
• Follow @itineris_ltd and @TangRufus on Twitter
• Hire Itineris to build your next awesome site

Besides wp.org, where can I give a ★★★★★ review?

Thanks! Glad you like it. It’s important to let my boss knows somebody is using this project. Please consider:

• give ★★★★★ reviews on wp.org
• tweet something good with mentioning @itineris_ltd and @TangRufus
• ️️★ star this Github repo
• watch this Github repo
• write blog posts
• submit pull requests
• hire Itineris

Where to report security related issues?

If you discover any security related issues, please email hello@itineris.co.uk instead of using the issue tracker.