You’ll need to add some custom validation for this using the bp_signup_validate hook.
function my_validation() {
// $_POST['signup_password'] is available here to validate
}
add_action( 'bp_signup_validate', 'my_validation' );
@henrywright
Isn’t that based on the availability of the user name and not on the password strength.
@danbp
That plugin does not seem to work on the user settings page, where users can change their password..
The second link you send me, where things I tried before posting this question. None seem to work. Users can still change their password to something like A or 1 in the front-end user settings page.
That plugin is working. I tested it on my-site/members/member_name/settings/ and my-site/register/ But it doesn’t work on admin my-site/wp-admin/profile.php
And that is not a problem, because users can manage anything related to their account on front-end. Under condition you disallow wp-admin access to your members.
How would you force users to change their password once they are registered ?
Asking them to do so ?
Remove their password ?
How can you know the strength of an encrypted user password ?
If you remove the password, they are no more members, so they have anyway to register again. And in this case the plugin becames very usefull.
I tested it on my site and on a clean installation and both do not work on members/member_name/settings/ . Users do see a password strength meter, but can still change their password into something simple as 1 or A. How did you get it to work on members/member_name/settings/?
With WordPress there are many plugins (none that work with buddypress frond-end settings page) that set a minimum strength for passwords. Such as Login Security Solution and iThemes Security. You can force users to change their password or set an amount of days when users must change their password.
It seems like a major security problems (that has existed for a few years) that Buddypress allows simple passwords such as 1 and A on members/member_name/settings/
Isn’t that based on the availability of the user name and not on the password strength.
I’m not sure what you mean by “based on the availability of the user name”. But, in order to test for password strength, you need to ‘validate’ what the user has input. In this case, $_POST['signup_password'] will hold what the user has input when asked to choose a username.
I didn’t do this part for you in my code snippet, but you could do stuff like this:
if ( strlen( utf8_decode( $_POST['signup_password'] ) ) < 8 ) {
// The username is less than 8 characters in length so do something appropriate
} else {
// The username is 8 or more characters
}
This is how you validate. You could add more conditions such as ‘must contain a number’ or ‘must begin with a letter’ etc.
@henrywright
Thank you for the extra explanation. I don’t understand how adding a code to set the minimum number of signup_username characters, makes sure that the passwords has a minimum strength.
@henrywright
I tried your code and it does not work for password strength, when users try to change their password on the front-end.
I also tried to change it to signup_password, but that also does not work. It seems to only work on signup and not once members are logged in and try to change their password. This is the code I used.
function my_validation() {
global $bp;
if ( !empty( $_POST['signup_password'] ) )
if ( strlen( $_POST['signup_password'] ) < 9 )
$bp->signup->errors['signup_password'] = __( 'Your password is not strong enough and needs to be at least 9 characters long', 'buddypress' );
}
add_action( 'bp_signup_validate', 'my_validation');
My apologies, I meant $_POST['signup_password']. I copied $_POST['signup_username'] from the bp_core_screen_signup() function. My intention was to grab $_POST['signup_password'].
Thanks for spotting my mistake. I have edited my code above to use signup_password.
Also, well done for removing utf8_decode(). Not sure why that slipped in. I must have been having a bad day 🙁
Also,
I tried your code and it does not work for password strength, when users try to change their password on the front-end.
That’s because of the hook you’re using. It will work for the sign up step only. For the change password form, you’ll need a different hook. Take a look through the BP code base to find the one you need.
@henrywright
Could not get it to work. I ‘fixed’ it by removing the whole option for users to change their password. If they want to change it, they can use the lost password option. That does work with wordpress security plugins.
@@lisame
Try this i hope this resolves the issue out
limit-min-max-characters-buddypress-registration-form
Henry Wright gave a good explanation, that is the exact same way that I implemented user password and validation on my php classifieds website, which used to be a wordpress site. Can buddypress work easily with a PHP website that is not wordpress-based? It would be a cool feature to add.
Thank you. It is not about the registration form. But the settings page on the fron-end. None of these things work on that page.
it is that based on the availability of the user name and not on the password strength. Kohls coupon codes 30%, printable plus free shipping online.
@lisame as I said earlier, you will need to use a different hook for the settings page but looking through the bp_settings_action_general() function there seems no hook available.
You have 2 options from here if you’d like to get this sorted:
- Request the core team insert a hook inside
bp_settings_action_general() which will let you validate the new chosen password
- Remove
bp_settings_action_general() using remove_action() and roll your own bp_settings_action_general() function, hooking it to bp_actions
