Our free plugin, Defender, beefs up your WordPress site’s security with Pwned password protection, force password change, and other enhanced features!

Defender will secure your site against password leak attacks and block logins from users entering known compromised passwords that exist in Pwned database breach records.

You can choose the user roles for who you want to enable password checks and force a password change if a password is compromised.

Let’s take a quick look around at what’s new with Defender! They include:

With this release (and more coming soon), your WordPress site’s security game just got better.

Pwned Passwords

Pwned Passwords are over 613 million real-world passwords that were previously exposed in data breaches. This makes them unsuitable for ongoing use since they are at a much greater risk of being used to overtake other accounts.

New Pwned Passwords notification.
Defender is here to protect your passwords!

Passwords entered by your users in default login and registration forms are checked against the publicly accessible database breach records found at Have I Been Pwned.

If a password is entered by a user and that password is found in the database, well, it will make them change it. Simple as that!

User passwords never leave the site, because it’s an important part of security. Passwords are hashed and only a part of hashed passwords are being checked.

To get set up with Pwned Passwords, it’s as easy as going to Tools > Pwned Passwords. Once here, Defender can get this feature set up by clicking Activate.

Where you click activate.
One-click is all it takes for this extra security boost.

Then, you determine User Roles. This will decide the user roles you want to enable pwned password checks for.

Choose as many roles as you’d like.

You can select or deselect user roles at any time (except for Administrator, which can’t be disabled). Just be sure to click Save Changes once configured, then your Pwned Passwords feature is all set.

Force Password Change

When a user is forced to change their password, they won’t have access to any other pages until the password change is complete. They’ll be redirected to a password reset page right away to change it.

Force Password Change is a part of the Pwned Password and is enabled by default when Pwned Passwords is activated.

They’ll also be greeted with a message about the password needing to be changed if the user tries to add a Pwned password. The message can be customized however you like in the Force Password Change area.

Where you enter a custom message for force password change.
Add any custom message that you’d like!

In the login area, the message will appear like this:

What the message looks like when a user logs in.
What the message will look like.

Once the user enters a Username or Email Address, they can get it changed immediately. Once logged in, they’ll have access to their normal user roles.

And, of course, it’s as easy as ever to disable this feature, if you’d like. Just click Deactivate.

Where you deactivate the Pwned passwords.
This is located at the bottom of the screen in the Pwned Password area.

It’s also worth noting that if a user adds a password that has already been pwned, the password won’t be saved and will show a custom message.

With this latest addition to Defender, you and your users won’t have to worry about a compromised password being used.

It’s just one of many password security features that Defender has to offer. Defender also includes 2FA, Login Protection, Firewall — and much more!

Force Bulk Password Reset for All Users and Other New Features Coming Soon

Image of Defender.
Defender is about to force all of your users to reset their passwords, if needed.

Coming up with the release of Defender 2.5.2 will be a feature to force a password reset for all users. If there’s a login breach, this feature will ensure that passwords are reset and secure.

There’s also going to be an integration with our popular (and free!) image optimizing plugin, Smush. Soon, Defender will exclude images that have been optimized by Smush from Malware Scanning reports.

Plus, you’ll be able to deactivate Malware Scanning when all scan options are unselected.

And, coming soon Defender will also have a ReCaptcha feature.

The Best Defense Doesn’t Stop There…

Defender is constantly beefing up his security. These new updates are just an inkling of what’s to come, thanks to his awesome team of developers. You can always check out our Roadmap to see what’s on the horizon.

If you’re not using Defender yet, you’re missing out on the security protection that we just talked about. Plus he includes 404 Detection, Geolocation IP Lockout, ability to disable trackbacks & pinbacks, Core and Server Update Recommendations, and other features. All for free!

For a detailed look, be sure to read our article on getting the most out of Defender security.

Free Video Why 100 is NOT a Perfect Google PageSpeed Score (*5 Min Watch) Learn how to use Google PageSpeed Insights to set realistic goals, improve site speed, and why aiming for a perfect 100 is the WRONG goal.
Watch the video