=== Password Reset Enforcement ===
Contributors: teydeastudio, bartoszgadomski
Tags: reset password, force password change, WordPress security, password enforcement, secure login
Requires at least: 6.6
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.12.0
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html
Plugin URI: https://teydeastudio.com/?utm_source=Password+Reset+Enforcement

Easily enforce password reset for WordPress users. Choose to force password changes site-wide, by user and/or by role, to boost your site's security.

== Description ==

**Enhance your WordPress website's security by forcing users to reset their passwords.**

Password Reset Enforcement is a simple yet powerful security plugin that allows site administrators to require users to update their passwords—ideal after a potential data breach, routine security checks, or during onboarding/offboarding processes.

== Features ==

- **Force password reset for all users**, specific user roles, or individual users.
- **Optional email notification** to users with a direct reset link.
- **Flexible login behavior**:
  - *Allow login before resetting*: users log in with the old password and are immediately prompted to set a new one.
  - *Block login until reset*: users must reset their password before accessing the dashboard.
- **Choose reset timing**:
  - *Immediately*: forces logout and password reset on next login.
  - *After session expiry*: users are asked to reset after their current session ends.
- **WP-CLI support** for command-line password management and automation.
- **Multisite compatible** (network-wide reset only).
- Optimized for performance on large-scale and enterprise WordPress installations.

== Use Cases ==

- Responding to a **security breach** or suspected compromise.
- Enforcing **routine password changes** in corporate environments.
- Applying **onboarding/offboarding security policies** for teams or membership sites.

== Compatibility ==

- Works on both single-site and multisite (network) WordPress setups.
- Supports PHP 7.4+ and WordPress 6.6 through 7.0.
- Compatible with modern WordPress admin experience.

== Screenshots ==

1. Force password reset for all users.
2. Target users by role, username, or display name.
3. Process the action.

== Installation ==

1. Upload the plugin to the `/wp-content/plugins/` directory or install via the WordPress admin panel.
2. Activate the plugin.
3. Go to **Settings → Password Reset Enforcement** to initiate resets.

== WP-CLI Commands ==

This plugin provides WP-CLI commands for automated password reset management:

**Force Password Reset**

`wp password-reset-enforcement force [--to_all] [--to_roles=] [--to_users=] [--applicability=] [--with_email] [--with_current_password_allowed] [--limit=] [--paged=]`

**Clear Password Reset Enforcement**

`wp password-reset-enforcement clear [--to_all] [--to_roles=] [--to_users=] [--limit=] [--paged=]`

**List Users with Enforced Password Reset**

`wp password-reset-enforcement list [--limit=] [--paged=]`

**Check Password Reset Status**

`wp password-reset-enforcement status [--to_all] [--to_roles=] [--to_users=] [--limit=] [--paged=]`

= Command Options =

- `--to_all`: Target all users on the site
- `--to_roles=`: Comma-separated list of user roles (e.g., editor,administrator)
- `--to_users=`: Comma-separated list of specific user IDs (e.g., 1,5,10)
- `--applicability=`: When reset takes effect (immediately, after_session_expiry)
- `--with_email`: Send email notifications to affected users (default: true)
- `--with_current_password_allowed`: Allow users to reuse current password (default: false)
- `--limit=`: Maximum users to process in single operation
- `--paged=`: Page number for pagination

= Command Examples =

`wp password-reset-enforcement force --to_all`

`wp password-reset-enforcement force --to_roles=editor,administrator --applicability=after_session_expiry`

`wp password-reset-enforcement clear --to_users=1,5,10`

`wp password-reset-enforcement list --limit=50 --paged=2`

`wp password-reset-enforcement status --to_all --limit=50 --paged=2`

== Related Plugins ==

Want to go beyond forced password resets? Check our [WP Password Policy](https://wppasswordpolicy.com/?utm_source=Password+Reset+Enforcement) plugin to enforce strong password rules, block weak passwords, and set automatic expiry policies — so you'll never need to force a password reset again. [Free version available on WordPress.org](https://wordpress.org/plugins/password-requirements/).

== Frequently Asked Questions ==

= Will this log users out immediately? =

Only if you choose the “Immediately” option. Otherwise, users will be asked to reset after their current session expires.

= Is it compatible with other login plugins or 2FA solutions? =

Yes, Password Reset Enforcement is designed for compatibility and works well alongside popular authentication and security plugins.

= Can I use this on a WooCommerce site? =

Absolutely. Works seamlessly with WooCommerce and other membership or eCommerce platforms.

= Does this plugin support WP-CLI? =

Yes! The plugin includes comprehensive WP-CLI commands for forcing password resets, clearing enforcement, and checking status. Perfect for automation, server management, and bulk operations.

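For the bulk operations mentioned above, a batched rollout built on the documented `--limit` and `--paged` options, as an added example that is not part of the plugin or its documentation. The names `plan.sh`, `page_count` and `plan_force` are hypothetical; the script assumes `--paged` is 1-based with `--limit` users per page, and that `wp user list --format=count` (WP-CLI core) supplies the user total.

```shell
#!/bin/sh
# Added example: print a batched plan for the readme's `force` and `status`
# commands. Assumptions (not from the plugin docs): --paged is 1-based and
# each page covers --limit users.
# Use: sh plan.sh "$(wp user list --format=count)" 200 --applicability=immediately

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# page_count TOTAL LIMIT -> pages needed (ceiling division)
page_count() {
    if ! is_uint "$1" || ! is_uint "$2" || [ "$2" -eq 0 ]; then
        echo "page_count: need TOTAL >= 0 and LIMIT > 0" >&2
        return 1
    fi
    echo $(( ($1 + $2 - 1) / $2 ))
}

# plan_force TOTAL LIMIT [force options listed in the readme]
# Emits, per page, one `force` command followed by a `status` check.
plan_force() {
    total=$1; limit=$2
    pages=$(page_count "$total" "$limit") || return 1
    shift 2
    opts="--to_all"
    for o in "$@"; do
        case "$o" in
            --applicability=immediately|--applicability=after_session_expiry|\
            --with_email|--with_current_password_allowed) opts="$opts $o" ;;
            *) echo "plan_force: unsupported option: $o" >&2; return 1 ;;
        esac
    done
    page=1
    while [ "$page" -le "$pages" ]; do
        echo "wp password-reset-enforcement force $opts --limit=$limit --paged=$page"
        echo "wp password-reset-enforcement status --to_all --limit=$limit --paged=$page"
        page=$((page + 1))
    done
}

# Print the plan only when called with arguments; review it, then pipe to sh.
if [ $# -ge 2 ]; then plan_force "$@"; fi
```

The script only prints commands, so the plan can be reviewed or logged in a change ticket before anything touches user sessions.
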
== Changelog ==

= 1.12.0 (2026-04-16) =
* Compatibility with WordPress 7.0 confirmed
* Direct access protection added to all PHP files
* Unnecessary translation files removed since these are loaded from WordPress.org
* Security hardening - added missing escaping
* Do not hardcode `wp-login.php` path for login form
* Formatting updates
* Dependencies updated

= 1.11.1 (2025-11-28) =
* Compatibility with WordPress 6.9 confirmed
* Dependencies updated

= 1.11.0 (2025-10-31) =
* Direct links to force password reset have been added to the Users page, along with a bulk action
* Clear indicators that a password reset has been enforced for a given user have been added to the Users and User Profile screens
* User selector component has been improved
* WP-CLI commands have been added, allowing power users to force password reset, clear the enforcement, check the status, and list users for whom the password reset has been enforced
* Dependencies updated
* Code improvements

= 1.10.2 (2025-05-08) =
* Plugin links and references to Teydea Studio updated
* Dependencies updated

= 1.10.1 (2025-04-04) =
* Compatibility with WordPress 6.8 confirmed
* Issue of requesting the translated string too early fixed
* Dependencies updated
* Code improvements

= 1.10.0 (2025-02-21) =
* Dependencies updated
* Code improvements

= 1.9.0 (2024-12-13) =
* Dependencies updated
* Code improvements

= 1.8.0 (2024-11-08) =
* Custom capabilities for managing the plugin settings implemented
* Compatibility with WordPress 6.7 confirmed
* Dependencies updated
* Code improvements

= 1.7.2 (2024-10-25) =
* JS dependency map and tree-shaking optimized

= 1.7.1 (2024-10-23) =
* Add missing Cache utility class

(For older records, see the `changelog.txt` file).