Frontend Password change

I think you are referring to two different things..

1) Verifying the request.
You should be using WP Nonces
to verify the request and protect it against XSS. That should be a practice for all your forms. you could also add additional layer of security by integrating a reCAPTCHA.

2) Data Encryption when you attempt to hash the password. Which in this case, your only option is to use SSL. Using it will secure all data transfer between client and server, additionally it goes beyond this single process of updating password.

Related Posts:

  1. Where to securely store API keys and passwords in WordPress?
  2. Why are passwords exportable as plain text in WordPress?
  3. How is password strength calculated?
  4. What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end
  5. Make password invalid once logged out of password-protected page
  6. Can’t reset WordPress password
  7. Is the “lost password” feature truly a vulnerability?
  8. Is it possible to reduce the minimum character length for passwords?
  9. Is there any point setting the keys and salts in wp-config.php?
  10. When is wp_set_password() called or how to capture a password
  11. Moving away from MD5: Where to declare the custom global $wp_hasher?
  12. Force user to change their password on the frontend at the first login and password policy
  13. How to get WordPress to send Password Reset Link Email instead of New Password?
  14. WordPress Front end Form – Enable to Submit PHP Codes
  15. Basic password protection without using users and roles
  16. How can I force a specific password?
  17. Can a WordPress administrator see other users’ passwords?
  18. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  19. Password-protect feed and make it usable in major aggregators
  20. Could a user account with a stolen password compromised entire WP site?
  21. How to set custom validation for WordPress Passwords?
  22. Is my WP site being hacked?
  23. How to get real password (before encrypt) when register a user?
  24. Directory to store secure file
  25. Can you alter the default wordpress strong password requirements?
  26. what is a auth_user_file.txt?
  27. How to view PHP on live site
  28. Is moving wp-config outside the web root really beneficial?
  29. Hide the fact a site is using WordPress?
  30. Verifying that I have fully removed a WordPress hack?
  31. Can I Prevent Enumeration of Usernames?
  32. Best way to eliminate xmlrpc.php?
  33. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  34. Which KSES should be used and when?
  35. How can I easily verify a core or plugin update has not broken anything?
  36. Disable comment windows for all existing posts (pages/blogposts)
  37. Generate WordPress salt
  38. Stop wordpress automatically escaping $_POST data
  39. how can i embed wordpress backend in iframe
  40. Handling nonces for actions from guests to logged-in users
  41. WordPress Logout Only If User Click Logout or If User Delete Browser History
  42. Can I force a password change?
  43. What is pclzip.lib.php file that wordfence think it’s a malicious code
  44. How to disable XML-RPC from Linux command-line in a total way?
  45. How to remove javascript malware in wordpress site [closed]
  46. Completely remove the author url
  47. Restricting access to content
  48. About WordPress site security
  49. Relative security of different releases of WordPress
  50. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  51. Using HTACCESS for Secret Access
  52. Definitive wordpress directory ownership and permissions on linux
  53. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  54. How do I protect user_activation_key?
  55. wordpress website host price and security [closed]
  56. How to implement secure frontend image upload? [closed]
  57. Are there security risks in working directly in the themes folder that builds into a theme folder?
  58. Secure WordPress: Change admin
  59. how much information can we hide when using wordpress cms?
  60. Wordfence detects change in wp-admin/includes/upgrade.php
  61. System setting changed by system user
  62. Does meta-data need to be sanitized?
  63. Will there be security updates for WordPress 4.9.9
  64. Need help for WordPress User Session Management?
  65. Specific way to allow WordPress users to view their current password? And edit it?
  66. On new server, site got hacked, permissions a bit strange? Please help
  67. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  68. Should I manually resolve WP Core File security issues or await a subsequent WP release?
  69. Restrict Access without Creating Users
  70. How to obfuscate wp-config.php or code
  71. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  72. How to prevent to direct access of my custom plugin folder/files
  73. Checking for origin of a xmlrpc request
  74. RESTRICT EDIT of PHP files?
  75. wp-content – permissions for files/folders created by apache
  76. How can I restrict access to specific parts of a page, not just the page itself?
  77. Using password protection to load different page elements?
  78. User generated content and security
  79. Are major WordPress updates mandatory for security?
  80. i moved wp-config.php outside of public html and this broke my website
  81. Monitor wordpress all external calls
  82. Securing WordPress running on Azure platform
  83. Verifying that I have fully removed a WordPress hack?
  84. Spam Registrations
  85. How can I have more confidence that WP plugins aren’t getting and storing user data?
  86. Standard Method for Securing a WordPress Site
  87. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  88. Any way to disable /wp-login.php redirecting to the site folder?
  89. Folder Permissions + Security Concerns
  90. Malware/Permission bug removal?
  91. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  92. Secure a WordPress website in 2019: one plugin or a combinations of them?
  93. What are the different types of firewall protections available for a WordPress website?
  94. Is this a WordPress security bug?
  95. Competitor is somehow accessing MetaData on a hidden WordPress site
  96. WordPress Hacks/Defacing [closed]
  97. I am under DDoS. What can I do?
  98. SSH keypair generation: RSA or DSA?
  99. How do I protect my company from my IT guy? [closed]
  100. Does changing default port number actually increase security? [closed]