You can use this code in your functions.php to restrict users below admin level from changing their passwords:
if ( is_admin() ) {
add_action( 'init', 'disable_password_fields', 10 );
}
function disable_password_fields() {
if ( ! current_user_can( 'activate_plugins' ) ) {
$show_password_fields = add_filter( 'show_password_fields', '__return_false' );
}
}
The admin should probably register each user manually if possible and select a strong password for them.
Edit – Changed user level check. Syntax.
Related Posts:
- Where to securely store API keys and passwords in WordPress?
- Why are passwords exportable as plain text in WordPress?
- How is password strength calculated?
- Make password invalid once logged out of password-protected page
- Can’t reset WordPress password
- Is the “lost password” feature truly a vulnerability?
- Frontend Password change
- Is it possible to reduce the minimum character length for passwords?
- Is there any point setting the keys and salts in wp-config.php?
- When is wp_set_password() called or how to capture a password
- Moving away from MD5: Where to declare the custom global $wp_hasher?
- How to get WordPress to send Password Reset Link Email instead of New Password?
- Basic password protection without using users and roles
- Can a WordPress administrator see other users’ passwords?
- After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
- Password-protect feed and make it usable in major aggregators
- Could a user account with a stolen password compromised entire WP site?
- How to set custom validation for WordPress Passwords?
- Is my WP site being hacked?
- How to get real password (before encrypt) when register a user?
- Directory to store secure file
- Can you alter the default wordpress strong password requirements?
- What’s the best approach for generating a new API key?
- Simplest two-way encryption using PHP
- How does the SQL injection from the “Bobby Tables” XKCD comic work?
- how fix “this certificate cannot be verified up to a trusted certification authority”
- How can bcrypt have built-in salts?
- Getting a List of Currently Available Roles on a WordPress Site?
- Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
- How safe / sanitized is wp_insert_posts()?
- From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
- Enforcing password complexity
- Is there a way to force ssl on certain pages
- What is the purpose of having a token in cookies?
- Regular security checks – what steps should be included?
- What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end
- Do Cookies Need to be Sanatized Before Being Saved?
- Is WP vulnerable when updating plugins or themes?
- Disable external access to REST API Endpoint
- What is the wp-includes/certificates/ca-bundle.crt used for?
- Do you need to escape hard coded plain text?
- Encrypt emails?
- Garbage in beginning of wp-config.php – was this WP installation compromised?
- WordPress salts set in config and database
- Disallow file edit not preventing plugin install
- How to secure WordPress XMLRPC?
- How can I find security hole in my wordpress site?
- Does WP show me if I’m logged in from multiple locations?
- Is it necessary to use esc_url with template tags such as get_permalink?
- WordPress Malware Problem help! [duplicate]
- Staging Site: Made Public – Security Questions
- Best Way to Enable Two Step Authentication
- Restrictive File Permissions
- Why are xmlrpc.php and wp-cron.php being called so often?
- Using esc_html with HTML purifier and CSSTidy: Overkill?
- wordfence scan warning on W3 Total Cache [closed]
- No option “I would like my site to be private, visible only to users I choose” in Privacy Settings
- wp-config.php modified?
- How do I properly update the WordPress database password?
- Suspicious Files
- How to save iframe tag into a post?
- wp-json and what data does it give away?
- Is is necessary to use security plugin for wordpress? [closed]
- neccessary?
- Is wp_kses the right approach in sanitizing this string?
- Reset Password policy
- iTheme Security always lockout my account [closed]
- Is it sensible to worry about sanitizing admin input in plugin custom CSS?
- Renaming install.php for security?
- Which Versions of WordPress Ship with the Patched TimThumb?
- Use global variables or function that returns said variables for site-wide private-ish WP settings?
- Is it safe to give wordpress directories ownership to www-data?
- Use Google authentication for pages within a website [closed]
- Do we need to escape data that we receive from theme options?
- Why does WordPress change a file’s permissions?
- Side effects of disallowing *.php requests in production environment?
- Outgoing new connection to linked Websites – why?
- My Site keeps crashing due to the wp-confg file being deleted
- Someone keeps changing my SITEURL (mysql injection or xss?) [closed]
- How WordPress sanitizes post content on save? Or it doesn’t?
- Replace domain in database
- What highest security brake with wordpress and static files?
- Spam in WordPress root folder
- Has anyone developed a anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?
- HSTS header not being added correctly
- how to protect wordpress content from crawler
- Is it okay to use an ACF field to store a password for a protected area of a page?
- Cannot access wp admin of WordPress website (security plugin issue) [closed]
- Why are the latest visits to my website originating from my own website?
- Secure Multiple WordPress Installations on shared hosting
- How do I hide WordPress users from security scanning?
- Background Updates Not Happening
- wp-config.php file and code injection
- FORCE_SSL_ADMIN affecting subdomains
- What is the best security $_POST method?
- My WP site and password was hacked, what to do? [closed]
- Bank account number and Sort Code in a form [closed]
- How do you search for backdoors from the previous IT person?
- Is wp-cron.php vulnerable to external attacks and how to protect it?
- How to address security vulnerabilities: LUCKY13, BEAST, and BREACH