Default Support for HIBP

People have a terrible habit of using the same password over and over and often times have no clue the password they use isn’t safe anymore. It’s also a common oversight to add this by most creators. Add a Setting to enable/disable of course.

Read-only archive:

Author: Dustin Snider

Vote count: 9

Status: open


  • request-add-feature



I’ve used this as part of the Shield Security plugin. It’s a nice feature, definitely would be nice to have in the core. But can be easily done as a plugin.

Do you still think this should be in the core @james ?

I think this could be a good feature for our Security page, letting admin set site-wide settings and enforce them for all users.

The few options that make sense to offer:

  • Enforcement mode:
    • Notify - will notify user but not require new password
    • Require - will require user to pick a new password

And we might want to offer bulk option to select users and perform HIBP check.


Yes, this has my vote as a basic measure to improve password security.

An implementation should probably start as a research plugin anyway, and then evaluation of whether it should be included in core would happen separately.

1 Like

Might be worth looking at forking an existing plugin? These are 2 that I found…


Bcrypt support would be nice. Although not under this petition. We implement it on all client sites we host.

Do you know if it’s still possible to use HIBP without paying? Looks like he added authentication and pricing in 2019.

1 Like

The way we would use HIBP (searching based on the SHA-1 hash of a proposed password) is still free:

GET{first 5 hash chars}

Elsewhere on that page:

Authorisation is required for all APIs that enable searching HIBP by email address,

Searching based on password hash is not such an API, so it does not require authorisation/authentication.

We would probably still want to set up a proxy service for HIBP where we have sites query and store the results on our servers. This would allow us to minimize the number of calls to their servers and also respond with an error if that service becomes unavailable at some point in the future.


The second plugin above uses this method. Looks like it will work for us (both CP and CC) as is.

Minimum requirements

  • PHP v7.0
  • WordPress v4.9.8
  • (Optional) WooCommerce v3.4.4

I use bcrypt on all my sites too. I did open a PR for it soon after CP first started, but it didn’t get implemented because of a theoretical edge case which I’ve never seen occur. I’m wondering whether it might be worth looking at argon2 now instead; that doesn’t have the same theoretical edge case.


Thanks for reminding me of this. I remember that petition now. Let’s have that discussion there, that’s a tree that needs shaking.

1 Like

Thanks, that’s good to know.

For reference, this is how Shield Security implements it:

1 Like

This petition will be closed but you can track progress on GitHub:

This topic was automatically closed after 3 days. New replies are no longer allowed.