With WooCommerce 2.5 a new feature has been added to the checkout page: the password strength meter.

If you allow customers to create an account from this page and they also choose their own password, they will see a password strength meter next to the password field.

Why is this useful?

The main reason is security.

If users select a strong password, not only are their accounts more secure, but also your website. Should someone get access to a user’s account with a weak password, they get access to much or all data on the website, compromising your security and users’ security as well.

I’ve heard many people complain about the strength meter. When it was added, we encountered an issue. If the password was not rated Strong, the ability to check out would be disabled. This resulted in less revenue for businesses, as customers would leave the website without purchasing anything. The WooCommerce Development Team applied a fix in version 2.5.1, so now everyone can check out, even with the weakest password. But some still complain.

So what to do?

You can completely remove the strength meter and restore the checkout process as it was before. To do this, add this function in your functions.php file in wp-content/themes/your-theme-name/:

Props to Caleb Burks for the snippet.

As I said, the strength meter is an incentive for users to use strong passwords and have safe accounts. Remove it at your own risk.

Update 16th Feb. 2016: Do you want to change only its labels? Check this post!

Update 16th May 2017: You can adjust the minimum strength of a password by using this snippet:

The default minimum strength is 3; in the example I reduced it to 2.
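The snippet referred to above is not reproduced on this page. The following is an added example, not the author's or WooCommerce's own code. It sets the `woocommerce_min_password_strength` filter named in the comments below to 2, using a closure because `create_function()` was removed in PHP 8.0. Since the meter is a browser-side script, it also goes beyond the post by adding a server-side length check at account creation. The constant name, the error code, the `myshop` text domain, the 8-character minimum and the two POST field names are assumptions of this example.

```php
<?php
// Added example for functions.php or a small site plugin.

// Minimum score the strength meter accepts before it enables the button.
// Scale as listed in the comments on this page: 0 = very weak ... 3 = strong (default).
add_filter( 'woocommerce_min_password_strength', function ( $strength ) {
	return 2; // Medium.
} );

// Hypothetical policy value chosen for this example.
const MYSHOP_MIN_PASSWORD_LENGTH = 8;

// Server-side check when WooCommerce creates a customer account
// (My Account registration form and checkout). It does not cover
// later password changes made from the account page.
add_filter( 'woocommerce_registration_errors', function ( $errors, $username, $email ) {
	// Assumption: the password is posted as 'password' (registration form)
	// or 'account_password' (checkout).
	$password = '';
	foreach ( array( 'password', 'account_password' ) as $field ) {
		if ( ! empty( $_POST[ $field ] ) ) {
			$password = (string) wp_unslash( $_POST[ $field ] );
			break;
		}
	}

	// No customer-chosen password in the request, for example when the shop
	// generates passwords itself: nothing to validate here.
	if ( '' === $password ) {
		return $errors;
	}

	if ( mb_strlen( $password ) < MYSHOP_MIN_PASSWORD_LENGTH ) {
		$errors->add(
			'myshop_password_too_short',
			sprintf(
				/* translators: %d: minimum number of characters. */
				__( 'Please choose a password of at least %d characters.', 'myshop' ),
				MYSHOP_MIN_PASSWORD_LENGTH
			)
		);
	}

	return $errors;
}, 10, 3 );
```

The length rule is independent of the meter score: the filter only changes which score the browser script accepts, while the registration check rejects short passwords even if the script never ran.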

72 replies
  1. DeathByDisco says:

    Hi Nicola,

    I like the strength meter feature security-wise. But I have the same problem.
    A lot of customers complain that they can’t checkout or register cuz they don’t realize that they need to use an at least medium strength password.

    The option to remove that option using your function is a temp. solution but I would prefer to keep the strength meter for security reasons.

    Is there a way to add a hint? For example, rename the strength meter value?

    Instead of displaying weak, or very weak, I would like to display “your password is too weak to register an account! Please consider using a stronger password”

    or something like that?

    Any idea?

    • Nicola Mustone says:

      Hi,
      there’s not an easy way to change the strings, they are not from WC, but from WordPress.

      The only way I think that could work is to dynamically change them with a JS script in your theme when they change. But also in this case, it won’t be easy.

  2. deryk says:

    The strength just needs to be changed. I tried a password I use on some things that is considered a strong password by most systems. It has uppercase, numbers and a symbol and is > 8 characters in length and it still won’t let it be used. I’ve disabled this feature on my sites because of it.

  3. Derek Scambler says:

    Thanks for this Nicola, I am sure we have been losing business because of this.

    We have a lot of customers of the ‘older variety’ and the fact that I have struggled to create a strong password that is still memorable, I don’t hold out much hope for them. Also, why would someone want to spend over 10 mins trying to come up with something then the next time they come to the site not be able to remember it. It would certainly put me off.

    I’ve now removed the meter, with the snippet above, as even with the excellent code you have here: https://nicolamustone.com/2016/02/16/change-the-password-strength-meter-labels/ I think some customers would still struggle.

    I know nothing of code but I thought a good solution, if possible, would be to leave the meter on so customers could see the strength of the password but remove register block for less than medium strength…

    Thanks again!

    • Nicola Mustone says:

      Hi Derek,
      Thanks for stopping by!

      “I know nothing of code but I thought a good solution, if possible, would be to leave the meter on so customers could see the strength of the password but remove register block for less than medium strength…”

      Actually we did this in the most recent version of WooCommerce. It tells you that your password is weak, but you can still register/checkout regardless of that.

      • Derek Scambler says:

        Is there any way to remove the ‘Please enter a stronger password’ text as this may be where the confusion is. On my checkout page you need to scroll down to see the ‘place order’ button so I think people are still getting stuck here as it’s asking them to improve their password and they can’t see that they can checkout regardless.

        Also, do you know if you can override in the same way on the login/registration page, not just the checkout, as this still has the enforced good password?

        Thanks

    • Derek Scambler says:

      Sorry, I forgot to point out this was for the login/registration page, not the checkout page as this is pretty much what you already have put in place!

  4. Brian says:

    Hi there, this works nicely for the checkout page, thanks and thanks Caleb, but seems to break the register form on the /my-account page for non-logged in users. The strength meter and labels don’t show but the register button never becomes clickable no matter what type of password is entered. Do you see this issue also?

  5. tracersa says:

    Thanks for this. This removed the password strength and validation entirely, which means now password “1” is valid. Is there any way we can change the strength, e.g. instead of strong have a weak or medium password requirement??

  6. Mike says:

    I’m a little confused: does the code snippet in the article remove just the meter, or does it remove the requirement for strong passwords? I want to remove the requirement altogether so customers can use the passwords they want to use.

  7. Barry Richards says:

    “The WooCommerce Development Team applied a fix in version 2.5.1, so now everyone can check out, even with the weakest password. But some still complain.”

    I don’t get it, I’m on version 2.6.1 and you can’t login with a weak password. Has to be at least medium.

    I don’t want to turn this off, I just want users to be able to choose a less complex password. But not something bleedingly obvious.

  8. drago says:

    But this is for some Ninja theme

    Can I give you access to my site and you add it 🙂
    Once I added something in functions.php and the site collapsed so I had to build it again

  9. Christian says:

    Hi Sir,

    is there any way to DISPLAY PASSWORD FIELDS in woocommerce checkout even if you’re already SIGNED IN???.. because the default is when you’re not into sign in mode.. password fields will display..

    is there any way into this problem?

    thanks..

  10. Vane says:

    Hi,
    maybe a solution would be to be able to set password requirements for our site ( min. char number and char types required ).
    For example: I would disable the requirements for symbols, but I’d keep upper and lower caps and numbers. That’s much easier to remember…

  11. Minhaz says:

    Hi Nicola,

    I think the password meter is very important for security on the site. But with WooCommerce’s default password strength meter users get bored. Can I control the password length and the characters? For example, I want a minimum of six characters with at least one number, one symbol and one letter.

    Special thanks for your WooCommerce and Storefront.

  12. Derek Scambler says:

    Hi Nicola, I applied this code and also the ‘Change password strength labels’ code (https://nicola.blog/2016/02/16/change-the-password-strength-meter-labels/) back in March last year. I didn’t check the ‘My Account’ page (but probably should have as I changed the text to ‘your password is weak but you can still CHECKOUT’… not really applicable on the my account page… silly me) but I have found out that although the ‘change password strength labels’ snippet of code has applied to the ‘My Account page’ the strength meter hasn’t.

    I am telling people that they should increase the strength of the password but it doesn’t matter as they can still proceed but the save button is greyed out until they create a strong password. I don’t know if this has always been the case or if something has changed in WordPress that has affected the outcome.

    The code works great on the checkout page but not for those who want to change their password or for those who want to create a new one as they have forgotten it.

    Is there anything else I could add so that it covers all areas that the strength meter operates?

    Thanks

    Derek

    • Derek Scambler says:

      Please ignore me… I have been an idiot! I realise now that I haven’t applied both pieces of code, I must have opted for the label change code and that is why they can’t proceed on their account page or forgotten password page. I’ll make a decision now on whether to completely remove the strength meter or to reduce its requirements as you mentioned above.

      Thanks, Derek

  13. Susan says:

    Hi Nicola,

    I used this script to remove the password strength meter as this script was generating an error in Google Search Console (as a blocked resource from /wp-admin folder).

    I checked this morning, and now I’m getting this error message (have changed client # and url):

    [Sun Mar 26 13:24:05.789746 2017] [apparmor:error] [pid 11924] (10)No child processes: [client 123.456.78.90:24667] Failed to change_hat to ‘HANDLING_UNTRUSTED_INPUT’, referer: https://mywebstore.com/cart/

    So I’ve deleted the remove password strength code.

    I’m just wondering what I may have done wrong based on this error message. I’d really like to clear up the script blocking issue, and customers don’t need to have user accounts (I’ve otherwise disabled them).

  14. mide says:

    Thank you, we have lost a number of customers because registering was a struggle, and they didn’t know that they could checkout regardless. I have reduced the requirements. Thanks.

  15. Matias says:

    Hi, thanks for the snippet! I think the main issue is that it’s not clear anywhere that you can still checkout with a medium security password. I think everyone reads it and thinks they MUST use a high security password.

    I am going to ask something that perhaps is very basic: why it would represent a security threat for my site the fact that someone can log in a customer’s account?
    I mean, they would have the same access as any user with a customer role. The same access they could get just by registering in my site. That’s easier than breaking into someone else account.

    Customer wise my site doesn’t hold any really important info (card transactions are done in payment gateways sites). Thanks!

    • Nicola Mustone says:

      Hi Matias,
      It’s not safe because they can still access personal data of the customer, like their address, their email, their data in general from the shop.

      It may not be harmless, maybe they will only find out that the customer purchased a shirt, but why should they know? It’s their private account and nobody should be able to access it.

  16. Janmeet Singh says:

    It removes the password requirements at all, I just want the minimum required length to be 8 instead of 12.

  17. Ron says:

    Hi Nicola, thanks for sharing this code snippet.

    On the site where I implemented it, it works just as it should on the checkout page…

    However, on the registration page the registration button is disabled for any password less than medium strength. This is clearly a JavaScript script disabling the button until the password meets the requirements.

    Do you know of a way to disable that JavaScript too, or trick it so that it thinks the password is always medium strength or above? Also, is this how the login page works generally, or is it unique to the theme I am using?

    Thanks

    • Ron says:

      Update:
      Actually, I realize that the code snippet had no effect at all, whether on checkout or login page. I guess this was for an older version of woocommerce? I’m on version 3.x.

      I ended up using the code below. (I forgot the website where I got it from.)
      /**
       * Reduce the strength requirement on the WooCommerce password.
       *
       * Strength Settings
       * 3 = Strong (default)
       * 2 = Medium
       * 1 = Weak
       * 0 = Very Weak / Anything
       */
      function reduce_woocommerce_min_strength_requirement( $strength ) {
          return 1;
      }
      add_filter( 'woocommerce_min_password_strength', 'reduce_woocommerce_min_strength_requirement' );

      Basically, this allows you to set what is considered an acceptable password by WooCommerce. So you can set it to accept weak or very weak passwords.

      Still not the ideal solution, but it works to lower or remove password restrictions.

    • Nicola Mustone says:

      Hi,
      I’m not sure why the code is not working for you. It didn’t change for WooCommerce 3.0 and it should still work.

      Maybe there’s a conflict with the theme or another plugin?

      • Chris says:

        Not working for me on WooCommerce 3.x with Flatsome 3.5 Theme.

        It did work for me with WooCommerce 2.5 and Flatsome 2.9.

  18. Xander says:

    Hi Nicola. Thanks for the codes. I’d like to ask, if I want to set the minimum to 8 letters, how should I modify the code below accordingly?

    add_filter( 'woocommerce_min_password_strength', create_function( '', 'return 2;' ) );

    • Nicola Mustone says:

      Hey Xander,
      The strength meter does not check the complexity of the password based on the length only. It’s a different system. That code won’t change the minimum length for the password.

  19. Luke Cavanagh says:

    Why does WP load these three JS files on the front-end of homepage, if using WooCommerce, I can understand loading those on checkout and my account.

    /woocommerce/assets/js/frontend/password-strength-meter.min.js
    /wp-includes/js/zxcvbn-async.min.js
    /wp-admin/js/password-strength-meter.min.js

    Seems like a simple check if is_front_page() then not to load those JS assets on the front-end.

  20. Eire says:

    Can anyone confirm this works on WooCommerce 3.2.6 / WordPress 4.9.1

    The built-in password strength meter is just dreadful!

  21. Devon says:

    Hello,

    I am trying to use the following code snippet:

    add_filter( 'woocommerce_min_password_strength', create_function( '', 'return 8;' ) );

    But I can still register an account with a password less than 8 characters. Is there any way to make sure that the password being used during registration is at least 8 characters long?

  22. Yvan says:

    Awesome work, also found how2 change the labels with your help: https://nicola.blog/2016/02/16/change-the-password-strength-meter-labels/
    Now what I dunno is what exactly are strength 1&2 their requirements?
    I know from experience what 3 requires, but not 2 for ex., since I’ve lowered it, I wanted to update the label accordingly.
    Otherwise users might end up getting pretty annoyed 🙂
    PS: your ‘receive posts in mailbox’ checkbox, under the reply textfield, fails.
