WP-Safety

Force Password Change Security & Risk Analysis

wordpress.org/plugins/force-password-change

Require users to change their password on first login.

500 active installs v0.6 PHP + WP 3.2+ Updated Aug 10, 2020
passwordpasswordsregistrationuserusers
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Force Password Change Safe to Use in 2026?

Generally Safe

Score 85/100

Force Password Change has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago
Risk Assessment

The "force-password-change" v0.6 plugin exhibits an exceptionally strong security posture based on the provided static analysis. The complete absence of identified attack surface points, dangerous functions, SQL injection vulnerabilities, unescaped output, file operations, external HTTP requests, and security checks (nonces and capabilities) is remarkable. Taint analysis also shows zero flows, indicating no evident path for untrusted input to reach sensitive sinks. The plugin's history of zero known CVEs further reinforces this positive assessment, suggesting a history of secure development and maintenance. This plugin appears to be very robustly coded with security as a high priority.

Vulnerabilities
None known

Force Password Change Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Force Password Change Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
0
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0
Attack Surface

Force Password Change Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 6
actioninitforce-password-change.php:77
actionuser_registerforce-password-change.php:78
actionpersonal_options_updateforce-password-change.php:79
actiontemplate_redirectforce-password-change.php:80
actioncurrent_screenforce-password-change.php:81
actionadmin_noticesforce-password-change.php:82
Maintenance & Trust

Force Password Change Maintenance & Trust

Maintenance Signals

WordPress version tested5.5.18
Last updatedAug 10, 2020
PHP min version
Downloads15K

Community Trust

Rating80/100
Number of ratings4
Active installs500
Alternatives

Force Password Change Alternatives

Password Strength Settings for WooCommerce

Password Strength Settings for WooCommerce

wc-password-strength-settings

A
85

Help secure your WooCommerce site by enforcing stronger passwords and taking additional control of your strength requirements.

10K No CVEs
Expire User Passwords

Expire User Passwords

expire-user-passwords

A
100

Require certain users to change their passwords on a regular basis.

3K No CVEs
WordPass

WordPass

wordpass

A
85

Creates word-based passwords for WordPress.

30 No CVEs
New User Approve

New User Approve

new-user-approve

A
86

WordPress user approval plugin to moderate registrations. Approve or deny real users and prevent fake signups to control who registers on site.

20K 8 CVEs
Expire Users

Expire Users

expire-users

A
100

Set expiry dates for user logins.

4K No CVEs
Developer Profile

Force Password Change Developer Profile

Simon Blackbourn

5 plugins · 570 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Force Password Change

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes
error
FAQ

Frequently Asked Questions about Force Password Change