Remove the password strength meter on the checkout page
With WooCommerce 2.5 a new feature has been added to the checkout page: the password strength meter.
If you allow customers to create an account from this page and they also choose their own password, they will see a password strength meter next to the password field.
Why is this useful?
The main reason is security.
If users select a strong password, not only are their accounts more secure, but also your website. Should someone get access to a user’s account with a weak password, they get access to much or all data on the website, compromising your security and users’ security as well.
I’ve heard many people complain about the strength meter. When it was added, we encountered an issue. If the password was not rated Strong, the ability to check out would be disabled. This resulted in less revenue for businesses, as customers would leave the website without purchasing anything. The WooCommerce Development Team applied a fix in version 2.5.1, so now everyone can check out, even with the weakest password. But some still complain.
So what to do?
You can completely remove the strength meter and restore the checkout process as it was before. To do this, add this function in your functions.php file in wp-content/themes/your-theme-name/:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function wc_ninja_remove_password_strength() { | |
| if ( wp_script_is( 'wc-password-strength-meter', 'enqueued' ) ) { | |
| wp_dequeue_script( 'wc-password-strength-meter' ); | |
| } | |
| } | |
| add_action( 'wp_print_scripts', 'wc_ninja_remove_password_strength', 100 ); |
Props to Caleb Burks for the snippet.
As I said, the strength meter is an incentive for users to use strong passwords and have safe accounts. Remove it at your own risk.
Update 16th Feb. 2016: Do you want to change only its labels? Check this post!
Update 16th May 2017: You can adjust the minimum strength of a password by using this snippet:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| add_filter( 'woocommerce_min_password_strength', create_function( '', 'return 2;' ) ); |
The default minimum strength is 3, in the example I reduced it to 2.
Hi Nicola,
i like the strength meter feature security wise. But i have the same problem.
A lot of customers complain that they can’t checkout or register cuz they don’t realize that they need to use a at least medium strength password.
The option to remove that option using your function is a temp. solution but i would prefer to keep the strength meter for security reason.
Is there a way to add a hint ? for example rename the strength meter value ?
Instead of displaying weak , or very weak i would like to display “your password is to weak to register an account! Please consider using a stronger password”
or something like that. ?
any idea ?
Hi,
there’s not an easy way to change the strings, they are not from WC, but from WordPress.
The only way I think that could work is to dynamically change them with a JS script in your theme when they change. But also in this case, it won’t be easy.
Hi
I also would like to change the “text” – At least translate it 🙂
But I searched in every .mo.po file I have … Where can I change the text for the “pass meter”?
(I don’t know JS, java) But I know “Cut’n’Paste” … 😉 and I can write text in Danish!!
Thx mate – I appreciate your time
Hi Peter,
like I sad in my reply to DeathByDisco you can’t translate the text from WooCommerce.
The strings are from WordPress so you need to translate WordPress.
Please check this link to get started: https://make.wordpress.org/polyglots/handbook/
Thanks for this!
You’re welcome!
The strength just needs to be changed. I tried a password i use on somethings that is considered a strong password by most systems. has uppercase numbers and a symbol and is > 8 characters in length and it still wont let it be used. Ive disabled this feature on my sites because of it.
Hi,
I’d suggest you to open an issue here if you think that it should work differently: https://github.com/woothemes/woocommerce/issues
Please make sure to explain why you think it’s wrong and how we should change it!
Thank you!
How do I add this without breaking the functions.php file. I added it and messed it up.
Make sure to add the code at the end of the
functions.phpfile. If the file has this sign at the end:?>add the code on a line before that sign.Thanks for this Nicola, I am sure we have been losing business because of this.
We have a lot of customers of the ‘older variety’ and the fact that I have struggled to create a strong password that is still memorable, I don’t hold out much hope for them. Also, why would someone want to spend over 10 mins trying to come up with something then the next time they come to the site not be able to remember it. It would certainly put me off.
I’ve now removed the meter, with the snippet above, as even with the excellent code you have here: https://nicolamustone.com/2016/02/16/change-the-password-strength-meter-labels/ I think some customers would still struggle.
I know nothing of code but I thought a good solution, if possible, would be to leave the meter on so customers could see the strength of the password but remove register block for less than medium strength…
Thanks again!
Hi Derek,
Thanks for stopping by!
Actually we did this in the most recent version of WooCommerce. It tells you that your password is weak , but you can still register/checkout regardless of that.
Is there any way to remove the ‘Please enter a stronger password’ text as this may be where the confusion is. On my checkout page you need to scroll down to see the ‘place order’ button so I think people are still getting stuck here as it’s asking them to improve their password and they can’t see that they can checkout regardless.
Also, do you know if you can override in the same way on the login/registration page, not just the checkout, as this still has the enforced good password?
Thanks
Hi Derek,
I updated this post including the script to change those strings as well. Check at the bottom of the article.
On mine you can’t. It won’t allow registration to process.
Sorry, I forgot to point out this was for the login/registration page, no the checkout page as this is pretty much what you already have put in place!
hi plz help me
how can Remove the password strength meter on the my-account regester user ?
demo : https://larsa.ir/my-account
Hi Iarsa,
by using the snippet in this article it will be removed everywhere, both on My Account and Checkout pages.
Hi there, this works nicely for the checkout page, thanks and thanks Caleb, but seems to break the register form on the /my-account page for non-logged in users. The strength meter and labels don’t show but the register button never becomes clickable no matter what type of password is entered. Do you see this issue also?
hmmm..nevermind! It’s working on the register form for me now. Maybe something weird on my local dev
Thanks for this. This removed the password strength and validation entirely which means now password “1” is valid. Is there any way we can change the strength e.g instead of strong have a weak or medium password requirement??
or maybe change the password requirement?
Hi,
yes, check this (last reply): https://wordpress.org/support/topic/woocommerce-password-strength-meter-too-high
Hey, I tried the code, but there was no effect 🙁
http://www.toner.eurofinconsulting.ro/wp/my-account/
Thank you. That worked beautifully.
You’re welcome Chris!
Thanks a lot, very helpful!
You’re welcome Oren!
this is very nice tutorial
i implemented in my website http://www.edhik.com
Hi,
Great! I’m happy you are using this!
I’m a little confused, the code snippet in the article remove just the meter, or does it remove the requirement for strong passwords? I want to remove the requirement altogether so customers can use the passwords they want to use
Hi Mike,
It removes the requirement of a strong password.
“The WooCommerce Development Team applied a fix in version 2.5.1, so now everyone can check out, even with the weakest password. But some still complain.”
I don’t get it, I’m on version 2.6.1 and you can’t login with a weak password. Has to be at least medium.
I don’t want to turn this off, I just want users to be able to choose a less complex password. But not something bleedingly obvious.
please am having the same issue at http://www.ebygold.com
But this is for some Ninja theme
Can i give you access to my site and you add it 🙂
Once i added something in functions php and site colapsed so i had to build it again
Hi drago,
I’m sorry but I can’t do this for you.
You may want to contact one of the WooExperts here: https://woocommerce.com/wooexperts/
Hi Sir,
is there any way to DISPLAY PASSWORD FIELDS in woocommerce checkout even if you’re already SIGNED IN???.. because the default is when you’re not into sign in mode.. password fields will display..
is there any way into this problem?
thanks..
thank you very much very helpfull
Hi,
maybe a solution would be to be able to set password requirements for our site ( min. char number and char types required ).
For example: I would disable the requirements for symbols, but I’d keep upper and lower caps and numbers. That’s much easier to remember…
thank you very much. It worked fine for me.
You’re welcome!
Hi nicola,
I think password meter is very important for security issue on the site. But with woocommerce’s default password strength meter user get bored. Can I control the password length and the characters. Such as, I want minimum six characters with at least one number, one symbol and one letter.
Especially a Thanks for your Woocommerce and Storefront.
Hi Minhaz,
You can reduce the requirements with this code:
The current value is
3, the minimum is1.Hi Nicola, I applied this code and also the ‘Change password strength labels’ code (https://nicola.blog/2016/02/16/change-the-password-strength-meter-labels/) back in March last year. I didn’t check the ‘My Account’ page (but probably should have as I changed the text to ‘your password is weak but you can still CHECKOUT’… not really applicable on the my account page… silly me) but I have found out that although the ‘change password strength labels’ snippet of code has applied to the ‘My Account page’ the strength meter hasn’t.
I am telling people that they should increase the strength of the password but it doesn’t matter as they can still proceed but the save button is greyed out until they create a strong password. I don’t know if this has always been the case of if something has changed in wordpress that has affected the outcome.
The code works great on the checkout page but not for those who want to change their password or for those who want to create a new one as they have forgotten it.
Is there anything else I could add so that it covers all areas that the strength meter operates?
Thanks
Derek
Please ignore me… I have been an idiot! I realise now that I haven’t applied both pieces of code, I must have opted for the label change code and that is why they can’t proceed on their account page or forgotten password page. I’ll make a decision now on whether to completely remove the strength meter or to reduce it’s requirements as you mentioned above.
Thanks, Derek
thanku very much you don’t know how much you have help me…..
Hi Nicola,
I used this script to remove the password strength meter as this script was generating an error in Google Search Console (as a blocked resource from /wp-admin folder).
I checked this morning, and now I’m getting this error message (have changed client # and url):
[Sun Mar 26 13:24:05.789746 2017] [apparmor:error] [pid 11924] (10)No child processes: [client 123.456.78.90:24667] Failed to change_hat to ‘HANDLING_UNTRUSTED_INPUT’, referer: https://mywebstore.com/cart/
So I’ve deleted the remove password strength code.
I’m just wondering what I may have done wrong based on this error message. I’d really like to clear up the script blocking issue, and customers don’t need to have user accounts (I’ve otherwise disabled them).
I read more comments, and today I put this code right before the closing php tag ?> — so far it seems to be ok.
Awesome! Glad it’s working now!
Thank you, we have lost a number of customer because registering was a struggle, and they didn’t know that they could checkout regardless. I have reduced the requirements. Thanks.
You’re welcome mide!
Hi, thanks for the snippet! I think the main issue is that it’s not clear anywhere that you can still checkout with a medium security password. I think everyone reads it and thinks they MUST use a high security password.
I am going to ask something that perhaps is very basic: why it would represent a security threat for my site the fact that someone can log in a customer’s account?
I mean, they would have the same access as any user with a customer role. The same access they could get just by registering in my site. That’s easier than breaking into someone else account.
Customer wise my site doesn’t hold any really important info (card transactions are done in payment gateways sites). Thanks!
Hi Matias,
It’s not safe because they can still access personal data of the customer, like their address, their email, their data in general from the shop.
It may not be harmless, maybe they will only find out that the customer purchased a shirt, but why should they know? It’s their private account and nobody should be able to access it.
It removes the password requirements at all, I just want the minimum required length to be 8 instead of 12.
Hi Nicola, thanks for sharing this code snippet.
On the site where I implemented it, it works just as it should on the checkout page…
However, on the registration page the registration button is disabled for any password less than medium strength. This is clearly a JavaScript script disabling the button until the password meets the requirements.
Do you know of a way to disable that JavaScript too, or trick it so that it thinks the password is always medium strength or above? Also, is this how the login page works generally, or is it unique to the theme I am using?
Thanks
Update:
Actually, I realize that the code snippet had no effect at all, whether on checkout or login page. I guess this was for an older version of woocommerce? I’m on version 3.x.
I ended up using the code below. (I forgot the website where I got it from.)
/**
*Reduce the strength requirement on the woocommerce password.
*
* Strength Settings
* 3 = Strong (default)
* 2 = Medium
* 1 = Weak
* 0 = Very Weak / Anything
*/
function reduce_woocommerce_min_strength_requirement( $strength ) {
return 1;
}
add_filter( ‘woocommerce_min_password_strength’, ‘reduce_woocommerce_min_strength_requirement’ );
Basically, this allows you to set what is considered an acceptable password by WooCommerce. So you can set it to accept weak or very weak passwords.
Still not the ideal solution, but it works to lower or remove password restrictions.
Hi,
I’m not sure why the code is not working for you. It didn’t change for WooCommerce 3.0 and it should still work.
Maybe there’s a conflict with the theme or another plugin?
Not working for me on WooCommerce 3.x with Flatsome 3.5 Theme.
It did work for me with WooCommerce 2.5 and Flatsome 2.9.
Hi Nicola. Thanks for the codes. I’d like to ask, if I want to set the minimum to 8 letters, how should I modify the code below accordingly?
add_filter( ‘woocommerce_min_password_strength’, create_function( ”, ‘return 2;’ ) );
Hey Xander,
The strength meter does not check the complexity of the password based on the length only. It’s a different system. That code won’t change the minimum length for the password.
Why does WP load these three JS files on the front-end of homepage, if using WooCommerce, I can understand loading those on checkout and my account.
/woocommerce/assets/js/frontend/password-strength-meter.min.js
/wp-includes/js/zxcvbn-async.min.js
/wp-admin/js/password-strength-meter.min.js
Seems like a simple check if is_front_page() then not to load those JS assets on the front-end.
How can i disable those files (about 400KB) when WP load?
Hi Nicola, we agency are begin on woocommerce, and your solution are so helpul.
worked perfecly here. Thanks!!!
Regards from Mestre Search Brazil
Hey Bruno,
I’m happy that you like my articles!
Have a great weekend!
Can anyone confirm this works on WooCommerce 3.2.6 / WordPress 4.9.1
The built-in password strength meter is just dreadful!
Hi Eire,
I just tested this on WooCommerce 3.2.6, WordPress 4.9.1 and the latest version of Storefront and it works properly for me.
Is this still working for woocommerce 3.3?
Yes Ed,
I just tested it on the latest version and it works.
Hello,
I am trying to use the following code snippet:
add_filter( ‘woocommerce_min_password_strength’, create_function( ”, ‘return 8;’ ) );
But I can still register an account with a password less than 8 characters. Is there any way to make sure that the password being used during registration is at least 8 characters long?
Hi Devon,
If that filter does not work you either put it in a wrong location (it should be at the end of functions.php in your theme’s folder, before the
?>sign if there’s one), or there’s some other issue like other filters overriding it or a bug in WooCommerce.In the last case, I suggest you contact the support at https://wordpress.org/support/plugin/woocommerce.
awesome work, also found how2 change the labels with your help;https://nicola.blog/2016/02/16/change-the-password-strength-meter-labels/
Now what i dunno is what exactly are strength 1&2 their requirements?
I know from experience what 3 requires, but not 2 for ex., since i’ve lowered it, i wanted to update the label accordingly.
otherwise users might end up getting pretty annoyed 🙂
ps your ‘receive posts in mailbox’ checkbox, under the reply textfield, fails.
How can I remove the password strength meter from the entire WordPress website?
It is almost taking wp-includes/js/zxcvbn.min.js 400KB of space. I am not using woocommerce plugin.
The options listed in the article didn’t work for me. My theme uses wp_enqueue_scripts so here is my setup that got me rid of the password-strength-meter completely….
BUT…it produced a 404 error and causes a 1 second delay loading the page. Pretty much cancels out the entire point of removing the script (site speed improvement)
I don’t want the Javascript for the strength meter to load at all. I want it completely gone to decrease the page size and improve speed. If someone is stupid enough to make their pw 1234 then its their own fault.
Can someone please help???
function my_add_frontend_scripts() {// Deregister script about password strenght meter ~ 800kb
wp_dequeue_script('wc-password-strength-meter');
wp_deregister_script('wc-password-strength-meter');
wp_register_script('custom-script', get_stylesheet_directory_uri().'/custom-script.js', array('jquery'), 1, false );
wp_enqueue_script('custom-script');
}
add_action(‘wp_enqueue_scripts’, ‘my_add_frontend_scripts’);