Nicola Mustone

Happiness Lead @ Automattic

Remove the password strength meter on the checkout page

With WooCommerce 2.5 a new feature has been added to the checkout page: the password strength meter.

If you allow customers to create an account from this page and they also choose their own password, they will see a password strength meter next to the password field.

Why is this useful?

The main reason is security.

If users select a strong password, not only are their accounts more secure, but also your website. Should someone get access to a user’s account with a weak password, they get access to much or all data on the website, compromising your security and users’ security as well.

I’ve heard many people complain about the strength meter. When it was added, we encountered an issue. If the password was not rated Strong, the ability to check out would be disabled. This resulted in less revenue for businesses, as customers would leave the website without purchasing anything. The WooCommerce Development Team applied a fix in version 2.5.1, so now everyone can check out, even with the weakest password. But some still complain.

So what to do?

You can completely remove the strength meter and restore the checkout process as it was before. To do this, add this function in your functions.php file in wp-content/themes/your-theme-name/:


function wc_ninja_remove_password_strength() {
if ( wp_script_is( 'wc-password-strength-meter', 'enqueued' ) ) {
wp_dequeue_script( 'wc-password-strength-meter' );
}
}
add_action( 'wp_print_scripts', 'wc_ninja_remove_password_strength', 100 );

view raw

functions.php

hosted with ❤ by GitHub

Props to Caleb Burks for the snippet.

As I said, the strength meter is an incentive for users to use strong passwords and have safe accounts. Remove it at your own risk.

Update 16th Feb. 2016: Do you want to change only its labels? Check this post!

Update 16th May 2017: You can adjust the minimum strength of a password by using this snippet:


add_filter( 'woocommerce_min_password_strength', create_function( '', 'return 2;' ) );

view raw

functions.php

hosted with ❤ by GitHub

The default minimum strength is 3, in the example I reduced it to 2.

, ,

More Posts That You Might Like…

74 responses to “Remove the password strength meter on the checkout page”

  1. Mike Jolley on WordPress.org

    […] I mentioned we’re adding a notice here, but for now you can disable it https://nicolamustone.com/2016/01/27/remove-the-password-strength-meter-on-the-checkout-page/ […]

    Reply
  2. DeathByDisco Avatar
    DeathByDisco

    Hi Nicola,

    i like the strength meter feature security wise. But i have the same problem.
    A lot of customers complain that they can’t checkout or register cuz they don’t realize that they need to use a at least medium strength password.

    The option to remove that option using your function is a temp. solution but i would prefer to keep the strength meter for security reason.

    Is there a way to add a hint ? for example rename the strength meter value ?

    Instead of displaying weak , or very weak i would like to display “your password is to weak to register an account! Please consider using a stronger password”

    or something like that. ?

    any idea ?

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi,
      there’s not an easy way to change the strings, they are not from WC, but from WordPress.

      The only way I think that could work is to dynamically change them with a JS script in your theme when they change. But also in this case, it won’t be easy.

      Reply
      1. Peter Netz Lassen Avatar
        Peter Netz Lassen

        Hi
        I also would like to change the “text” – At least translate it 🙂
        But I searched in every .mo.po file I have … Where can I change the text for the “pass meter”?

        (I don’t know JS, java) But I know “Cut’n’Paste” … 😉 and I can write text in Danish!!

        Thx mate – I appreciate your time

        Reply
        1. Nicola Mustone Avatar
          Nicola Mustone

          Hi Peter,
          like I sad in my reply to DeathByDisco you can’t translate the text from WooCommerce.

          The strings are from WordPress so you need to translate WordPress.

          Please check this link to get started: https://make.wordpress.org/polyglots/handbook/

  3. Roar Avatar
    Roar

    Thanks for this!

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      You’re welcome!

      Reply
  4. deryk Avatar
    deryk

    The strength just needs to be changed. I tried a password i use on somethings that is considered a strong password by most systems. has uppercase numbers and a symbol and is > 8 characters in length and it still wont let it be used. Ive disabled this feature on my sites because of it.

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi,
      I’d suggest you to open an issue here if you think that it should work differently: https://github.com/woothemes/woocommerce/issues

      Please make sure to explain why you think it’s wrong and how we should change it!

      Thank you!

      Reply
  5. Patrick Avatar
    Patrick

    How do I add this without breaking the functions.php file. I added it and messed it up.

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Make sure to add the code at the end of the functions.php file. If the file has this sign at the end: ?> add the code on a line before that sign.

      Reply
  6. Derek Scambler Avatar
    Derek Scambler

    Thanks for this Nicola, I am sure we have been losing business because of this.

    We have a lot of customers of the ‘older variety’ and the fact that I have struggled to create a strong password that is still memorable, I don’t hold out much hope for them. Also, why would someone want to spend over 10 mins trying to come up with something then the next time they come to the site not be able to remember it. It would certainly put me off.

    I’ve now removed the meter, with the snippet above, as even with the excellent code you have here: https://nicolamustone.com/2016/02/16/change-the-password-strength-meter-labels/ I think some customers would still struggle.

    I know nothing of code but I thought a good solution, if possible, would be to leave the meter on so customers could see the strength of the password but remove register block for less than medium strength…

    Thanks again!

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi Derek,
      Thanks for stopping by!

      I know nothing of code but I thought a good solution, if possible, would be to leave the meter on so customers could see the strength of the password but remove register block for less than medium strength…

      Actually we did this in the most recent version of WooCommerce. It tells you that your password is weak , but you can still register/checkout regardless of that.

      Reply
      1. Derek Scambler Avatar
        Derek Scambler

        Is there any way to remove the ‘Please enter a stronger password’ text as this may be where the confusion is. On my checkout page you need to scroll down to see the ‘place order’ button so I think people are still getting stuck here as it’s asking them to improve their password and they can’t see that they can checkout regardless.

        Also, do you know if you can override in the same way on the login/registration page, not just the checkout, as this still has the enforced good password?

        Thanks

        Reply
        1. Nicola Mustone Avatar
          Nicola Mustone

          Hi Derek,
          I updated this post including the script to change those strings as well. Check at the bottom of the article.

      2. Krystal Avatar
        Krystal

        On mine you can’t. It won’t allow registration to process.

        Reply
    2. Derek Scambler Avatar
      Derek Scambler

      Sorry, I forgot to point out this was for the login/registration page, no the checkout page as this is pretty much what you already have put in place!

      Reply
  7. larsa Avatar
    larsa

    hi plz help me

    how can Remove the password strength meter on the my-account regester user ?

    demo : https://larsa.ir/my-account

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi Iarsa,
      by using the snippet in this article it will be removed everywhere, both on My Account and Checkout pages.

      Reply
  8. Brian Avatar
    Brian

    Hi there, this works nicely for the checkout page, thanks and thanks Caleb, but seems to break the register form on the /my-account page for non-logged in users. The strength meter and labels don’t show but the register button never becomes clickable no matter what type of password is entered. Do you see this issue also?

    Reply
    1. Brian Avatar
      Brian

      hmmm..nevermind! It’s working on the register form for me now. Maybe something weird on my local dev

      Reply
  9. tracersa Avatar
    tracersa

    Thanks for this. This removed the password strength and validation entirely which means now password “1” is valid. Is there any way we can change the strength e.g instead of strong have a weak or medium password requirement??

    Reply
    1. tracersa Avatar
      tracersa

      or maybe change the password requirement?

      Reply
      1. Nicola Mustone Avatar
        Nicola Mustone

        Hi,
        yes, check this (last reply): https://wordpress.org/support/topic/woocommerce-password-strength-meter-too-high

        Reply
  10. Bota Lucian Avatar
    Bota Lucian

    Hey, I tried the code, but there was no effect 🙁
    http://www.toner.eurofinconsulting.ro/wp/my-account/

    Reply
  11. Chris Avatar
    Chris

    Thank you. That worked beautifully.

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      You’re welcome Chris!

      Reply
  12. Oren Avatar
    Oren

    Thanks a lot, very helpful!

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      You’re welcome Oren!

      Reply
  13. ranjan Avatar
    ranjan

    this is very nice tutorial
    i implemented in my website http://www.edhik.com

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi,
      Great! I’m happy you are using this!

      Reply
  14. Mike Avatar
    Mike

    I’m a little confused, the code snippet in the article remove just the meter, or does it remove the requirement for strong passwords? I want to remove the requirement altogether so customers can use the passwords they want to use

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi Mike,
      It removes the requirement of a strong password.

      Reply
  15. Barry Richards Avatar
    Barry Richards

    “The WooCommerce Development Team applied a fix in version 2.5.1, so now everyone can check out, even with the weakest password. But some still complain.”

    I don’t get it, I’m on version 2.6.1 and you can’t login with a weak password. Has to be at least medium.

    I don’t want to turn this off, I just want users to be able to choose a less complex password. But not something bleedingly obvious.

    Reply
  16. Grace Avatar
    Grace

    please am having the same issue at http://www.ebygold.com

    Reply
  17. drago Avatar
    drago

    But this is for some Ninja theme

    Can i give you access to my site and you add it 🙂
    Once i added something in functions php and site colapsed so i had to build it again

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi drago,
      I’m sorry but I can’t do this for you.

      You may want to contact one of the WooExperts here: https://woocommerce.com/wooexperts/

      Reply
  18. Christian Avatar
    Christian

    Hi Sir,

    is there any way to DISPLAY PASSWORD FIELDS in woocommerce checkout even if you’re already SIGNED IN???.. because the default is when you’re not into sign in mode.. password fields will display..

    is there any way into this problem?

    thanks..

    Reply
  19. nati Avatar
    nati

    thank you very much very helpfull

    Reply
  20. Vane Avatar
    Vane

    Hi,
    maybe a solution would be to be able to set password requirements for our site ( min. char number and char types required ).
    For example: I would disable the requirements for symbols, but I’d keep upper and lower caps and numbers. That’s much easier to remember…

    Reply
  21. suyash Avatar
    suyash

    thank you very much. It worked fine for me.

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      You’re welcome!

      Reply
  22. Minhaz Avatar
    Minhaz

    Hi nicola,

    I think password meter is very important for security issue on the site. But with woocommerce’s default password strength meter user get bored. Can I control the password length and the characters. Such as, I want minimum six characters with at least one number, one symbol and one letter.

    Especially a Thanks for your Woocommerce and Storefront.

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi Minhaz,
      You can reduce the requirements with this code:

      add_filter( 'woocommerce_min_password_strength', create_function( '', 'return 2;' ) );

      The current value is 3, the minimum is 1.

      Reply
  23. Derek Scambler Avatar
    Derek Scambler

    Hi Nicola, I applied this code and also the ‘Change password strength labels’ code (https://nicola.blog/2016/02/16/change-the-password-strength-meter-labels/) back in March last year. I didn’t check the ‘My Account’ page (but probably should have as I changed the text to ‘your password is weak but you can still CHECKOUT’… not really applicable on the my account page… silly me) but I have found out that although the ‘change password strength labels’ snippet of code has applied to the ‘My Account page’ the strength meter hasn’t.

    I am telling people that they should increase the strength of the password but it doesn’t matter as they can still proceed but the save button is greyed out until they create a strong password. I don’t know if this has always been the case of if something has changed in wordpress that has affected the outcome.

    The code works great on the checkout page but not for those who want to change their password or for those who want to create a new one as they have forgotten it.

    Is there anything else I could add so that it covers all areas that the strength meter operates?

    Thanks

    Derek

    Reply
    1. Derek Scambler Avatar
      Derek Scambler

      Please ignore me… I have been an idiot! I realise now that I haven’t applied both pieces of code, I must have opted for the label change code and that is why they can’t proceed on their account page or forgotten password page. I’ll make a decision now on whether to completely remove the strength meter or to reduce it’s requirements as you mentioned above.

      Thanks, Derek

      Reply
  24. Aakash Avatar
    Aakash

    thanku very much you don’t know how much you have help me…..

    Reply
  25. Susan Avatar
    Susan

    Hi Nicola,

    I used this script to remove the password strength meter as this script was generating an error in Google Search Console (as a blocked resource from /wp-admin folder).

    I checked this morning, and now I’m getting this error message (have changed client # and url):

    [Sun Mar 26 13:24:05.789746 2017] [apparmor:error] [pid 11924] (10)No child processes: [client 123.456.78.90:24667] Failed to change_hat to ‘HANDLING_UNTRUSTED_INPUT’, referer: https://mywebstore.com/cart/

    So I’ve deleted the remove password strength code.

    I’m just wondering what I may have done wrong based on this error message. I’d really like to clear up the script blocking issue, and customers don’t need to have user accounts (I’ve otherwise disabled them).

    Reply
    1. susan Avatar
      susan

      I read more comments, and today I put this code right before the closing php tag ?> — so far it seems to be ok.

      Reply
      1. Nicola Mustone Avatar
        Nicola Mustone

        Awesome! Glad it’s working now!

        Reply
  26. mide Avatar
    mide

    Thank you, we have lost a number of customer because registering was a struggle, and they didn’t know that they could checkout regardless. I have reduced the requirements. Thanks.

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      You’re welcome mide!

      Reply
  27. Matias Avatar
    Matias

    Hi, thanks for the snippet! I think the main issue is that it’s not clear anywhere that you can still checkout with a medium security password. I think everyone reads it and thinks they MUST use a high security password.

    I am going to ask something that perhaps is very basic: why it would represent a security threat for my site the fact that someone can log in a customer’s account?
    I mean, they would have the same access as any user with a customer role. The same access they could get just by registering in my site. That’s easier than breaking into someone else account.

    Customer wise my site doesn’t hold any really important info (card transactions are done in payment gateways sites). Thanks!

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi Matias,
      It’s not safe because they can still access personal data of the customer, like their address, their email, their data in general from the shop.

      It may not be harmless, maybe they will only find out that the customer purchased a shirt, but why should they know? It’s their private account and nobody should be able to access it.

      Reply
  28. Janmeet Singh Avatar
    Janmeet Singh

    It removes the password requirements at all, I just want the minimum required length to be 8 instead of 12.

    Reply
  29. Ron Avatar
    Ron

    Hi Nicola, thanks for sharing this code snippet.

    On the site where I implemented it, it works just as it should on the checkout page…

    However, on the registration page the registration button is disabled for any password less than medium strength. This is clearly a JavaScript script disabling the button until the password meets the requirements.

    Do you know of a way to disable that JavaScript too, or trick it so that it thinks the password is always medium strength or above? Also, is this how the login page works generally, or is it unique to the theme I am using?

    Thanks

    Reply
    1. Ron Avatar
      Ron

      Update:
      Actually, I realize that the code snippet had no effect at all, whether on checkout or login page. I guess this was for an older version of woocommerce? I’m on version 3.x.

      I ended up using the code below. (I forgot the website where I got it from.)
      /**
      *Reduce the strength requirement on the woocommerce password.
      *
      * Strength Settings
      * 3 = Strong (default)
      * 2 = Medium
      * 1 = Weak
      * 0 = Very Weak / Anything
      */
      function reduce_woocommerce_min_strength_requirement( $strength ) {
      return 1;
      }
      add_filter( ‘woocommerce_min_password_strength’, ‘reduce_woocommerce_min_strength_requirement’ );

      Basically, this allows you to set what is considered an acceptable password by WooCommerce. So you can set it to accept weak or very weak passwords.

      Still not the ideal solution, but it works to lower or remove password restrictions.

      Reply
    2. Nicola Mustone Avatar
      Nicola Mustone

      Hi,
      I’m not sure why the code is not working for you. It didn’t change for WooCommerce 3.0 and it should still work.

      Maybe there’s a conflict with the theme or another plugin?

      Reply
      1. Chris Avatar
        Chris

        Not working for me on WooCommerce 3.x with Flatsome 3.5 Theme.

        It did work for me with WooCommerce 2.5 and Flatsome 2.9.

        Reply
  30. Xander Avatar
    Xander

    Hi Nicola. Thanks for the codes. I’d like to ask, if I want to set the minimum to 8 letters, how should I modify the code below accordingly?

    add_filter( ‘woocommerce_min_password_strength’, create_function( ”, ‘return 2;’ ) );

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hey Xander,
      The strength meter does not check the complexity of the password based on the length only. It’s a different system. That code won’t change the minimum length for the password.

      Reply
  31. Luke Cavanagh Avatar
    Luke Cavanagh

    Why does WP load these three JS files on the front-end of homepage, if using WooCommerce, I can understand loading those on checkout and my account.

    /woocommerce/assets/js/frontend/password-strength-meter.min.js
    /wp-includes/js/zxcvbn-async.min.js
    /wp-admin/js/password-strength-meter.min.js

    Seems like a simple check if is_front_page() then not to load those JS assets on the front-end.

    Reply
    1. Haku Nguyen Avatar
      Haku Nguyen

      How can i disable those files (about 400KB) when WP load?

      Reply
  32. Bruno Pinna Avatar
    Bruno Pinna

    Hi Nicola, we agency are begin on woocommerce, and your solution are so helpul.
    worked perfecly here. Thanks!!!

    Regards from Mestre Search Brazil

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hey Bruno,
      I’m happy that you like my articles!

      Have a great weekend!

      Reply
  33. Eire Avatar
    Eire

    Can anyone confirm this works on WooCommerce 3.2.6 / WordPress 4.9.1

    The built-in password strength meter is just dreadful!

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi Eire,
      I just tested this on WooCommerce 3.2.6, WordPress 4.9.1 and the latest version of Storefront and it works properly for me.

      Reply
  34. ed. Avatar
    ed.

    Is this still working for woocommerce 3.3?

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Yes Ed,
      I just tested it on the latest version and it works.

      Reply
  35. Devon Avatar
    Devon

    Hello,

    I am trying to use the following code snippet:

    add_filter( ‘woocommerce_min_password_strength’, create_function( ”, ‘return 8;’ ) );

    But I can still register an account with a password less than 8 characters. Is there any way to make sure that the password being used during registration is at least 8 characters long?

    Reply
    1. Nicola Mustone Avatar
      Nicola Mustone

      Hi Devon,
      If that filter does not work you either put it in a wrong location (it should be at the end of functions.php in your theme’s folder, before the ?> sign if there’s one), or there’s some other issue like other filters overriding it or a bug in WooCommerce.

      In the last case, I suggest you contact the support at https://wordpress.org/support/plugin/woocommerce.

      Reply
  36. Yvan Avatar
    Yvan

    awesome work, also found how2 change the labels with your help;https://nicola.blog/2016/02/16/change-the-password-strength-meter-labels/
    Now what i dunno is what exactly are strength 1&2 their requirements?
    I know from experience what 3 requires, but not 2 for ex., since i’ve lowered it, i wanted to update the label accordingly.
    otherwise users might end up getting pretty annoyed 🙂
    ps your ‘receive posts in mailbox’ checkbox, under the reply textfield, fails.

    Reply
  37. Samir Avatar
    Samir

    How can I remove the password strength meter from the entire WordPress website?

    It is almost taking wp-includes/js/zxcvbn.min.js 400KB of space. I am not using woocommerce plugin.

    Reply
  38. cal Avatar
    cal

    The options listed in the article didn’t work for me. My theme uses wp_enqueue_scripts so here is my setup that got me rid of the password-strength-meter completely….

    BUT…it produced a 404 error and causes a 1 second delay loading the page. Pretty much cancels out the entire point of removing the script (site speed improvement)

    I don’t want the Javascript for the strength meter to load at all. I want it completely gone to decrease the page size and improve speed. If someone is stupid enough to make their pw 1234 then its their own fault.

    Can someone please help???

    function my_add_frontend_scripts() {
    // Deregister script about password strenght meter ~ 800kb
    wp_dequeue_script('wc-password-strength-meter');
    wp_deregister_script('wc-password-strength-meter');

    wp_register_script('custom-script', get_stylesheet_directory_uri().'/custom-script.js', array('jquery'), 1, false );
    wp_enqueue_script('custom-script');
    }

    add_action(‘wp_enqueue_scripts’, ‘my_add_frontend_scripts’);

    Reply

Leave a Reply

Recent Posts

Categories

Newsletter

Receive new articles from this blog directly in your inbox!

No spam guaranteed!

Blog at WordPress.com.

%d bloggers like this: