How it works...

WordPress doesn't provide a password expiry feature, so we can't automatically expire or remove a user's password. Instead, we built a custom process: we define an expiry date for each password, ask the user to reset the password once that date has passed, and block logins until the reset is completed.

The first step is to add an expiry date to each user's password. WordPress assigns or changes a password on three events, so we have to set the expiry date on all three.

In step 2, we used the user_register action to call a custom function called wpcpp_ch12_register_password_expire_reset. This action is executed after creating a new user from the frontend or backend. So, we used the function to set 30 days as the expiry date using the date function of PHP. The first parameter to this function provides the current date while the strtotime('+1 month') parameter adds 30 days to the current date. Then we stored it in the wp_usermeta table with a key called wpccp_password_expire_date using the update_user_meta function.

In step 3, we used the after_password_reset action to call a custom function called wpcpp_ch12_password_expire_reset. WordPress executes this action after resetting the password. The code inside the function is similar to the code we used in the previous function for setting the expiry date. The only difference is that the callback function gets the user object as a parameter instead of the user ID, so we adjusted the code to get the user ID from the user object.

In step 4, we used the profile_update action to call a custom function called wpcpp_ch12_profile_update_password_expire_reset. WordPress executes this action on profile updates. This action is executed each time the profile is updated regardless of whether the user changes their password or not. Therefore, we used a conditional check to verify whether the password was changed using the following code:

if ( ! isset( $_POST['pass1'] ) || '' == $_POST['pass1'] ) {
    return;
}

The remaining code of this function is the same as we used in the user_register action.

In step 5, we used the WordPress authenticate action with a callback function called wpcpp_ch12_authenticate. This action is executed to verify the user login credentials. Inside the function, we retrieved the password expiry date for the user from the wp_usermeta table by using the get_user_meta function. Then, we checked whether the expiry date was empty. An empty value means that the user was created before we implemented this feature or that the password has not been changed. In that case, we add the expiry date and allow the user to log in.

If the expiry date is not empty, we check if the expiry date has already passed by comparing it with the current date. In such a case, we return a custom error using the WP_Error class with a message asking the user to reset the password using the given link. At this stage, the user will not be able to log in using the default backend login form.

Now, the password for each user will expire in 30 days. Then, the user will be asked to reset it when trying to log in from the backend login form.
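
The flow described in steps 4 and 5, as an added example that is not the book's code: the function names and the Y-m-d storage format are assumptions, while the meta key is the one the recipe names. It detects a password change by comparing stored hashes instead of reading $_POST, and registers the login check at priority 30 so that it runs only after core has verified the credentials.

```php
<?php
// Added example, not the book's code. Function names are hypothetical; the
// meta key is the one the recipe names. Assumes the expiry is stored as a
// 'Y-m-d' string (the recipe's exact date format is not shown here).
const EXAMPLE_EXPIRY_META = 'wpccp_password_expire_date';

function example_set_expiry( $user_id ) {
    // 30 days from now, matching the recipe's expiry window.
    update_user_meta( $user_id, EXAMPLE_EXPIRY_META, gmdate( 'Y-m-d', strtotime( '+30 days' ) ) );
}

// profile_update passes the pre-update user object, so a password change can
// be detected by comparing stored hashes rather than reading $_POST.
function example_profile_update( $user_id, $old_user_data ) {
    $new_user = get_userdata( $user_id );
    if ( $new_user && $new_user->user_pass !== $old_user_data->user_pass ) {
        example_set_expiry( $user_id );
    }
}
add_action( 'profile_update', 'example_profile_update', 10, 2 );

function example_enforce_expiry( $user, $username, $password ) {
    // Act only after core has verified the credentials. Earlier errors and
    // null pass through, so the expiry message never appears for a wrong password.
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }
    $expires = get_user_meta( $user->ID, EXAMPLE_EXPIRY_META, true );
    if ( empty( $expires ) ) {
        // Account predates the feature: start its 30-day window now.
        example_set_expiry( $user->ID );
        return $user;
    }
    $expires_ts = strtotime( (string) $expires );
    // Fail closed: an unparseable stored value is treated as expired.
    if ( false === $expires_ts || $expires_ts < time() ) {
        return new WP_Error(
            'example_password_expired',
            sprintf(
                'Your password has expired. <a href="%s">Reset it</a> to log in.',
                esc_url( wp_lostpassword_url() )
            )
        );
    }
    return $user;
}
// Priority 30 runs after core's username/password check at priority 20.
add_filter( 'authenticate', 'example_enforce_expiry', 30, 3 );
```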

Before moving on to the next recipe, remove or comment out the code added for this recipe.