The WooCommerce password strength meter is good for security, but it is bad for some checkouts.
Quick Summary
- The WooCommerce password strength meter improves security but often adds friction and hurts checkout completion.
- You can remove the password strength meter entirely by dequeuing
wc-password-strength-meter, or keep it and lower the required strength viawoocommerce_min_password_strength. - If you relax or remove it, add a short hint near the password field encouraging unique, non-reused passwords.
AI-generated summary based on the text of the article and checked by the author. Read more about how BUT. Honestly uses AI.
Table of Contents
If you run a store, you sit in the middle of that trade-off. You want customers to use strong passwords because a compromised account exposes order data, addresses, and emails. At the same time, you do not want people to get stuck at the most fragile step in your funnel: creating an account while paying.
The strength meter is one more thing that can go wrong there.
There are two solutions to this: you can either remove the meter or keep it and tell WooCommerce to be less strict.
Why the WooCommerce Password Strength Meter Exists
WooCommerce uses the same password strength logic as WordPress core, powered by Dropbox’s zxcvbn library. The script handle is wc-password-strength-meter, and WooCommerce loads it on forms where customers choose a password, such as checkout and My Account.
By default, WooCommerce requires a password with a minimum “strength” value. Internally that strength is a number. Historically it is:
0Very weak1Weak2Medium3Strong (default)4Very strong (rarely used, but supported)
The goal is simple: give people feedback like “Weak” or “Strong” and stop them from using password123.
From a security perspective, this is sensible. Weak passwords are still one of the easiest ways into an account.
Why People Still Hate It
The complaints have not changed much since 2016, when the password strength meter was first introduced in WooCommerce 2.5 “Dashing Dolphin”.
- Customers see a red or orange “Weak” label and assume they are blocked.
- The meter can be confusing if you use human words like “MyRedHouse!” and the bar still says “Medium”.
- On mobile, fiddling with special characters in a masked field is annoying.
Developers and store owners have been dequeueing this script or lowering the required strength for years exactly because of this friction.
If your audience is not especially technical, a very strict meter may not be worth the drop in completed orders.
You are about to edit PHP. Even a missing semicolon can break your site. Before you make any code changes, have a backup of your site. This will help you restore things if something goes wrong. I recommend using Jetpack Backup for real-time backups and one-click restores.
Once that is in place, you can decide how opinionated you want to be about passwords.
Option 1: Remove the Password Strength Meter Everywhere
This option removes the password strength meter script from all WooCommerce frontend forms. Customers will no longer see the bar or the “Weak / Strong” labels. Passwords will still need to pass basic WordPress checks, but WooCommerce will not add extra rules.
Disclaimer: I do not recommend completely removing the WooCommerce password strength meter. Doing so makes it easier for customers and store admins to use weak or reused passwords, which in turn increases the risk of account takeover, fraudulent orders, and data exposure. From this 2023 analysis, the main entry vector for compromised websites was leaked credentials or brute-force of weak passwords.
If you decide to relax the meter or customize its behavior, you do so at your own risk and you should consider compensating protections such as two-factor authentication, rate limiting, and good user access hygiene.
Add this to your theme’s functions.php or to a small functionality plugin:
/**
* @snippet WooCommerce Password Strength Meter: Keep It or Remove It
* @author Nicola Mustone
* @author_url https://buthonestly.io/programming/woocommerce-password-strength-meter-checkout/
* @tested-up-to WooCommerce 10.3.X
* @license GPLv2
*/
function bh_remove_woocommerce_password_strength_meter() {
if ( wp_script_is( 'wc-password-strength-meter', 'enqueued' ) ) {
wp_dequeue_script( 'wc-password-strength-meter' );
}
}
add_action( 'wp_enqueue_scripts', 'bh_remove_woocommerce_password_strength_meter', 100 );
This snippet has been used since the early WooCommerce 2.x days and still works with current WooCommerce because the script handle is the same.
What this does in practice:
- Checkout: customers can create an account without seeing any strength bar
- My Account: no strength meter when changing passwords
- Registration and reset forms: same story
You get the least friction at the cost of losing an explicit nudge toward safer passwords.
If you do this, I recommend nudging your customers in another way, for example:
“Use a unique password you do not use anywhere else.”
This kind of hint is cheap to add and still better than nothing. To do that, put this in your theme’s functions.php or a small custom plugin:
/**
* @snippet WooCommerce Password Strength Meter: Keep It or Remove It
* @author Nicola Mustone
* @author_url https://buthonestly.io/programming/woocommerce-password-strength-meter-checkout/
* @tested-up-to WooCommerce 10.3.X
* @license GPLv2
*/
function bh_checkout_password_hint( $fields ) {
if ( isset( $fields['account']['account_password'] ) ) {
$fields['account']['account_password']['description'] = __( 'Use a unique password you do not use anywhere else.', 'your-textdomain' );
}
return $fields;
}
add_filter( 'woocommerce_checkout_fields', 'bh_checkout_password_hint' );
function bh_account_password_hint() {
echo '<p class="woocommerce-password-hint">';
echo esc_html__( 'Use a unique password you do not use anywhere else.', 'your-textdomain' );
echo '</p>';
}
add_action( 'woocommerce_edit_account_form', 'bh_account_password_hint', 5 );
What this does:
- Targets the “Create account password” field at checkout.
- Adds a small description line under the field with your hint.
- Prints a paragraph near the top of the account edit form. You can move it up or down by adjusting the priority
5if you want it to appear later.
You can change the text inside __() to whatever you want.
Option 2: Keep the Meter, but Relax the Rule
If you are in favor of the meter but hate how strict it is, you do not have to remove the script. WooCommerce exposes a filter that lets you choose your WooCommerce password strength requirements: woocommerce_min_password_strength.
Add this to functions.php:
/**
* @snippet WooCommerce Password Strength Meter: Keep It or Remove It
* @author Nicola Mustone
* @author_url https://buthonestly.io/programming/woocommerce-password-strength-meter-checkout/
* @tested-up-to WooCommerce 10.3.X
* @license GPLv2
*/
function bh_woocommerce_min_password_strength( $strength ) {
// 4 = Very strong (hardest)
// 3 = Strong (WooCommerce default)
// 2 = Medium
// 1 = Weak
// 0 = Very weak / anything
return 2; // Accept Medium and above.
}
add_filter( 'woocommerce_min_password_strength', 'bh_woocommerce_min_password_strength' );
A few ideas for values to return:
3if your audience is technical and uses password managers2if you want a balance between security and fewer support questions1or0if conversion is your top priority and your risk is low
The meter stays visible, which helps people at least think about password quality. It simply stops being a hard wall for everyone who cannot be bothered to generate a 30-character monster.
Option 3: Use a Plugin Instead of Code
If you would rather not touch PHP at all, there are also general password strength plugins for WooCommerce. For example, plugins like Password Strength Requirements for WooCommerce or Password Strength Settings for WooCommerce expose options for minimum length, numbers, and special characters directly in the admin.
The trade-off is that you add another plugin to maintain, and some of these tools lag behind WooCommerce core versions. Always check:
- Last updated date (for both of these it’s already 1 year ago as of today)
- Tested up to which WordPress and WooCommerce version
- Number of active installs and recent reviews
If you are comfortable editing functions.php, I would still take the code route. It is one small function, easy to track in version control, and does not depend on a third party.
How to Decide What to Do
There is no universal right answer for WooCommerce password strength. There is only what makes sense for your store.
Some simple heuristics:
- High-risk, high-value data. You store sensitive data or operate in a regulated space → Keep the meter and stay at
3or higher. - Average shop, non-technical audience. You sell physical goods, payments go through a gateway, and your users struggle with accounts → Lower the requirement to
2and watch checkout completion. - Ultra-casual, low-risk shop. You sell something low risk to a mainstream audience, and you measure a clear drop at the account step → Consider going to
1or removing the meter and compensate with good operational security and clear messaging.
Whatever you choose, make it a deliberate decision, not an accident of whichever WooCommerce version you installed years ago.
The strength meter is useful. It is not free. You pay for it with extra friction at the exact moment a customer is trying to pay you.
If that cost is acceptable, keep it. If it is not, now you know how to turn it down.
Read the Comments
By joining the conversation you are accepting our T&C. Conversations must be kept on the topic of the essay.
[…] I mentioned we’re adding a notice here, but for now you can disable it https://nicolamustone.com/2016/01/27/remove-the-password-strength-meter-on-the-checkout-page/ […]
Hi Nicola,
i like the strength meter feature security wise. But i have the same problem.
A lot of customers complain that they can’t checkout or register cuz they don’t realize that they need to use a at least medium strength password.
The option to remove that option using your function is a temp. solution but i would prefer to keep the strength meter for security reason.
Is there a way to add a hint ? for example rename the strength meter value ?
Instead of displaying weak , or very weak i would like to display “your password is to weak to register an account! Please consider using a stronger password”
or something like that. ?
any idea ?
Hi,
there’s not an easy way to change the strings, they are not from WC, but from WordPress.
The only way I think that could work is to dynamically change them with a JS script in your theme when they change. But also in this case, it won’t be easy.
Hi
I also would like to change the “text” – At least translate it 🙂
But I searched in every .mo.po file I have … Where can I change the text for the “pass meter”?
(I don’t know JS, java) But I know “Cut’n’Paste” … 😉 and I can write text in Danish!!
Thx mate – I appreciate your time
Hi Peter,
like I sad in my reply to DeathByDisco you can’t translate the text from WooCommerce.
The strings are from WordPress so you need to translate WordPress.
Please check this link to get started: https://make.wordpress.org/polyglots/handbook/
Thanks for this!
You’re welcome!
The strength just needs to be changed. I tried a password i use on somethings that is considered a strong password by most systems. has uppercase numbers and a symbol and is > 8 characters in length and it still wont let it be used. Ive disabled this feature on my sites because of it.
Hi,
I’d suggest you to open an issue here if you think that it should work differently: https://github.com/woothemes/woocommerce/issues
Please make sure to explain why you think it’s wrong and how we should change it!
Thank you!
How do I add this without breaking the functions.php file. I added it and messed it up.
Make sure to add the code at the end of the
functions.phpfile. If the file has this sign at the end:?>add the code on a line before that sign.Thanks for this Nicola, I am sure we have been losing business because of this.
We have a lot of customers of the ‘older variety’ and the fact that I have struggled to create a strong password that is still memorable, I don’t hold out much hope for them. Also, why would someone want to spend over 10 mins trying to come up with something then the next time they come to the site not be able to remember it. It would certainly put me off.
I’ve now removed the meter, with the snippet above, as even with the excellent code you have here: nicolamustone.com/2016/02/16/change-the-password-strength-meter-labels/ I think some customers would still struggle.
I know nothing of code but I thought a good solution, if possible, would be to leave the meter on so customers could see the strength of the password but remove register block for less than medium strength…
Thanks again!
Hi Derek,
Thanks for stopping by!
Actually we did this in the most recent version of WooCommerce. It tells you that your password is weak , but you can still register/checkout regardless of that.
Is there any way to remove the ‘Please enter a stronger password’ text as this may be where the confusion is. On my checkout page you need to scroll down to see the ‘place order’ button so I think people are still getting stuck here as it’s asking them to improve their password and they can’t see that they can checkout regardless.
Also, do you know if you can override in the same way on the login/registration page, not just the checkout, as this still has the enforced good password?
Thanks
Hi Derek,
I updated this post including the script to change those strings as well. Check at the bottom of the article.
On mine you can’t. It won’t allow registration to process.
Sorry, I forgot to point out this was for the login/registration page, no the checkout page as this is pretty much what you already have put in place!
hi plz help me
how can Remove the password strength meter on the my-account regester user ?
demo : https://larsa.ir/my-account
Hi Iarsa,
by using the snippet in this article it will be removed everywhere, both on My Account and Checkout pages.
Hi there, this works nicely for the checkout page, thanks and thanks Caleb, but seems to break the register form on the /my-account page for non-logged in users. The strength meter and labels don’t show but the register button never becomes clickable no matter what type of password is entered. Do you see this issue also?
hmmm..nevermind! It’s working on the register form for me now. Maybe something weird on my local dev
Thanks for this. This removed the password strength and validation entirely which means now password “1” is valid. Is there any way we can change the strength e.g instead of strong have a weak or medium password requirement??
or maybe change the password requirement?
Hi,
yes, check this (last reply): https://wordpress.org/support/topic/woocommerce-password-strength-meter-too-high
Hey, I tried the code, but there was no effect 🙁
http://www.toner.eurofinconsulting.ro/wp/my-account/
Thank you. That worked beautifully.
You’re welcome Chris!
Thanks a lot, very helpful!
You’re welcome Oren!
this is very nice tutorial
i implemented in my website
Hi,
Great! I’m happy you are using this!
I’m a little confused, the code snippet in the article remove just the meter, or does it remove the requirement for strong passwords? I want to remove the requirement altogether so customers can use the passwords they want to use
Hi Mike,
It removes the requirement of a strong password.
“The WooCommerce Development Team applied a fix in version 2.5.1, so now everyone can check out, even with the weakest password. But some still complain.”
I don’t get it, I’m on version 2.6.1 and you can’t login with a weak password. Has to be at least medium.
I don’t want to turn this off, I just want users to be able to choose a less complex password. But not something bleedingly obvious.
please am having the same issue at http://www.ebygold.com
But this is for some Ninja theme
Can i give you access to my site and you add it 🙂
Once i added something in functions php and site colapsed so i had to build it again
Hi drago,
I’m sorry but I can’t do this for you.
You may want to contact one of the WooExperts here: https://woocommerce.com/wooexperts/
Hi Sir,
is there any way to DISPLAY PASSWORD FIELDS in woocommerce checkout even if you’re already SIGNED IN???.. because the default is when you’re not into sign in mode.. password fields will display..
is there any way into this problem?
thanks..
thank you very much very helpfull
Hi,
maybe a solution would be to be able to set password requirements for our site ( min. char number and char types required ).
For example: I would disable the requirements for symbols, but I’d keep upper and lower caps and numbers. That’s much easier to remember…
thank you very much. It worked fine for me.
You’re welcome!
Hi nicola,
I think password meter is very important for security issue on the site. But with woocommerce’s default password strength meter user get bored. Can I control the password length and the characters. Such as, I want minimum six characters with at least one number, one symbol and one letter.
Especially a Thanks for your Woocommerce and Storefront.
Hi Minhaz,
You can reduce the requirements with this code:
The current value is
3, the minimum is1.Hi Nicola, I applied this code and also the ‘Change password strength labels’ code (https://nicolamustone.blog/2016/02/16/change-the-password-strength-meter-labels/) back in March last year. I didn’t check the ‘My Account’ page (but probably should have as I changed the text to ‘your password is weak but you can still CHECKOUT’… not really applicable on the my account page… silly me) but I have found out that although the ‘change password strength labels’ snippet of code has applied to the ‘My Account page’ the strength meter hasn’t.
I am telling people that they should increase the strength of the password but it doesn’t matter as they can still proceed but the save button is greyed out until they create a strong password. I don’t know if this has always been the case of if something has changed in wordpress that has affected the outcome.
The code works great on the checkout page but not for those who want to change their password or for those who want to create a new one as they have forgotten it.
Is there anything else I could add so that it covers all areas that the strength meter operates?
Thanks
Derek
Please ignore me… I have been an idiot! I realise now that I haven’t applied both pieces of code, I must have opted for the label change code and that is why they can’t proceed on their account page or forgotten password page. I’ll make a decision now on whether to completely remove the strength meter or to reduce it’s requirements as you mentioned above.
Thanks, Derek
thanku very much you don’t know how much you have help me…..
Hi Nicola,
I used this script to remove the password strength meter as this script was generating an error in Google Search Console (as a blocked resource from /wp-admin folder).
I checked this morning, and now I’m getting this error message (have changed client # and url):
[Sun Mar 26 13:24:05.789746 2017] [apparmor:error] [pid 11924] (10)No child processes: [client 123.456.78.90:24667] Failed to change_hat to ‘HANDLING_UNTRUSTED_INPUT’, referer: mywebstore.com/cart/
So I’ve deleted the remove password strength code.
I’m just wondering what I may have done wrong based on this error message. I’d really like to clear up the script blocking issue, and customers don’t need to have user accounts (I’ve otherwise disabled them).
I read more comments, and today I put this code right before the closing php tag ?> — so far it seems to be ok.
Awesome! Glad it’s working now!
Thank you, we have lost a number of customer because registering was a struggle, and they didn’t know that they could checkout regardless. I have reduced the requirements. Thanks.
You’re welcome mide!
Hi, thanks for the snippet! I think the main issue is that it’s not clear anywhere that you can still checkout with a medium security password. I think everyone reads it and thinks they MUST use a high security password.
I am going to ask something that perhaps is very basic: why it would represent a security threat for my site the fact that someone can log in a customer’s account?
I mean, they would have the same access as any user with a customer role. The same access they could get just by registering in my site. That’s easier than breaking into someone else account.
Customer wise my site doesn’t hold any really important info (card transactions are done in payment gateways sites). Thanks!
Hi Matias,
It’s not safe because they can still access personal data of the customer, like their address, their email, their data in general from the shop.
It may not be harmless, maybe they will only find out that the customer purchased a shirt, but why should they know? It’s their private account and nobody should be able to access it.
It removes the password requirements at all, I just want the minimum required length to be 8 instead of 12.
Hi Nicola, thanks for sharing this code snippet.
On the site where I implemented it, it works just as it should on the checkout page…
However, on the registration page the registration button is disabled for any password less than medium strength. This is clearly a JavaScript script disabling the button until the password meets the requirements.
Do you know of a way to disable that JavaScript too, or trick it so that it thinks the password is always medium strength or above? Also, is this how the login page works generally, or is it unique to the theme I am using?
Thanks
Update:
Actually, I realize that the code snippet had no effect at all, whether on checkout or login page. I guess this was for an older version of woocommerce? I’m on version 3.x.
I ended up using the code below. (I forgot the website where I got it from.)
/**
*Reduce the strength requirement on the woocommerce password.
*
* Strength Settings
* 3 = Strong (default)
* 2 = Medium
* 1 = Weak
* 0 = Very Weak / Anything
*/
function reduce_woocommerce_min_strength_requirement( $strength ) {
return 1;
}
add_filter( ‘woocommerce_min_password_strength’, ‘reduce_woocommerce_min_strength_requirement’ );
Basically, this allows you to set what is considered an acceptable password by WooCommerce. So you can set it to accept weak or very weak passwords.
Still not the ideal solution, but it works to lower or remove password restrictions.
Hi,
I’m not sure why the code is not working for you. It didn’t change for WooCommerce 3.0 and it should still work.
Maybe there’s a conflict with the theme or another plugin?
Not working for me on WooCommerce 3.x with Flatsome 3.5 Theme.
It did work for me with WooCommerce 2.5 and Flatsome 2.9.
Hi Nicola. Thanks for the codes. I’d like to ask, if I want to set the minimum to 8 letters, how should I modify the code below accordingly?
add_filter( ‘woocommerce_min_password_strength’, create_function( ”, ‘return 2;’ ) );
Hey Xander,
The strength meter does not check the complexity of the password based on the length only. It’s a different system. That code won’t change the minimum length for the password.
Why does WP load these three JS files on the front-end of homepage, if using WooCommerce, I can understand loading those on checkout and my account.
/woocommerce/assets/js/frontend/password-strength-meter.min.js
/wp-includes/js/zxcvbn-async.min.js
/wp-admin/js/password-strength-meter.min.js
Seems like a simple check if is_front_page() then not to load those JS assets on the front-end.
How can i disable those files (about 400KB) when WP load?
Hi Nicola, we agency are begin on woocommerce, and your solution are so helpul.
worked perfecly here. Thanks!!!
Regards from Mestre Search Brazil
Hey Bruno,
I’m happy that you like my articles!
Have a great weekend!
Can anyone confirm this works on WooCommerce 3.2.6 / WordPress 4.9.1
The built-in password strength meter is just dreadful!
Hi Eire,
I just tested this on WooCommerce 3.2.6, WordPress 4.9.1 and the latest version of Storefront and it works properly for me.
Is this still working for woocommerce 3.3?
Yes Ed,
I just tested it on the latest version and it works.
Hello,
I am trying to use the following code snippet:
add_filter( ‘woocommerce_min_password_strength’, create_function( ”, ‘return 8;’ ) );
But I can still register an account with a password less than 8 characters. Is there any way to make sure that the password being used during registration is at least 8 characters long?
Hi Devon,
If that filter does not work you either put it in a wrong location (it should be at the end of functions.php in your theme’s folder, before the
?>sign if there’s one), or there’s some other issue like other filters overriding it or a bug in WooCommerce.In the last case, I suggest you contact the support at https://wordpress.org/support/plugin/woocommerce.
awesome work, also found how2 change the labels with your help;https://nicola.blog/2016/02/16/change-the-password-strength-meter-labels/
Now what i dunno is what exactly are strength 1&2 their requirements?
I know from experience what 3 requires, but not 2 for ex., since i’ve lowered it, i wanted to update the label accordingly.
otherwise users might end up getting pretty annoyed 🙂
ps your ‘receive posts in mailbox’ checkbox, under the reply textfield, fails.
How can I remove the password strength meter from the entire WordPress website?
It is almost taking wp-includes/js/zxcvbn.min.js 400KB of space. I am not using woocommerce plugin.
The options listed in the article didn’t work for me. My theme uses wp_enqueue_scripts so here is my setup that got me rid of the password-strength-meter completely….
BUT…it produced a 404 error and causes a 1 second delay loading the page. Pretty much cancels out the entire point of removing the script (site speed improvement)
I don’t want the Javascript for the strength meter to load at all. I want it completely gone to decrease the page size and improve speed. If someone is stupid enough to make their pw 1234 then its their own fault.
Can someone please help???
function my_add_frontend_scripts() {// Deregister script about password strenght meter ~ 800kb
wp_dequeue_script('wc-password-strength-meter');
wp_deregister_script('wc-password-strength-meter');
wp_register_script('custom-script', get_stylesheet_directory_uri().'/custom-script.js', array('jquery'), 1, false );
wp_enqueue_script('custom-script');
}
add_action(‘wp_enqueue_scripts’, ‘my_add_frontend_scripts’);