For more information on WordPress roles and capabilities, please see the Roles and Capabilities article in the WordPress Codex.
With this feature, you can force users to use strong passwords based on their user role.
To enable Strong Passwords, head over to Security -> Dashboard -> Settings -> User Groups -> Password Requirements
Warning: If your site invites public registrations, setting the role too low may annoy your members.
Refuse Compromised Passwords
With the Refuse Compromised Passwords feature enabled, the passwords that your users create will be checked against a list of known compromised passwords. If the password is shown to have been compromised, they will not be allowed to use that password and will have to create another. You can determine the user roles this applies to.
After the Refuse Compromised Passwords setting has been enabled, users who attempt to log in with a compromised password will see this notice on their WordPress login screen, prompting them to update their password using a strong password generator.
Once the password has been updated, the user can now successfully log in using a secure password.
Note: Passwords are checked against the list created by Have I Been Pwned. Plaintext passwords are never sent to Have I Been Pwned. Instead, 5 characters of the hashed password are sent over an encrypted connection to their API. Read the technical details here.
The Password Age setting will allow you to force a periodic password change and even set the number of days a password can be in use before requiring a new one.
You can determine which user roles this is applied to. (It’s a best practice to change passwords every 120 days or 4 months.)
After enabling the Password Age setting to any of the User Groups, the Password Requirements module will appear in Security -> Settings -> Features -> Login Security, and from there, you can set the MAXIMUM PASSWORD AGE:
Force Password Change
The Force Password Change options are added to the User Security Profiles card and in the User Security Settings.
Clicking the Force Password Change for All Users button in the User Security Profiles card will require all of your users to reset their password the next time they log into your site.
To take this action, go to Security -> Dashboard -> User Security Profiles card.
Clicking the Force a Password Reset button on the User Security Settings page will require the selected user to reset their password the next time they log into your site.
To take this action, go to Security -> User Security and click the Edit User button or the Quick Actions - Edit Multiple Users button.
Note: You can find all of the User Security Check information either in the Security Dashboard's User Security Profiles card or the User Security Settings page.