=== Password Reset Enforcement ===
Contributors: teydeastudio, bartoszgadomski
Tags: reset password, force password change, WordPress security, password enforcement, secure login
Requires at least: 6.6
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.12.0
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html
Plugin URI: https://teydeastudio.com/?utm_source=Password+Reset+Enforcement

Easily enforce password reset for WordPress users. Choose to force password changes site-wide, by user and/or by role, to boost your site's security.

== Description ==

**Enhance your WordPress website's security by forcing users to reset their passwords.**

Password Reset Enforcement is a simple yet powerful security plugin that allows site administrators to require users to update their passwords—ideal after a potential data breach, routine security checks, or during onboarding/offboarding processes.

== Features ==

- **Force password reset for all users**, specific user roles, or individual users.
- **Optional email notification** to users with a direct reset link.
- **Flexible login behavior**:
  - *Allow login before resetting*: users log in with the old password and are immediately prompted to set a new one.
  - *Block login until reset*: users must reset their password before accessing the dashboard.
- **Choose reset timing**:
  - *Immediately*: forces logout and password reset on next login.
  - *After session expiry*: users are asked to reset after their current session ends.
- **WP-CLI support** for command-line password management and automation.
- **Multisite compatible** (network-wide reset only).
- Optimized for performance on large-scale and enterprise WordPress installations.

== Use Cases ==

- Responding to a **security breach** or suspected compromise.
- Enforcing **routine password changes** in corporate environments.
- Applying **onboarding/offboarding security policies** for teams or membership sites.

== Compatibility ==

- Works on both single-site and multisite (network) WordPress setups.
- Supports PHP 7.4+ and WordPress 6.6 through 7.0.
- Compatible with modern WordPress admin experience.

== Screenshots ==

1. Force password reset for all users.
2. Target users by role, username, or display name.
3. Process the action.

== Installation ==

1. Upload the plugin to the `/wp-content/plugins/` directory or install via the WordPress admin panel.
2. Activate the plugin.
3. Go to **Settings → Password Reset Enforcement** to initiate resets.

== WP-CLI Commands ==

This plugin provides WP-CLI commands for automated password reset management:

**Force Password Reset**
`wp password-reset-enforcement force [--to_all] [--to_roles=<roles>] [--to_users=<user_ids>] [--applicability=<when>] [--with_email] [--with_current_password_allowed] [--limit=<number>] [--paged=<page>]`

**Clear Password Reset Enforcement**
`wp password-reset-enforcement clear [--to_all] [--to_roles=<roles>] [--to_users=<user_ids>] [--limit=<number>] [--paged=<page>]`

**List Users with Enforced Password Reset**
`wp password-reset-enforcement list [--limit=<number>] [--paged=<page>]`

**Check Password Reset Status**
`wp password-reset-enforcement status [--to_all] [--to_roles=<roles>] [--to_users=<user_ids>] [--limit=<number>] [--paged=<page>]`

= Command Options =

- `--to_all`: Target all users on the site
- `--to_roles=<roles>`: Comma-separated list of user roles (e.g., editor,administrator)
- `--to_users=<user_ids>`: Comma-separated list of specific user IDs (e.g., 1,5,10)
- `--applicability=<when>`: When reset takes effect (immediately, after_session_expiry)
- `--with_email`: Send email notifications to affected users (default: true)
- `--with_current_password_allowed`: Allow users to reuse current password (default: false)
- `--limit=<number>`: Maximum number of users to process in a single operation
- `--paged=<page>`: Page number for pagination

= Command Examples =

`wp password-reset-enforcement force --to_all`
`wp password-reset-enforcement force --to_roles=editor,administrator --applicability=after_session_expiry`
`wp password-reset-enforcement clear --to_users=1,5,10`
`wp password-reset-enforcement list --limit=50 --paged=2`
`wp password-reset-enforcement status --to_all --limit=50 --paged=2`
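
On a large site, `--limit` and `--paged` let a site-wide reset run in bounded batches. The script below is an added example, not part of the plugin: the function names are hypothetical, the user total comes from core WP-CLI's `wp user list --format=count`, and it assumes `--paged` is 1-indexed over a stable user ordering.

```shell
#!/bin/sh
# Added example (not plugin code): batched "force" run using --limit/--paged.
# Assumptions: WP-CLI is on PATH, the command is run from the WordPress root,
# and --paged is 1-indexed over a stable user ordering.

# Pages needed to cover $1 users at $2 users per page (ceiling division).
pages_for() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# force_all_in_batches LIMIT APPLICABILITY [START_PAGE]
# Stops at the first failing page and reports it, so the run can be resumed
# from START_PAGE instead of starting over.
force_all_in_batches() {
    limit=$1
    when=$2
    page=${3:-1}

    # Reject empty, zero, zero-prefixed and non-numeric batch sizes.
    case "$limit" in
        ''|0*|*[!0-9]*) echo "limit must be a positive integer" >&2; return 2 ;;
    esac
    # Only the two values listed under Command Options are accepted.
    case "$when" in
        immediately|after_session_expiry) ;;
        *) echo "unknown applicability: $when" >&2; return 2 ;;
    esac

    # Core WP-CLI command; prints the total number of users.
    total=$(wp user list --format=count) || return 1
    pages=$(pages_for "$total" "$limit")

    while [ "$page" -le "$pages" ]; do
        if ! wp password-reset-enforcement force --to_all \
            --applicability="$when" --limit="$limit" --paged="$page"; then
            echo "failed on page $page of $pages; resume from that page" >&2
            return 1
        fi
        page=$((page + 1))
    done
}

# Example invocation (commented out so the file can be sourced safely):
# force_all_in_batches 200 after_session_expiry
```

If a batch fails, pass the reported page number as the third argument to continue from that page.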

== Related Plugins ==

Want to go beyond forced password resets? Check our [WP Password Policy](https://wppasswordpolicy.com/?utm_source=Password+Reset+Enforcement) plugin to enforce strong password rules, block weak passwords, and set automatic expiry policies — so you'll never need to force a password reset again. [Free version available on WordPress.org](https://wordpress.org/plugins/password-requirements/).

== Frequently Asked Questions ==

= Will this log users out immediately? =
Only if you choose the “Immediately” option. Otherwise, users will be asked to reset after their current session expires.

= Is it compatible with other login plugins or 2FA solutions? =
Yes, Password Reset Enforcement is designed for compatibility and works well alongside popular authentication and security plugins.

= Can I use this on a WooCommerce site? =
Absolutely. Works seamlessly with WooCommerce and other membership or eCommerce platforms.

= Does this plugin support WP-CLI? =
Yes! The plugin includes comprehensive WP-CLI commands for forcing password resets, clearing enforcement, and checking status. Perfect for automation, server management, and bulk operations.

== Changelog ==

= 1.12.0 (2026-04-16) =
* Compatibility with WordPress 7.0 confirmed
* Direct access protection added to all PHP files
* Unnecessary translation files removed since these are loaded from WordPress.org
* Security hardening - added missing escaping
* Do not hardcode `wp-login.php` path for login form
* Formatting updates
* Dependencies updated

= 1.11.1 (2025-11-28) =
* Compatibility with WordPress 6.9 confirmed
* Dependencies updated

= 1.11.0 (2025-10-31) =
* Direct links to force password reset have been added to the Users page along with a bulk action
* Clear indicators that a password reset has been enforced for a given user have been added to the Users and User Profile screens
* User selector component has been improved
* WP-CLI commands have been added, allowing power users to force password reset, clear the enforcement, check the status, and list users for whom the password reset has been enforced
* Dependencies updated
* Code improvements

= 1.10.2 (2025-05-08) =
* Plugin links and references to Teydea Studio updated
* Dependencies updated

= 1.10.1 (2025-04-04) =
* Compatibility with WordPress 6.8 confirmed
* Issue of requesting the translated string too early fixed
* Dependencies updated
* Code improvements

= 1.10.0 (2025-02-21) =
* Dependencies updated
* Code improvements

= 1.9.0 (2024-12-13) =
* Dependencies updated
* Code improvements

= 1.8.0 (2024-11-08) =
* Custom capabilities for managing the plugin settings implemented
* Compatibility with WordPress 6.7 confirmed
* Dependencies updated
* Code improvements

= 1.7.2 (2024-10-25) =
* JS dependency map and tree-shaking optimized

= 1.7.1 (2024-10-23) =
* Add missing Cache utility class

(For older records, see the `changelog.txt` file).
