Jump to content

Password Force Change

Recommended Posts

Hi everyone,

Here's a little module that allows you to force users to change their password on their first login, or at any time if you manually force it.



Key Features

  • During install it creates a new checkbox field in the user template, "force_passwd_change".
  • Automatic checking of this checkbox when creating a new user is determined by the "Automatic Force Change" module config setting.
  • When a user logs in for the first time (or if you have manually checked that field for an existing user), they will be warned that they have to change their password and they'll be automatically redirected to their profile page.
  • They must change their password to something new - they are not allowed to re-enter their existing password.
  • Bulk "Set All Users" option to at any time, force all users (by selected roles) to change their password.

Hopefully some of you will find it useful and please let me know if you have any suggested changes/enhancements. 

PS I used the new info.json way of defining the module details, so it requires PW 2.4.3+ 

Edited by adrian
Updated module features information
  • Like 18
Link to post
Share on other sites

Thanks Adrian! This has been on my to-do list for a while, looks like I can tick it off now. Benefits of free software -- just wait long enough and someone will solve it for you ;)

The way I've seen this implemented before was a checkbox titled "Force password change on next login", which was unchecked when a password was changed. That would slightly simplify things by removing the need to check it for existing users.. and perhaps make things a bit easier to understand if you want to use it at some point later (for some reason unchecking "password changed" sounds weird).

Just saying, doesn't matter much either way. The module looks great and I look forward to using it.. on all of our sites :)

Edit: by the way, would you mind specifying a license for this module? I'm not suspicious of your motives or anything (honestly), it's just that I try to avoid any code where licensing isn't clearly stated, and modules are no exception here :)

Edited by teppo
Link to post
Share on other sites

Hey teppo,

Thanks for the thoughts on the checkbox issue. I agree that unchecking "password changed" does sound weird :) My reasoning for going this way was because I was wanting to avoid the need for an additional step (checking the checkbox) when creating a new user. I thought, maybe incorrectly, that anyone using this module would want to ensure that all new users are required to change their password when they first login. My approach to setting up admin users is to send them all the same initial password and ask them to change it immediately. I wonder if a better approach might be to use a dropdown select that is a required field when setting up a new user. It could be called "force password change" and have a blank default and then "yes" and "no" options. It's still an extra step when setting up a user, but at least this way I can ensure the superuser doesn't forget to do it. Any thoughts on whether this would be a more logical setup?

Thanks for the reminder on the license - I actually haven't been good with that for any of my modules - mostly because of ignorance/trust with these sorts of things. I'll take care of it shortly and also check my other modules and do the same.

PS Minor fix committed this morning - I woke up realizing that I had hardcoded the path to the profile page :)

EDIT: Do you, or anyone else, know why I can't set the collapsed state of the pass field via the API? I can do it with other system fields, but not this one. You'll see in my code two commented blocks where I try to set it to open before the redirect and then set it to collapsed after they have changed their password.

Edited by adrian
  • Like 1
Link to post
Share on other sites

Just discovered a bit of a gotcha - if the new user does not have "profile-edit (User can update profile/password)" permission they obviously won't be able to change their password, so just committed an update that checks for this permission and warns that it needs adding.

  • Like 4
Link to post
Share on other sites
I wonder if a better approach might be to use a dropdown select that is a required field when setting up a new user. It could be called "force password change" and have a blank default and then "yes" and "no" options. It's still an extra step when setting up a user, but at least this way I can ensure the superuser doesn't forget to do it.

teppo - I thought through this a little more and realized that any multi field would not be a good idea as it would involve associated pages and templates for the yes/no options, so I have gone back to the checkbox, but reversed it to be a "Force password change on next login" checkbox as you suggested. However I have added a module config setting called "Automatic Force Change" and if this is checked, then the "Force password change on next login" checkbox gets automatically checked when creating a new user. I think this solves all the issues of:

  • Confusion over the reverse checked and the strange "Password Changed" label.
  • With the automatic force change checked, there is no extra step required when creating a new user, but there is also the flexibility for the superuser to turn this off so it has to become an active selection to force the password change.
  • Existing users are left untouched, which is cleaner.

I am pretty convinced this new approach is better in all ways but I'd like to hear any feedback before I commit the changes to Github, in particular from you teppo if you have a minute to think about it.

I am attaching the new version here for testing/review. Please make sure you uninstall the old version first to make sure the old passwd_changed field is removed.

If I don't hear anything back by tomorrow, I'll commit this version anyway :)

EDIT: Removed attached version to avoid confusion since it is now on Github.

  • Like 2
Link to post
Share on other sites
 was worried about the scalability of old method when user count was in thousands. 

Agreed - that occurred to me yesterday too.

Thank you both for the feedback - changes have been committed to Github and the module has been submitted to the modules directory.

  • Like 5
Link to post
Share on other sites

Now available in the modules directory:


For anyone who might have downloaded early on, please grab the latest version. There was an important fix two days ago that now prevents users from simply navigating away from their profile page to another page in the admin. Now they can't do anything in the admin until their password has been changed.

  • Like 5
Link to post
Share on other sites

Another bug fix and enhancement just committed.

There is now a batch "Set All Users" option which allows you to easily force existing users to change their password. Selection of users is possible via roles so you can limit the enforcement to just specific roles, or all if needed. If you mess up, there is also a simple way to clear the requirement for everyone as well.

This addition was in response to teppo's comment in his ProcessWire Weekly post: "easily forcing periodic password changes for users" - now it really is easy to force periodic changes, so thanks for the suggestion :)

The bug fix is for PW sites installed in a subdirectory - thanks also to teppo for reporting this.

  • Like 1
Link to post
Share on other sites

Sorry for the constant updates :)

Definitely recommended to update to the latest version as it adds better handling for users without profile-edit permission.

  1. As well as the warning, it now also unchecks the force password change checkbox if the user doesn't have profile-edit permission
  2. The Set All Users role selection is now limited to only those roles with profile-edit permission

Hopefully that will be all the changes for a while, unless someone has any suggestions.

  • Like 2
Link to post
Share on other sites
  • 1 year later...

Hi everyone,

Thanks to a request from @Ralf, this module now also works on the front-end. If you have setup your own login form and profile editing forms you can enable this for the front-end and specify a URL to redirect to for the user to change their password.


  • Like 5
Link to post
Share on other sites
  • 2 years later...

I had to uninstall this one. Is it compatible with pw 3.0.96? Once installed I set the frontend login URL for profile edit to the correct frontend page (/member-login/?profile=1 using Ryan's Login/Register/Profile module) and I get an Internal error. Won't load the page.

Additionally I set it to force all users with the "member" role to change password and as a superuser I get the message to change my password. I don't have the member role. When I set it to clear superuser, on next login I get the same message to change my password.

Link to post
Share on other sites

@digitex - I am using it with no problems on 3.0.99

Can you make sure PW debug mode is on to see if there is any further info about the internal server error and maybe check your error logs.

I also just tested the option to force all users with a particular role to have to change their password and it worked fine - set it for that role, but no impact on my superuser account.

Maybe there is some interaction with Ryan's module that I haven't tested. I don't have time to look into it at the moment, but if you wouldn't mind investigating and letting me know more details of the issue, I'll make any required changes.



Link to post
Share on other sites

@adrian I suspect you're right that it may be a specific issue with Ryan's module. With Login/Register/Profile the profile page is the same as the log in page and the profile UI is loaded with a GET variable. It may be the get variable in the Frontend Login URL that's causing the error. When logging in using a member's credentials it does try to redirect to the profile page but throws an error when it gets there.

As for the superuser role getting the password change notice I will have to get back to you.

When I get a minute I'll reinstall and enable debug. I would love to use it I'm importing 250 user accounts and need to ensure everybody updates their password.

Link to post
Share on other sites
  • 2 years later...
1 hour ago, kater said:

Using it with Login Register Pro and frontpage redirect (https://www.../login-register/?profile=1) it redirects infinitly.

Hi @kater - what do you have set for the Frontend Login URL setting - is it set to login-register/?profile=1 ?

Is it set to a full URL, or root relative?

Does adjusting that help?

Link to post
Share on other sites

happens with either setting.

relative shows in the url.




Link to post
Share on other sites

@kater - I just tested with: /?profile=1 (where the LRP module was instantiated for all pages) and also another option with /login-register/?profile=1 (where it was instantiated for just the page with the name "login-register") and both work as expected. 

I am not very familiar with the LoginRegisterPro module, but at the moment I am not sure where the infinite redirects might be coming from, but I don't think it's from the Password Force Change module.

Link to post
Share on other sites
  • 2 weeks later...

Hello @adrian,

Would it be possible to make the fields which are displayed in the user profile "translatable"?

I am talking about lines 109 and 261-264 in your code?


Furthermore I am currently building the code into an LRP module from ryan and I would like to display the message in the front-end that the user has to change his password now.
How do I display this again? Sorry I am standing a little bit on the hose right now... 🙈

Thanks cu Ralf

Link to post
Share on other sites

Hi @Ralf - that checkbox field label, description, and notes should be translatable already. You can see here on a site I have with English and Portuguese:


The "load on frontend" option should make it work with LRP. I did just commit one change that allows translating of the note that says: "You must change your password now".

Hope that gets you going.

Link to post
Share on other sites

Hello @adrian,

... yes, if you look under "Admin -> Setup -> Fields -> force_passwd_change" this is also possible *am I stupid* 🙈
I looked it up under Language and didn't have the idea to look under Fields... sorry. Of course you can find everything there and enter everything you want.

Secondly, thanks yes, I have now found the translation in the language files and translated it immediately ("You must change your password now").

But as far as my actual topic with the "output" is concerned, it still doesn't work.

My question here is, do I have to add any code to the PHP template file of LRP (login-register.php) in the frontend to output exactly this message "You must change your password now"? Because this message is currently not displayed in the frontend? (but in the backend I see this message)

Link to post
Share on other sites

@Ralf - I am glad you got the translation stuff sorted out.

The "You must change your password now" text is added as a note to the "pass" field when it is rendered. So if this module is successfully redirecting to the profile editing screen of LRP, then it should display that note - if not, then it might be a question for Ryan to see if he can support this module within LRP by displaying the note, or suggesting some other way for this module to inject that note.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By FireWire
      Hello community!

      I want to share a new module I've been working on that I think could be a big boost for multi-language ProcessWire sites.

      Some background, I was looking for a way for our company website to be efficiently translated as working with human translators was pretty laborious and a lack of updating content created a divergence between languages. I, and several other devs here, have talked about translation integrations and have recognized the power that DeepL has. DeepL is an AI deep learning powered service that delivers translation quality beyond any automated service available. After access to the API was opened up to the US, I built Fluency, a DeepL translation integration for ProcessWire.
      Fluency brings automated translation to every multi-language field in the admin, and also provides a translation tool allowing the user to translate their text to any language without it being inside a template's field. With Fluency you can:
      Translate any plain textarea or text input Translate any CKEditor content (yes, with markup) Translate page names for fully localized URLs on every page Translate your in-template translation function wrapped strings Translate modules Fluency is free, and now so is DeepL
      Since this module was first built DeepL has introduced free Developer accounts that allow anyone to start using Fluency at zero cost and beginning with the version 0.3.0 release Fluency now supports free DeepL accounts. As of June 2021 DeepL supports translation to 26 languages and continues to offer more!
      Installation and usage is completely plug and play. Whether you're building a new multi-language site, need to update a site to multi-language, or simply want to stop manually translating a site and make any language a one-click deal, it could not be easier to do it. Fluency works by having you match the languages configured in ProcessWIre to DeepL's. You can have your site translating to any or all of the languages DeepL translates to in minutes (quite literally).
      Let's break out the screenshots...
      When the default language tab is shown, a message is displayed to let users know that translation is available. Clicking on each tab shows a link that says "Translate from English". Clicking it shows an animated overlay with the word "Translating..." cycling through each language and a light gradient shift. Have a CKEditor field? All good. Fluency will translated it and use DeepL's ability to translate text within HTML tags. CKEditor fields can be translated as easily and accurately as text/textarea fields.

      Repeaters and AJAX created fields also have translation enabled thanks to a JavaScript MutationObserver that searches for multi-language fields and adds translation as they're inserted into the DOM. If there's a multi-language field on the page, it will have translation added.

      Same goes for image description fields. Multi-language SEO friendly images are good to go.

      Creating a new page from one of your templates? Translate your title, and also translate your page name for native language URLs. (Not available for Russian, Chinese, or Japanese languages due to URL limitations). These can be changed in the "Settings" tab for any page as well so whether you're translating new pages or existing pages, you control the URLs everywhere.

      Language configuration pages are no different. Translate the names of your languages and search for both Site Translation Files (including all of your modules)

      Translate all of the static text in your templates as well. Notice that the placeholders are retained. DeepL is pretty good at recognizing and keeping non-translatable strings like that. If it is changed, it's easy to fix manually.

      Fluency adds a "Translate" item to the CMS header. When clicked this opens up a modal with a full translation tool that lets the user translate any language to any language. No need to leave the admin if you need to translate content from a secondary language back to the default ProcessWire language. There is also a button to get the current API usage statistics. DeepL account owners can set billing limitations via character count to control costs. This may help larger sites or sites being retrofitted keep an eye on their usage. Fluency can be used by users having roles given the fluency-translate permission.

      It couldn't be easier to add Fluency to your new or existing website. Simply add your API key and you're shown what languages are currently available for translation from/to as provided by DeepL. This list and all configuration options are taken live from the API so when DeepL releases new languages you can add them to your site without any work. No module updates, just an easy configuration. Just match the language you configured in ProcessWire to the DeepL language you want it to be associated with and you're done. Fluency also allows you to create a list of words/phrases that will not be translated which can prevent items such as brands and company names from being translated when they shouldn't

      No "translate page" - Translating multiple fields can be done by clicking multiple translation links on multiple fields at once but engineering a "one click page translate" is not feasible from a user experience standpoint. The time it takes to translate one field can be a second or two, but cumulatively that may take much longer (CKEditor fields are slower than plain text fields). There may be a workaround in the future but it isn't currently on the roadmap. No "translate site" - Same thing goes for translating an entire website at once. It would be great, but it would be a very intense process and take a very (very) long time. There may be a workaround in the future but it isn't on the roadmap. No current support for Inline CKEditor fields - Handling for CKEditor on-demand hasn't been implemented yet, this is planned for a future release though and can be done. I just forgot about it because I've never really used that feature personally.. Alpha release - This module is in alpha. Releases should be stable and usable, but there may be edge case issues. Test the module thoroughly and please report any bugs via a Github issue on the repository or respond here. Please note that the browser plugin for Grammarly conflicts with Fluency (as it does with many web applications). To address this issue it is recommended that you disable Grammarly when using Fluency, or open the admin to edit pages in a private window where Grammarly may not be loaded. This is an issue that may not have a resolution as creating a workaround may not be possible. If you have insight as to how this may be solved please visit the Github page and file a bugfix ticket.
      ProcessWire  3.0+ UIKit Admin Theme That's Fluency in a nutshell. A core effort in this module is to create it so that there is nothing DeepL related hard-coded in that would require updating it when DeepL offers new languages. I would like this to be a future-friendly module that doesn't require developer work to keep it up-to-date.
      The Module Is Free
      This is my first real module and I want to give it back to the community as thanks. This is the best CMS I've worked with (thank you Ryan & contributors) and a great community (thank you dear reader).
      DeepL Developer Accounts
      In addition to paid Pro Developer accounts, DeepL now offers no-cost free accounts. Now all ProcessWire developers and users can use Fluency at no cost.
      Learn more about free and paid accounts by visiting the DeepL website. Sign up for a Developer account, get an API key, and start using Fluency today.
      Download & Feedback
      Download the latest version here
      Github repository:
      File issues and feature requests here (your feedback and testing is greatly appreciated):
      Thank you! ¡Gracias! Ich danke Ihnen! Merci! Obrigado! Grazie! Dank u wel! Dziękuję! Спасибо! ありがとうございます! 谢谢你!

    • By monollonom
      (once again I was surprised to see a work of mine pop up in the newsletter, this time without even listing the module on PW modules website 😅. Thx @teppo !)
      Github: https://github.com/romaincazier/FieldtypeQRCode
      Modules directory: https://processwire.com/modules/fieldtype-qrcode/
      This is a simple module I made so a client could quickly grab a QR Code of the page's url in the admin.
      There's not much to it for now, but if need be you can output anything using a hook:
      $wire->addHookAfter("FieldtypeQRCode::getQRText", function($event) { $event->return = "Your custom text"; }) You can also output the QR code on your front-end by calling the field:
      echo $page->qr_code_field; The module uses the PHP library QR Code Generator by Kazuhiko Arase. When looking for a way to generate a QR Code in PW I came across @ryan's integration in his TFA module. I'm not very familiar with fieldtype/inputfield module development so I blindly followed @bernhard (great) tutorial and his BaseFieldtypeRuntime. At some point I'll take a deeper look to make a module on my own.
      Some ideas for improvements :
      add the ability to choose what to ouput : page's url / editUrl / file(s) / image(s) / ... allow to output multiple QR codes ?
    • By Chris Bennett
      Inspired by @bernhard's excellent work on the new customisable LESS CSS getting rolled into the core soon, I thought I would offer up the module for beta testing, if it is of interest to anyone.

      It takes a different approach to admin styling, basically using the Cascade part of CSS to over-ride default UiKit values.
      Values are stored in ModuleConfig Module creates a separate AdminThemeTweaker Folder at root, so it can link to AdminThemeTweaker.php as CSS AdminThemeTweaker.php reads the module values, constructs the CSS variables then includes the CSS framework Can be switched on and off with a click. Uninstall removes everything, thanks to bernhard's wonderful remove dir & contents function.
      It won't touch your core. It won't care if stuff is upgraded. You won't need to compile anything and you don't need to touch CSS unless you want to.

      It won't do much at all apart from read some values from your module config, work out the right CSS variables to use (auto contrast based on selected backgrounds) and throw it on your screen.
      You can configure a lot of stuff, leave it as it comes (dark and curvy), change two main colors (background and content background) or delve deep to configure custom margins, height of mastheads, and all manner of silly stuff I never use.

      Have been developing it for somewhere around 2 years now. It has been (and will continue to be) constantly tweaked over that time, as I click on something and find something else to do.
      That said, it is pretty solid and has been in constant use as my sole Admin styling option for all of those 2 years.

      If nothing else, it would be great if it can provide any assistance to @bernhard or other contributor's who may be looking to solve some of the quirkier UiKit behavior.
      Has (in my opinion) more robust and predictable handling of hidden Inputfields, data-colwidths and showIf wrappers.
      I am very keen to help out with that stuff in any way I can, though LESS (and any css frameworks/tools basically) are not my go.
      I love CSS variables and banging-rocks-together, no-dependency CSS you can write with notepad.


    • By opalepatrick
      I see old posts saying that repeaters are not the way to go in Custom Process Modules. If that is the case, when using forms (as I am trying to do) how would one tackle things like repeat contact fields where there can be multiple requirements for contact details with different parameters? (Like point of contact, director, etc) or even telephone numbers that have different uses?
      Just for background I am creating a process module that allows me to create types of financial applications in the admin area (no need to publish any of this, pure admin) that require a lot of personal or company information.
      Maybe I am thinking about this incorrectly?
    • By HMCB
      I ran across a reference to IftRunner module. The post was 6 years ago. I cant find it in available modules. Has it been pulled?
  • Create New...