Signup Breach Checker

Checks user e-mails and optionally passwords against breach lists from on signup.

Author:Dan Dulaney (profile at
WordPress version required:4.9.0
WordPress version tested:5.2.21
Plugin version:1.1
Added to WordPress repository:16-01-2018
Last updated:05-06-2019
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
Rating, %:0
Rated by:0
Plugin URI:
Total downloads:816
Active installs:10+
plugin download
Click to start download

**Note: This plugin sends e-mail address (and optionally SHA1 hashed passwords) to an external API, at **

This plugin is meant to provide a service to your site members by doing the following:

  • On user registration, check the haveibeenpwned API to see if their e-mail has been in any known breaches
  • Stores (in user_meta) any breaches found, and if the user has been notified (by your site)
  • If welcome e-mails are enabled, adds a section sharing information about the breaches, and the suggestion to use a strong password with a link to help. If not, it also lets them know they are clean.
  • Optional (Disabled by default): Enable password checking against the API’s list of known passwords on password reset / new user password set. This only triggers if the user also has had their e-mail leaked in a known breach, and e-mails the user with additional information.

Planned for future updates:

  • (Toggleable) Method of checking existing users and notifying them.
  • (Toggleable) Method to periodically check all users that haven’t had a breach, and notify them if that changes.
  • (Toggleable) Method to add admin notifications of new breaches discovered by

Dependencies and Liscencing

This plugin relies on the the HaveIBeenPwned APIv2, and has been designed to comply with rate limiting and usage policy.