forked from Disallow Pwned Passwords™
Guardian Shield Check is not affiliated with Disallow Pwned Passwords. The name and any related trademarks are used solely for nominative descriptive purposes.
This plugin enhances site security by preventing users from setting passwords that have been exposed in known data breaches. It is designed for site administrators and developers who manage user accounts on popular content management and e-commerce platforms.
Core Security Check: Validates new and changed passwords against the Have I Been Pwned database, which contains billions of compromised credentials from past security incidents.
Privacy-First Design: Neither the user's password nor its full hash is ever transmitted from your server. The check uses a k-anonymity method, sending only a partial hash prefix to the external API.
Broad Interception Points: The plugin works during key user actions, including new user registration, password changes in the admin area, and on the front-end user profile pages. If the e-commerce platform is active, it also covers checkout and account recovery flows.
Performance Consideration: Includes optional caching of API responses for one week to reduce external requests and improve performance, relying on the site's persistent object cache if available.
Extensible Architecture: Allows developers to replace the default API client with a custom implementation if they prefer to use a different breach data source or have specific integration requirements.
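The k-anonymity lookup described under Privacy-First Design, sketched as an added example (not the plugin's own code). `pwned_count` and the `$fetchRange` callable are hypothetical names, the response body is constructed, and SHA-1 with a 5-character prefix is the Pwned Passwords range API's format rather than a detail stated on this page.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Returns the breach count for $password, or 0.
// $fetchRange is a hypothetical callable: 5-character prefix in, response body out.
function pwned_count(string $password, callable $fetchRange): int
{
    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);   // the only value that leaves the server
    $suffix = substr($hash, 5);      // remaining 35 hex characters, compared locally

    // In production this would be a GET to https://api.pwnedpasswords.com/range/{prefix}.
    $body = $fetchRange($prefix);

    foreach (preg_split('/\r\n|\n|\r/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2) {
            continue;                // skip malformed lines
        }
        if (hash_equals($suffix, strtoupper($parts[0]))) {
            // Padding entries (sent when Add-Padding is requested) carry a count of 0.
            return max(0, (int) $parts[1]);
        }
    }
    return 0;
}

// Constructed sample: a fake fetcher that records what would have been sent.
$sent = [];
$fakeFetch = function (string $prefix) use (&$sent): string {
    $sent[] = $prefix;
    $target = strtoupper(sha1('password123'));
    return implode("\r\n", [
        str_repeat('0', 35) . ':0',      // constructed padding entry
        substr($target, 5) . ':4242',    // constructed count for the sample password
        str_repeat('F', 35) . ':7',      // constructed unrelated suffix
    ]);
};

var_dump(pwned_count('password123', $fakeFetch));
var_dump(pwned_count('correct horse battery staple', $fakeFetch));
var_dump($sent);   // only 5-character prefixes were passed to the fetcher
```

Because the response depends only on the prefix, a response cache keyed by that prefix never needs to store a password or a full hash.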