To keep a WordPress site secure, user passwords should be changed from time to time. This offers partial protection against automated password guessing by bots, especially if the site does not have two-factor authentication.
The simplest solution is the Expire User Passwords plugin from the Telegraph Media Group, which decided that authors in its large blog network must change their passwords at least once a month.
This plugin works out of the box and has no additional settings screens. It performs one simple function: when a user tries to log in to the WordPress admin panel, the plugin compares the current time with the time the password was last changed, and if more than 30 days have passed, the user has to change the password before getting into the admin panel.
The default password expiration is 30 days, but if desired, a new period can be specified in the wp-config.php configuration file using a constant:
define( 'TMG_AEP_EXPIRY', 60 * 60 * 24 * 180 ); // 180 days
A nice addition to this plugin would be the ability to record the passwords already used and prevent users from choosing the same password twice when changing it.
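The expiry check described above, combined with the password-history idea, written in plain PHP as an added example (not the plugin's own code). The function names, the five-entry history depth and the sample account are assumptions, and hashes come from PHP's password_hash rather than from the WordPress user table.

```php
<?php
// Added illustration, not plugin code; all names are hypothetical, sample data is constructed.

const EXPIRY_SECONDS = 60 * 60 * 24 * 30; // 30-day default described above
const HISTORY_DEPTH  = 5;                 // assumed number of remembered passwords

// True when the last change is older than the allowed period.
function password_expired(int $lastChanged, int $now, int $expiry = EXPIRY_SECONDS): bool
{
    return ($now - $lastChanged) > $expiry;
}

// True when the candidate matches any stored hash (current or previous).
function password_reused(string $candidate, array $hashHistory): bool
{
    foreach ($hashHistory as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

// Accept a new password: reject reuse, otherwise store its hash and reset the clock.
function change_password(array $user, string $new, int $now): array
{
    if (password_reused($new, $user['history'])) {
        throw new InvalidArgumentException('Password was used before.');
    }
    array_unshift($user['history'], password_hash($new, PASSWORD_DEFAULT));
    $user['history']      = array_slice($user['history'], 0, HISTORY_DEPTH);
    $user['last_changed'] = $now;
    return $user;
}

// Constructed sample account: password last changed 45 days ago.
$now  = time();
$user = [
    'last_changed' => $now - 45 * 86400,
    'history'      => [password_hash('Old-Passphrase-1', PASSWORD_DEFAULT)],
];
var_dump(password_expired($user['last_changed'], $now)); // expired: login would force a change
try {
    change_password($user, 'Old-Passphrase-1', $now);    // same password again
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                      // reuse is rejected
}
$user = change_password($user, 'New-Passphrase-2', $now);
var_dump(password_expired($user['last_changed'], $now)); // clock has been reset
```

Only hashes are kept in the history, so remembering old passwords does not mean storing them in recoverable form.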
You can download the Expire User Passwords plugin from the official WordPress.org directory, or by searching for the plugin name under Plugins → Add New in the WordPress admin panel. If you are using WordPress in Multisite mode, then this plugin must be activated for the entire network.
There are also more feature-rich alternatives such as WordPress Password Expiry and WP Password Policy Manager. These plugins have a number of additional settings, including password expiration, the ability to disable certain roles, the ability to set minimum password requirements, and more.
As another alternative, we advise you to consider the Password Change Reminder plugin, which only displays a reminder about outdated passwords.