Hardening the Security on GEN

PCI Compliance

We installed WordFence on sandbox GEN to scan the site for issues with the following settings:

(Screenshot: Wordfence Dashboard on sandbox GEN)

Message sent on 7/9 to support to ask if we can schedule Wordfence to scan certain folders instead of the whole site, since a full scan takes too long.

(Screenshot: Wordfence All Options page, scan settings)

We also changed the performance settings:

(Screenshot: Wordfence All Options page, performance settings)

Firewall settings

Under Firewall settings on the same page as above, we changed:

Brute Force Settings and Login security

Located on the same page as above

Rate Limiting

Located on the same page as above. All the WordFence settings are in the same place. We changed the following settings:

Login Security/Enforcing of Strong Passwords

Due to the changes in the Rate Limiting settings, admins will not be able to create accounts with weak passwords. In this example, I went to Users and edited an existing account on sandbox. I clicked "Set New Password" to reveal the new password field. I entered "password" as the password, which is a very weak password, as shown below. I checked the "Confirm use of weak password" box:

I then scrolled down and clicked the update button and the following message appeared:

Sandbox will no longer allow weak passwords even if this box is checked.

This is due to the settings in Wordfence that we're testing.

RCP - Login Security on forms created by other apps

The form lives here: https://sandbox.genengnews.com/create-your-gen-account/?level=2

No effect. I was able to create a free GEN account with a weak password. I used "password" as the password for this test.

RCP has an add-on to enforce strong passwords at registration: https://wordpress.org/plugins/rcp-strong-passwords/

Formidable: Login Security on forms created by other apps

https://www.genengnews.com/get-the-gen-digital-magazine - this form creates accounts for those who fill it out. There is some effect from the enforcement of stronger passwords.


I filled out the form, entered "password" as the password and submitted the form. This is the message that appeared:

(Screenshot: "Create a Free Account to Access GEN's Digital Magazine" page after submitting the form)

It doesn't tell you that the password is not strong enough. It's not spam blocking the entry; it is the weak password. I did several tests with real names and fake ones, all using "password" as the password, and the same message appears until you enter a stronger password and hit submit.


This is not ideal because it does not tell the user what is wrong. Need to look at the Formidable settings to see if we can fix that.

It looks like we can fix this. There are settings on the form for what is allowed for the password (I checked them for testing; they were not checked on the original form):

(Screenshot: Formidable form settings, password field requirements)

What effect do those settings have on the form and the messaging?

The changes to the settings above will result in the following changes on the form:

(Screenshot: "Create a Free Account to Access GEN's Digital Magazine" form showing the updated password messaging)

Login Security on forms created by other apps - LoginPress

No effect. I logged in with a free account I created through RCP (GEN Edge sign-up form) where the password was "password", but I was not prompted to change my weak password to a stronger one.

There are no options to force someone who has a weak password to create a stronger one at login. Not sure if this is a deal breaker or not.

These are the only options I have found but they do not address the weak password problem. Not sure if this is a deal breaker.

(Screenshot: LoginPress settings page)

Login Security on forms created by other apps - BuddyPress/my account area

Some effect.

When I hovered over "Howdy, [name]" and clicked Profile from the drop-down,

(Screenshot: GEN front end with the profile drop-down open)

then clicked to update my password:


(Screenshot: BuddyPress account settings page for the test user)

It would not take a new weak password. I tried "password1", but it did not pop up a message asking for a stronger password, nor did it explain why it rejected the password. It did not even tell me it did not take the password. There was no success message, but there was no error message either. I logged out and tried to log back in using "password1", but it did not work. I was able to log in using "password", but that was the password I was trying to change.


Need to look at the BuddyPress settings.

Found this but may not need to do anything for BB if we can enforce strong passwords elsewhere: https://buddydev.com/support/forums/topic/enforce-strong-passwords-in-buddypress-general-settings/
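As an added example (not part of these notes, and not code from Wordfence, RCP, Formidable or BuddyPress), a must-use plugin that applies one explicit password rule and reports the reason for rejection instead of failing silently, which is the gap seen in the Formidable and BuddyPress tests above. The `user_profile_update_errors` hook is WordPress core; the plugin file location, the length threshold and the deny-list are assumptions. The same `gen_password_problems()` function can be called from each plugin's own registration-validation hook once that hook is confirmed in its documentation.

```php
<?php
/**
 * Plugin Name: GEN Strong Password Check (added example; assumed to live in wp-content/mu-plugins/)
 * Rejects weak passwords with an explicit message so the user is told why.
 */

// Minimum length is an assumption; set it to the site's password policy.
const GEN_PW_MIN_LENGTH = 12;

/**
 * Returns an empty array when $password is acceptable, otherwise a list of
 * human-readable reasons. $context holds values the password must not contain.
 */
function gen_password_problems( string $password, array $context = array() ): array {
    $problems = array();
    $lower    = strtolower( $password );
    if ( strlen( $password ) < GEN_PW_MIN_LENGTH ) {
        $problems[] = sprintf( 'Password must be at least %d characters long.', GEN_PW_MIN_LENGTH );
    }
    if ( ! preg_match( '/[A-Za-z]/', $password ) || ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'Password must contain both letters and numbers.';
    }
    foreach ( $context as $value ) { // username, e-mail local part, etc.
        $value = strtolower( trim( (string) $value ) );
        if ( '' !== $value && false !== strpos( $lower, $value ) ) {
            $problems[] = 'Password must not contain your username or e-mail address.';
            break;
        }
    }
    // Constructed deny-list with the values tried in the tests above; a real list is much longer.
    $common = array( 'password', 'password1', 'password123', '123456', 'qwerty' );
    if ( in_array( $lower, $common, true ) ) {
        $problems[] = 'That password is too common.';
    }
    return $problems;
}

/**
 * WordPress core fires this when a profile is saved from the admin Users
 * screen; $user->user_pass is set only when a new password was entered.
 */
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // no password change on this save
    }
    $local = isset( $user->user_email ) ? strstr( $user->user_email, '@', true ) : '';
    $avoid = array( $user->user_login ?? '', $local );
    foreach ( gen_password_problems( $user->user_pass, $avoid ) as $msg ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $msg ) );
    }
}, 10, 3 );
```

Each reason is added as its own WP_Error entry, so the profile screen lists every rule the password failed rather than a generic rejection.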