Disabling the forced Admin password change in Zen Cart 1.5.0

*** Warning: This change will violate the PCI status of your cart.  You should only do this on test carts on your own PC or on carts which do not require PCI certification. ***

One of the features which is required for Zen Cart PCI compliance is periodic password changes.  This can be a nuisance on test carts and carts on your local PC.  Here’s how to turn it off.

a) To disable forced 90 day password changes, edit


and change

define('ADMIN_PASSWORD_EXPIRES_INTERVAL', strtotime('- 90 day'));


define('ADMIN_PASSWORD_EXPIRES_INTERVAL', strtotime('- 36500 day'));

(Note that the above change means you won’t have to change passwords for 100 years.  To require an annual password change, use the value 365 instead.)

b) To disable the check against the last 3 passwords, edit

and change zen_check_for_password_problems() so that the first line is
return FALSE;

2 thoughts on “Disabling the forced Admin password change in Zen Cart 1.5.0”

  1. This method of disabling the check against previous passwords also disables the checks for minimum length and strength of password.

    Better to read down a few lines in admin_access.php and comment out ( using /*…*/ the code that checks against previous passwords. In other words,

    $sql = “SELECT admin_pass, prev_pass1, prev_pass2, prev_pass3 FROM ” . TABLE_ADMIN . ”

    (code performing checks is here…)

    return $error;

  2. Thanks for tip, did the jp in 5 minutes.
    Zen Cart is a good cart but just goes too far with PCI compliance.
    Full PCI not kills small businesses but greatly lessens customers’ usability.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.