Did you receive this error after you tried login in? It's from Wordfence.

INSECURE PASSWORD: Your login attempt has been blocked because the password you are using exists on lists of passwords leaked in data breaches. Attackers use such lists to break into sites and install malicious code. Please reset your password to reactivate your account

if you had an account with a password that Wordfence checked against a leaked password so it complains that you must changed it in order to log in otherwise your site is at risk. Hackers keep regularly checking for weak passwords so they can get access to yet another customer site that they can control.

This feature blocks logins for administrators that use a known or compromised passwords.
Any administrator using a password previously seen in a breach will need to reset their password to log in.

You can read more about this feature on Wordfence's blog at https://www.wordfence.com/blog/2018/03/password-leak-attacks-wordpress/

Solutions to Fix Wordfence Blocking the WordPress Logins

Solution 1: reset your password as suggested

The most obvious solution is to do exactly that. Click on the "Lost your password?" link and enter your username or email.
Hopefully your site is configured to send outgoing emails, if not then you'll need to login with another admin account and reset that account's password. If you don't have another admin account you'll need to find a way to reset it in another way.

Solution 2: reset your password using wp-cli

If you have access to wp-cli you can run the following command to reset your password.

wp user update 'YOUR_ACCOUNT' --user_pass='YOUR_NEW_PASS' --skip-plugins --skip-themes

Solution 3: reset your password using the free sak4wp tool

SAK4WP is one of our free tools and it stands for Swiss Army Knife for WordPress. It is very powerful and allows you to do several operations on your WordPress site. For security reasons we highly recommend you delete it after you're done. There are security checks in place but still it's a very powerful tool. There's a Delete button that will make it delete itself.

One of the SAK4WP's features allows you to log in as any user without entering their password. Just pick a username from the list. You need to just upload the file !sak4wp.php via (S)FTP or from a file manager into the WordPress folder where wp-config.php is.


Here's a direct link to the php file.


Solution 4: Temporarily Deactivate Wordfence plugin

As a last resort you can try this appraoch. You need to have (S)FTP or other file access.

You need to rename the wordfence plugin folder which can be found in /wp-content/plugins/wordfence/

You need to pick wordfence000 and then try to login.

After you login go and change your account's password.

After that is done go back and rename the Wordfence folder back to its original name.

Disclaimer: The content in this post is for educational purposes only. Always remember to take a backup before doing any of the suggested steps just to be on the safe side.
Referral Note: When you purchase through an referral link (if any) on this page, we may earn a commission.