Your login attempt has been blocked because the password you are using exists on lists of passwords leaked in data breaches.
If you see this message when trying to log in to your site, it’s because we’ve found your password on a list of breached credentials. When big websites are breached, user data is sometimes leaked, including passwords. These leaks are used to compile lists of passwords. Malicious actors run bots that make large amounts of login attempts on WordPress websites using those passwords. There are several scenarios in which you are at risk:
1. Your password may by pure coincidence be the same as one on such a list. Bots will try these passwords on a variety of sites and may eventually find a match on your site.
2. If you are using the same email or username-password combination on your WordPress website as you have used on other sites in the past and those credentials were at some point leaked, only one attempt may be needed to breach your site.
If you are an admin using a leaked password you may see a notice in WordPress on all admin pages prompting you to change your password. Please change your password to a safe password immediately. As soon as your IP changes (which can happen under many different circumstances) you will otherwise be locked out of your site as described above.
You can enter your email address here to see if it has appeared in leaks: https://haveibeenpwned.com/
For your security, we will block any attempts to log in with passwords that exist breached password lists. You can regain access to your site by resetting your password, and choosing a new, strong password. If another plugin or your theme prevents password resets on your site, you can also temporarily disable Wordfence, log in, and then change your password. (See “Forcefully regain access to your site” below.)