
Block compromised passwords

WARNING: Enabling this setting adds a dependency on outbound HTTPS access to a third-party breach lookup service. Verify that the environment can reach the external service and that this dependency is acceptable before turning it on.

Description of the control

This control appears under Breach Protection as Block compromised passwords. The card description states that it ties into breach data so known-bad passwords cannot be reused.

The UI also states that this enforcement leverages Have I Been Pwned (HIBP) or a similar breach feed. Use this setting when the site should block passwords that appear in known breaches.

Procedure

  1. In WordPress admin, open Posture Management.
  2. Select Authentication & Accounts.
  3. In the Breach Protection card, locate Block compromised passwords.
  4. Turn on the Enable toggle.
  5. Review the breach threshold setting in the same card.
    • The password is rejected when the number of breaches it appears in is greater than or equal to the configured value.
  6. Click Save Authentication Settings.

Validation

After saving, reload Posture Management -> Authentication & Accounts and confirm the Enable toggle remains on for Block compromised passwords.

Test a password update with a password whose breach count meets or exceeds the configured threshold and confirm the password is rejected.
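The following is an added example, written for this page and not taken from the plugin's own code, that models what the toggle and threshold in the Procedure do and what the Validation step exercises. It assumes only the publicly documented shape of the HIBP range API (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>, returning "SUFFIX:COUNT" lines); the breach counts, the fake service, the padding line and the `fail_closed` choice are all constructed for the example, and nothing here contacts the network.

```python
"""Offline model of a k-anonymity breach check with a breach threshold."""
import hashlib
from typing import Callable, Dict, Tuple

# Real HIBP endpoint, shown for reference only; nothing in this file contacts it.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed breach counts that the fake service below serves. These are NOT
# real HIBP figures; they exist only so the example runs without network access.
CONSTRUCTED_BREACH_COUNTS: Dict[str, int] = {
    "password": 3_730_471,
    "123456": 12_345_678,
    "correct horse battery staple": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form the HIBP range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix leaves the site; the 35-char
    suffix is compared locally against the returned range."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fake_range_service(prefix: str) -> str:
    """Stand-in for GET {HIBP_RANGE_URL}{prefix}. Returns 'SUFFIX:COUNT' lines
    for every constructed password whose SHA-1 starts with `prefix`, plus a
    zero-count padding line (constructed) so a sparse range still looks populated."""
    lines = [
        f"{split_hash(pw)[1]}:{count}"
        for pw, count in CONSTRUCTED_BREACH_COUNTS.items()
        if split_hash(pw)[0] == prefix
    ]
    lines.append("0" * 35 + ":0")  # constructed padding entry
    return "\r\n".join(lines) + "\r\n"


def unreachable_service(prefix: str) -> str:
    """Stand-in for the outage the warning on this page describes."""
    raise OSError("breach lookup service unreachable")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fake_range_service) -> int:
    """Number of breaches the password appears in (0 if absent from its range)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_blocked(password: str, threshold: int,
               fetch_range: Callable[[str], str] = fake_range_service,
               fail_closed: bool = True) -> bool:
    """The card's rule: reject when breach count >= threshold.

    `fail_closed` is this example's own design choice for a failed lookup;
    the page does not state how the plugin behaves in that case."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    try:
        count = breach_count(password, fetch_range)
    except OSError:
        if fail_closed:
            raise
        return False
    return count >= threshold


if __name__ == "__main__":
    for pw, thr in (("password", 1), ("123456", 1_000_000),
                    ("correct horse battery staple", 2), ("not-in-any-list", 1)):
        print(f"{pw!r} threshold={thr}: blocked={is_blocked(pw, thr)}")
```

Two points worth taking from it when validating the setting: the threshold comparison is "greater than or equal", so a threshold of 1 blocks any password that appears in the feed at all, and only a 5-character hash prefix is ever sent to the lookup service, which is why the outbound dependency in the warning is acceptable from a privacy standpoint even though it remains an availability dependency.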
