Wordfence is one of, if not THE, best security plugins for WordPress. One of the reasons I like Wordfence the most is the two-factor authentication (2FA) feature that’s built into the plugin alongside its web application firewall. It works well, but what happens if you accidentally lock yourself out of your website with 2FA enabled?
That happened to me.
I got a new phone and in the process of changing over my 2FA app from one phone to another, I unintentionally deleted the 2FA code from the wrong phone, thus locking myself out! I still knew my password, but I had the wrong 2FA setup on my new phone, so it would NEVER authenticate.
If this is you, don’t lose hope. There’s still a way to get back into your site.
What You’ll Need
- Access to your website’s hosting account (cPanel is the most common of these) which should include:
  - File system access or FTP access to your site’s directory
  - MySQL database access
- A current administrator login for your WordPress site
- A deep breath and some composure (it’s going to be ok)
If you feel like you’re in over your head and no longer want to proceed…contact your hosting company to see if they can help. Otherwise, press on!
How to Get Back in Your Site
Your site is most likely already broken if you’re here, but you don’t want to make it worse. You should have a recent backup of your site, and restoring it could be a better course of action than proceeding with the steps below. However, since you can’t log in, this would have to be a backup that is available through your hosting provider. (Side-note: SiteGround is a great web host that has full backups built into their hosting products. If you’re looking for a host to change to later, I fully recommend them.)
Alright, enough of that. Let’s do this!
Rename The Wordfence Plugin Folder
Access your site’s filesystem (cPanel file browser or FTP).
Next, rename the Wordfence plugin folder to something like “disabled_wordfence”.
You’ll find the Wordfence plugin folder in your web directory under “wp-content/plugins/”. If you aren’t sure where your web directory is, contact your web host to see how they’ve structured it.
Once you rename this folder, you render the Wordfence plugin inactive.
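If your host gives you shell access (an assumption; the post itself uses the cPanel file browser or FTP), the same rename can be done with a few guard checks. This script is an added example, not part of the original post: the function names and the WordPress root argument are hypothetical, and the restore step goes beyond what the post does.

```shell
#!/bin/sh
# Added example: guarded version of the folder rename described above.
# Function names and the WordPress root argument are assumptions.

PLUGINS="wp-content/plugins"

# Print "enabled", "disabled" or "missing" for the install at $1.
wf_state() {
    if [ -d "$1/$PLUGINS/wordfence" ]; then echo enabled
    elif [ -d "$1/$PLUGINS/disabled_wordfence" ]; then echo disabled
    else echo missing
    fi
}

# Move folder $2 to $3 inside the plugins directory of the install at $1.
wf_move() {
    # wp-load.php sits in every WordPress root; refuse any other directory.
    [ -f "$1/wp-load.php" ] || { echo "not a WordPress root: $1" >&2; return 2; }
    [ -d "$1/$PLUGINS/$2" ] || { echo "$2 not found" >&2; return 3; }
    # Never overwrite: mv would nest the folder inside an existing target.
    if [ -e "$1/$PLUGINS/$3" ]; then echo "$3 already exists" >&2; return 4; fi
    mv "$1/$PLUGINS/$2" "$1/$PLUGINS/$3"
}

# Rename the folder so WordPress can no longer load Wordfence (and its 2FA).
wf_disable() { wf_move "$1" wordfence disabled_wordfence; }

# Optional, not in the post: put the original folder name back.
wf_restore() { wf_move "$1" disabled_wordfence wordfence; }

# Usage: sh wf-recover.sh disable|restore|state /path/to/wordpress
case "${1:-}" in
    disable) wf_disable "$2" ;;
    restore) wf_restore "$2" ;;
    state)   wf_state "$2" ;;
esac
```

While the folder is renamed the plugin is inactive, so the site runs without Wordfence's 2FA until you re-enable it; keep that window short.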
Log In with Administrator Account
That’s it! You’re back in! You should be able to sign in now with your existing administrative account password.
You’ll notice that you didn’t have to provide your 2FA code on your next login after the Wordfence plugin has been disabled. You’ll also notice you don’t see the Wordfence menu item on the left side of your Dashboard. That, of course, is because you disabled the plugin in the file system.
Now that you’re logged in again, you can safely re-enable the Wordfence plugin. Navigate to Plugins -> Installed Plugins on the left side of your WordPress Dashboard.
To activate Wordfence, just find the plugin in the list of installed plugins and click Activate.
After enabling the Wordfence plugin again, if you don’t see it in the left-hand navigation of your Dashboard, refresh the page.
At this point you’re logged into WordPress and Wordfence is back on. Boom! High-five yourself or something. You made it! You have successfully logged in, circumventing Wordfence’s 2FA.
There’s just one more step to get this fixed to 100%.
You’ll need to deactivate 2FA from your account and set it back up. This will clear out the old 2FA code and allow you to set it up like you did when you initially set up 2FA in Wordfence.
Navigate to Wordfence -> Login Security -> click “Deactivate” for your account.
Now if you sign out and sign back in, you will not be prompted for 2FA.
Set Up 2 Factor Authentication Again
It’s best practice to use 2FA, especially if your account has admin access on your site. It will behoove you to require 2FA on all admin accounts, as well as any other accounts that have access to things that you wouldn’t want a hacker accessing (that puts it in perspective…).
To enable 2FA again, navigate to Wordfence on the left-hand navigation in the Dashboard, click Login Security, then turn on 2FA for your account.
I hope this has been helpful to you. It took me several hours of Googling and panicking to get this sorted out and to create the blog post for posterity.
I would love to hear how this article has helped you. Drop a comment below, and I’ll be sure to get back to you. You can also reach out through the Contact form.
Thanks for stopping by!