Wordfence is one of, if not THE, best security plugins for WordPress. One of the reasons I like Wordfence the most is their 2 Factor Authentication (2FA) piece that’s built-in to their web application firewall. It works well, but what happens if you accidentally lock yourself out of your website with 2FA enabled?
That happened to me.
I got a new phone and in the process of changing over my 2FA app from one phone to another, I unintentionally deleted the 2FA code from the wrong phone, thus locking myself out! I still knew my password, but I had the wrong 2FA setup on my new phone, so it would NEVER authenticate.
If this is you, don’t lose hope. There’s still a way to get back into your site. (UPDATE: and now there’s an Easy Way if you’re setup Wordfence Central)
What You’ll Need
- For the Easy Way, you’ll have to have already setup your site on Wordfence Central. If not, read on…
- Access to your website’s hosting account (cPanel is the most common of these) which should include:
- File system access or FTP access to your site’s directory
- mySQL database access
- A current administrator login for your WordPress site
- A deep breath and some composure (it’s going to be ok)
If you feel like you’re in over your head and no longer want to proceed…contact your hosting company to see if they can help. Otherwise, press on!
UPDATE: The Easy Way
If you have setup your site in Wordfence Central, then you’re in luck. You can whitelist your WAN IP address from having to provide 2FA, and then you can login and fix things. (if you don’t have Wordfence Central, click here)
Shout Out
I must give a shoutout to this post of Reddit (user: tcan1337) for coming up with this idea. Brilliant! I’m not taking credit for this idea at all, but I wanted to make you aware and show you details (with screenshots) on how to do it.
[Easy Way] Step 1
Go to https://whatismyip.com to find out what your WAN (public) IP address is from the computer you’re working from. Keep this tab open or copy your IP somewhere for later reference.
[Easy Way] Step 2
Login to your Wordfence Central account and click the Settings (gear) icon next to your site and under Configuration -> Details:
[Easy Way] Step 3
Click “Expand All Options” to display all possible options on the page.
[Easy Way] Step 4
Press Ctrl + F in your browser for the “find” feature, and search for “2fa”. Scroll down to the section for 2FA, called “Login Security”.
[Easy Way] Step 5
Type in your IP address from Step 1 in the field called “Allowlisted IP addresses that bypass 2FA“. Scroll back to the top of the page, and click “Save Changes”.
[Easy Way] Step 6
Once this takes effect, you should be able to login to your site without using 2FA. That will allow you to reset 2FA on your account and set it back up again. (see this step below)
If you’re having any problems so far, please leave a comment on this page or reach out to me directly. I’d love to help.
If you otherwise don’t have Wordfence Central configured or if you had problems, proceed with these steps below. I was able to use the following steps to access my account again even though I did already have Wordfence Central configured. I didn’t realize I could edit the configuration of Wordfence remotely like that!
How to Get Back in Your Site
Your site is most likely already broken if you’re here, but you don’t want to make it worse. You should have a recent backup of your site, which could be the best course of action instead of proceeding with the steps below. However, since you can’t login, this would have to be a backup that is available through your hosting provider. (Side-note: SiteGround is a great web host that has full backups built-in to their hosting products. If you’re looking for a host to change to later, I fully recommend them.)
Alright, enough of that. Let’s do this!
Step 1: Rename The Wordfence Plugin Folder
Access your site’s filesystem (cPanel file browser or FTP):
Next, rename the Wordfence plugin folder to something like “disabled_wordfence” like so:
You’ll find the Wordfence plugin in your web directory then “wp-content/plugins/”. If you aren’t sure where your web directory is, contact your web host to see how they’ve structured it.
Once you rename this folder, you render the Wordfence plugin inactive.
Step 2: Login with Administrator Account
That’s it! You’re back in! You should be able to sign in now with your existing administrative account password.
You’ll notice that you didn’t have to provide your 2FA code on your next login after the Wordfence plugin has been disabled. You’ll also notice you don’t see the Wordfence menu item on the left side of your Dashboard. That, of course, is because you disabled the plugin in the file system.
Step 3: Activate Wordfence
Now that you’re logged in again, you can safely re-enable the Wordfence plugin.
[Edit: Special thanks to Kirby in the Comments for bringing this to my attention! You have to rename the wordfence folder again after logging in.]
In your web server’s file system, you’ll need to rename the “disabled_wordfence” folder name back to “wordfence” to re-enable the plugin. Before you do this, make sure you are already logged into your site so that you are already past the 2FA prompt.
Wordfence may be enabled but deactivated at this point. If it is, navigate to Plugins -> Installed Plugins on the left side of your WordPress Dashboard.
To activate WordPress, just find the plugin in the list of installed plugins and click Activate.
After enabling the Wordfence plugin again, if you don’t see it in the left-hand navigation of your Dashboard, refresh the page.
Step 4: Deactivate Wordfence 2FA
At this point you’re logged into WordPress and Wordfence is back on. Boom! High-five yourself or something. You made it! You have successfully logged in, circumventing Wordfence’s 2FA.
There’s just one more step to get this fixed to 100%.
You’ll need to deactivate 2FA from your account and set it back up. This will clear out the old 2FA code and allow you to set it up like you did when you initially setup 2FA in Wordfence.
Navigate to Wordfence -> Login Security -> click “Deactivate” for your account.
Now if you sign out and sign back in, you will not be prompted for 2FA.
Step 5: Setup Wordfence 2FA Again
It’s best practice to use 2FA, especially if your account has admin access on your site. It will behoove you to require 2FA on all admin accounts, as well as any other accounts that have access to things that you wouldn’t want a hacker accessing (that puts it in perspective…).
To enable 2FA again, navigate to Wordfence on the left-hand navigation in the WordPress Dashboard, click Login Security, then turn on 2FA for your account.
Final Thoughts
I hope this has been helpful to you. It took me several hours of Googling and panicking to get this sorted out and to create the blog post for posterity.
If you need a good web host who is always willing to help with these kinds of issues, I recommend SiteGround (they’re my host). They can help you get the back-end access you need, and they will sometimes help a little within WordPress, even though that’s outside of their realm of “support”. They’re the best host I’ve found.
I would love to hear how this article has helped you. Drop a comment below, and I’ll be sure to get back to you. You can also reach out through the Contact form.
Thanks for stopping by!
So glad to find this explanation, it worked great and resolved the issue. And yes I was panicked for a bit! Only one question remains: the wordfence directory remains with the changed name. Do I need to change it back? – thanks!
Thanks for pointing this out! Yes, you’ll need to rename “disabled_wordfence” back to just “wordfence”, but make sure you are logged in first. I updated the post. Thanks for the help and let me know if I can do anything else for you.