2FA lockout despite renaming Wordfence folder via SFTP

  • Resolved knittingtheweb

    (@knittingtheweb)


    6 months, 1 week ago

    I recently bought a new iPhone and am locked out of my website due to a problem with Wordfence 2FA.

    All of my apps were transferred to my new phone at the Apple Store. However, something went wrong with the Microsoft Authenticator app. Now when I try to log in to my website using a code generated on the new phone, I get “CODE INVALID: The 2FA code provided is either expired or invalid. Please try again.”

    I used SFTP to rename the Wordfence folder to wordfence.bak. I tried again to log in and got “CODE REQUIRED: Please provide your 2FA code when prompted.” Shouldn’t renaming the Wordfence folder have disabled 2FA?

    When I reverted the Wordfence plugin folder rename, I’m back to getting the CODE INVALID message.

    I tried the login process in both Firefox and Chrome.

    Are there other methods to deactivate Wordfence? If I can deactivate it and log in, I know how to reset the 2FA in Wordfence settings.

    Thanks for any help you can give. I’m getting a little worried at this point!

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfmargaret

    (@wfmargaret)

    Hi @knittingtheweb, thanks for reaching out.

    If you have Wordfence Login Security installed, please make sure that is deactivated as well by renaming the folder wordfence-login-security to wordfence-login-security.bak.

    While Wordfence is deactivated, please perform a hard refresh on the login page and try logging in again. I want to ensure there’s no cached JavaScript or CSS on the page that’s interfering with the login after the plugin is deactivated.  You could also try private browsing/incognito mode to see if the issue subsides when the browser is bypassing the cache.

    Let me know how that goes for you!

    Thanks,
    Margaret

    Thread Starter knittingtheweb

    (@knittingtheweb)

    Thank you for your reply, Margaret. I do not have Wordfence Login Security installed.

    I tried again:

    1. I renamed the Wordfence folder to wordfence.bak via SFTP.
    2. I opened the login form in a new incognito Chrome window.
    3. I entered my admin username and password.
    4. I again received the “CODE REQUIRED: Please provide your 2FA code when prompted” message.

    Any other suggestions? I’ve worked through this new phone/Wordfence 2FA issue on 10 websites hosted by WP Engine, and in every case renaming the folder allowed me to log in and reset 2FA. The fact that it’s not working on this website is concerning. It’s on shared hosting by Namecheap/EasyWP, if that information is useful.

    Plugin Support wfmargaret

    (@wfmargaret)

    Hi @knittingtheweb,

    I’m seeing Wordfence active on the website currently.? I suspect you re-enabled it, but if you left that disabled please double-check that you’re renaming the folder on the correct site.

    If you’ve added your site to Wordfence Central, you can allowlist your IP in your site’s 2FA, which will allow you to temporarily bypass the two-factor authentication and log in.

    • Log into Wordfence.com and look for the Configuration tab.
    • Click the gear icon at the end of the row that the site you need to access is on.
    • Scroll down to the Login Security Options section and expand General by clicking the small black arrow to the right.
    • In the section that says “Allowlisted IP addresses that bypass 2FA and reCAPTCHA” add your public-facing IP address.
      NOTE : You can get your public-facing IP by clicking this link.
    • Scroll back to the top of the screen and save the changes.
    • You should now be able to login to your site with just a username and password.

    Thanks,
    Margaret

    Thread Starter knittingtheweb

    (@knittingtheweb)

    I should have also mentioned that none of my recovery codes are working.

    Thread Starter knittingtheweb

    (@knittingtheweb)

    You’re correct, I had re-enabled Wordfence pending additional help. ??

    Thank you for the detailed instructions for whitelisting my IP address in Wordfence Central. That did the trick; I was able to log in, disable and then re-enable 2FA, and save my new recovery codes.

    Brilliant! Thank you so much, Margaret. Wordfence is such a great plugin and now I know their support is top-notch, too!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘2FA lockout despite renaming Wordfence folder via SFTP’ is closed to new replies.

Tags