The 2FA lockout situation
You set up two-factor authentication on WordPress months ago. You changed phones. Your old phone is dead. You can't generate codes. You don't have the backup codes (or you do but lost the paper).
Your WordPress site is online and working — you're locked out, not your visitors. But you can't update plugins, post new content, or even change the password.
This article is the recovery procedure, ordered from least destructive to most.
Method 1 — Email-based bypass (if your plugin supports it)
Most 2FA plugins offer "send recovery code to email" as an option. The trigger is on the 2FA prompt screen.
Plugins that support this:
- WP 2FA (by WP White Security)
- Two-Factor (by the WordPress team)
- Wordfence Login Security
- iThemes Security
Steps:
1. Go to your WordPress login page
2. Enter your username and password
3. On the 2FA prompt screen, look for the "Send code to email" link
4. Click it and check your email
5. Enter the code from the email
This only works if you can access the admin email. If you can't, move to Method 2.
Method 2 — Disable 2FA plugin via FTP/SSH
This is the workhorse recovery method.
Via FTP:
1. Connect to your site via FTP
2. Navigate to /wp-content/plugins/
3. Rename your 2FA plugin folder (e.g. two-factor → two-factor-DISABLED)
4. WordPress detects the plugin is missing and deactivates it
5. Log in normally
6. Either set up 2FA fresh, or rename the plugin folder back and reconfigure it
Via SSH:
cd /var/www/yoursite/wp-content/plugins
mv two-factor two-factor-DISABLED

Via WP-CLI:
wp plugin deactivate two-factor

This is what we use in 90% of recovery cases. Takes 30 seconds.
Method 3 — Edit usermeta to remove 2FA secret
If you can't deactivate the plugin (e.g. it's a must-use plugin or part of a security suite), you can manually remove the 2FA data for your user account.
Via WP-CLI:
wp user meta delete <user_id> _two_factor_provider
wp user meta delete <user_id> _two_factor_enabled_providers
wp user meta delete <user_id> _two_factor_backup_codes

The meta key names vary by plugin. Common ones:
- _two_factor_provider
- _two_factor_secret
- googleauthenticator_secret
- wf_loginshield_secret
Via phpMyAdmin/MySQL (wp_ is the default table prefix; substitute yours if it differs):
SELECT user_id, meta_key FROM wp_usermeta
WHERE meta_key LIKE '%two_factor%' OR meta_key LIKE '%totp%' OR meta_key LIKE '%2fa%';

DELETE FROM wp_usermeta WHERE user_id = X AND meta_key IN ('_two_factor_secret', '_two_factor_enabled_providers');

Replace X with the user_id the SELECT returned. After removing the secret, log in with username + password only. Set up 2FA fresh once logged in.
Method 4 — Direct database password reset
If you also forgot your password (not just 2FA), reset directly:
UPDATE wp_users
SET user_pass = MD5('NewTempPassword123!')
WHERE user_login = 'youradmin';

WordPress's password format isn't actually MD5, but MD5 hashes pass through and get re-hashed on next login. Once you log in with NewTempPassword123!, immediately change to a strong password.

With WP-CLI (more robust):
wp user update <user_login> --user_pass="NewTempPassword123!"

This uses the proper hashing algorithm.
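To show why the MD5 row above is accepted and then replaced, here is an added example (written for this article, not code from WordPress core or WP-CLI) that re-implements the phpass portable "$P$B" hash WordPress used before it moved to bcrypt in 6.8, plus a check function mirroring the legacy-MD5 branch of wp_check_password(): a 32-character value is verified as plain MD5 and flagged for re-hashing, which core performs on that login. Function names and the fixed test salt are this example's own.

```python
import hashlib
import os
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # phpass alphabet

def _encode64(data: bytes, count: int) -> str:
    # phpass' own base64 variant: little-endian 6-bit groups, no padding
    out, i = "", 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out

def phpass_crypt(password: str, setting: str) -> str:
    # setting = "$P$" + cost char + 8-char salt; rounds = 2 ** cost (WordPress: "B" = 13)
    count_log2 = ITOA64.find(setting[3])
    if not setting.startswith("$P$") or not 7 <= count_log2 <= 30:
        raise ValueError("not a phpass portable hash")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)

def wp_hash_password(password, salt=None):
    # WordPress default: cost "B", 6 random salt bytes encoded to 8 chars
    salt = salt if salt is not None else os.urandom(6)
    return phpass_crypt(password, "$P$B" + _encode64(salt, 6))

def wp_check_password(password: str, stored: str):
    # Returns (valid, needs_rehash). A 32-char value is the legacy plain-MD5 case
    # written by the UPDATE ... MD5() recovery: accepted, then re-hashed by core.
    if len(stored) <= 32:
        return hashlib.md5(password.encode()).hexdigest() == stored, True
    try:
        return phpass_crypt(password, stored) == stored, False
    except (ValueError, IndexError):
        return False, False
```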
Method 5 — Recovery user creation
If your user account is in a strange state where the methods above don't work, create a fresh admin user:
wp user create rescueadmin admin@yoursite.com --role=administrator --user_pass="StrongRecoveryPassword123!"

Log in as rescueadmin and fix the original account from there.
Once resolved, delete the rescue user:
wp user delete rescueadmin --reassign=1

Method 6 — wp-config.php emergency
WordPress supports an emergency mode where you can bypass certain auth checks. Add to wp-config.php:
define('CONCATENATE_SCRIPTS', false);

Then visit wp-login.php?action=resetpass. This resets the password via email if the user has the correct email.

For a more aggressive bypass:
// TEMPORARY — REMOVE AFTER USE
add_filter('wp_authenticate_user', function($user) { return $user; }, 999);

This disables all login filters including 2FA. Log in, then remove the filter immediately.
Why these methods work
WordPress's auth system is layered. 2FA hooks into post-login checks. By:
- Removing the 2FA plugin → no post-login check happens
- Removing the 2FA secret from usermeta → no secret to compare against
- Resetting the password → bypasses 2FA in some plugins that tie 2FA to password verification
Each method targets a different layer.
Preventing future lockouts
After recovery, set up resilient 2FA:
- Save backup codes — print, store in a fireproof safe
- Add multiple devices — your phone AND a hardware key (YubiKey)
- Add SMS as fallback — even if SMS is less secure, it's better than total lockout
- Add admin email recovery — ensure the recovery email is one you control
Common mistakes during 2FA recovery
- Trying password reset before checking 2FA — many "forgot password" flows also require 2FA
- Resetting database manually with MD5 hash — WordPress salting may not accept it; use WP-CLI
- Not removing rescue user after recovery — leaves an attack surface
- Storing backup codes in same place as 2FA app — defeats the purpose
When to call a specialist
If your site is critical and the database/FTP isn't accessible (or you don't know how to use them), we provide 2FA recovery in under an hour with no risk of data loss.