• I am experiencing an issue with Wordfence Login Security (2FA) on a WordPress site.

    Environment

    • WordPress 6.5.8
    • Wordfence Login Security enabled
    • PHP on Windows Server
    • Browser tested:
      • Firefox
      • Chrome
    • Time on server and client machines appears synchronized

    Issue

    I enabled Two-Factor Authentication for a user account.

    The QR code was scanned successfully using an authenticator application and OTP codes are being generated normally.

    However, every time I enter the generated OTP code during setup/verification, Wordfence returns:

    Invalid Code

    The code never validates successfully.

    What I have verified

    1. The QR code was scanned successfully.
    2. Multiple OTP codes were tested.
    3. Different browsers were tested.
    4. Server can load Wordfence Login Security resources correctly:
       /wp-content/plugins/wordfence/modules/login-security/js/login.*.js
       /wp-content/plugins/wordfence/modules/login-security/css/login.*.css
    5. Wordfence Login Security page is accessible and functioning.
    6. No PHP fatal errors are generated during the validation attempt.

    Relevant PHP Debug Log

    The only messages appearing are deprecated function warnings from another component:

    PHP Deprecated: Function get_userdatabylogin is deprecated since version 3.3.0!
    Use get_user_by('login') instead.

    PHP Deprecated: Function update_usermeta is deprecated since version 3.0.0!
    Use update_user_meta() instead.

    These warnings occur when attempting to validate the OTP.

    Access Log Observation

    During login attempts I can see requests such as:

    POST /wp-admin/admin-ajax.php HTTP/1.1 200
    POST /wp-login.php HTTP/1.1 200

    and Wordfence Login Security assets are loaded correctly.

    However, OTP verification still fails with “Invalid Code”.

    Questions

    1. Is there a known issue where deprecated plugins using:
      • get_userdatabylogin()
      • update_usermeta()
      can interfere with Wordfence Login Security 2FA enrollment?
    2. Does Wordfence store 2FA secrets in usermeta or a dedicated table, and are there recommended checks to verify that the secret is being saved correctly?
    3. Are there specific Wordfence debug logs that can show why an OTP is being rejected?
    4. Are there known causes of “Invalid Code” besides clock drift/time synchronization issues?

    Any guidance on additional diagnostics would be appreciated.

    Thank you.

    • This topic was modified 1 week, 6 days ago by harryxtr.
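
An added diagnostic sketch for the clock-drift question above; it is not part of the original post and not Wordfence's code. It assumes the authenticator app and the plugin use the common RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), and the secret shown is the RFC 6238 test secret, not a real enrollment secret. Given the enrolled secret, an entered code and the server's Unix time, it reports whether the code matches at all and at which time-step offset.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret ("12345678901234567890") in base32; sample value only.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed defaults, see lead-in)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def find_step_offset(secret_b32, code, server_time, search=20, step=30):
    """Return the step offset (nearest first) at which `code` is valid
    relative to server_time, or None if nothing within +/-search matches."""
    for n in sorted(range(-search, search + 1), key=abs):
        candidate = totp(secret_b32, server_time + n * step, step, len(code))
        if hmac.compare_digest(candidate, code):
            return n
    return None

def diagnose(secret_b32, code, server_time, accepted_window=1, step=30):
    """Classify a rejected code: valid, clock skew, or secret/code mismatch.
    accepted_window is a hypothetical tolerance, not a Wordfence setting."""
    n = find_step_offset(secret_b32, code, server_time, step=step)
    if n is None:
        return "no match: app and server secrets differ, or the code was mistyped"
    if abs(n) <= accepted_window:
        return "match at step %+d: code is valid for this secret and clock" % n
    return "match at step %+d: clocks differ by about %d seconds" % (n, abs(n) * step)

if __name__ == "__main__":
    phone_time = 59                       # constructed: when the app showed the code
    code = totp(SECRET, phone_time)
    print(diagnose(SECRET, code, phone_time))          # clocks agree
    print(diagnose(SECRET, code, phone_time + 300))    # server 5 minutes ahead
```

A "no match" result with a correctly typed code points away from time synchronization and toward the stored secret differing from the one in the app.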
Viewing 1 replies (of 1 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @harryxtr

    Please send your Wordfence diagnostics report.

    Update to the latest version of Wordfence if you haven’t already done so.

    Go to the top of the “Diagnostics” tab on the Wordfence “Tools” page. There will be a “SEND REPORT BY EMAIL” button to send the diagnostics report. Enter wftest [at] wordfence [dot] com as the email and harryxtr as the forum username please.

    Once you have emailed me the diagnostics report, can you reply here to let me know that it has been sent? This is important in the unlikely event that your installation of WordPress is having an issue with sending mail.
