Support » Plugin: Wordfence Security - Firewall & Malware Scan » 2FA won’t recognize Authenticator codes or recovery codes

  • Resolved infinitydog

    (@infinitydog)


    I recently installed the Wordfence plugin on my website. Tonight I activated the Two-Factor Authentication feature in the Login Security section, using the scanned QR code it displayed on the plugin’s Login Security page on my site. It added a Wordfence entry on my Google Authenticator iPhone app.

    I downloaded my recovery codes, and then I logged out of my site to test the new 2FA system.

    I entered my login and password correctly, and then it asked me for the 2FA code. I opened the Google Authenticator app, made sure I was looking at the Wordfence authentication code, and entered it as shown.

    Every time, it produces the error “VALIDATION FAILED: The 2FA code could not be validated. Please try logging in again.”

    After three failed attempts at using Authenticator code, I tried my first recovery code. I got the same error: “VALIDATION FAILED: The 2FA code could not be validated. Please try logging in again.”

    I am now effectively locked out of my site, and have no way back in.

    I followed the steps as instructed; I entered the codes as directed. Why am I locked out of my site?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author WFSupport

    (@wfsupport)

    Thanks for reaching out. I’m happy to provide you instructions on how to get back in.

    If you have lost or replaced your old phone and can no longer access your site(s), and you have misplaced the 2FA backup codes, there are 2 ways to get back into the site.

    The first way is if you have added the site in Wordfence Central (a free site management tool in your account on wordfence.com).

    • Login to Wordfence.com and look for the Configuration tab.
    • Click the gear icon at the end of the row that the site you need to access is on.
    • Scroll down to the Login Security Options section and expand it by clicking the small black arrow to the right.
    • In the section that says “Whitelisted IP addresses that bypass 2FA” add your public facing IP address.
      NOTE: You can get your public-facing IP by clicking here.
    • Scroll back to the top of the screen and save the changes.

    You should now be able to login to your site with just a username and password.

    If you haven’t added your site to Wordfence Central follow these steps.

    • Please use FTP/SFTP — or any file manager your web host provides via their administration panel.
    • Look inside the /wp-content/plugins/ directory and rename the wordfence directory to wordfence.bak. This will deactivate Wordfence and allow you to login without the 2FA code.
    • Once you have logged in to your WordPress admin you can name the folder back to wordfence again.
    • Go to your user profile and add 2FA back to your account, making sure to download the backup codes in case of problems in the future.

    Now that you’re back in you can figure out what happened. Create a test account and enable 2FA (you can use the same phone) and activate it. Then try logging in, making sure to follow these steps:
    • Enter your username and password on the site like normal.
    • When the screen refreshes it should ask for a 2FA code. Enter it then and click to continue. It should log you in.

    If the screen refreshes and you see the username and password field again, try logging in like this:
    Enter your username and then for the password field enter your password, a space, and the code. For instance if your password is JL4@aTfx6g and the code is 123 456, enter JL4@aTfx6g 123456 in the password field.

    If the test account works, try it again with your account. If it doesn’t, respond here and let me know.

    Tim
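The reply above describes two things the login flow has to get right: validating the six-digit code shown in Google Authenticator, and the fallback of typing the password, a space and the code into one password field. The following Python is an added illustration of those mechanics, not Wordfence’s own code: the TOTP check is the standard RFC 6238 algorithm (HMAC-SHA1, 30-second steps, a ±1 step tolerance window), and `split_password_and_code` is a hypothetical helper showing one way a plugin could separate the code from the password. The secret used is the RFC 4226/6238 test-vector secret, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226/6238 test-vector secret ("12345678901234567890") in base32, the form
# an enrolment QR code carries. Constructed for demonstration; not a real account secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the Authenticator app computes from the scanned secret."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current step and for +/- `window`
    adjacent steps, which tolerates small clock drift between phone and server.
    The space Authenticator shows in the middle ("123 456") is ignored."""
    submitted = submitted.replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    counter = at // step
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta)
        # Constant-time comparison so a wrong code does not leak timing information.
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def split_password_and_code(field: str):
    """Hypothetical helper for the fallback form described in the reply:
    '<password> <code>' typed into the single password field.
    Splits on the LAST space so a password that itself contains spaces still works.
    Returns (password, code); code is None when no code was appended."""
    if " " not in field:
        return field, None
    password, code = field.rsplit(" ", 1)
    return password, code


def login_with_combined_field(secret_b32: str, stored_password: str,
                              field: str, at: int) -> bool:
    """Combine both pieces: password must match and the appended TOTP must verify."""
    password, code = split_password_and_code(field)
    if code is None or not hmac.compare_digest(password, stored_password):
        return False
    return verify_totp(secret_b32, code, at)


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; in real use: int(time.time())
    print("code at t=59:", totp(RFC_SECRET_B32, now))          # 287082
    print("combined login:", login_with_combined_field(
        RFC_SECRET_B32, "JL4@aTfx6g", "JL4@aTfx6g 287082", now))  # True
```

The tolerance window is why a code that has just rolled over on the phone still validates; a code that is rejected on every attempt, including recovery codes as in the original post, points at something other than clock drift, such as another plugin intercepting the login request.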

    Thread Starter infinitydog

    (@infinitydog)

    Hello, Tim. Thank you for your detailed response.

    Using FTP, I was able to follow the steps to temporarily disable Wordfence. That enabled me to log in and temporarily deactivate Wordfence’s 2FA feature.

    I then created a new test admin account, followed the steps to set up its 2FA — scanned the QR code with the iPhone Google Authenticator app to create a unique code generator for that new account, downloaded the new recovery codes, used the code from the Google Authenticator to activate 2FA (that always works), and logged out to test the new account.

    The same login validation error occurred with the new account, despite following all the steps exactly as instructed.

    The good news is, I figured out what was going wrong. A legacy plugin — Stop Spammers Version 2021.14 — appears to have been interfering in the Wordfence login security 2FA process. When I deactivated the Stop Spammers plugin, the Wordfence 2FA login authentication worked as intended.

    Thank you very much for your help and your patience, and I apologize for the fact that it was one of my own leftover plugins that proved to be the culprit.

    Dave

    Plugin Author WFSupport

    (@wfsupport)

    Oh wow. Good catch!

    Thanks for letting us know.

    Tim

    Please see: https://wordpress.org/plugins/stop-spammer-registrations-plugin/#why%20is%202fa%20failing%3F

    It’s important to keep both Stop Spammers and Wordfence installed. Neither of these plugins replaces the other; instead they complement each other. If you have a membership site especially, you’re likely to see the return of quite a bit of spam if you remove Stop Spammers.

    Thread Starter infinitydog

    (@infinitydog)

    Bryan,

    Thanks for letting me know about that. I’ve made the correction you suggested and re-enabled the Stop Spammers plugin. It now works fine and no longer interferes with the Wordfence 2FA. Much obliged!

    Dave

    You’re welcome.
