Wordfence Login Security 2FA always returns “Invalid Code”
I am experiencing an issue with Wordfence Login Security (2FA) on a WordPress site.
Environment
- WordPress 6.5.8
- Wordfence Login Security enabled
- PHP on Windows Server
- Browsers tested:
  - Firefox
  - Chrome
- Time on server and client machines appears synchronized
Issue
I enabled Two-Factor Authentication for a user account.
The QR code was scanned successfully using an authenticator application and OTP codes are being generated normally.
However, every time I enter the generated OTP code during setup/verification, Wordfence returns:
Invalid Code
The code never validates successfully.
What I have verified
- The QR code was scanned successfully.
- Multiple OTP codes were tested.
- Different browsers were tested.
- Server can load Wordfence Login Security resources correctly:
  /wp-content/plugins/wordfence/modules/login-security/js/login.*.js
  /wp-content/plugins/wordfence/modules/login-security/css/login.*.css
- Wordfence Login Security page is accessible and functioning.
- No PHP fatal errors are generated during the validation attempt.
Relevant PHP Debug Log
The only messages appearing are deprecated function warnings from another component:
PHP Deprecated: Function get_userdatabylogin is deprecated since version 3.3.0!
Use get_user_by('login') instead.
PHP Deprecated: Function update_usermeta is deprecated since version 3.0.0!
Use update_user_meta() instead.
These warnings occur when attempting to validate the OTP.
Access Log Observation
During login attempts I can see requests such as:
POST /wp-admin/admin-ajax.php HTTP/1.1 200
POST /wp-login.php HTTP/1.1 200
and Wordfence Login Security assets are loaded correctly.
However, OTP verification still fails with “Invalid Code”.
Questions
- Is there a known issue where deprecated plugins using:
  get_userdatabylogin()
  update_usermeta()
- Does Wordfence store 2FA secrets in usermeta or a dedicated table, and are there recommended checks to verify that the secret is being saved correctly?
- Are there specific Wordfence debug logs that can show why an OTP is being rejected?
- Are there known causes of “Invalid Code” besides clock drift/time synchronization issues?
Any guidance on additional diagnostics would be appreciated.
Thank you.
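An added diagnostic sketch, not part of the original post and not Wordfence code: it separates the two causes raised above (clock drift versus a secret that was not stored as scanned) by checking which time step, if any, produces the code the authenticator shows. It assumes the RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second steps); the function names are hypothetical and the secret is the constructed RFC 6238 test key, so use a throwaway test enrollment's secret when running it for real.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6   # code length (assumed here)

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the RFC 6238 HMAC-SHA1 code for the given Unix time."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def find_drift(secret_b32, observed_code, server_time, max_steps=120):
    """Return the step offset whose code equals observed_code, else None.

    0 means the clocks agree, a nonzero n means the authenticator is about
    n * STEP seconds away from server_time, and None means no step in the
    window matches, which points at a secret mismatch rather than drift.
    """
    # Try the nearest steps first: 0, +1, -1, +2, -2, ...
    offsets = sorted(range(-max_steps, max_steps + 1),
                     key=lambda n: (abs(n), n < 0))
    for n in offsets:
        t = server_time + n * STEP
        if t < 0:
            continue  # no TOTP counter exists before the Unix epoch
        if totp(secret_b32, t) == observed_code.strip():
            return n
    return None


if __name__ == "__main__":
    server_time = 1111111109  # constructed server clock reading
    # "050471" is the RFC 6238 code for the next 30-second step.
    print(find_drift(SAMPLE_SECRET, "050471", server_time))
```

Pass the server's own clock reading (for example PHP's time() output) as server_time rather than the workstation's, since the comparison is only meaningful against the clock the validator uses.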