
WordPress 2FA Recovery: How to Use Backup Codes and Recover Access

Lost your phone or authenticator app? Learn how to recover WordPress access using backup codes and what to do if you're locked out of your 2FA-protected account.

David Kim

When 2FA Becomes a Problem

Two-factor authentication is excellent security—until you lose access to your second factor. A lost phone, broken device, or accidentally deleted authenticator app can lock you out of your own WordPress site. This guide explains how to prepare for 2FA emergencies and recover access when things go wrong.

Prevention: Setting Up for Success

Save Your Backup Codes

When you enable 2FA with WP Folder Shield, you receive 10 one-time backup codes. These are your emergency access keys:

  • Each code works only once
  • They never expire (until used)
  • They're generated specifically for your account

Where to Store Backup Codes

  • Password Manager - In a secure note alongside your WordPress credentials
  • Printed Copy - In a safe, safety deposit box, or secure location
  • Encrypted File - On a backup drive with strong encryption
  • Multiple Locations - Don't rely on just one storage method

Use Authy for Cloud Backup

Unlike Google Authenticator, Authy backs up your 2FA tokens to the cloud (encrypted). If you lose your phone, you can restore them on a new device.

Set Up on Multiple Devices

Some authenticator apps (Authy, Microsoft Authenticator) sync across devices. Set up 2FA on both your phone and tablet for redundancy.

Recovery Method 1: Using Backup Codes

When to Use

  • Lost phone
  • Broken phone
  • Deleted authenticator app
  • Can't find device

How to Use a Backup Code

  1. Go to your WordPress login page
  2. Enter your username and password
  3. When prompted for the 2FA code, look for the "Use backup code" link
  4. Enter one of your saved backup codes
  5. You'll be logged in

After Using a Backup Code

  1. Go to Users > Profile
  2. Generate new backup codes
  3. Set up 2FA on your new device
  4. Save the new backup codes securely

Recovery Method 2: FTP/Database Access

If you've lost both your backup codes and your phone, you can disable 2FA through file or database access.

Option A: Disable WP Folder Shield Temporarily

  1. Connect to your site via FTP/SFTP
  2. Navigate to wp-content/plugins/
  3. Rename "wp-folder-shield" to "wp-folder-shield-disabled"
  4. Log into WordPress (2FA is now disabled)
  5. Rename the folder back
  6. Reconfigure your 2FA

Option B: Remove 2FA via Database

  1. Open phpMyAdmin or another database tool
  2. Find the wp_usermeta table
  3. Search for your user_id
  4. Delete the rows for your user_id whose meta_key contains "2fa" or "totp"
  5. Log into WordPress
  6. Set up 2FA again

Warning: Database modifications can break your site. Always back up first.

Recovery Method 3: Contact Your Team

If you're not the only administrator:

  1. Contact another admin
  2. Have them go to Users > Your Profile
  3. They can generate new backup codes for you
  4. Or temporarily disable your 2FA requirement

Recovery Method 4: WP-CLI Access

If you have server/SSH access:

wp user meta delete USERNAME wpfs_totp_secret
wp user meta delete USERNAME wpfs_2fa_enabled

This removes 2FA for that user, allowing normal login.
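
A more cautious way to run the WP-CLI removal above, as an added example that is not part of the original article or the plugin's own tooling: it previews which of the two keys named above exist for one user, deletes only when `--apply` is given, and lists key names only so the stored secret is never printed. The function names `list_2fa_keys` and `reset_2fa` are hypothetical.

```bash
#!/bin/sh
# Added example. The two meta keys are the ones given in the article;
# the function names are hypothetical.

# Print the 2FA meta keys that currently exist for one user.
# Only meta_key is requested, so the TOTP secret value is never shown.
list_2fa_keys() {
    wp user meta list "$1" --fields=meta_key --format=csv 2>/dev/null |
        tr -d '"\r' | grep -Ex 'wpfs_(totp_secret|2fa_enabled)'
}

# reset_2fa USER            preview only (default)
# reset_2fa USER --apply    delete the rows, then confirm they are gone
reset_2fa() {
    local user="$1"
    local mode="${2:-dry-run}"
    local keys key

    # Refuse to continue if the user does not exist.
    wp user get "$user" --field=ID >/dev/null 2>&1 ||
        { echo "no such user: $user" >&2; return 2; }

    keys=$(list_2fa_keys "$user") ||
        { echo "no 2FA rows found for $user"; return 0; }

    for key in $keys; do
        if [ "$mode" = "--apply" ]; then
            wp user meta delete "$user" "$key" >/dev/null || return 1
            echo "deleted $key"
        else
            echo "would delete $key"
        fi
    done

    # After --apply, neither key should still be present.
    if [ "$mode" = "--apply" ] && list_2fa_keys "$user" >/dev/null; then
        echo "2FA rows still present for $user" >&2
        return 1
    fi
}

# Usage: reset_2fa USERNAME            (preview)
#        reset_2fa USERNAME --apply    (delete and verify)
```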

Best Practices After Recovery

Immediate Steps

  1. Set up 2FA on your new/recovered device
  2. Generate new backup codes
  3. Store backup codes in multiple secure locations
  4. Mark used backup codes as consumed

Review Your Security

  • Check for any unauthorized access during lockout
  • Review recent login history
  • Verify no new admin users were created
  • Check plugins list for unknown additions
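
One way to run the "no new admin users" check above from the command line, as an added example that is not from the original article. It assumes CSV input in the shape produced by `wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv`, logins without commas or spaces, and a UTC cutoff you choose; the function name `audit_admins` is hypothetical and the sample rows are constructed.

```bash
#!/bin/sh
# Added example. Sample data below is constructed, in the format of:
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_registered --format=csv
SAMPLE_ADMINS='ID,user_login,user_registered
1,siteowner,"2024-03-02 10:15:00"
4,editor-lead,"2025-06-20 08:00:00"
9,wp_support,"2026-01-14 02:41:07"'

# audit_admins CUTOFF "known1 known2 ..."   (CSV on stdin)
#   CUTOFF: start of the lockout window, "YYYY-MM-DD HH:MM:SS" in UTC
#           (WordPress stores user_registered in UTC).
# Prints one line per finding:
#   NEW_SINCE_LOCKOUT <login> <registered>   registered at or after CUTOFF
#   UNEXPECTED_ADMIN  <login>                not in the known-admin list
audit_admins() {
    awk -F, -v cutoff="$1" -v known="$2" '
        BEGIN {
            n = split(known, k, " ")
            for (i = 1; i <= n; i++) ok[k[i]] = 1
        }
        NR == 1 { next }                 # skip the CSV header
        {
            gsub(/"|\r/, "")             # strip CSV quoting and CRs
            # Timestamps in this format sort correctly as plain strings.
            if (($3 "") >= (cutoff ""))
                print "NEW_SINCE_LOCKOUT " $2 " " $3
            if (!($2 in ok))
                print "UNEXPECTED_ADMIN " $2
        }'
}

# Usage against a live site:
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_registered --format=csv |
#       audit_admins "2026-01-13 00:00:00" "siteowner editor-lead"
```

An empty result means every administrator is on your known list and predates the cutoff; any output is an account to investigate before you consider the recovery finished.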

WP Folder Shield Backup Code Management

Viewing Remaining Codes

In Users > Profile, you can see how many backup codes remain unused.

Generating New Codes

Click "Generate New Backup Codes" to create a fresh set. This invalidates all previous codes.

Admin Management

Super admins can manage 2FA for other users, including generating new backup codes or disabling 2FA temporarily.

Preventing Future Lockouts

Checklist

  • ☐ Backup codes saved in password manager
  • ☐ Backup codes printed and stored securely
  • ☐ Using Authy or similar with cloud backup
  • ☐ 2FA set up on secondary device
  • ☐ Other admin has access (for team sites)
  • ☐ Know how to access via FTP if needed

Conclusion

2FA lockouts are frustrating but preventable. The key is preparation: save your backup codes in multiple locations, use an authenticator app with cloud backup, and ensure you have recovery options before you need them. With proper preparation, you can maintain strong 2FA security while always having a path back in if something goes wrong.

Written by David Kim

WP Folder Shield Team
