Deactivate Wordfence OTP

How to Disable Wordfence Two-Factor Authentication Without Losing Access to Your WordPress Dashboard

If you’ve been locked out of your WordPress dashboard because you’ve lost access to your Wordfence Two-Factor Authentication (2FA) OTP, don’t worry! This guide will show you how to disable Wordfence 2FA safely using FTP or your hosting provider’s File Manager.

By following these steps, you’ll regain access to your WordPress admin area without compromising your website’s security. Let’s dive in

Why Disable Wordfence 2FA?

Wordfence’s 2FA is an excellent way to protect your site, but losing access to your OTP device can leave you locked out. Thankfully, WordPress plugins like Wordfence can be manually disabled, allowing you to bypass 2FA temporarily and log back in.

Step-by-Step Guide to Disabling Wordfence 2FA

Step 1: Access Your Server Files

To disable Wordfence, you need access to your WordPress installation files. You can do this using:

- FTP/SFTP Clients (e.g., FileZilla, Cyberduck)
- Your hosting provider’s File Manager (found in cPanel, Plesk, etc.)

Step 2: Navigate to the Plugins Directory

Once you’ve logged into your server:

1. Open the root directory of your WordPress installation. This is usually named something like public_html or www.
2. Navigate to the wp-content/plugins/ folder.
3. Locate the folder named wordfence.

Step 3: Temporarily Disable Wordfence

To disable Wordfence, simply rename its folder. For example:

- Rename wordfence to wordfence_disabled.

This action disables the Wordfence plugin without deleting it. WordPress will no longer load the plugin, effectively bypassing the 2FA system.

Step 4: Log into WordPress

With Wordfence disabled, you can now log into your WordPress admin dashboard without needing a 2FA OTP.

Step 5: Re-enable Wordfence and Adjust 2FA Settings

1. Go back to the wp-content/plugins/ directory and rename the wordfence_disabled folder back to wordfence.
2. In your WordPress dashboard, navigate to Wordfence > Login Security and adjust the 2FA settings.
  - If you want to disable 2FA entirely, you can do so here.
  - If you’re reconfiguring 2FA, make sure to save your new OTP setup and keep the recovery codes somewhere safe.

Tips for the Future

1. Always save your 2FA recovery codes in a secure location when setting up Wordfence 2FA.
2. Consider using a password manager that supports storing 2FA codes.
3. If you lose access to your OTP device, having recovery codes ensures you won’t need to go through this process again.

Recover FreeOTP Codes

First you have to instal adb and get it running on your smartphone.

$ adb shell

Afterwards issue the following command. Be aware that the output will be saved in the same folder:

adb backup -f freeotp-backup.ab -apk org.fedorahosted.freeotp

Use the Android Backup extractor to get decrypt the ab file:
https://github.com/nelenkov/android-backup-extractor

abe.jar unpack freeotp-backup.ab freeotp-backup.tar

Unpack the .tar file and the only file you care about ist tokens.xml.

Use the following pyton script to get the tokens ( assuming tokens.xml is in the same folder as your python script):

#!/usr/bin/env python

import base64, json
import xml.etree.ElementTree as ET

verbose = False

root = ET.parse ('org.fedorahosted.freeotp/sp/tokens.xml').getroot()
for secrets in root.findall ('string'):
    name = secrets.get ('name')
    if name == 'tokenOrder':
        continue

    secret_json = secrets.text
    print ("secret name: {}".format(name))
    if verbose: print ("secret json: {}".format(secret_json))
    token = json.loads(secret_json);
    token_secret = token["secret"]
    if verbose: print("token secret: {}".format(token_secret))
    secret = bytes((x + 256) & 255 for x in token_secret)
    if verbose: print("token secret bytes {}".format(secret))
    code = base64.b32encode(secret)
    print("token secret base64: {}".format(code.decode()))

adb full backup Android

Download adb for windows https://dl.google.com/android/repository/platform-tools-latest-windows.zip
extract the file and open a cmd window in order to be able to execute the adb.exe
adb devices ( check if connection works)

adb backup -apk -shared -all -f c:\adb\mybackup.ab

systemd service starting without login of user

I recently had to start a systemd process without having a user being logged in. The systemd process was starting, but unfortunately the network was not up and running. The issue was that the wifi was linked to the user. In this case I used ArchLinux (Manjaro)

Here are the steps to start a service fully automatically.
Create a service-file in the location /etc/systemd/system/myService.service

[Unit]
Description=myService
After=network-online.target
Wants=network-online.target
AssertFileNotEmpty=/opt/myService/config.json

[Service]
Type=simple
SyslogIdentifier=myService
WorkingDirectory=/opt/myService
ExecStart=/opt/MyService/myexecutable (or script)
RemainAfterExit=true
Restart=always
Nice=-20

[Install]
WantedBy=multi-user.target

Once created enable the service. This will enable the service startup of the system.

sudo systemctl enable myService.service
sudo systemctl daemon-reload
sudo systemctl restart myService.service

In order to check the logs of your service use the following command:

# Just use the journalctl command, as in:
journalctl -u service-name.service

# Or, to see only log messages for the current boot:
journalctl -u service-name.service -b

Adjust the following script /etc/NetworkManager/system-connections
Change the connection of your linux.

[connection]
id=MyHotspot
uuid=exxxxxxxx-xxxxxxxxx
type=wifi
permissions=

[wifi]
mac-address=00:XX:XX:XX:DF:ED
mac-address-blacklist=
mode=infrastructure
ssid=My SSID

[wifi-security]
auth-alg=open
key-mgmt=wpa-psk
psk=MYPASSWORD

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

Important here is thepermissions=.In a previous version of the file it was mentioning a few users. So the wifi only came up at login time of the users. With permissions= it starts even without anybody logging in.

Keep processes running after ending ssh session

Create a ssh connection to your linux station.
Type screen and then start the process you want. (assumption, screen is installed)
Press Ctrl-a and then Ctrl-Shift-D.
You can now log out of the ssh session.
In case you can come-back later you can type screen -r. This will resume your screen session and you can see the output of your processes.

php and apache2 on Ubuntu (clean install for composer)

I had multiple issues in getting a clean setup for composer.

WARNING: Module json ini file doesn't exist under /etc/php/7.2/mods-available

Moodle requires the json PHP extension. Please install or enable the json extension.

And many more.

In order to get a clean set-up. I fully uninstalled php and apache2 . The purge command is the trick here as it also removed configuration files.
Please pay attention in your environment. This means all your apache and php configuration is gone afterwards. If you want to keep it make backups of the most important files like php.ini and apache2.conf

Afterwards execute the following commands.

sudo apt purge php*

sudo apt purge apache2*

sudo apt install apache2

sudo apt install php libapache2-mod-php php-mysql

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer

Headless Raspberry Pi

Step 1. Download a lite Raspbian image

Download the version you need. As we want to install a headless version download the Raspian XXXXX Lite version.

Step 2. Copy the image

From a Linux terminal use the following command to find your SD Card:

sudo fdisk -l

This will show you something like

Disk /dev/sdc 14.86 Gib ......

Ensure you select here the correct disk.

Afterwards copy the image with the following comand. Replace /dev/sdX by the correct path.

sudo dd bs=4M if=2019-07-10-raspbian-buster.img of=/dev/sdX conv=fsync

Step 3. Enable ssh

To activate ssh at the first start you just have to create a file ssh in the boot folder.

touch /run/media/your_username/boot/ssh

The path above might be different on your system.

Step 4. Add network info

Create a file in /run/media/your_username/boot/ called: wpa_supplicant.conf.

sudo nano /run/media/your_username/boot/wpa_supplicant.conf

Then paste the following into it (replace your country code, SSID and Password):

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev 
update_config=1 
ap_scan=1 
fast_reauth=1 
country=JP 
network=
{ ssid="network SSID" 
  psk="network password" 
  id_str="0" 
  priority=100 
}

Step 5. Find your Raspberry Pi in your network

One solution is to login to your router.

In case you do not have access to your router you can scan your ip range with nmap. Use the following command and search for your Raspberry Pi:

sudo nmap -sP 192.168.0.0/24

Adjust 192.168.0.0 to your ip range. In many cases it is 192.168.1.0 or 192.168.100.0

Step 6. Login to your Raspberry Pi

Use the following command to login:

ssh pi@192.168.0.150

Password by default: raspberry

ip route for wifi

In case you want to route the traffic of your linux machine of a specific IP through a specific interface ip routecommand should be used.

One example below asuming wlp2s0 is your wifi.

sudo ip route add 155.100.200.0/24 via 192.168.1.1 dev wlp2s0

This will lead all the traffic with target ip range 155.100.200.0/24 trough the interface of your wifi (assuming 192.168.1.1 is the wifi router).

I did not yet found a solution to route the traffic of a target “domain” through a specific interface. Happy for any input.

Pi-Backup automation

My Raspberry Pi has many little applications and it happend already 2 times that the microsd was not working anymore. Therefore I decided to automate a weekly backup for my NAS.

To get the job done. First you have to mount your NAS towards your Raspberry Pi.

Make a mount towards the NAS
Create the folder /mnt/backup
Edit the the fstab file
sudo nano /etc/fstab

In my case it looks liket this

//192.168.100.2/folder/on-your-nas /mnt/backup cifs iocharset=utf8,uid=1001,gid=1001,x-systemd.automount,x-systemd.requires=network-online.target,vers=1.0,credentials=/home/user/.ds414-pi-backup.creds

create a file for the credentials
```
nano ~/.ds414-pi-backup.creds
```
You might want to set chmod / chown permission to ensure nobody else can check your .creds file.
It should look like this
```
username=myNASUSER
password=myPassword
```
To make your changes in the fstab effect type
```
sudo mount -a
```

Test your shared drive. You might want to re-start to check if the mount works fully automatically.

Once the shared drive is working download the following great script. https://github.com/lzkelley/bkup_rpimage
The script is fully based upon input from : The Raspberry Pi Backup Thread.

Put the file in the desired location. I have it in /mnt/backup
Make the script executable
```
chmod +x /mnt/backup/bkup_rpimage.sh
```

Test the script. I run it with the following command

sudo ./bkup_rpimage.sh start -L backup-$(date +%Y-%m-%d).log -czd /mnt/backup/$(uname -n)-$(date +%Y-%m-%d).img

Create a file calling the bkup_rpimage.sh with the correct variables
```
nano /mnt/backup/backup_pi.sh
```
The following content
```
#!/bin/bash
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
. /mnt/backup/bkup_rpimage.sh start -czdl /mnt/backup/$(uname -n)-$(date +%Y-%m-%d).img
```
```
chmod +x /mnt/backup/backup_pi.sh
```
This will create a backup file, gzip it and removing the unzipped version once finished. Furthermore, it will ad a log file into the folder. The PATH part has to be adjusted to your needs.

Pay attention to change the PATH variable to your needs. You can find out more about your PATH by just typing env , or you use echo $PATH. Be aware that the cronjob is running with the user of the crontab. In this szenario I decided for root as the script needs multiple permissions only root has.
Therefore, the PATH has to be set correctly.
Create a cronjob in order to automate the backup
```
sudo crontab -e
```
Add the following line at the end of the crontab file
```
0 3 * * 1 /mnt/backup/backup_pi.sh
```
This will create a cronjob running every week at 3 a.m

In order to test the script you can also change the cronjob to be executed each minute. Just type * * * * * instead of 0 3 * * * * within the crontab.

Usefull stuff:

In order to see the currently running cronjobs:

ps fauxww | grep -A 1 '[C]RON'

# Then use
Sudo kill PID

To see the furhter logging details:

sudo tail /var/log/syslog

Restore of the Backup:

In order to restore the backup on a new sd card I just used the following program:
https://www.raspberrypi.com/news/raspberry-pi-imager-imaging-utility/

You just have to select “custom img” and select the previously unzipped gz file.

Pi-hole and pivpn

Website explaining how to use pivpn and pi-hole.

https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/#targetText=Pi%2Dhole%20acts%20as%20a,tracking%20domains%20should%20be%20blocked

Unbound (DNS) https://docs.pi-hole.net/guides/unbound/