Deactivate Wordfence OTP

November 15, 2024

If you lost access to your Wordfence Two-Factor Authentication OTP device and are locked out of your WordPress dashboard, you can disable Wordfence temporarily via FTP or your hosting file manager — no database access needed.

Why this works

WordPress only loads a plugin if its folder exists. Renaming the folder disables it instantly, bypassing the 2FA check.

Step 1: Access your server files

Use an FTP/SFTP client (FileZilla, Cyberduck) or your hosting control panel's file manager.

Step 2: Navigate to the plugins directory

Go to your WordPress root (usually public_html or www) and open wp-content/plugins/.

Step 3: Rename the Wordfence folder

Rename wordfence to wordfence_disabled.

WordPress will no longer load the plugin, and you can log in without a 2FA code.

Step 4: Log in

Go to your WordPress admin and log in normally — no OTP required.

Step 5: Re-enable and reconfigure

  1. Rename wordfence_disabled back to wordfence.
  2. In WordPress, go to Wordfence → Login Security.
  3. Either disable 2FA entirely or set it up again with a new device.
  4. Store the recovery codes somewhere safe this time.

Tips

  • Save Wordfence 2FA recovery codes in a password manager when setting up.
  • A password manager with TOTP support (e.g., Bitwarden) means you never need a separate OTP device.