Deactivate Wordfence OTP

How to Disable Wordfence Two-Factor Authentication Without Losing Access to Your WordPress Dashboard

If you’ve been locked out of your WordPress dashboard because you’ve lost access to your Wordfence Two-Factor Authentication (2FA) OTP, don’t worry! This guide will show you how to disable Wordfence 2FA safely using FTP or your hosting provider’s File Manager.

By following these steps, you’ll regain access to your WordPress admin area without compromising your website’s security. Let’s dive in.

Why Disable Wordfence 2FA?

Wordfence’s 2FA is an excellent way to protect your site, but losing access to your OTP device can leave you locked out. Thankfully, WordPress plugins like Wordfence can be manually disabled, allowing you to bypass 2FA temporarily and log back in.

 

Step-by-Step Guide to Disabling Wordfence 2FA

Step 1: Access Your Server Files

To disable Wordfence, you need access to your WordPress installation files. You can do this using:

    • FTP/SFTP Clients (e.g., FileZilla, Cyberduck)
    • Your hosting provider’s File Manager (found in cPanel, Plesk, etc.)

Step 2: Navigate to the Plugins Directory

Once you’ve logged into your server:

    1. Open the root directory of your WordPress installation. This is usually named something like public_html or www.
    2. Navigate to the wp-content/plugins/ folder.
    3. Locate the folder named wordfence.

Step 3: Temporarily Disable Wordfence

To disable Wordfence, simply rename its folder. For example:

    • Rename wordfence to wordfence_disabled.

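This action disables the Wordfence plugin without deleting it. WordPress will no longer load the plugin, effectively bypassing the 2FA system. Wordfence’s other protections are not loaded either while the folder is renamed, so finish the remaining steps without delay.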

Step 4: Log into WordPress

With Wordfence disabled, you can now log into your WordPress admin dashboard without needing a 2FA OTP.

Step 5: Re-enable Wordfence and Adjust 2FA Settings

    1. Go back to the wp-content/plugins/ directory and rename the wordfence_disabled folder back to wordfence.
    2. In your WordPress dashboard, navigate to Wordfence > Login Security and adjust the 2FA settings.
      • If you want to disable 2FA entirely, you can do so here.
      • If you’re reconfiguring 2FA, make sure to save your new OTP setup and keep the recovery codes somewhere safe.

Tips for the Future

    1. Always save your 2FA recovery codes in a secure location when setting up Wordfence 2FA.
    2. Consider using a password manager that supports storing 2FA codes.
    3. If you lose access to your OTP device, having recovery codes ensures you won’t need to go through this process again.

 

Recover FreeOTP Codes

First you have to install adb and get it running with your smartphone.

$ adb shell

Afterwards issue the following command. Be aware that the output will be saved in the folder you run it from:

adb backup -f freeotp-backup.ab -apk org.fedorahosted.freeotp

Use the Android Backup Extractor to decrypt the .ab file:
https://github.com/nelenkov/android-backup-extractor

java -jar abe.jar unpack freeotp-backup.ab freeotp-backup.tar

Unpack the .tar file. The only file you care about is tokens.xml.

Use the following Python script to get the tokens (assuming tokens.xml is in the same folder as your Python script):

#!/usr/bin/env python3

import base64
import json
import xml.etree.ElementTree as ET

verbose = False

# tokens.xml is expected in the same folder as this script
root = ET.parse('tokens.xml').getroot()
for entry in root.findall('string'):
    name = entry.get('name')
    # tokenOrder only stores the display order, it is not a token
    if name == 'tokenOrder':
        continue

    secret_json = entry.text
    print("secret name: {}".format(name))
    if verbose: print("secret json: {}".format(secret_json))
    token = json.loads(secret_json)
    token_secret = token["secret"]
    if verbose: print("token secret: {}".format(token_secret))
    # The key is stored as signed bytes (-128..127); map them to 0..255
    secret = bytes((x + 256) & 255 for x in token_secret)
    if verbose: print("token secret bytes {}".format(secret))
    # Authenticator apps expect the key Base32-encoded
    code = base64.b32encode(secret)
    print("token secret base32: {}".format(code.decode()))
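To confirm a recovered secret is correct before you rely on it, you can compute the one-time code from it and compare it with what the app shows. The following is an added example, not part of the original script: it goes one step further than the script above by implementing the RFC 6238 calculation. The JSON fields digits, period and algo are assumed to be present in the token entry (defaults are used otherwise), and the sample entry is constructed from the RFC 6238 test key.

```python
import base64, hashlib, hmac, json, struct
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

def signed_to_bytes(values):
    """Map signed byte values (-128..127), as stored in tokens.xml, to 0..255."""
    return bytes(v & 0xFF for v in values)

def totp(key, unix_time, digits=6, period=30, algo="SHA1"):
    """RFC 6238 one-time code for `key` at `unix_time`."""
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(key, counter, getattr(hashlib, algo.lower())).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def read_tokens(xml_text):
    """Return one dict per token entry, skipping the tokenOrder entry."""
    tokens = []
    for node in ET.fromstring(xml_text).findall("string"):
        if node.get("name") == "tokenOrder":
            continue
        tok = json.loads(node.text)
        key = signed_to_bytes(tok["secret"])
        tokens.append({
            "name": node.get("name"),
            "key": key,
            "base32": base64.b32encode(key).decode(),
            # Assumed field names; fall back to common defaults if absent.
            "digits": tok.get("digits", 6),
            "period": tok.get("period", 30),
            "algo": tok.get("algo", "SHA1"),
        })
    return tokens

# Constructed sample: the RFC 6238 test key, not a real token.
SAMPLE_JSON = json.dumps({"algo": "SHA1", "digits": 8, "period": 30,
                          "secret": list(b"12345678901234567890")})
SAMPLE_XML = ('<map><string name="Example:alice">' + escape(SAMPLE_JSON) +
              '</string><string name="tokenOrder">["Example:alice"]</string></map>')

if __name__ == "__main__":
    for t in read_tokens(SAMPLE_XML):
        code = totp(t["key"], 59, t["digits"], t["period"], t["algo"])
        print(t["name"], t["base32"], code)
```

Treat tokens.xml and the .ab and .tar files as secrets: anyone who reads them can generate your codes, so delete them once the tokens are re-imported.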

Headless Raspberry Pi

Step 1. Download a lite Raspbian image

Download the version you need. Since we want a headless installation, download the Raspbian XXXXX Lite version.

Step 2. Copy the image

From a Linux terminal use the following command to find your SD Card:

sudo fdisk -l

This will show you something like

Disk /dev/sdc 14.86 Gib ......

Make sure you select the correct disk here: dd overwrites the target device without asking.

Afterwards copy the image with the following command. Replace /dev/sdX with the correct path.

sudo dd bs=4M if=2019-07-10-raspbian-buster.img of=/dev/sdX conv=fsync

Step 3. Enable ssh

To activate ssh at the first start you just have to create an empty file named ssh in the boot folder.

touch /run/media/your_username/boot/ssh

The path above might be different on your system.

Step 4. Add network info

Create a file in /run/media/your_username/boot/ called: wpa_supplicant.conf.

sudo nano /run/media/your_username/boot/wpa_supplicant.conf

Then paste the following into it (replace your country code, SSID and Password):

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
ap_scan=1
fast_reauth=1
country=JP
network={
  ssid="network SSID"
  psk="network password"
  id_str="0"
  priority=100
}

Step 5. Find your Raspberry Pi in your network

One solution is to log in to your router.

If you do not have access to your router, you can scan your IP range with nmap. Use the following command and look for your Raspberry Pi in the output:

sudo nmap -sP 192.168.0.0/24

Adjust 192.168.0.0 to your IP range. In many cases it is 192.168.1.0 or 192.168.100.0.

Step 6. Login to your Raspberry Pi

Use the following command to log in:

ssh pi@192.168.0.150

Password by default: raspberry. Change it with passwd right after the first login, since the Pi is now reachable over ssh.

ip route for wifi

If you want to route the traffic of your Linux machine for a specific IP range through a specific interface, use the ip route command.

One example below, assuming wlp2s0 is your wifi interface.

sudo ip route add 155.100.200.0/24 via 192.168.1.1 dev wlp2s0

This will send all traffic with the target IP range 155.100.200.0/24 through your wifi interface (assuming 192.168.1.1 is the wifi router).

I have not yet found a solution to route the traffic of a target “domain” through a specific interface. Happy for any input.

Pi-Backup automation

My Raspberry Pi has many little applications and it has already happened 2 times that the microSD was not working anymore. Therefore I decided to automate a weekly backup for my NAS.

To get the job done, first you have to mount your NAS on your Raspberry Pi.

  1. Make a mount point for the NAS
    Create the folder /mnt/backup
  2. Edit the fstab file
    sudo nano /etc/fstab
  3. In my case it looks like this
    //192.168.100.2/folder/on-your-nas /mnt/backup cifs iocharset=utf8,uid=1001,gid=1001,x-systemd.automount,x-systemd.requires=network-online.target,vers=1.0,credentials=/home/user/.ds414-pi-backup.creds
  4. Create a file for the credentials
    nano ~/.ds414-pi-backup.creds
    You might want to set chmod / chown permissions (for example chmod 600) to ensure nobody else can read your .creds file.
  5. It should look like this
    username=myNASUSER
    password=myPassword
  6. To make your changes in the fstab take effect, type
    sudo mount -a
Test your shared drive. You might want to re-start to check if the mount works fully automatically.

Once the shared drive is working, download the following great script: https://github.com/lzkelley/bkup_rpimage
The script is fully based upon input from The Raspberry Pi Backup Thread.

  1. Put the file in the desired location. I have it in /mnt/backup
  2. Make the script executable
    chmod +x /mnt/backup/bkup_rpimage.sh
  3. Test the script. I run it with the following command
    sudo ./bkup_rpimage.sh start -L backup-$(date +%Y-%m-%d).log -czd /mnt/backup/$(uname -n)-$(date +%Y-%m-%d).img
  4. Create a file calling the bkup_rpimage.sh with the correct variables
    nano /mnt/backup/backup_pi.sh
    with the following content
    #!/bin/bash
    SHELL=/bin/bash
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
    . /mnt/backup/bkup_rpimage.sh start -czdl /mnt/backup/$(uname -n)-$(date +%Y-%m-%d).img
    Then make it executable
    chmod +x /mnt/backup/backup_pi.sh
    This will create a backup file, gzip it and remove the unzipped version once finished. Furthermore, it will add a log file to the folder.

    Pay attention to change the PATH variable to your needs. You can find out more about your PATH by typing env or echo $PATH. Be aware that the cronjob runs as the user who owns the crontab. In this scenario I decided for root as the script needs multiple permissions only root has. Therefore, the PATH has to be set correctly. Because root executes this file, make sure only trusted accounts can write to it on the share.
  5. Create a cronjob in order to automate the backup
    sudo crontab -e
  6. Add the following line at the end of the crontab file
    0 3 * * 1 /mnt/backup/backup_pi.sh
    This will create a cronjob running every week, on Monday at 3 a.m.

In order to test the script you can also change the cronjob to be executed each minute. Just type * * * * * instead of 0 3 * * 1 within the crontab.

Useful stuff:

In order to see the currently running cronjobs:

ps fauxww | grep -A 1 '[C]RON'

To stop one of them, then use:

sudo kill PID

To see further logging details:

sudo tail /var/log/syslog

Restore of the Backup:

In order to restore the backup on a new sd card I just used the following program:
https://www.raspberrypi.com/news/raspberry-pi-imager-imaging-utility/

You just have to select “custom img” and select the previously unzipped gz file.