Did Google Authenticator Lock You Out of Your WordPress.org Account?

I can’t remember when I turned on two-step authentication for my Google accounts, but I’ve adopted it for every other account that supports it, including Twitter, Facebook, Dropbox, and WordPress. For those who are not familiar with two-step authentication, it is an extra layer of security that requires you to provide two keys: something you know and something you have in your possession. Accessing a protected account requires two steps, hence the name: entering your account password (something you know) and entering a random code from your phone (something you have).

Google Updates Authenticator

A popular and widely supported iPhone app for generating these codes is Google Authenticator. Earlier this week, Google updated Authenticator, which was a surprise to me. It hadn’t been updated in over a year and had an annoying bug that prevented you from editing your existing accounts. I feared Google had abandoned it because it also didn’t support the nearly-year-old 1136 x 640 iPhone 5 display.

Google Breaks Authenticator

As welcomed as the update was for me, it turned out to be a hot mess. When I updated the app, it deleted all of my existing accounts. Without those codes, I could not access them because I need both the account password and the Authenticator code to log in to those protected accounts. Once the app was wiped, I couldn’t get any of those precious codes.

Fortunately, for me, it was more of an inconvenience than a disaster because I accessed my accounts using the emergency backup codes that I had safely stashed away.

WordPress and Google Authenticator Plug-In

There was however one account that doesn’t have emergency codes. It is the Google Authenticator plugin that adds two-step authentication for this self-hosted WordPress site. I’m unsure if you can add this plugin to hosted WordPress.com sites, but I suspect you cannot since there’s no plugin area for those hosted blogs.

To regain access to a self-hosted WordPress account that has been locked due to two-factor authentication, it requires you to have SFTP or SSH access to your web hosting account.

  1. Log in to your SSH or SFTP account.
  2. Navigate to the wp-content directory.
  3. Create a directory called disabled or something else that won’t interfere with WordPress. This will be a temporary measure.
  4. Navigate to the wp-content/plugins directory.
  5. Rename (or move) the google-authenticator directory to the wp-content/disabled directory. Type something like…
    mv google-authenticator ../disabled
  6. On your web browser, load your wp-admin page. You’ll see that you will not be prompted for a Google Authenticator code.
  7. Using SSH or SFTP, move the google-authenticator directory back to the plugins directory. If you are still in the plugins folder, type something like…
    mv ../disabled/google-authenticator .
  8. Delete the disabled directory.
    rm -rf disabled
  9. With your web browser, go to your Dashboard and then to the Plugins area. Reactivate the Google Authenticator plugin.
  10. On your Profile page, scan the barcode to add this WordPress account to your Google Authenticator app.

Or you could stop at step five, delete the plugin, and be done with two-step authentication altogether.

Leave a Comment

7 Comments