Two-Factor Authentication RecoveryPRO
Lost your phone? Can't access your authenticator app? Here's how to recover access to your WordPress account when 2FA is enabled.
Two-Factor Authentication is only available in Royal Security Pro. If you're using the Lite version, this guide doesn't apply to you.
Common Scenarios
- Lost/broken phone - Your authenticator app was on a phone you no longer have
- Deleted authenticator app - Accidentally removed the app without backing up
- New phone - Got a new device and didn't transfer your authenticator
- App reset - Authenticator data was cleared or corrupted
- Wrong time - Codes not working due to time sync issues
Recovery Methods
Method 1: Use Recovery Codes Try First
When you set up 2FA, Royal Security Pro generated backup recovery codes. If you saved them:
Go to your login page
Enter your username and password as normal.
Click "Use Recovery Code"
On the 2FA prompt, look for a link to use a recovery code instead.
Enter a recovery code
Type one of your saved recovery codes. Each code can only be used once.
Reconfigure 2FA
Once logged in, go to your profile and set up 2FA again with your new device.
Check your password manager, secure notes, printed backup, or email (you may have emailed them to yourself).
Method 2: Ask Another Administrator Quick Fix
If another admin can access the site, they can disable 2FA for your account:
Have the admin log in
Another administrator needs to access the WordPress dashboard.
Go to Users
Navigate to Users → All Users and edit your profile.
Disable 2FA for your account
Scroll to the Two-Factor Authentication section and click "Disable 2FA" or "Reset 2FA".
Log in and reconfigure
Now you can log in with just your password and set up 2FA again.
Method 3: Disable 2FA via Database No Admin Access
If you're the only admin, you'll need to disable 2FA through the database.
Access phpMyAdmin
Log into your hosting control panel and open phpMyAdmin.
Find your user ID
First, find your WordPress user ID:
Delete 2FA user meta
Remove the 2FA configuration for your user (replace 123 with your user ID):
Log in normally
2FA is now disabled for your account. Log in with just your password.
Set up 2FA again
Go to Royal Security → Two-Factor Auth and configure it again. Save your recovery codes this time!
Replace wp_ with your actual table prefix if different. Check wp-config.php for $table_prefix.
Method 4: Temporarily Disable Plugin Last Resort
If you can't access the database, disable the entire plugin via FTP:
Connect via FTP/SFTP
Use FileZilla or your hosting's file manager.
Rename the plugin folder
Go to /wp-content/plugins/ and rename royal-security to royal-security-disabled
Log in to WordPress
With the plugin disabled, 2FA is not enforced.
Re-enable and reconfigure
Rename the folder back, reactivate the plugin, and set up 2FA properly with recovery codes saved.
Time Sync Issues
If your codes are being rejected but you still have access to your authenticator:
- Check device time - TOTP codes depend on accurate time. Enable automatic time sync on your phone.
- Google Authenticator - Go to Settings → Time correction for codes → Sync now
- Server time - Ask your host to verify the server's NTP sync is working
- Try adjacent codes - The code changes every 30 seconds. Try the code just before or after it changes.
Prevent Future Lockouts
- Save recovery codes - Store them in a password manager or print them
- Use cloud-synced authenticator - Authy, 1Password, and Microsoft Authenticator can sync across devices
- Add backup device - Set up 2FA on a secondary phone or tablet
- Screenshot the QR code - Save the setup QR code securely (encrypted)
- Export authenticator backup - Most authenticator apps can export/import accounts
Authy - Cloud backup and multi-device sync
1Password - Stores 2FA with your passwords
Microsoft Authenticator - Cloud backup option