October 2, 2018 by Paul G. | Features, Shield Pro

Recover Your WordPress Account with Two-Factor Authentication Backup Codes


Two-Factor Authentication (2FA) is a wonderful thing as it does a great job of protecting our accounts.

But it has its weaknesses. You’ll know this if you’ve ever lost your phone with your Google Authenticator codes. It can be a painful journey to recover our accounts in these instances.

What if there was a way we could make this recovery process a little less painful?

Login Backup Recovery Codes with Shield Security v6.10

Starting with Shield Security v6.10, we’re introducing backup recovery codes.

These backup codes are 1-time-only passwords that grant 2FA access to your account if, for whatever reason, your other factors aren’t available.

Many service providers that offer Google Authenticator (GA) offer backup codes. They know that losing your GA device can be trouble, as they’ll need to verify your identity and reset your account.

There’s no good reason why your WordPress accounts can’t have them either.

Why Do Login Recovery Codes Matter?

There are a number of reasons why allowing recovery codes, for you and your users, is important.

  1. A better user experience. When a user drops their phone in the bath, they lose their ability to generate GA codes. They’re now locked out of their accounts and they can’t do anything of their own volition to fix the problem (except contact an admin).
    With recovery codes, they can get back in to make changes to their account (i.e. disable their GA and recreate it) without contacting anyone else for help.
  2. A better admin experience. The less a user must come to you for support, the better your life (and theirs) will be. If a user can solve their own problems without your help, they’re happier, and so are you.
  3. A better security experience. With added security comes added complexity for everyone. It also presents some anxiety, as we need to be prepared for when it breaks and locks us out. If you’re having email deliverability issues, for example, recovery codes will help everyone work around the problem, smoothing out any bumps in the road.

Important Characteristics of Shield Recovery Codes

Please bear in mind the following important characteristics when using recovery codes:

  1. Single-use only. When you use a recovery code, it cannot ever be re-used.
  2. One at a time. There is only 1 recovery code available at a time, per account. If you generate a new code, it replaces the existing code.
  3. Manual code (re)generation. You must manually generate your codes from your WP user profile page. If you use the code, you must manually recreate another.
  4. It overrides multi-factor authentication. If you’ve configured your system to require all factors (i.e. multi-factor authentication) while logging in, a backup code will still work. That is, providing a recovery code will always complete your login, regardless of how many factors are missing.
  5. Backup codes are entirely optional. There is a site-level option to turn on/off backup codes, and individual users can generate and delete their backup codes, as they desire.

A recovery code clearly doesn’t replace your account username and password, but you should store this code in a safe place. If your password is compromised, and you haven’t securely stored your backup code, you’re putting your account at risk.
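The characteristics listed above can be modelled in a few lines. This is an added example, not Shield's own code: the class and function names are hypothetical, and keeping only a SHA-256 digest of the code is a design choice of this sketch rather than something the post describes.

```python
import hashlib
import hmac
import secrets


class RecoveryCodes:
    """Toy model: at most one single-use recovery code per account."""

    def __init__(self, site_enabled=True):
        self.site_enabled = site_enabled  # site-level on/off option
        self._digests = {}                # user -> digest of the active code

    def generate(self, user, has_active_2fa):
        # Only offered when the feature is on and the user has a 2FA factor.
        if not (self.site_enabled and has_active_2fa):
            return None
        code = secrets.token_hex(12)      # 96 bits from the OS CSPRNG
        # Overwriting the entry means any previous code stops working.
        self._digests[user] = hashlib.sha256(code.encode()).digest()
        return code                       # shown once; only the digest is kept

    def delete(self, user):
        self._digests.pop(user, None)

    def redeem(self, user, submitted):
        stored = self._digests.get(user)
        if not self.site_enabled or stored is None:
            return False
        candidate = hashlib.sha256(submitted.encode()).digest()
        if not hmac.compare_digest(stored, candidate):  # constant-time compare
            return False
        del self._digests[user]           # single use: consumed on success
        return True


def second_step_ok(codes, user, required, passed, recovery_code=None):
    """True if the 2FA step of a login is satisfied (password already checked)."""
    if recovery_code is not None and codes.redeem(user, recovery_code):
        return True                       # a valid code overrides missing factors
    return set(required) <= set(passed)
```

Because a valid code satisfies the whole second step on its own, whoever holds it needs only the password, which is why the stored copy deserves the same care as the password itself.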

How To Set Up Backup Recovery Codes Using Shield

The 1st step is to allow users on the site to use the recovery codes feature:

Shield Security: Login Recovery Codes Option


Once enabled, any user on the site will have a new option in their profile to generate a backup code.

Shield Security: Login Recovery Codes User Profile Options


Please note: if the option to generate codes does not appear on their profile, this means that there is no 2FA factor active on their account. This is a recovery system, and not designed to be a standard 2FA option for everyday use.

How To Get Access To The Recovery Codes Feature

This feature is available with Shield Security v6.10, and is a pro-only feature.

If you wish to make use of this pro feature, and all the other pro-features, you can upgrade today for the equivalent of just $1/month.

Any questions or comments, please leave them below. Thank you!
