Wordfence is a WordPress plugin used to protect against automated attacks. Given access to MySQL (and the MySQL credentials), you can recover the TOTP secret for an account. As discussed in this blog post, Wordfence stores 2FA secrets in plaintext (technically in binary, in a MySQL table). This still works as of Wordfence 8.0.3, but you can check the TOTP source code to see whether additional security has been added.
- Obtain the database credentials. These can be found in wp-config.php in the WP root. You want $table_prefix (if multiple WP installs), DB_NAME, DB_USER, and DB_PASSWORD. DB_HOST is assumed to be localhost.
- Connect to the database:
$ mysql $DB_HOST --user=$DB_U