Title: Bug Report – 2FA Reset Function Leaves Corrupted Data Causing Login Issues
Last modified: October 28, 2025

---

# Bug Report – 2FA Reset Function Leaves Corrupted Data Causing Login Issues

 *  Resolved [jessicalynncodes](https://wordpress.org/support/users/jessicalynncodes/)
 * (@jessicalynncodes)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/bug-report-2fa-reset-function-leaves-corrupted-data-causing-login-issues/)
 * Hi WPMU DEV Support,
 * I’ve discovered a bug in Defender Security’s “Reset two factor” functionality
   that leaves users in a corrupted state and unable to log in.
 * **Environment:**
    - Defender Security version: 5.6.1
    - WordPress version: 6.8.3
 * **Issue Description:** When an administrator uses the “Reset two factor” link
   from the Users list page (wp-admin/users.php) and that user only has “fallback
   email” set up for authentication, it only partially clears the user’s 2FA data.
   This leaves the user unable to log in and the option to reset 2FA disappears 
   from the user interface.
 * **Steps to Reproduce:**
    1. User sets up 2FA using the Fallback Email method
    2. Administrator clicks “Reset two factor” link for that user from Users list
    3. User attempts to log in – experiences issues or gets stuck in 2FA loop
    4. When user (or admin) views the user page in the admin, there are no details 
       about enabled 2FA options nor link to reset 2FA
    5. In database, `wd_2fa_default_provider` and `wd_2fa_enabled_providers` are empty,
       but other 2FA meta remains
 * **Root Cause:** The reset function in `src/component/class-two-fa.php` at lines
   810-811 only clears two user meta fields:
 *     ```php
       update_user_meta( $user_id, self::DEFAULT_PROVIDER_USER_KEY, '' );
       update_user_meta( $user_id, self::ENABLED_PROVIDERS_USER_KEY, '' );
       ```
   
 * However, it leaves behind:
    - `wd_2fa_backup_email` (stored as defenderAuthEmail)
    - `wd_2fa_backup_code` (stored as defenderBackupCode)
    - `defender_two_fa_token`
    - `wd_2fa_attempt_fallback-email`
 * This partial cleanup creates a corrupted state where Defender thinks 2FA is disabled
   (empty providers) but authentication tokens and secrets still exist.
 * **Expected Behavior:** The reset function should delete ALL 2FA-related user
   meta, similar to how the `remove_data()` function works in
   `src/controller/class-two-factor.php` (lines 1053-1070).
 * **Database Evidence:** For the affected user, we found:
    - `wd_2fa_default_provider`: empty
    - `wd_2fa_enabled_providers`: empty
    - `defenderAuthEmail`: still has email address
    - `defenderBackupCode`: still has serialized backup codes
    - `defender_two_fa_token`: still has active token
    - `wd_2fa_attempt_fallback-email`: still has attempt counter
 * **Temporary Workaround:** We resolved the issue by manually deleting all 2FA 
   meta for the affected user via phpMyAdmin.
 * **Suggested Fix:** The `admin_notices()` method should call a comprehensive cleanup
   function that removes all 2FA data for the user, not just the two provider fields.
   Consider creating a helper method like `clear_user_2fa_data($user_id)` that can
   be reused in multiple places.
 * **Impact:** Users affected by this bug cannot log in and may be completely locked
   out if they don’t have database access. This is a critical issue for production
   sites.
 * Please let me know if you need any additional information or access to reproduce
   this issue.
 * Thank you!
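
The state described in the report above (both provider fields blank, other 2FA meta still present) can be searched for across all users. This is an added example, not part of the original post and not the plugin's code. It assumes the default `wp_usermeta` table name and uses the meta key names quoted in the report; the rows are constructed and loaded into an in-memory SQLite database so the queries can be run offline.

```python
import sqlite3

# Meta keys as named in the report: the reset blanks the first two, the rest stay.
PROVIDER_KEYS = ("wd_2fa_default_provider", "wd_2fa_enabled_providers")
RESIDUAL_KEYS = ("defenderAuthEmail", "defenderBackupCode",
                 "defender_two_fa_token", "wd_2fa_attempt_fallback-email")

def _marks(keys):
    return ",".join("?" * len(keys))

def find_half_reset_users(db, table="wp_usermeta"):
    """User IDs with leftover 2FA rows but no non-empty provider row."""
    sql = f"""SELECT DISTINCT user_id FROM {table}
        WHERE meta_key IN ({_marks(RESIDUAL_KEYS)})
          AND user_id NOT IN (
              SELECT user_id FROM {table}
              WHERE meta_key IN ({_marks(PROVIDER_KEYS)})
                AND COALESCE(meta_value, '') <> '')
        ORDER BY user_id"""
    return [r[0] for r in db.execute(sql, RESIDUAL_KEYS + PROVIDER_KEYS)]

def clear_user_2fa_meta(db, user_id, table="wp_usermeta"):
    """Delete every 2FA row for one user (the manual workaround, as a query)."""
    keys = PROVIDER_KEYS + RESIDUAL_KEYS
    cur = db.execute(
        f"DELETE FROM {table} WHERE user_id = ? AND meta_key IN ({_marks(keys)})",
        (user_id,) + keys)
    return cur.rowcount

def build_sample_db():
    """Constructed rows: user 7 is half-reset, user 8 has 2FA set, user 9 has none."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, "
               "user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    rows = [
        (7, "wd_2fa_default_provider", ""), (7, "wd_2fa_enabled_providers", ""),
        (7, "defenderAuthEmail", "user7@example.test"),
        (7, "defender_two_fa_token", "constructed-token"),
        (7, "wd_2fa_attempt_fallback-email", "1"),
        (8, "wd_2fa_default_provider", "fallback-email"),  # placeholder value
        (8, "wd_2fa_enabled_providers", "fallback-email"),  # placeholder value
        (8, "defenderAuthEmail", "user8@example.test"), (9, "nickname", "user9"),
    ]
    db.executemany("INSERT INTO wp_usermeta VALUES (NULL, ?, ?, ?)", rows)
    return db

if __name__ == "__main__":
    db = build_sample_db()
    for uid in find_half_reset_users(db):
        print(uid, "rows deleted:", clear_user_2fa_meta(db, uid))
```

The two SQL statements use only `IN`, `NOT IN` and `COALESCE`; run them against a backup or staging copy first, since the `DELETE` removes the user's backup codes and fallback email along with the stale token.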

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [Kris – WPMU DEV Support](https://wordpress.org/support/users/wpmudevsupport13/)
 * (@wpmudevsupport13)
 * [7 months, 2 weeks ago](https://wordpress.org/support/topic/bug-report-2fa-reset-function-leaves-corrupted-data-causing-login-issues/#post-18698139)
 * Hi [@jessicalynncodes](https://wordpress.org/support/users/jessicalynncodes/)
 * I hope you are doing well today.
 * I have followed your steps and I’m not able to replicate this issue.
    1. I created editor role and I was able to log in to the site without any issue
       with Defender disabled
    2. As admin I have enabled Defender and 2FA without “Force Authentication” feature
    3. As editor user, after login I manually enabled Fallback Email method, and after
       log out I was able to log in again with my OTP code from the email
    4. As admin, I click on “Reset two factor” for that editor user, and as editor,
       I was able to log in without OTP code
    5. As admin I have enabled the “Force Authentication” for admins and editor roles.
    6. As editor I log in again and I was forced to set up method and again I pick 
       up “Fallback Email” and I was able to log in
    7. As admin I click once again on “Reset two factor” for that editor role.
    8. As editor role, I try to log in, and again “Force Authentication” forced me 
       to pick up the method. Again, I picked up the “Fallback Email” and I was able
       to log in after I entered the OTP code
 * Can you let us know which other settings you have set up in 2FA? Maybe this is
   about the WooCommerce feature or a specific role? Let us know more details, so
   that we can be on the same page.
 * Kind Regards,
   Kris
 *  Plugin Support [Amin – WPMU DEV Support](https://wordpress.org/support/users/wpmudev-support2/)
 * (@wpmudev-support2)
 * [7 months ago](https://wordpress.org/support/topic/bug-report-2fa-reset-function-leaves-corrupted-data-causing-login-issues/#post-18713536)
 * Hello [@jessicalynncodes](https://wordpress.org/support/users/jessicalynncodes/)
 * We haven’t heard from you in some time, so I will mark this thread as resolved.
   If you have any more questions or need further assistance, please let us know!
 * Kind Regards,
    Amin

The topic ‘Bug Report – 2FA Reset Function Leaves Corrupted Data Causing Login Issues’
is closed to new replies.

 * 2 replies
 * 3 participants
 * Last reply from: [Amin – WPMU DEV Support](https://wordpress.org/support/users/wpmudev-support2/)
 * Last activity: [7 months ago](https://wordpress.org/support/topic/bug-report-2fa-reset-function-leaves-corrupted-data-causing-login-issues/#post-18713536)
 * Status: resolved