Temporarily Disabling the WordPress Google Authenticator Plugin from the Command Line

T

This WordPress site uses the Google Authenticator plugin to provide two-factor authentication (2FA) when logging-in to the administration area. Occasionally I need to temporarily disable 2FA in order to publish posts from the blogging software I use. Traditionally toggling 2FA is achieved from the WordPress backend. This post looks at two alternative methods of doing this locally from the command line.

Method 1 – Using the MySQL Command Line Client

The Google Authenticator plugin settings are stored on a per-user basis in the *_usermeta table. Before taking a look at these settings from the command prompt of your server’s remote shell you’ll need the following information from your site’s wp-config.php file:

mysql-user-name:     DB_USER
mysql-user-passwordDB_PASSWORD
database-name:       DB_NAME
table-prefix_:       $table_prefix

To get the appropriate wp-user-id take a look at How to Find a WordPress User ID but instead of username, hover over the number of posts and look for author=

Armed with this information, use the following command to interrogate the database (you’ll be prompted for the mysql-user-name password):

Dummy Content
mysql -u mysql-user-name -p -e "USE database-name; SELECT user_id, meta_key, meta_value FROM table-prefix_usermeta WHERE user_id=wp-user-id AND meta_key LIKE 'googleauthenticator_%';"
+---------+----------------------------------+-----------------------------------------------------------------------+
| user_id | meta_key                         | meta_value                                                            |
+---------+----------------------------------+-----------------------------------------------------------------------+
|       2 | googleauthenticator_description  | My Site                                                               |
|       2 | googleauthenticator_enabled      | enabled                                                               |
|       2 | googleauthenticator_lasttimeslot | 52734943                                                              |
|       2 | googleauthenticator_passwords    | {"appname":"Default","password":"HCACyh@eH-XnL*ALCJJ3-yrKVBVw2m62jm"} |
|       2 | googleauthenticator_pwdenabled   | disabled                                                              |
|       2 | googleauthenticator_relaxedmode  | disabled                                                              |
|       2 | googleauthenticator_secret       | 2TXZUABQROZJAH2E                                                      |
+---------+----------------------------------+-----------------------------------------------------------------------+

 

 

The option we’re interested in is googleauthenticator_enabled which can either have a value of enabled (active) or disabled (inactive). To change the value to disabled use the following command:

Dummy Content
mysql -u mysql-user-name -p -e "USE database-name; UPDATE table-prefix_usermeta SET meta_value='disabled' WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';"

 

 

To confirm the change is successful and the value is now disabled:

Dummy Content
mysql -u mysql-user-name -p -e "USE database-name; SELECT user_id, meta_key, meta_value FROM table-prefix_usermeta WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';"
+---------+----------------------------------+-----------------------------------------------------------------------+
| user_id | meta_key                         | meta_value                                                            |
+---------+----------------------------------+-----------------------------------------------------------------------+
|       2 | googleauthenticator_enabled      | disabled                                                              |
+---------+----------------------------------+-----------------------------------------------------------------------+

 

 

We could combine the command to update the option with the command to confirm the update was successful, but the resulting command is a little lengthy so we could place the necessary SQL statements into a file named say disable-ga.sql:

Dummy Content
USE database-name;
UPDATE table-prefix_usermeta SET meta_value='disabled' WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';
SELECT user_id, meta_key, meta_value FROM table-prefix_usermeta WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';

 

 

The command to disable 2FA and confirm the change is now:

Dummy Content
mysql --table -u mysql-user-name -p < /path/to/disable-ga.sql
+---------+----------------------------------+-----------------------------------------------------------------------+
| user_id | meta_key                         | meta_value                                                            |
+---------+----------------------------------+-----------------------------------------------------------------------+
|       2 | googleauthenticator_enabled      | disabled                                                              |
+---------+----------------------------------+-----------------------------------------------------------------------+

 

 

Note the addition of the mysql command line option --table which is necessary when running mysql in batch mode to ensure results are displayed in a tabular format.

Similarly, we could create another file named say enable-ga.sql in order to enable 2FA:

Dummy Content
USE database-name;
UPDATE table-prefix_usermeta SET meta_value='enabled' WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';
SELECT user_id, meta_key, meta_value FROM table-prefix_usermeta WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';

 

 

Now, to enable 2FA:

Dummy Content
mysql --table -u mysql-user-name -p < /path/to/enable-ga.sql
+---------+----------------------------------+-----------------------------------------------------------------------+
| user_id | meta_key                         | meta_value                                                            |
+---------+----------------------------------+-----------------------------------------------------------------------+
|       2 | googleauthenticator_enabled      | enabled                                                               |
+---------+----------------------------------+-----------------------------------------------------------------------+

 

 

We now have a way of disabling/enabling 2FA from the command line, but this is being actioned server-side remotely. On a Unix-like OS such as Linux or macOS the same can be achieved from a local shell:

Dummy Content
ssh -p 22 user@12.34.56.789 "mysql --table -u mysql-user-name -p < /path/to/disable-ga.sql"
Enter password: ERROR 1045 (28000): Access denied for user 'mysql-user-name'@'localhost' (using password: YES)

 

 

We're simply placing our command in double-quotes and prefixing it with the SSH credentials required to login to the server. However, this will cause an error as we're unable to enter the password for mysql-user-name. To avoid this error amend or create the file .my.cnf in your home directory on the server:

Dummy Content
[client-database-name]
user=mysql-user-name
password='mysql-user-password'

 

 

This provides mysql with the password for the MySQL user mysql-user-name. Note the group name in square brackets: client-database-name. It must begin with the word client, but can be followed with any string. I chose - followed by the database-name.

Now, to disable 2FA from a local shell:

Dummy Content
ssh -p 22 user@12.34.56.789 "mysql --defaults-group-suffix=-database-name --table -u mysql-user-name < /path/to/disable-ga.sql"
+---------+----------------------------------+-----------------------------------------------------------------------+
| user_id | meta_key                         | meta_value                                                            |
+---------+----------------------------------+-----------------------------------------------------------------------+
|       2 | googleauthenticator_enabled      | disabled                                                              |
+---------+----------------------------------+-----------------------------------------------------------------------+

 

 

Note the addition of the mysql command line option --defaults-group-suffix= and its value -database-name which instructs mysql to use the settings associated with the group named client-database-name in the ~/.my.cnf file.

Optionally, create shell aliases to each of these commands by adding the following code to your user profile. For bash, this file is either ~/.bashrc or ~/.bash_profile. For zsh this is ~/.zshrc.

To create an alias named disga:

Dummy Content
alias disga='ssh -p 22 user@12.34.56.789 "mysql --defaults-group-suffix=-database-name --table -u mysql-user-name < /path/to/disable-ga.sql"'

 

 

To create an alias named enga:

Dummy Content
alias enga='ssh -p 22 user@12.34.56.789 "mysql --defaults-group-suffix=-database-name --table -u mysql-user-name < /path/to/enable-ga.sql"'

 

 

Now, to disable or enable 2FA simply type disga or enga respectively at the local command prompt:

Dummy Content
enga
+---------+----------------------------------+-----------------------------------------------------------------------+
| user_id | meta_key                         | meta_value                                                            |
+---------+----------------------------------+-----------------------------------------------------------------------+
|       2 | googleauthenticator_enabled      | enabled                                                               |
+---------+----------------------------------+-----------------------------------------------------------------------+

 

 

Method 2 - Using WP-CLI

The second method uses WP-CLI, the command line interface for WordPress and requires WP-CLI to be installed both locally and remotely with some configuration required for the local install. However, once installed it can be used for not only toggling 2FA. See Installing and Configuring WP-CLI on macOS for details.

The following commands use the WP-CLI user meta get and user meta update commands.

To check the status of 2FA provided by the Google Authenticator plugin using WP-CLI locally:

Dummy Content
wp @production user meta get "wp-user-id" googleauthenticator_enabled
enabled

 

 

To disable 2FA using WP-CLI locally:

Dummy Content
wp @production user meta update "wp-user-id" googleauthenticator_enabled "disabled"
Success: Updated custom field 'googleauthenticator_enabled'.

 

 

To enable 2FA using WP-CLI locally:

Dummy Content
wp @production user meta update "wp-user-id" googleauthenticator_enabled "enabled"
Success: Updated custom field 'googleauthenticator_enabled'.

 

 

These commands can also be aliased. To create an alias named disgawp:

Dummy Content
alias disgawp='wp @production user meta update "wp-user-id" googleauthenticator_enabled "disabled"'

 

 

To create an alias named engawp:

Dummy Content
alias engawp='wp @production user meta update "wp-user-id" googleauthenticator_enabled "enabled"'

 

 

About the author

A native Brit exiled in Japan, Steve spends too much of his time struggling with the Japanese language, dreaming of fish & chips and writing the occasional blog post he hopes others will find helpful.

Add comment

Steve

Recent Comments

Recent Posts