This WordPress site uses the Google Authenticator plugin to provide two-factor authentication (2FA) when logging-in to the administration area. Occasionally I need to temporarily disable 2FA in order to publish posts from the blogging software I use. Traditionally toggling 2FA is achieved from the WordPress backend. This post looks at two alternative methods of doing this locally from the command line.
Method 1 – Using the MySQL Command Line Client
The Google Authenticator plugin settings are stored on a per-user basis in the *_usermeta table. Before taking a look at these settings from the command prompt of your server’s remote shell you’ll need the following information from your site’s wp-config.php file:
mysql-user-name: DB_USER
mysql-user-password: DB_PASSWORD
database-name: DB_NAME
table-prefix_: $table_prefix
To get the appropriate wp-user-id take a look at How to Find a WordPress User ID but instead of username, hover over the number of posts and look for author=
Armed with this information, use the following command to interrogate the database (you’ll be prompted for the mysql-user-name password):
mysql -u mysql-user-name -p -e "USE database-name; SELECT user_id, meta_key, meta_value FROM table-prefix_usermeta WHERE user_id=wp-user-id AND meta_key LIKE 'googleauthenticator_%';"
+---------+----------------------------------+-----------------------------------------------------------------------+
| user_id | meta_key | meta_value |
+---------+----------------------------------+-----------------------------------------------------------------------+
| 2 | googleauthenticator_description | My Site |
| 2 | googleauthenticator_enabled | enabled |
| 2 | googleauthenticator_lasttimeslot | 52734943 |
| 2 | googleauthenticator_passwords | {"appname":"Default","password":"HCACyh@eH-XnL*ALCJJ3-yrKVBVw2m62jm"} |
| 2 | googleauthenticator_pwdenabled | disabled |
| 2 | googleauthenticator_relaxedmode | disabled |
| 2 | googleauthenticator_secret | 2TXZUABQROZJAH2E |
+---------+----------------------------------+-----------------------------------------------------------------------+
The option we’re interested in is googleauthenticator_enabled which can either have a value of enabled (active) or disabled (inactive). To change the value to disabled use the following command:
mysql -u mysql-user-name -p -e "USE database-name; UPDATE table-prefix_usermeta SET meta_value='disabled' WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';"
To confirm the change is successful and the value is now disabled:
mysql -u mysql-user-name -p -e "USE database-name; SELECT user_id, meta_key, meta_value FROM table-prefix_usermeta WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';"
+---------+----------------------------------+-----------------------------------------------------------------------+ | user_id | meta_key | meta_value | +---------+----------------------------------+-----------------------------------------------------------------------+ | 2 | googleauthenticator_enabled | disabled | +---------+----------------------------------+-----------------------------------------------------------------------+
We could combine the command to update the option with the command to confirm the update was successful, but the resulting command is a little lengthy so we could place the necessary SQL statements into a file named say disable-ga.sql:
USE database-name; UPDATE table-prefix_usermeta SET meta_value='disabled' WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled'; SELECT user_id, meta_key, meta_value FROM table-prefix_usermeta WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';
The command to disable 2FA and confirm the change is now:
mysql --table -u mysql-user-name -p < /path/to/disable-ga.sql
+---------+----------------------------------+-----------------------------------------------------------------------+ | user_id | meta_key | meta_value | +---------+----------------------------------+-----------------------------------------------------------------------+ | 2 | googleauthenticator_enabled | disabled | +---------+----------------------------------+-----------------------------------------------------------------------+
Note the addition of the mysql command line option --table which is necessary when running mysql in batch mode to ensure results are displayed in a tabular format.
Similarly, we could create another file named say enable-ga.sql in order to enable 2FA:
USE database-name; UPDATE table-prefix_usermeta SET meta_value='enabled' WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled'; SELECT user_id, meta_key, meta_value FROM table-prefix_usermeta WHERE user_id=wp-user-id AND meta_key='googleauthenticator_enabled';
Now, to enable 2FA:
mysql --table -u mysql-user-name -p < /path/to/enable-ga.sql
+---------+----------------------------------+-----------------------------------------------------------------------+ | user_id | meta_key | meta_value | +---------+----------------------------------+-----------------------------------------------------------------------+ | 2 | googleauthenticator_enabled | enabled | +---------+----------------------------------+-----------------------------------------------------------------------+
We now have a way of disabling/enabling 2FA from the command line, but this is being actioned server-side remotely. On a Unix-like OS such as Linux or macOS the same can be achieved from a local shell:
ssh -p 22 user@12.34.56.789 "mysql --table -u mysql-user-name -p < /path/to/disable-ga.sql"
Enter password: ERROR 1045 (28000): Access denied for user 'mysql-user-name'@'localhost' (using password: YES)
We're simply placing our command in double-quotes and prefixing it with the SSH credentials required to login to the server. However, this will cause an error as we're unable to enter the password for mysql-user-name. To avoid this error amend or create the file .my.cnf in your home directory on the server:
[client-database-name] user=mysql-user-name password='mysql-user-password'
This provides mysql with the password for the MySQL user mysql-user-name. Note the group name in square brackets: client-database-name. It must begin with the word client, but can be followed with any string. I chose - followed by the database-name.
Now, to disable 2FA from a local shell:
ssh -p 22 user@12.34.56.789 "mysql --defaults-group-suffix=-database-name --table -u mysql-user-name < /path/to/disable-ga.sql"
+---------+----------------------------------+-----------------------------------------------------------------------+ | user_id | meta_key | meta_value | +---------+----------------------------------+-----------------------------------------------------------------------+ | 2 | googleauthenticator_enabled | disabled | +---------+----------------------------------+-----------------------------------------------------------------------+
Note the addition of the mysql command line option --defaults-group-suffix= and its value -database-name which instructs mysql to use the settings associated with the group named client-database-name in the ~/.my.cnf file.
Optionally, create shell aliases to each of these commands by adding the following code to your user profile. For bash, this file is either ~/.bashrc or ~/.bash_profile. For zsh this is ~/.zshrc.
To create an alias named disga:
alias disga='ssh -p 22 user@12.34.56.789 "mysql --defaults-group-suffix=-database-name --table -u mysql-user-name < /path/to/disable-ga.sql"'
To create an alias named enga:
alias enga='ssh -p 22 user@12.34.56.789 "mysql --defaults-group-suffix=-database-name --table -u mysql-user-name < /path/to/enable-ga.sql"'
Now, to disable or enable 2FA simply type disga or enga respectively at the local command prompt:
enga
+---------+----------------------------------+-----------------------------------------------------------------------+ | user_id | meta_key | meta_value | +---------+----------------------------------+-----------------------------------------------------------------------+ | 2 | googleauthenticator_enabled | enabled | +---------+----------------------------------+-----------------------------------------------------------------------+
Method 2 - Using WP-CLI
The second method uses WP-CLI, the command line interface for WordPress and requires WP-CLI to be installed both locally and remotely with some configuration required for the local install. However, once installed it can be used for not only toggling 2FA. See Installing and Configuring WP-CLI on macOS for details.
The following commands use the WP-CLI user meta get and user meta update commands.
To check the status of 2FA provided by the Google Authenticator plugin using WP-CLI locally:
wp @production user meta get "wp-user-id" googleauthenticator_enabled
enabled
To disable 2FA using WP-CLI locally:
wp @production user meta update "wp-user-id" googleauthenticator_enabled "disabled"
Success: Updated custom field 'googleauthenticator_enabled'.
To enable 2FA using WP-CLI locally:
wp @production user meta update "wp-user-id" googleauthenticator_enabled "enabled"
Success: Updated custom field 'googleauthenticator_enabled'.
These commands can also be aliased. To create an alias named disgawp:
alias disgawp='wp @production user meta update "wp-user-id" googleauthenticator_enabled "disabled"'
To create an alias named engawp:
alias engawp='wp @production user meta update "wp-user-id" googleauthenticator_enabled "enabled"'
