Considerations when migrating a WordPress website while WP 2FA is activated

When migrating or cloning a WordPress site from staging to production while WP 2FA (Two-Factor Authentication) policies are enabled for users, there are some important considerations to keep in mind. Taking them into account prevents the plugin from malfunctioning after the process is completed.

WP 2FA secures user information by encrypting it with its own keys, typically stored in the wp-config.php file. If the plugin detects that the wp-config.php file is unwritable, this secret key is stored in the database instead. On some sites, this is done on purpose for security reasons.

We have a separate article that will help you move this secret key from the site’s database to the wp-config.php file, where it should be located.

Below is an example of what you should see when opening the wp-config.php file and checking for our plugin's encryption key:

define( 'WP2FA_ENCRYPT_KEY', '8YB+38vAQvAfdMG73zLRCA==' );

Migration procedure

If the plugin is active during migration, it might regenerate the encryption keys, rendering existing 2FA configurations invalid.

To avoid this:

  1. Deactivate the plugin before migration and reactivate it once migration is complete.
  2. Preserve the WP2FA_ENCRYPT_KEY value before migration. If it changes after migration, replace the new key with the old one.
  3. Ensure that the wp_2fa_ entries in the WP_USERMETA table remain unchanged.
  4. Ensure that the wp_2fa_ prefixed entries in the WP_OPTIONS table remain unchanged (these hold the plugin settings and configuration).

By following these steps, you can maintain 2FA encryption integrity post-migration/cloning without any issues.
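A check for step 2, as an added example that is not part of the original article or the plugin's own code: it reads the pre-migration and post-migration wp-config.php contents as text, compares the WP2FA_ENCRYPT_KEY values, and reports short fingerprints rather than the keys. The function names, status strings, sample file contents and the regenerated key are constructed for illustration.

```python
import hashlib
import re

# Matches define( 'WP2FA_ENCRYPT_KEY', '...' ); at the start of a line, with
# single or double quotes. Lines commented out with // or # do not match.
_DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])WP2FA_ENCRYPT_KEY\1\s*,\s*(['"])(.*?)\2\s*\)\s*;""",
    re.MULTILINE,
)

def extract_key(wp_config_text):
    """Return the WP2FA_ENCRYPT_KEY value, or None if there is no define."""
    match = _DEFINE_RE.search(wp_config_text)
    return match.group(3) if match else None

def fingerprint(key):
    """Short SHA-256 fingerprint, so the key itself stays out of logs."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]

def compare_keys(source_text, dest_text):
    """Compare the key in the pre-migration and post-migration wp-config.php."""
    src, dst = extract_key(source_text), extract_key(dest_text)
    if src is None:
        # The article notes the key lives in the database when wp-config.php
        # is unwritable, so a missing define is not an error by itself.
        return "source-key-not-in-wp-config"
    if dst is None:
        return "destination-key-missing"
    return "match" if src == dst else "mismatch"

# Constructed sample files; the source key is the example value from the article.
SOURCE = "<?php\ndefine( 'DB_NAME', 'example' );\n" \
         "define( 'WP2FA_ENCRYPT_KEY', '8YB+38vAQvAfdMG73zLRCA==' );\n"
REGENERATED = "<?php\ndefine( \"WP2FA_ENCRYPT_KEY\", \"CONSTRUCTED-NEW-KEY==\" );\n"
NO_DEFINE = "<?php\n// define( 'WP2FA_ENCRYPT_KEY', 'disabled' );\n"

if __name__ == "__main__":
    for label, dest in (("clean", SOURCE), ("regenerated", REGENERATED),
                        ("no define", NO_DEFINE)):
        key = extract_key(dest)
        shown = fingerprint(key) if key else "-"
        print(f"{label}: {compare_keys(SOURCE, dest)} (destination fp {shown})")
```

A "mismatch" result is the case step 2 describes: the key changed during migration and the old value needs to be put back.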
