If your authenticator app (Google Authenticator, Authy, Microsoft Authenticator, etc.) generates codes that WP Ghost rejects, work through these checks in order.
Device time and date out of sync
TOTP codes are time-based. If your phone’s clock is off by more than 30 seconds, codes won’t match. Go to your device’s Settings > Date & Time and enable Set Automatically (or Use network-provided time on Android). This is the most common cause of invalid codes.
Code has expired
Each code is valid for only 30 seconds. If the code in your authenticator app is about to expire (the countdown timer is nearly empty), wait for the next code and enter it immediately. Don’t copy a code and then take time before pasting it.
Wrong account selected
If you have multiple WordPress accounts or multiple sites in your authenticator app, make sure you’re using the code for the correct user on the correct site. Each user has a unique 2FA secret key, so codes are not interchangeable between accounts.
Reset the secret key and re-scan
If codes still fail after checking the above, reset the 2FA connection: go to Users > Edit User in WordPress, scroll to the WP Ghost 2FA section, and click Reset Key. Then open your authenticator app, delete the old entry for this site, and scan the new QR code. The old codes stop working immediately after the key is reset.
Server time drift
In rare cases, the server’s clock, rather than the device’s, may be out of sync. Contact your hosting provider to verify the server time is accurate. You can also widen the acceptance window using the hmwp_totp_time_step_allowance filter to accept codes from adjacent 30-second windows:
add_filter('hmwp_totp_time_step_allowance', function($steps) {
    return 2; // Accept codes within ±60 seconds instead of ±30
});
If you’re completely locked out, use the emergency disable guide to regain access, or log in with a backup recovery code.
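To see how clock drift and the step allowance from the "Server time drift" section interact, the following added example (not WP Ghost's code) computes RFC 6238 codes and reports which 30-second window a code matches. It assumes HMAC-SHA1 with 6 digits (the common authenticator-app defaults) and that an allowance of n accepts windows from -n to +n; the secret, timestamps and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP window, as stated on this page


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def matching_offset(secret_b32, code, server_time, allowance):
    """Return the window offset at which code verifies, or None if rejected."""
    for offset in range(-allowance, allowance + 1):
        expected = totp(secret_b32, server_time + offset * STEP)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return offset
    return None


# Constructed sample data: the RFC 6238 test secret, not a real key.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SERVER_TIME = 1111111109
PHONE_TIME = SERVER_TIME + 45  # phone clock running 45 seconds fast

if __name__ == "__main__":
    code = totp(SECRET, PHONE_TIME)
    for allowance in (1, 2):
        # Prints the allowance and the matching window offset (None = rejected)
        print(allowance, matching_offset(SECRET, code, SERVER_TIME, allowance))
```

A consistently non-zero offset points to a clock that should be corrected at its source. Each extra step of allowance increases the number of codes that are valid at any moment, so keep the value as small as resolves the problem.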