Ghost CLI Backups Broken? Blame 2FA — and Here’s the Workaround.

⚠️ Worth mentioning: We at SNUBmonkey™ was the first to report this issue to the Ghost community —all the way back on April 19, 2025.
Well, here's the ugly truth:
the ghost backup
CLI command —yes, the one we've relied on for ages —is now dead in the water. We're stuck with a broken backup system and no official fix.
Why?
Because Ghost decided to implement 2FA (Two-Factor Authentication) for staff logins. Great for security (in theory), but an absolute mess for automation and CLI-based processes.
The Error
You'll likely see this annoying and freaky response:
✖ Backing up site
An error occurred.
Message: 'Response code 500 (Internal Server Error)'
That's it. No real hint, no proper explanation.
Just a vague HTTP 500 response after trying to run your regular backup process.
Why?
Because the CLI tool doesn't understand or support 2FA.
Ghost added a security layer —but didn't think through its impact on their own tooling.
Let's say this louder and clear:
If you're going to force 2FA, your CLI tools should support it. Period. Otherwise, you're breaking production workflows.
Imagine This…
Imagine not being able to back up all your blog posts, images, themes —everything you've built over years of work. Just locked out, with no way to safely archive or migrate your data. That's not acceptable.
Backups are not optional. They are the core of modern security hygiene —especially today, when ransomware, DDoS attacks, and zero-days are daily headlines. We're no longer living in the early 2000s. This is 2025. The world is hostile, and your content must be protected.
When a platform blocks you from making backups —whether intentionally or through poor planning — it’s a serious problem.
The Dirty Workaround
After digging (and cursing) through Ghost forums and testing in production (yeah, we went there), here's the temp fix:
Inside your Ghost config file (config.production.json), you must disable device verification:
"security": {
"staffDeviceVerification": false
}
That's the magic line.
This tells Ghost not to email you a 2FA code every time it sees a new login —which breaks the CLI backup command.
"security": {
"staffDeviceVerification": false
}
You'll find config.production.json in the root of your Ghost install.
After making your edits, don't forget to restart Ghost so the changes can take effect:
$ ghost restart
⚠️ Important Notes
- This reduces your security —obviously. Use at your own risk.
- Ghost needs to come up with a real fix — ike allowing CLI tokens or OAuth-based auth for automation.
We are all for better security, but breaking your own tools in the name of it? That's not security —that's just poor design. Until Ghost addresses this with a real update to the CLI tool, this workaround is your only option.
That's it.
We hope this has been a help!