diff --git a/server/models/users.js b/server/models/users.js
index 1d0d9799..28f3919e 100644
--- a/server/models/users.js
+++ b/server/models/users.js
@@ -128,7 +128,8 @@ module.exports = class User extends Model {
 tfaIsActive: false,
 tfaSecret: tfaInfo.secret
 })
- return qr.imageSync(`otpauth://totp/${WIKI.config.title}:${this.email}?secret=${tfaInfo.secret}`, { type: 'svg' })
+ const safeTitle = WIKI.config.title.replace(/[\s-.,=!@#$%?&*()+[\]{}/\\;<>]/g, '')
+ return qr.imageSync(`otpauth://totp/${safeTitle}:${this.email}?secret=${tfaInfo.secret}`, { type: 'svg' })
 }

 async enableTFA() {
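Review bot: The character list on the new `safeTitle` line omits `:`, which separates issuer and account in an otpauth label, and `this.email` on the following line is still interpolated without any encoding. A title containing a colon therefore still yields an ambiguous label, and an address containing `&`, `#`, `%` or `+` can change how the query part of the URI is parsed by the authenticator. Percent-encoding covers every character rather than only the listed ones: drop the colon with `.replace(/:/g, '')` and build the label from `encodeURIComponent(safeTitle)` and `encodeURIComponent(this.email)`. Two things to confirm before merging: that the authenticator apps which prompted this change accept `%20` in the label, and what should happen when the title consists only of stripped characters, since the issuer is then empty. The enclosing method begins above the hunk, so how `tfaInfo` is generated is not visible here.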