Beef up your WordPress login security with Clef

[Blaugust Day 24]

If you don’t already know this, I’m going to tell you: passwords are ridiculously insecure.


Even if you have a relative complex password that you never use on any other site and never tell to anyone, it still wouldn’t be that difficult to crack. Which is why more and more sites are using two-factor authentication.

If you’ve played WoW, then you probably already know about this in the form of their authenticator (available in both physical and mobile forms). No matter which you use, it means you have to enter a second input in addition to your username and password when you log in. It’s a little more work but it makes things more secure. Even if it’s not quite foolproof.

Now, I’ve been using a security plugin on my WordPress installs for a while (either iThemes Security or Wordfence). One of the things that the plugin does is block hackers from breaking into my site through brute force attacks or other means, and lets me know when this has happened. The amount of times that hackers have attempted this was…disturbingly high. Like multiple times a day high. So I went searching for some two-factor authentication for the WordPress login and came upon Clef.

I’ve been using Clef on this blog for about 2 months now and I have to say that it’s pretty amazing. To log in, I just start the Clef app on my phone, enter my PIN, hold it up to my computer screen, and a few seconds later, I’m logged in. Not only do I not have to enter a second authentication, but I don’t even have to enter my username and password.

This is all I see when I log in now
This is all I see when I log in now

It seems way too easy for something that’s suppose to increase security and I was certainly skeptical about it at first. But everything I’ve read seems to point to it working well and only gaining in popularity. There’s a PDF that goes into detail about how its security works but here’s the gist of it:

  • Instead of using a username and password for logging someone in, it uses a digital signature in the form of that waveform in the screenshot. “This signature is 300 characters long, is specifically tied to the computer where the user is logging in, cannot be used on any other computer, and expires after a few minutes.” AS XKCD pointed out above, it’s going to take a long time to guess that one, even for a computer.
  • The private key that generates the signature is created and stored on your phone, not a central server that can be hacked into. A hacker would have to have your phone in hand to be able to get into your site.
  • Even if someone does manage to get a hold of your phone, the app is protected by a fingerprint (if you’re using an iPhone 6) or a 4-number PIN.
  • If your phone gets lost or stolen, Clef is able to deactivate it through their site.
  • If someone manages to intercept the signature being sent (man-in-the-middle attack), the signature is useless because it’s tied to the specific computer and time you logged in.
  • Keyloggers don’t work because there’s no typing involved.
  • If someone steals your computer or you forget to log off at a public location, your site is still safe. By default, the Clef app keeps you logged in for an hour before logging you out. The timer can be increased or decreased as needed, or you can set it to keep you logged in indefinitely. There’s a button in the app to manually log your account out whenever you want as well.

I’m not saying that Clef is “uncrackable” (because nothing is) but it certainly goes to great lengths to ensure that your site is safe.

If there’s one slight inconvenience I discovered while using Clef, it’s that you can only be logged in on one computer at a time. But considering how easy it is to log in again, it’s not really an issue.

Setting it up is super easy as well and Clef has a good guide for how to do it on a WordPress site. There’s a couple of options for it in the admin panel that you can tune to your liking. Since I’m the only person who logs into this blog, I’ve turned off passwords completely and use Clef exclusively to log in. There’s a secret login page that I’ve bookmarked where I can still log in with my username and password if need be.


What really convinced me to give it a try though were articles such as the one on ManageWP, and the fact that they’ve partnered with some names I recognize in the web hosting community, particularly Softaculous and SiteGround.

If you have a self-hosted WordPress blog, I highly recommend getting Clef. If you don’t but use Chrome as your browser, they’ve created a password manager plugin called Waltz using the same technology. I use Firefox myself so I look forward to the day that Waltz is available for other browsers.

August 25, 2015 No comments / /

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.