WordPress Login Security

In the WordFence Security Plugin for WordPress post I touched on the login security capabilities built into WordFence. Since I wrote that post I became aware of another interesting login security plugin for WordPress: Clef. I actually started a trial of the Clef plugin on this website and my photography website, Cardinal Acres Photography. While that trial was mostly successful, along the way I came across yet another login security plugin for WordPress: BruteProtect. BruteProtect was recently acquired by Automattic, the folks behind wordpress.com and one of the major supporters of the WordPress open source project. If Automattic thought BruteProtect was worth acquiring, it HAD to have something going for it.

So, instead of my initial plan to do a review of Clef alone, I have decided to do a review of both Clef and BruteProtect to compare and contrast their capabilities.


Clef is a “two factor” authentication plugin for WordPress (there are also Clef plugins for Joomla, Drupal, Magento and Plesk). As such it consists of two pieces of software: a plugin for all your WordPress installations (Clef natively supports multiple WordPress websites at once but must be installed on all of them) as well as a smartphone app (currently Clef is available for iOS and Android).

Clef works by eliminating the default username/password login prompt and replacing it with the Clef “wave”, which is a dynamic, graphical representation of a 2048 bit RSA key. To log in, you go to the normal WordPress login page, which will display the Clef “wave”. Then, on your smartphone, you launch the Clef app, which will prompt you for either a PIN or your fingerprint (if you have an iPhone with TouchID capability). Once past the authentication on your smartphone, you point your phone’s camera at the Clef “wave” on your computer screen to complete the login process.

The advantage of this system is that traditional brute force hacking techniques simply don’t work against this type of login system. Your phone stores the “private key” of the RSA public/private key pair, which is sent to the Clef servers to compare with the “public key”. If the comparison succeeds you are logged in. Since this system is “two factor” authentication, it uses both something you know (the URL for your website’s login prompt) and something you have (your smartphone plus your PIN or fingerprint).

Of course, this means if you don’t have your smartphone with you at all times you can potentially be locked out of your website. Fortunately, Clef gives you two options for allowing normal username/password authentication to address this situation. The first is a plugin setting that will include a link on the login page which links to the normal WordPress login prompt.


The second is the ability to set an “override URL” which when accessed will allow authentication via the normal WordPress login prompt (it is a good idea to set this so you have access should your smartphone be damaged or out of power). The settings also include options for disabling passwords for only certain user levels (useful if you have a membership site and don’t want to force everyone to use Clef).

One last feature of Clef is that once you authenticate via Clef you are automatically logged into every website on which you have Clef installed and linked to the same Clef account. Conversely, when you log out via the Clef app on your smartphone, you will be logged out of all your websites that use Clef authentication.

I used Clef on three of my personal WordPress sites and found it mostly easy to use and to work as advertised. However, I found one irritating stumbling block to using Clef: in order to have a seamless hand-off from the Clef login screen to the WordPress administrative back-end, your web browser must accept cookies from a third party. If your web browser security settings prevent third-party cookies, instead of having the Clef “wave” displayed on your site’s login page (as in the screenshot above), you get a login prompt where you must click a link to a page on the getclef.com website where the “wave” is displayed. Once your phone has recognized the displayed “wave” you do get redirected back to the administrative back-end of your WordPress site, though.

Generally, I set my web browser to only accept cookies from the site that I am visiting for security reasons. Having to change this setting or deal with an extra click to get logged in was an annoyance for me and led me to abandon Clef.


BruteProtect is a security plugin that works by centrally tracking all failed login attempts for WordPress websites on which it is installed. That database is then used to determine the IP address(es) of malicious brute force login attacks and any attempt to log in via those IP addresses is blocked. For obvious reasons, the BruteProtect folks don’t really give much detail on the heuristics used to determine whether a failed login attempt is malicious or not, so this plugin is something of a “black box”.

That said, Automattic, the folks behind WordPress itself, have recently acquired BruteProtect and are working to integrate it into the JetPack suite of WordPress plugins. The fact that Automattic felt the plugin was worth adding to JetPack gives me quite a bit of confidence that it is well designed and coded.
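To illustrate why tracking failed logins centrally matters, here is an added example (not BruteProtect’s code, whose heuristics are not published) comparing a per-site lockout counter with a counter shared across sites. The threshold, time window, function name and sample events are all assumptions constructed for this sketch.

```python
from collections import defaultdict

# Constructed sample data: (unix_seconds, site, source_ip) for failed logins.
# IPs are from documentation ranges; site names are hypothetical.
SAMPLE_FAILURES = (
    # Spreads a few guesses over several sites to stay under per-site limits.
    [(t, s, "203.0.113.7") for t, s in [(0, "site-a"), (30, "site-a"),
                                        (60, "site-b"), (90, "site-b"),
                                        (120, "site-c"), (150, "site-c")]]
    # Hammers a single site.
    + [(200 + i, "site-a", "203.0.113.99") for i in range(6)]
    # A user who mistyped a password twice.
    + [(300, "site-b", "198.51.100.20"), (320, "site-b", "198.51.100.20")]
    # Five failures, but one per hour: never five inside one window.
    + [(i * 3600, "site-c", "192.0.2.50") for i in range(5)]
)

LIMIT = 5      # assumed: failures tolerated inside one window
WINDOW = 600   # assumed: sliding window length in seconds


def flag_ips(events, limit=LIMIT, window=WINDOW, per_site=False):
    """Return the set of IPs with >= limit failures inside any sliding window.

    per_site=True counts each (ip, site) pair on its own, like a local
    lockout plugin; per_site=False pools every site into one counter.
    """
    buckets = defaultdict(list)
    for ts, site, ip in sorted(events):
        buckets[(ip, site if per_site else None)].append(ts)

    flagged = set()
    for (ip, _site), times in buckets.items():
        start = 0
        for end, ts in enumerate(times):
            # Drop timestamps that fell out of the window ending at ts.
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= limit:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print("per-site view:", sorted(flag_ips(SAMPLE_FAILURES, per_site=True)))
    print("central view: ", sorted(flag_ips(SAMPLE_FAILURES, per_site=False)))
```

With the per-site counter only the address hammering one site is flagged; the pooled counter also catches the address that spreads its guesses across sites, while the mistyping user and the slow source stay unflagged under these assumed limits.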

Installing and configuring BruteProtect is about as simple as it gets. Once you activate BruteProtect it will ask to connect to WordPress.com; simply authenticate when prompted (or verify that the WordPress.com account you’re already logged into is the one you wish to use) and you’re done.

As with Clef, I have installed BruteProtect on three of my personal WordPress sites and have found it to work as advertised and to be completely transparent. Essentially the only user-facing aspect of BruteProtect is the dashboard widget that shows how many malicious login attempts have been thwarted:


Since I’m not forced to change my web browser settings to get the best user experience (like Clef), BruteProtect has become my WordPress site security plugin of choice. With Automattic now in charge of developing the plugin, I’m certain that it will only get better and be more tightly integrated with the JetPack suite of plugins in the future.