9th Node Networks joins Safer Hosts

We’re really excited to share that 9th Node Networks is now a member of Safer Hosts. As a member of the program, they’ll be letting users install Clef as part of their default WordPress install — helping us make better security the default for the masses.

If you haven’t heard about 9th Node Networks, it’s probably because they’ve been too busy taking amazing care of their customers. Based in Colorado Springs, CO, they’ve been providing top-tier web hosting services since 2008. In the words of their founder, Aaron Ditto:

We at 9th Node are continually looking at ways to improve security for our customers, and help protect them from online attacks. With the rise of cyber attacks increasing every day, we’ve grown familiar with over a dozen other tools to help protect our clients sensitive data. Clef helps simplify not only the login process and management of passwords for hundreds of websites at one time, but instantly helps protect against common brute force and other password breaking techniques on WordPress based websites.

Adding 9th Node Networks to the Safer Hosts program was a no-brainer — and we’re only just beginning. In the coming months, we’ll be working together to release some exciting plugins that bring Clef to new platforms. We couldn’t be happier to have them as a partner.

If you’re looking for awesome, personal hosting, check out 9th Node Networks here.

Raid Host joins the Safer Hosts program

Today, we’re happy to announce that Raid Host is part of Clef’s Safer Hosts program. As part of the program, Raid Host is letting users install Clef by default in their standard WordPress setup process!

For those who don’t know, Raid Host is a UK based web host with thousands of customers worldwide. They provide affordable hosting with a focus on reliability, flexibility and security. Since Raid Host serves customers’ websites in isolated virtual file systems, customers can rest assured that their sites are protected and other compromised sites will never affect their own.

We talked to Raid Host’s Director of Infrastructure, William Eccles, about why Clef’s security matters to them:

Passwords can be cracked, “brute-forced” or even shared among many websites. Clef is the perfect solution for these weaknesses.
As a web host, if an account is breached, we often need to help restore the account and stop spam from being sent. Clef protects the customer, and results in less sysops work for us.

We are so pleased that Raid Host is joining us in making good security the default.

If you’re looking for an affordable host that cares about security from top to bottom, check out Raid Host’s shared hosting plans here.

Announcing Clef for Joomla

joomlashareableToday, we are so pleased to announce that the secure, easy experience of logging in with Clef is now available for Joomla, one of the largest content management systems on the web. You can download the free extension for your Joomla sites here.

Why Joomla?

Joomla is the second largest platform for building websites behind WordPress and powers over 30 million websites. Its ubiquity makes it a high profile target for hacking and defacement especially since hacked sites can be added to a zombie army that attacks even more sites across the web.

As we’ve improved our WordPress plugin, many users have asked us for the same pain-free, secure login experience for Joomla. Joomla administrators often manage many Joomla sites at the same time, and maintaining strong password habits with so many accounts becomes a major frustration. It’s been in our timeline for a while, but we wanted to make sure that we could offer the same elegant, one-click installation process as WordPress.

anything-digital

Lucky for us, a few months ago, Scott Offord connected us with Anything Digital, a premier Joomla company run by Vic Drover, who also volunteers as treasurer of the foundation behind Joomla. They love Clef and build amazing extensions with an eye for security like Watchful and sh404SEF, so it was a natural fit. With our guidance, they’ve built a seamless Clef experience for Joomla with all the same features you’ve come to expect from our WordPress plugin. In addition to easy administrator login, Clef for Joomla supports Clef logins for your site’s regular users out of the box. You can download it here.

We’re so excited to have great developers building on our platform and making Clef available for more people in more places. Between our work with developers and hosts, we’re proud to be making good security the default for the web.

You can download the free Clef extension for Joomla here.

Protecting millions of WordPress users by default

saferhosts

Four weeks ago, we announced Safer Hosts, a program to encourage hosts to enable two-factor logins for their customers. Today, we’re excited to announce the founding members: SiteGround, RaidHostArvixe, and 9th Node Networks.

As part of the program, we’ll be featuring these hosts as preferred and letting them offer easy, secure two-factor authentication for free to every one of their WordPress customers. Clef will be bundled with WordPress installs for new customers and existing customers will have the opportunity to add our technology with a single click.

These companies provide hosting for millions of customers and we are very excited that they are taking concrete steps to make good security the default.

SHIP’s largest founding member

Over the next few weeks, we’ll be taking an in-depth look at every new member of SHIP, starting with one that we’re really excited to have on board: SiteGround. To celebrate, SiteGround is offering a 70% discount to Clef customers through this link.

 

siteground

 

SiteGround is one of the largest hosts in the WordPress community: they manage more than 300,000 domains across multiple platforms and are well known for sponsoring WordCamps around the world. Founded in 2004, they have become legendary for their simple security and outstanding support.

We first met the SiteGround team at WordCamp Chicago; they were a sponsor and our CEO, Brennen, was giving a talk on the security problems with passwords. After a long conversation at the speaker’s dinner, we realized that they shared one of our core goals: a desire to make more of the web secure by default.

Two weeks later, we were excited to bring them on as one of the founding members of SHIP — they’ll be making Clef available with every new WordPress installation, giving users easy, secure, free two-factor authentication from the get go.

We take security extremely seriously and have always had a very proactive approach to creating our own security systems to give our customers the peace of mind that their sites are safe and secure with us. We are also constantly building and looking for tools that can make the user experience of our customers as easy as possible. Clef 2-factor authentication is definitely something that improves login security and given the growing requests from our existing clients, we are now pleased to partner with Clef and have it available for all SiteGround clients.

- Reneta Tsankova, Chief Operations Officer at SiteGround

With SiteGround as a member of SHIP, the web is a safer place. To learn more about SiteGround, you can sign up for a 70% discount on your first year of shared hosting here.

Get 70% off SiteGround

Only the beginning

We’re so excited by the amazing response we’ve gotten to SHIP: in just a few weeks, we’ve partnered with five of the best hosts on the web to protect more of their customers by default.

But this is just the beginning. We’re determined to protect all of the web, by default, and we’ll need your help to do it.

If you’re a host who wants to keep your customers safe, get in touch about being a preferred host here.

If you’re a customer that wants a safer web, tweet at your host below and tell them to join SHIP!

Two steps forward

Clef+SoftaculousThe Threat

We will all remember 2014 as the Year of Security for WordPress. Powering more than 20% of sites on the Internet, WordPress has become a prime target for hackers. This year we’ve felt the impact with the Heartbleed, Jetpack, and HTTP cookie vulnerabilities, but it’s the threat on the horizon we need to pay attention to.

The zombie army, also known as “botnets”, is a massive collection of infected computers and compromised sites that attack WordPress sites at random.

Each computer in the zombie army guesses a few different passwords on your site and, with millions of computers in the army, most sites fall in seconds.

The zombie army feeds on the weakest and worst-maintained sites in our community to grow and become more powerful. As more sites fall, we all become more vulnerable.

The Answer

Today we’re only protecting the people who seek out and research security on their own. Instead, we must decide as a community that good security should be on by default.

Specifically, two-step logins are a tool that everyone in our community should have access too.

Automattic offers two-step logins on WordPress.com because “The weakest link in the security of anything you do online is your password.” Automattic has led the way, but we need other hosts to follow them.

Hosts

The next big challenge with WordPress is raising the baseline security of new sites coming online. With Clef, we found a way to make huge gains in security while also improving user experience. Working together is a no brainer.

- Brijesh Kothari, Head of Sales @ Softaculous

Today, we’re announcing a partnership with Softaculous to make two-factor easy for any host to enable. With this new integration, any host using Softaculous can include Clef in WordPress installations to give users access to secure two-factor logins out of the box.

Softaculous has become a dominant installer of WordPress and is used by hosts all over the world because their user interface is simple and their scripts are secure. Most new sites in our ecosystem come through Softaculous or another installer, making them a fantastic place for us to improve the baseline security of our community.

It’s one step for any host that uses Softaculous to enable this by going to the Softaculous Admin panel -> Software -> Advanced Settings and checking the box to enable Clef. The admin setup instructions are here and you can see a demo settings page here.

Clef Host Incentive

To help encourage hosts to enable two-step logins for their customers, we’ve created the Safer Host Incentive Program (SHIP).

Any host that offers two-step logins for newly created sites is eligible for (SHIP) and will be able to use Clef on their own domain for free. Clef will still always be free for sites with less than 100 users.

We’re also going to be featuring and promoting SHIP hosts on the Clef blog and hosts page to make sure they get the love they deserve!

You can read more about the hosts program here.

Call to Action

The zombie army gets stronger every day. We’re all responsible for helping to protect this community and your voice can help make sure that our most vulnerable users get access to the tools they need.

Ask your host to offer two-step logins on Twitter by clicking an icon below, or craft your own with the hashtag #twostepsforward.

Bringing easy, secure two-factor authentication to CyberChimps’ themes

cyberchimps-shareable-wide (1)

When we launched Clef for WordPress 2.0 in February, we set off to bring the ease and security of password-less login to everyone who logs in to a WordPress site.

Today, we’re excited to announce a big milestone in this effort: Clef is now officially recommended for every user of the Responsive theme.

Responsive is one of the most popular WordPress themes on the web. With over 1 million downloads, it provides a beautiful responsive base for hundreds of thousands of designers every day.

Unfortunately, the constant threat of password breaches and site hacks means many of these designers spend time worrying about managing and changing passwords, when they should be allowed to focus on what they actually care about — good design. When Heartbleed was announced, the team behind Responsive knew that they needed to do something. In their words,

Clef makes securing your website easy enough for website owners/administrators to implement and communicate with all users. That’s why CyberChimps is recommending using Clef with all its themes. It’s a level of security that just isn’t optional any more. 

We couldn’t be more excited to work with CyberChimp and Responsive users to secure the beautiful sites they create.

If you haven’t already used Responsive, give it a go for your next site.

clef for professionals

Today we are announcing new features for Clef that are built specifically for professional developers. Freelancers and agencies have been using Clef since the WordPress plugin was first built by David Michael Ross, a 10up engineer, last year. Over the last few months, and especially since releasing Clef 2.0, we’ve seen a drastic increase in the number of professionals using Clef and have gotten a lot of feedback about the extra tools that would be useful for these power users.

The new Professional tiers will give freelancers and agencies better tools to customize Clef logins, team management tools for production and development sites, priority support, and a completely ad-free experience.

Clef Pricing Tiers

As a part of this release, we’re also rolling out a small ad below the Clef Wave on new sites. If you want to check out how these ads look, just visit our demo site and click the login button! This helps ensure that we can continue to provide free, secure logins to everyone. An individual site can get rid of the ad forever for a one time fee or by including the Clef badge in their footer.

Clef is dedicated to our users privacy and we will never use tracking ads anywhere on Clef. These ads are carefully curated from WordPress services we love and already recommend to our customers. Every site that already uses Clef has been upgraded to Clef Plus, so only new sites will see ads. In addition, any agency or freelancer who was using Clef before today is eligible for a free year of the premium tier. Email team@getclef.com and we’ll get you set up.

A few weeks ago we announced Clef 2.0 to make easier to set up and use. As Clef continues to mature, the tools supporting Clef and our users will too. We have a lot more great improvements in the pipeline, and we’re very excited about getting rid of more passwords.

Some questions and answers about this upgrade

 

1. Do the ads interfere with Clef Wave scanning?

No! Definitely not. If you want to see how the ads look, visit demo.getclef.com and log in. We hand curate all of the advertisers and make the ads unobtrusive and beautiful (if ads can be beautiful).

2. Are ads only about things related to WordPress?

Almost exclusively. Right now, we’re also advertising Clef t-shirts (buy one!) and in future, we may add other non-WordPress ads, but they will always be tasteful.

3. How noticeable are these ads?

Noticeable, but we hope they aren’t bad. Again, check them out at demo.getclef.com.

4. How much is the fee to get rid of these ads?

You can remove ads on a site forever for $29. You can also pay $19/month to remove ads on all of your sites.

5. What is “Easy Team Management” under the Agency pricing tier?

Essentially, we’re adding features that make setting up sites as a team much better. This will allow multiple Clef users to control a Clef application, enable inviting of new users, and make sharing with clients easy.

6. How much does Clef earn from these ads?

We can’t disclose the details, but our goal is just to earn enough to support the company.

7. Can you become a Clef advertising partner?

Yes! Interested in targeting thousands of highly engaged WordPress users? We’d love to get you set up! Email team@getclef.com and we’ll make it happen.

 

Clef 2.0 for WordPress Makes Logins More Accessible, Integratable

Clef for WordPress 2.0

Over the last 6 months, the Clef plugin has been downloaded almost 4,000 times. Cloudflare recommends Clef to all of its WordPress sites, several small hosts bundle Clef on installation for their users, and Clef is being used by professional WordPress consultants and agencies all over the world. We’ve made huge progress in protecting the administrators of WordPress sites.

With Clef 2.0, we’re focusing on bringing the ease and security of passwordless login to everyone else who logs in to a WordPress site. We wanted to make every step of using Clef easier, more approachable, and more accessible for everyone. A quick summary of the new features:

  • a new ajax-based settings page with beautiful visualizations
  • a smoother setup process
  • a smoother experience of connecting your clef account
  • user invitations to get Clef set up for all users
  • a more modular code-base for better integration and customization by our partners

We’re also partnering with WPMU to make Clef work for all of the customer logins offered by their popular plugins. For plugins like Membership, the Clef plugin now works seamlessly for login and registration.

This will let Clef protect a much broader audience, and give more of the WordPress community access to free, safer, easier logins.

We couldn’t be more excited to be protecting your sites, and we’re looking forward to protecting your visitors.

 

 

WPMU DEV and Clef Integration Makes Membership Logins Safer and Easier

If visitors are logging into your site, chances are they’re doing it through one of WPMU DEV’s plugins. WPMU builds plugins like Membership that let visitors log in to restricted areas of the sites. WPMU is the source for professional WordPress visitor logins, and today you can use Clef to log in to to their plugins.

Clef’s login is safer, easier, and faster than using a username and password, but until today it was mostly reserved for administrators and site creators. Clef’s integration with WPMU DEV’s plugins finally lets your visitors in on the fun. WordPress.com added support for two-factor authentication in 2013, but Clef is the first two-factor solution WPMU DEV has recommended.

“Clef will definitely help our users kick in more secure logins with heaps less pain and a lot more security. It’s a really cool idea.” – James Farmer, CEO of WPMU DEV

Users with version 2.0 of the Clef plugin can activate the WPMU DEV integration from the Clef settings page. Passwords will still be available by default for users that want them, but sites that are serious about security can require their users log in with Clef.

WPMU DEV is the latest of several high-profile recommendations of Clef. Last week, CloudFlare officially recommended Clef to their WordPress customers. Web hosts like Arvixe have begun bundling Clef with their WordPress installation, and in December the New York Times described the Clef login as “magical“.

“WPMU DEV is the clear leader in this space, and we couldn’t be more excited to work together. We know that the only security that matters is the security that actually gets used, so it’s our mission to make safer logins an easy choice for everyone. This is a huge step forward for us as a company, but we’re still just getting started.” – Brennen Byrne, CEO of Clef

If you already use WPMU plugins and Clef, this integration can be easily turned on in the Clef settings panel. Clef is a free tool, so if you haven’t tried Clef yet, you can visit getclef.com to see it in action or get the plugin from the WordPress repo at wordpress.org/plugins/wpclef. The complete list of WPMU DEV plugins can be found here.

WordPress Multisite Two-Factor Security Advisory

Note: this issue does NOT affect single site installations. It only affects multisite installations where Clef is disabled network wide, and activated on one site but not another.

Overview

We have become aware of an issue in WordPress multisite installations in which it is possible to bypass two-factor authentication, instead relying on standard usernames and passwords to authenticate. This issue only affects very specific configurations of a WordPress multisite install:

  • Normal WordPress installs are NOT affected
  • WordPress multisite installs with Clef enabled network-wide are NOT affected
  • ONLY WordPress multisite deployment that have chosen to deploy and configure Clef on a site-by-site basis are affected
  • In the WORST case, the user must still enter a username and password to authenticate into a site

This issue is not unique to the Clef for WordPress plugin. Because the root cause is in the way WordPress core handles multisite authentication, other two-factor plugins are similarly affected. We’re actively collaborating with these vendors and the WordPress development community to ensure that this issue is resolved everywhere.

Solution

If you are using Clef on a WordPress multisite installation, we strongly recommend activating and enabling Clef network-wide. If that is not possible, we strongly recommend enabling Clef on all sites in the multisite network. These solutions ensure that if password login is disabled for a user, they will be unable to bypass Clef authentication.

We do not recommend disabling the Clef plugin. Disabling the Clef plugin eliminates the security benefits that it provides and forces a site to rely solely on the strength of users’ usernames and passwords.

We are working internally on a solution  to this issue which does not depend on user configuration. After completing the implementation, we will thoroughly test that the issue has been resolved.

Technical details

With a WordPress multisite installation, a user of one site in the multisite network is able to authenticate to the dashboard by logging in from another site in the network that they are not a direct member of.

Thus, if a user is a member of Site A but browses to the login page of Site B (both in the same network), the user may log in using the login page of Site B, which will authenticate them and redirect back to Site A.

For WordPress multisites where Clef is not enabled network-wide, is enabled on Site A, but is not enabled on Site B, a user of Site A may navigate to Site B’s login page, input their username and password and be redirected to Site A, even if passwords have been disabled on Site A.

This is possible because, while Clef is active and preventing direct login attempts with usernames and passwords on Site A, the plugin is not active and preventing login attempts on Site B. Since the user is then redirected by WordPress back to Site A, they are able to bypass password-less login on Site A with knowledge of their username and password.

Normally, disabling passwords on a site prevents all login attempts with a username and passwords using the login form or with remote requests.

Note: this does NOT affect single site installations. It only affects multisite installations where Clef is disabled network wide, and activated on one site but not another.

Impact

A user with knowledge of their own username and password may be able to bypass disabled passwords or two-factor authentication on a site in a multisite network by using the login form of another site which does not have passwords disabled or two-factor authentication.

Timeline

2014-02-13

  • Clef becomes aware of the possible bypass of 2FA plugins on specific configurations of WordPress multisites (9:31am)
  • Clef begins investigation into the issue (9:31am)
  • A member of the Duo Security Team alerts Clef to same issue (2:35pm)
  • Clef confirms issue and continues investigation into solution (4:15pm)

2014-02-14

  • Implementation of solution begins (8:00am)
  • Security advisory is published and shared (2:37pm)

Please email security@getclef.com with any questions or feedback regarding this issue. Again, only users of a multisite network where Clef is disabled network-wide, enabled on one site, but disabled on another, are affected.