Bringing easy, secure two-factor authentication to CyberChimps’ themes

cyberchimps-shareable-wide (1)

When we launched Clef for WordPress 2.0 in February, we set off to bring the ease and security of password-less login to everyone who logs in to a WordPress site.

Today, we’re excited to announce a big milestone in this effort: Clef is now officially recommended for every user of the Responsive theme.

Responsive is one of the most popular WordPress themes on the web. With over 1 million downloads, it provides a beautiful responsive base for hundreds of thousands of designers every day.

Unfortunately, the constant threat of password breaches and site hacks means many of these designers spend time worrying about managing and changing passwords, when they should be allowed to focus on what they actually care about — good design. When Heartbleed was announced, the team behind Responsive knew that they needed to do something. In their words,

Clef makes securing your website easy enough for website owners/administrators to implement and communicate with all users. That’s why CyberChimps is recommending using Clef with all its themes. It’s a level of security that just isn’t optional any more. 

We couldn’t be more excited to work with CyberChimp and Responsive users to secure the beautiful sites they create.

If you haven’t already used Responsive, give it a go for your next site.

clef for professionals

Today we are announcing new features for Clef that are built specifically for professional developers. Freelancers and agencies have been using Clef since the WordPress plugin was first built by David Michael Ross, a 10up engineer, last year. Over the last few months, and especially since releasing Clef 2.0, we’ve seen a drastic increase in the number of professionals using Clef and have gotten a lot of feedback about the extra tools that would be useful for these power users.

The new Professional tiers will give freelancers and agencies better tools to customize Clef logins, team management tools for production and development sites, priority support, and a completely ad-free experience.

Clef Pricing Tiers

As a part of this release, we’re also rolling out a small ad below the Clef Wave on new sites. If you want to check out how these ads look, just visit our demo site and click the login button! This helps ensure that we can continue to provide free, secure logins to everyone. An individual site can get rid of the ad forever for a one time fee or by including the Clef badge in their footer.

Clef is dedicated to our users privacy and we will never use tracking ads anywhere on Clef. These ads are carefully curated from WordPress services we love and already recommend to our customers. Every site that already uses Clef has been upgraded to Clef Plus, so only new sites will see ads. In addition, any agency or freelancer who was using Clef before today is eligible for a free year of the premium tier. Email and we’ll get you set up.

A few weeks ago we announced Clef 2.0 to make easier to set up and use. As Clef continues to mature, the tools supporting Clef and our users will too. We have a lot more great improvements in the pipeline, and we’re very excited about getting rid of more passwords.

Some questions and answers about this upgrade


1. Do the ads interfere with Clef Wave scanning?

No! Definitely not. If you want to see how the ads look, visit and log in. We hand curate all of the advertisers and make the ads unobtrusive and beautiful (if ads can be beautiful).

2. Are ads only about things related to WordPress?

Almost exclusively. Right now, we’re also advertising Clef t-shirts (buy one!) and in future, we may add other non-WordPress ads, but they will always be tasteful.

3. How noticeable are these ads?

Noticeable, but we hope they aren’t bad. Again, check them out at

4. How much is the fee to get rid of these ads?

You can remove ads on a site forever for $29. You can also pay $19/month to remove ads on all of your sites.

5. What is “Easy Team Management” under the Agency pricing tier?

Essentially, we’re adding features that make setting up sites as a team much better. This will allow multiple Clef users to control a Clef application, enable inviting of new users, and make sharing with clients easy.

6. How much does Clef earn from these ads?

We can’t disclose the details, but our goal is just to earn enough to support the company.

7. Can you become a Clef advertising partner?

Yes! Interested in targeting thousands of highly engaged WordPress users? We’d love to get you set up! Email and we’ll make it happen.


Clef 2.0 for WordPress Makes Logins More Accessible, Integratable

Clef for WordPress 2.0

Over the last 6 months, the Clef plugin has been downloaded almost 4,000 times. Cloudflare recommends Clef to all of its WordPress sites, several small hosts bundle Clef on installation for their users, and Clef is being used by professional WordPress consultants and agencies all over the world. We’ve made huge progress in protecting the administrators of WordPress sites.

With Clef 2.0, we’re focusing on bringing the ease and security of passwordless login to everyone else who logs in to a WordPress site. We wanted to make every step of using Clef easier, more approachable, and more accessible for everyone. A quick summary of the new features:

  • a new ajax-based settings page with beautiful visualizations
  • a smoother setup process
  • a smoother experience of connecting your clef account
  • user invitations to get Clef set up for all users
  • a more modular code-base for better integration and customization by our partners

We’re also partnering with WPMU to make Clef work for all of the customer logins offered by their popular plugins. For plugins like Membership, the Clef plugin now works seamlessly for login and registration.

This will let Clef protect a much broader audience, and give more of the WordPress community access to free, safer, easier logins.

We couldn’t be more excited to be protecting your sites, and we’re looking forward to protecting your visitors.



WPMU DEV and Clef Integration Makes Membership Logins Safer and Easier

If visitors are logging into your site, chances are they’re doing it through one of WPMU DEV’s plugins. WPMU builds plugins like Membership that let visitors log in to restricted areas of the sites. WPMU is the source for professional WordPress visitor logins, and today you can use Clef to log in to to their plugins.

Clef’s login is safer, easier, and faster than using a username and password, but until today it was mostly reserved for administrators and site creators. Clef’s integration with WPMU DEV’s plugins finally lets your visitors in on the fun. added support for two-factor authentication in 2013, but Clef is the first two-factor solution WPMU DEV has recommended.

“Clef will definitely help our users kick in more secure logins with heaps less pain and a lot more security. It’s a really cool idea.” – James Farmer, CEO of WPMU DEV

Users with version 2.0 of the Clef plugin can activate the WPMU DEV integration from the Clef settings page. Passwords will still be available by default for users that want them, but sites that are serious about security can require their users log in with Clef.

WPMU DEV is the latest of several high-profile recommendations of Clef. Last week, CloudFlare officially recommended Clef to their WordPress customers. Web hosts like Arvixe have begun bundling Clef with their WordPress installation, and in December the New York Times described the Clef login as “magical“.

“WPMU DEV is the clear leader in this space, and we couldn’t be more excited to work together. We know that the only security that matters is the security that actually gets used, so it’s our mission to make safer logins an easy choice for everyone. This is a huge step forward for us as a company, but we’re still just getting started.” – Brennen Byrne, CEO of Clef

If you already use WPMU plugins and Clef, this integration can be easily turned on in the Clef settings panel. Clef is a free tool, so if you haven’t tried Clef yet, you can visit to see it in action or get the plugin from the WordPress repo at The complete list of WPMU DEV plugins can be found here.

WordPress Multisite Two-Factor Security Advisory

Note: this issue does NOT affect single site installations. It only affects multisite installations where Clef is disabled network wide, and activated on one site but not another.


We have become aware of an issue in WordPress multisite installations in which it is possible to bypass two-factor authentication, instead relying on standard usernames and passwords to authenticate. This issue only affects very specific configurations of a WordPress multisite install:

  • Normal WordPress installs are NOT affected
  • WordPress multisite installs with Clef enabled network-wide are NOT affected
  • ONLY WordPress multisite deployment that have chosen to deploy and configure Clef on a site-by-site basis are affected
  • In the WORST case, the user must still enter a username and password to authenticate into a site

This issue is not unique to the Clef for WordPress plugin. Because the root cause is in the way WordPress core handles multisite authentication, other two-factor plugins are similarly affected. We’re actively collaborating with these vendors and the WordPress development community to ensure that this issue is resolved everywhere.


If you are using Clef on a WordPress multisite installation, we strongly recommend activating and enabling Clef network-wide. If that is not possible, we strongly recommend enabling Clef on all sites in the multisite network. These solutions ensure that if password login is disabled for a user, they will be unable to bypass Clef authentication.

We do not recommend disabling the Clef plugin. Disabling the Clef plugin eliminates the security benefits that it provides and forces a site to rely solely on the strength of users’ usernames and passwords.

We are working internally on a solution  to this issue which does not depend on user configuration. After completing the implementation, we will thoroughly test that the issue has been resolved.

Technical details

With a WordPress multisite installation, a user of one site in the multisite network is able to authenticate to the dashboard by logging in from another site in the network that they are not a direct member of.

Thus, if a user is a member of Site A but browses to the login page of Site B (both in the same network), the user may log in using the login page of Site B, which will authenticate them and redirect back to Site A.

For WordPress multisites where Clef is not enabled network-wide, is enabled on Site A, but is not enabled on Site B, a user of Site A may navigate to Site B’s login page, input their username and password and be redirected to Site A, even if passwords have been disabled on Site A.

This is possible because, while Clef is active and preventing direct login attempts with usernames and passwords on Site A, the plugin is not active and preventing login attempts on Site B. Since the user is then redirected by WordPress back to Site A, they are able to bypass password-less login on Site A with knowledge of their username and password.

Normally, disabling passwords on a site prevents all login attempts with a username and passwords using the login form or with remote requests.

Note: this does NOT affect single site installations. It only affects multisite installations where Clef is disabled network wide, and activated on one site but not another.


A user with knowledge of their own username and password may be able to bypass disabled passwords or two-factor authentication on a site in a multisite network by using the login form of another site which does not have passwords disabled or two-factor authentication.



  • Clef becomes aware of the possible bypass of 2FA plugins on specific configurations of WordPress multisites (9:31am)
  • Clef begins investigation into the issue (9:31am)
  • A member of the Duo Security Team alerts Clef to same issue (2:35pm)
  • Clef confirms issue and continues investigation into solution (4:15pm)


  • Implementation of solution begins (8:00am)
  • Security advisory is published and shared (2:37pm)

Please email with any questions or feedback regarding this issue. Again, only users of a multisite network where Clef is disabled network-wide, enabled on one site, but disabled on another, are affected.

Make WordPress easy with Arvixe (and Clef)

We’re always on the lookout for easy ways to host a WordPress site  (and protect it with Clef).

We love any platform that lets us go from nothing to a fully secured blog in less than 5 minutes. A few weeks ago, we wrote about a developer friendly WordPress setup with Digital Ocean and today we’re going to write about the awesome install process and support from Arvixe.

So, how can you get started on Arvixe?

1. Visit the Clef landing page for Arvixe.

2. Sign up (you’ll get a free domain name)!

3. Visit the your new domain and log in to the new WordPress site that Arvixe automatically configured.

4. Add Clef (and if you have any problems, Arvixe has will do it for you 24/7 x 365, just email).

It’s pretty awesome. Plus, things only get better after the install process. Arvixe provides free, 24/7 phone support to all of their customers — making us proud to list them as a preferred hosting provider of Clef.

Have a super easy WordPress setup? Interested in becoming a preferred Clef hosting provider? We want to know! Email and we’ll set it up.

WordPress Security Checklist

With WordPress powering more than 20% of the modern web, sites created on the platform are increasingly under attack by hackers.  While the core WordPress platform is strictly audited for security, it’s easy to make mistakes in your own WordPress installation that could lead to serious vulnerabilities. Clef and BruteProtect have put together this WordPress Security Checklist to help you ensure you’re following best practices when you deploy your site. Follow along and be safe!

  1. Check that you have the latest version of WordPress. Learn more.
  2. Check that automatic updates are turned on. Learn more.
  3. Check that you have the latest version of all plugins. Learn more.
  4. Check that you have strong passwords. Learn more.
  5. Check that you have 2-factor enabled. Learn more.
  6. Check that you have a plugin to protect you from brute force password attacks. Learn more.
  7. Check that, if you’re using passwords to login, your login form is HTTPS only. Learn more.
  8. Check that there’s no account named admin for your site. Learn more.
  9. Check that you are not developing over an insecure channel (like FTP). Learn more.
  10. Check that the folders in your WordPress installation have the correct permissions. Learn more.
  11. Check that the files in your WordPress installation have the correct permissions. Learn more.
  12. Check that your separate WordPress sites use separate databases. Learn more.
  13. Check that your database is not using the default wp_ table prefix. Learn more.
  14. Check that your database user has the minimum necessary set of permissions. Learn more.
  15. Check that your wp-config.php file is protected. Learn more.
  16. Check that your wp-includes folder is protected. Learn more.
  17. Check that you have a secure .htaccess file. Learn more.
  18. Check that file editing from the dashboard is disabled. Learn more.
  19. Check that you actually know that you’re doing (we all make mistakes). Learn more.

If you follow all of these steps correctly, your WordPress site will be protected from 99.9% of the attacks around — then you can focus on the important things.

How do I do all this stuff?

Check that you have the latest version of WordPress

With every release, the security and stability of the WordPress platform improves — ensuring you have the latest and greatest is the most important thing you can do.

Visit your WordPress dashboard, hover over the Dashboard menu item, and click Updates — if you see a new version of WordPress, download and install it!

Check that automatic updates are turned on

Since 3.7, WordPress will automatically apply security updates for your site. While these updates are rare, getting them fast is essential to the security of your site.

Install the Background Update Tester and ensure your site is configured correctly.


Check that you have the latest version of your plugins

While WordPress core has a team of security experts constantly auditing the platform, the said can’t be said for every platform you install. Updating to the latest version of your plugins will ensure that your site gets fixes for any known security vulnerabilities in your plugins.

Visit your WordPress dashboard, hover over the Dashboard menu item, and click Updates — if you see any plugin updates, download and install them!

Check that your login is secured

More often than not, attackers compromise WordPress sites through the easiest route — simply logging in. Weak passwords will leave you extremely vulnerable and even strong passwords can fall to large-scale brute force attacks.

1. Install a two-factor authentication WordPress plugin like Clef or Duo Security

2. Install a brute force attack prevention plugin like Brute Force.

3. Ensure that, when you do use passwords, you use strong ones. Luckily, since WordPress 3.7 (which you should most definitely have) there’s a great password strength meter built in.

4. If you’re using passwords to log in to your WordPress installation, enable HTTPS on your site and force HTTPS logins at all times.

Check that you there’s no account named admin on your install

The admin account is the most targeted account in brute force attacks against WordPress sites. Deleting it will make a huge swath of these ineffective.

If you have an admin account, create a new administration account and delete admin.

Check that you’re accessing your WordPress installation for development in a secure way

If you’re not accessing your WordPress installation for development through SFTP or SSH, you’re doing it wrong. Like logging in over HTTP (rather than HTTPS), accessing your site for development through an insecure protocol can expose your credentials (and other information) — leaving you vulnerable to attack.

Ensure that you always use SFTP or SSH to access your server remotely. Never use FTP.

Check that the files in your WordPress installation have the correct permissions

If you have too lenient permissions on the files in your WordPress installation, a small breach can quickly escalate into a full-scale takeover. Ensure that you lock down your file permissions as much as possible and only loosen permissions on specific files when you need them.

1. If you have shell access to your server, run these commandsIf you don’t have shell access, change them using your SFTP (yes, SFTP not FTP) client.

2. Verify that you have the correct permissions with a handy plugin.

Check that your database is secure

Hackers are going to target the most important part of your site — the database. Securing it is of the upmost importance in preventing small breaches from growing.

1. If you run multiple blogs on the same server, ensure that you use separate databases for each one.

2. Make sure you’re not using the default `wp_` table prefix. If you are, change it.

3. Ensure that your WordPress user has the as few database privileges as possible — revoke any ones that you don’t absolutely need (like DROP, ALTER, and GRANT).

Check that you have a secure .htaccess file

If you don’t know what a .htaccess file is, you may want to leave this one to your developer. Essentially, the .htaccess file dictates which files people visiting your website can and can’t see — an insecure .htaccess file can directly lead to a site compromise.

1. Secure wp-includes by adding these lines to your .htaccess file.

2. Secure your wp-config.php by adding these lines to your .htaccess file.

3. For a more exhaustive guide to securing your .htaccess file, follow this Moz post.

Check that you have disabled file editing

If an attacker gets into your site, the first thing they will try to do is edit your PHP files through the Dashboard interface. Preventing this can limit the breadth of an attack.

Add the line `define(‘DISALLOW_FILE_EDIT’, true);` to your wp-config.php file.

Check that you know what you’re doing

Security is hard. WordPress takes a lot of the concerns away, but even small thing can drastically reduce the security of your site. When you’re taking steps to secure your site, you need to ensure that you’re making good choices — even the best of us can make mistakes.

1. Run your security setup by an expert. This can be a technical friend who’s been building WordPress sites for longer than you, or a paid consultant. Either way, getting a second set of eyes on your configuration is extremely important.

2. If the tasks above scare you, let the experts handle it for you. Add a free plugin like Better WP Security, a paid plugin like Sucuri or pay an expert to setup the security side of your site. These solutions will keep you secure and allow you to focus on the parts of your site that you care about.

If you found this guide useful, share it on Twitter or Facebook — spreading the love keeps our whole community more secure.

If you have an suggestions or questions about this guide, please don’t hesitate to email


Welcome Waltz — Use Clef on Gmail, Facebook, and everywhere else

Our goal at Clef is to get rid of passwords everywhere, and today marks a huge step towards that goal. Today there’s a new way to use Clef that makes it work for all of your favorite sites immediately. It’s called Waltz, and it’s a browser extension that’s available today for Google Chrome users here ( Waltz is completely free and open source.

You can read the New York Times article about Waltz here.

I wish that I could take credit for building Waltz, but the acknowledgement all belongs to an amazing group of developers that have been using Clef for the past few months and were impatient to use it everywhere. You can see a post from Joe Wegner, the lead of the project, on the Waltz blog here. Waltz is something that we have wanted to exist for a long time, but didn’t have the development cycles to build ourselves. Working with our community to help them build and open source Waltz has been an amazing pleasure.

Using Waltz is as easy as using Clef, but now you can do it on Facebook, Gmail, and many of the other services that have not yet adopted Clef logins.

Since Clef launched less than 6 months ago, it has been installed on over 2000 sites and usage has grown by more than 70% each month. This has been helped along greatly by the press coverage we have received in The New York Times, The Economist, BBC, Inc., and many other important publications.

Even with such fast growth, our users have been asking us for much, much more. I think Waltz is the next step in delivering on that desire. This moves us way ahead on our path towards replacing passwords completely.

Today, the best thing you can do to help out is install Waltz at, send us your feedback (, and share Waltz with your friends. We think you’ll love it.

Read the New York Times article about Waltz here.

Tracking the weather with Clef

This week, we’re excited to highlight one of the latest Clef integrations: AllisonHouse.

AllisonHouse, founded in 2006, is a data aggregation and integration company that provides dependable, high resolution weather data to thousands of individuals and companies all across the country. Their clients include television stations, professional sports stadiums, the US Air Force, and hobbyist meteorologists.

When they reached out to us last month, I (Jesse) was particularly excited about the chance to work with them. Growing up in DC, I was an avid snow storm tracker. I would spend hours on the American Weather Forums, stay up late to watch the latest runs of all the weather models, and rush out of class to see the latest storm movements on the radar. Supporting a business that made this experience better for people all across the country is really a dream come true.

After finding Clef through the piece on us in Inc last week, Ryan Hickman, the CTO of Allison House, decided to add Clef for security and convenience reasons.

Instead of adding Google Authenticator or other Two-Factor Authentication, we wanted to add something that would make it easier for my customers to sign in. The fact that it supports both Single Sign ON and Single Sign OFF is even better.

We’re excited to be supporting a business that’s having such a direct effect on small (and large) businesses across the country — without the easy to access weather data that AllisonHouse provides, thousands of businesses wouldn’t be able to run.

Need weather data? Check out AllisonHouse today.

Need secure and convenient sign in (and sign off) on your website? Get Clef.



WordPress and Digital Ocean: A Great Combination

We’ve spent a lot of time making the installation of our WordPress plugin as easy as possible. We want users to be able to go from no blog to a blog secured with Clef in less than 5 minutes.

While the majority of our optimizations come after you install the Clef plugin, in the process of building, testing, and deploying our code, we’ve had to set up a ton of WordPress sites from scratch. We’ve used Amazon EC2, 1and1 Hosting, A Small Orange, WPEngine, and tens of other hosting providers.

Up until a month ago, we still hadn’t found one that really fit our needs. We wanted one-click deploys of a secure WordPress install, but we also wanted fine grained control of the machines we were using. We needed the easy SSH access, scaling and snapshots that we love from EC2 without the hassle of doing a manual WordPress download or writing our own deploy scripts. Everything we tried was either too handhold-y or too hands-off — we’re developers, but we don’t want to worry about things we don’t need to.

Then we found Digital Ocean.

Easy set up

With Digital Ocean, you can have a new instance of WordPress up and running in less than a minute. Just select the WordPress on Ubuntu 12.10 application, click create droplet, and you’re ready to go! Seriously, try it out. It’s fast, well documented, and beautiful.

Wordpress3 (1)

Easy access

We always need SSH access to our WordPress installs. Digital Ocean makes this really easy. In the setup process, you can choose any public key and it will be automatically added to the new machine.

Screen Shot 2013-10-25 at 7.37.03 AMWhen your machine is booted up (usually <30 seconds), just SSH to the IP and you’re in. Want to use passwords instead (I hope not…)? Don’t add a public key and Digital Ocean will email you a password for the machine (change it on your first log in!).

Easy extending

Since you’re running a virtual machine, extending the default install  (and saving that extension as a boot-image)  is easy. Need a GUI for MySQL admin? Just `apt-get` it. Want to switch from Apache to nginx? Same thing.


Easy scaling

For development and low-traffic sites, you won’t need much more than the 512MB of RAM and 20GB of SSD that Digital Ocean provides in the base tier. If you start serving more traffic, however, you may want to upgrade the RAM and CPU of your virtual machine — that’s not a problem. With just a minute of downtime, you can bump up your specs to whatever you need.

A perfect combination

Since finding Digital Ocean, we haven’t done a WordPress install on a different platform. With the easy boot-up, installing Clef on a new WordPress site has never been easier — you really can go from nothing to a full-featured, secure blog in less than 5 minutes. And it looks like we’re not the only happy customers.

Are you looking for a new hosting provider for WordPress (or getting sick of your old one)? Give Digital Ocean a try and let us know what you think in the comments! Have another one that you love? We’d love to hear about it too!

Clef for WordPress is the easiest way to securely manage your WordPress site. Use secure 2-factor authentication (without passwords!), with single-sign-on, on all of your WordPress sites by installing the plugin!