Two steps forward

Clef + Softaculous

The Threat

We will all remember 2014 as the Year of Security for WordPress. Powering more than 20% of sites on the Internet, WordPress has become a prime target for hackers. This year we’ve felt the impact with the Heartbleed, Jetpack, and HTTP cookie vulnerabilities, but it’s the threat on the horizon we need to pay attention to.

The zombie army, also known as “botnets”, is a massive collection of infected computers and compromised sites that attack WordPress sites at random.

Each computer in the zombie army guesses a few different passwords on your site and, with millions of computers in the army, most sites fall in seconds.

The zombie army feeds on the weakest and worst-maintained sites in our community to grow and become more powerful. As more sites fall, we all become more vulnerable.

The Answer

Today we’re only protecting the people who seek out and research security on their own. Instead, we must decide as a community that good security should be on by default.

Specifically, two-step logins are a tool that everyone in our community should have access to.

Automattic offers two-step logins on because “The weakest link in the security of anything you do online is your password.” Automattic has led the way, but we need other hosts to follow them.


The next big challenge with WordPress is raising the baseline security of new sites coming online. With Clef, we found a way to make huge gains in security while also improving user experience. Working together is a no-brainer.

– Brijesh Kothari, Head of Sales @ Softaculous

Today, we’re announcing a partnership with Softaculous to make two-factor easy for any host to enable. With this new integration, any host using Softaculous can include Clef in WordPress installations to give users access to secure two-factor logins out of the box.

Softaculous has become a dominant installer of WordPress and is used by hosts all over the world because their user interface is simple and their scripts are secure. Most new sites in our ecosystem come through Softaculous or another installer, making them a fantastic place for us to improve the baseline security of our community.

It’s one step for any host that uses Softaculous to enable this by going to the Softaculous Admin panel -> Software -> Advanced Settings and checking the box to enable Clef. The admin setup instructions are here and you can see a demo settings page here.

Clef Host Incentive

To help encourage hosts to enable two-step logins for their customers, we’ve created the Safer Host Incentive Program (SHIP).

Any host that offers two-step logins for newly created sites is eligible for SHIP and will be able to use Clef on their own domain for free. Clef will still always be free for sites with fewer than 100 users.

We’re also going to be featuring and promoting SHIP hosts on the Clef blog and hosts page to make sure they get the love they deserve!

You can read more about the hosts program here.

Call to Action

The zombie army gets stronger every day. We’re all responsible for helping to protect this community and your voice can help make sure that our most vulnerable users get access to the tools they need.

Ask your host on Twitter to offer two-step logins, using the hashtag #twostepsforward.


  1. Thanks, that’s certainly a good start to helping the web community.

    On top of that, in your talks with Softaculous you should discuss abolishing the default username admin, preventing simple passwords, and changing the default table prefix of wp_ to a randomized set of numbers and letters, and also randomizing the admin id user number to anything different from 1.

    There’s a lot that can be done to help our end users, and someone told me recently: how do you defeat a bad guy that has so many friends? You need all the good guys to get on board to overpower the bad guys. If we do it alone, we will never win, but do it together, and we will certainly start squashing this problem.
