• Hi Team,

    First, congrats on coming up with such a cool app.

    Here is my question / concern:

    1. Our WP login is secured with a captcha to mitigate brute force attacks.
    2. With CLEF, having a captcha is pointless since all a valid user has to do is to scan his/her phone to log in (this is a good thing).
    3. With CLEF, you can force users to only use the ‘clef wave’ while tucking away the login/password URL in a safe location. (this is a good thing too)
    3. However, I notice that if I log in as an “unauthorized user” who has a CLEF app, it accepts my credentials but it then shows me the login page (and my captcha is gone). Hence, how can we mitigate such a scenario, as this brings us back to being open to brute force attacks? Ideally it should reject the user and not show the login page.

    Thanks.

    https://www.ads-software.com/plugins/wpclef/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor inthylight

    (@inthylight)

    Hi xarain,

    Thanks for the encouragement, we appreciate it.

    On your question, there are two things here:

    a) I’m not sure what you mean by #3 above. If you’d like to follow up on this, can you email [email protected] with the URL of the site in question, and we’ll take a look.

    b) There are many ways to handle the brute-force vector. Clef 2FA stops brute-force cold at the application layer (i.e., you don’t need Clef 2FA + captcha). Depending on your server setup, traffic volume, and security goals, it may make better sense to consider pre-application layers of defense rather than sorting out a plugin conflict between Clef 2FA and a captcha plugin; see the second half of this guide.

    Thread Starter xarain

    (@xarain)

    Hi Laurence,

    Sorry for my long-winded post. Basically what I am trying to say is: if I found another site using CLEF and I used my CLEF WAVE, while it rejects my login, the login page (ID/PWD) will be shown to me, which to me makes it less secure (kinda like guessing the backdoor URL address to log in via ID/PWD).

  • The topic ‘WP Admin Page with CLEF’ is closed to new replies.