Recommended password settings for Clef’s WordPress plugin

Summary: this guide recommends password settings for Clef’s WordPress plugin according to security level. At a minimum, we recommend enabling the disable passwords for Clef users option and bookmarking an override URL.

  1. Highest security: disable passwords for all users.
  2. Higher security: disable passwords for select WordPress roles.
  3. High security: disable passwords for Clef users.
  4. Low security: allow passwords for all users.

1. Highest security: disable passwords for all users.

Choose this option if

What happens when I select this option?

  1. Passwords are disabled for all users both at the Dashboard and at the API.
  2. Password resets are disabled for all users.
  3. The Clef Wave is the only login method on wp-login.php.

Should I allow passwords for the WordPress API?

No. Since WordPress’ API authentication procedure sends your password in plain text, and since enabling API access opens the door to several of the password-based attacks mentioned above, we recommend

  1. enabling this option only if your users absolutely must use API-dependent resources such as the WordPress mobile app,
  2. and protecting your site with TLS/SSL before enabling API access.

Should I set an override URL?

Yes. If you disable passwords, we highly recommend creating and bookmarking a secret override URL that allows password logins in cases of emergency.

2. Higher security: disable passwords for select WordPress roles.

Choose this option if

  • You want to protect high-privilege roles (e.g., super admin, admin, and editor accounts) against
    • brute-force and botnet attacks
    • weak, reused, and leaked passwords
    • logging in via insecure (non-SSL) connections
    • password phishing and malware attacks
    • account takeovers via email account breaches and password resets
  • You want to disable passwords for high-privilege roles while also providing password logins for low-privilege users.
  • You have a large number of low-privilege users (e.g., subscribers) who do not have smartphones. (See also How does Clef accommodate WordPress logins for users who do not have smartphones?)

What happens when I select this option?

  1. Passwords are disabled for all WordPress users with the selected roles both at the Dashboard and at the API.
  2. Password resets are disabled only for the selected roles.
  3. You can choose whether to show the Clef Wave or the password login form on wp-login.php by using the Show Clef wave as primary login option.

Does Clef support disabling passwords for custom roles?

Yes. If you have added custom roles to your WordPress site, they will be shown directly below the standard roles.

Should I allow passwords for the WordPress API?

No. Since WordPress’ API authentication procedure sends your password in plain text, and since enabling API access opens the door to several of the password-based attacks mentioned above, we highly recommend

  1. enabling this option only if your users absolutely must use API-dependent resources such as the WordPress mobile app,
  2. and protecting your site with TLS/SSL before enabling API access.

Should I set an override URL?

Yes. If you disable passwords for select roles, we highly recommend creating and bookmarking a secret override URL that allows password logins in cases of emergency.
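The page describes what the role-based mode does (password logins and password resets refused for the selected roles at both the Dashboard and the API, with an emergency override URL) but not how a WordPress plugin enforces it. The following is an added illustration, not Clef's code: it uses WordPress' own authenticate and allow_password_reset filters, which is where the Dashboard login form, XML-RPC and application-password logins all converge. The constants PW_DISABLED_ROLES and PW_OVERRIDE_SECRET, the query parameter pw_override and the cookie name are assumptions of this example; the secret value is a placeholder. The modes in sections 1 and 3 differ only in the selection test (every user, or users with a linked Clef account) and would hook the same two filters.

```php
<?php
/**
 * Hypothetical example (not Clef's code): refuse password logins and password
 * resets for selected WordPress roles, with an emergency override URL.
 * Install as a small plugin or mu-plugin. Assumes these constants in wp-config.php:
 *   define( 'PW_DISABLED_ROLES', 'administrator,editor' );
 *   define( 'PW_OVERRIDE_SECRET', 'REPLACE-WITH-A-LONG-RANDOM-STRING' ); // placeholder
 */

// Roles for which password authentication is refused (constructed default).
function pw_disabled_roles() {
    $raw = defined( 'PW_DISABLED_ROLES' ) ? PW_DISABLED_ROLES : 'administrator';
    return array_map( 'trim', explode( ',', $raw ) );
}

// True when the browser presented the secret override URL, or the short-lived
// cookie that visiting it sets. Comparison is constant-time on hashed values so
// the raw secret is never stored in the cookie and never compared with ==.
function pw_override_active() {
    if ( ! defined( 'PW_OVERRIDE_SECRET' ) ) {
        return false;
    }
    $expected  = wp_hash( PW_OVERRIDE_SECRET );
    $presented = '';
    if ( isset( $_GET['pw_override'] ) ) {
        $presented = wp_hash( (string) $_GET['pw_override'] );
    } elseif ( isset( $_COOKIE['pw_override'] ) ) {
        $presented = (string) $_COOKIE['pw_override'];
    }
    return '' !== $presented && hash_equals( $expected, $presented );
}

// Visiting wp-login.php?pw_override=<secret> sets a 10-minute HttpOnly cookie so
// the subsequent POST of the login form (which drops the query string) is still
// recognised as an override.
add_action( 'login_init', function () {
    if ( isset( $_GET['pw_override'] ) && pw_override_active() ) {
        setcookie( 'pw_override', wp_hash( PW_OVERRIDE_SECRET ), time() + 600,
            COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    }
} );

// Priority 30 runs after WordPress' own username/password and application-password
// checks (priority 20), so $user is a WP_User only when the password was correct.
// The same filter serves the Dashboard form, XML-RPC and the REST API.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! ( $user instanceof WP_User ) || '' === $password ) {
        return $user; // not a password login (or already failed): leave untouched
    }
    if ( pw_override_active() ) {
        return $user; // emergency override URL in use
    }
    if ( array_intersect( $user->roles, pw_disabled_roles() ) ) {
        return new WP_Error(
            'password_disabled',
            'Password logins are disabled for this account; use the passwordless login.'
        );
    }
    return $user;
}, 30, 3 );

// Password resets for the same roles are refused unless the override is active,
// which closes the email-account-breach reset path described above.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && array_intersect( $user->roles, pw_disabled_roles() ) && ! pw_override_active() ) {
        return false;
    }
    return $allow;
}, 10, 2 );
```

Two design points are worth noting. Refusing the login after the password check, rather than before it, means a correct password for a protected role yields the same generic error as a wrong one, so the setting does not leak which accounts are protected. And the override cookie is Secure when the site is served over TLS and expires after ten minutes, which keeps the emergency path from becoming a standing bypass; the recommendation above to bookmark the URL and protect the site with TLS/SSL applies to this example as well.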

3. High security: disable passwords for Clef users.

Choose this option if

  • You want to protect all Clef-enabled users (i.e., WordPress users whose Clef mobile accounts are linked with their WordPress accounts) against
    • brute-force and botnet attacks
    • weak, reused, and leaked passwords
    • logging in via insecure (non-SSL) connections
    • password phishing and malware attacks
    • account takeovers via email account breaches and password resets
  • You want to disable passwords for users who have smartphones while also providing password logins for users who do not have smartphones. (See also How does Clef accommodate WordPress logins for users who do not have smartphones?)

What happens when I select this option?

  1. Passwords are disabled for Clef-enabled users both at the Dashboard and at the API.
  2. Password resets are disabled only for Clef-enabled users.
  3. You can choose whether to show the Clef Wave or the password login form on wp-login.php by using the Show Clef wave as primary login option.

Should I allow passwords for the WordPress API?

No. Since WordPress’ API authentication procedure sends your password in plain text, and since enabling API access opens the door to several of the password-based attacks mentioned above, we highly recommend

  1. enabling this option only if your users absolutely must use API-dependent resources such as the WordPress mobile app,
  2. and protecting your site with TLS/SSL before enabling API access.

Should I set an override URL?

Yes. If you disable passwords for Clef users, we highly recommend creating and bookmarking a secret override URL that allows password logins in cases of emergency.

4. Low security: allow passwords for all users.

Choose this option if

  • You are testing the plugin or training users. We highly recommend that you use this configuration only for those purposes.

What happens when I select this option?

  1. Clef does not protect WordPress against password-based attacks or password resets.
  2. All WordPress users may choose to log in either with Clef or with passwords. Thus the sole security benefit of this mode is that, when users choose to use Clef instead of passwords, their login takes place over a secure connection (i.e., they are not sending credentials over an unencrypted connection).