Want real WordPress login security? Use Clef

I can't tell you what a joy it is to finally be able to post this here.

Several months ago, Jesse Pollak got in touch with me regarding a few of my sites and asked me to give Clef a try. I gave him a bunch of feedback but was so impressed I put him in touch with Lexis Nexis and suggested that they try to move forward with him on their own Clef-based solution.

Today, I popped into my settings and discovered something wonderful. A feature I (and others) had given Jesse feedback on was in place. It is now possible to completely disable the native WordPress login system, replacing it with a smartphone-based dual-factor authentication protocol. Furthermore, I can elect to require this only for certain roles and above, or for everybody.

Here's the option set:

Here's what my WP Admin page looks like:

And finally, here's what the login screen looks like:

Finally, if there is an emergency and you don't have your phone on you, there is an override URL:

http://mysite.com/wp-login.php?override={your override keyword here}

Again, you don't have to require this for everybody. For editors and up though? No-brainer. Me? I've disabled non-Clef logins for everyone, in order to eliminate brute-force attempts on my site. Ahhhh... sweet silence. So golden. So very very golden.
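Because the override keyword travels in the URL query string, it is recorded in web server access logs by default and can still be guessed through repeated requests. The following is an added example, not part of the original post or the Clef plugin: it scans access-log lines for override requests, flags clients that try several distinct keywords, and redacts the keyword before a log is shared. The log lines, the threshold and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php?override=guess1 HTTP/1.1" 200 2201 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-login.php?override=guess2 HTTP/1.1" 200 2201 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-login.php?override=guess3 HTTP/1.1" 200 2201 "-" "curl/8.0"
198.51.100.4 - - [01/Jan/2024:11:15:40 +0000] "GET /wp-login.php?override=EXAMPLE-KEYWORD HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:11:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

# Captures the client IP and the request target from a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def override_attempts(log_text):
    """Map client IP -> set of distinct override values it sent to wp-login.php."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-login.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("override", []):
            seen[ip].add(value)
    return dict(seen)

def suspicious_clients(log_text, max_distinct=2):
    """IPs that tried more distinct override values than a site owner plausibly would."""
    return sorted(ip for ip, vals in override_attempts(log_text).items()
                  if len(vals) > max_distinct)

def redact(line):
    """Mask the override value before a log line is shared or archived."""
    return re.sub(r'([?&]override=)[^&\s"]*', r'\1[REDACTED]', line)

if __name__ == "__main__":
    print("clients guessing override keywords:", suspicious_clients(SAMPLE_LOG))
    print(redact(SAMPLE_LOG.splitlines()[3]))
```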

If you choose the route of total lockout though, I'd strongly recommend either WPMU's Comments Plus plugin, or Disqus, so that you aren't requiring blog commenters to download a smartphone app before continuing!

If you want the free WordPress plugin right now, it's here: http://wordpress.org/plugins/wpclef/

You should probably click that.