So I was contacted by the folks over at Rublon to take a look at their free WordPress security plugin, also called Rublon. Rublon adds a second authentication factor to your WordPress administration panel: on the login page you scan a QR code with the Rublon mobile app to prove it is you before you get access to your WordPress site.
First you need to set up a Rublon account. You do this by going to Rublon.com and clicking on the User Panel at the top right. Then install the Rublon app on your smartphone and hold its scanner over the QR code displayed; this confirms your identity and binds it to the app.
Installing Rublon is a breeze: just go to Plugins -> Add New, search for Rublon, then install and activate the plugin. There is no need to register or sign up for anything from the WordPress settings.
Rublon also has the added security benefit of disabling XML-RPC outright. The xmlrpc.php endpoint is a common target for automated password brute-forcing and pingback abuse, so turning it off removes a frequently attacked entry point. XML-RPC is needed by external blogging software such as Live Writer, however, so if you still want to write in an external client and publish to your blog, you need to remember to uncheck the default "disable XML-RPC" option in the Rublon settings.
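The same protection can be applied without the plugin, and with the Live Writer caveat handled explicitly. The following must-use plugin is an added example written for this post; it is not Rublon's own code. The constant name `EXAMPLE_ALLOW_XMLRPC` and the `example_` function names are assumptions chosen for the illustration; the `xmlrpc_enabled`, `xmlrpc_methods` and `wp_headers` filters are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Example XML-RPC hardening (illustration only, not Rublon's code)
 *
 * Save as wp-content/mu-plugins/example-xmlrpc-hardening.php and WordPress
 * loads it automatically. It mirrors the "disable XML-RPC" behaviour
 * described above while keeping an opt-out for external blogging clients.
 *
 * EXAMPLE_ALLOW_XMLRPC is an assumed constant for this example. To keep
 * publishing from Live Writer, add to wp-config.php:
 *     define( 'EXAMPLE_ALLOW_XMLRPC', true );
 */

defined( 'ABSPATH' ) || exit;

/**
 * WordPress consults the 'xmlrpc_enabled' filter before it will log a user
 * in over XML-RPC. Returning false makes every authenticated method fail
 * with "XML-RPC services are disabled on this site", which is what stops
 * password guessing through xmlrpc.php.
 */
function example_xmlrpc_enabled( $enabled ) {
    if ( defined( 'EXAMPLE_ALLOW_XMLRPC' ) && EXAMPLE_ALLOW_XMLRPC ) {
        return $enabled; // keep core's default for external blogging clients
    }
    return false;
}
add_filter( 'xmlrpc_enabled', 'example_xmlrpc_enabled' );

/**
 * The pingback methods do not require a login, so 'xmlrpc_enabled' does
 * not cover them. They are not needed for publishing from a client either,
 * so remove them from the method table in both modes.
 */
function example_xmlrpc_strip_pingback( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_xmlrpc_strip_pingback' );

/**
 * Stop advertising the endpoint: core adds an X-Pingback header to every
 * page, which is how scanners discover xmlrpc.php in the first place.
 */
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );
```

To check the result, POST an XML-RPC request such as a `wp.getUsersBlogs` call with a wrong password to `/xmlrpc.php`; with the constant undefined you should get the "XML-RPC services are disabled" fault instead of a login error, and a `pingback.ping` call should report an unknown method in either mode.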
After installing the plugin, remember to click "Protect Your Account" on the Rublon settings screen so that this site is registered with Rublon. I think this screen could be redone to make it a little clearer; the steps for registering your site so that it starts using Rublon for protection could be spelled out more clearly, but I stumbled through it.
Once you see "Protect Your Account" change to "Disable Protection", you know your site is protected by Rublon, and you can log out and log back in via Rublon. Your username and password are still required; Rublon is added on top of them as a second factor.
Once your browser is registered with Rublon as a trusted device, you can log in with just your username and password and you won't be prompted by Rublon again. But if you try to log in from another device, or from a private browsing window, then after entering your username and password you will be presented with the Rublon authentication screen.
The only way to log in now is through Rublon, unless your device is already listed as trusted.
You can revoke a device's trust if you no longer want it trusted, forcing it to authenticate through Rublon again.
Comparing Rublon to Clef
- Rublon lacks session management: you cannot use the Rublon mobile app to sign out of WordPress, or to maintain multiple active sessions across several WordPress blogs at the same time. Clef offers this and Rublon does not. You can remove all trusted devices, but that won't sign you out of WordPress, whereas logging out of Clef does sign you out of WordPress.
- Rublon has faster QR code scan recognition than Clef's moving wave. It is only about a split second faster, but noticeably so.
- Rublon disables XML-RPC automatically, making WordPress less exposed; Clef doesn't disable XML-RPC.
- Clef allows you to remove username/password logins entirely for users or roles, so Clef can be your only method of authentication. It doesn't follow the trusted-device model; it requires a Clef authentication either as an alternate login method or as the primary one. Once you log out of Clef, you have to log back in. This isn't better per se, but it is different and offers more flexibility: you can, for example, require Clef for all Administrators while leaving regular users on username/password authentication if you allow multiple contributors.
- Clef has an automatic timeout, 1 hour by default, after which all sessions are terminated. This adds a measure of security, since a session can only be valid for so long. Rublon relies on trusted devices/browsers: as long as a device is trusted it won't be challenged with the Rublon factor again unless that trust is revoked. Trust can be revoked manually, as mentioned, but it never expires on its own.
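If you go with Rublon and want the one-hour session limit that Clef provides by default, WordPress core can enforce it on its own. The must-use plugin below is an added example for this post, not code from Rublon or Clef; the `example_` function names are assumptions, while the `auth_cookie_expiration` filter, `HOUR_IN_SECONDS` constant and `WP_Session_Tokens` class (WordPress 4.0 and later) are WordPress core.

```php
<?php
/**
 * Plugin Name: Example one-hour sessions (illustration only, not Rublon's or Clef's code)
 *
 * Save as wp-content/mu-plugins/example-session-timeout.php.
 * WordPress login cookies normally last 2 days, or 14 days with
 * "Remember Me". This caps every login at one hour and adds a helper to
 * end all of a user's sessions, which removing Rublon trusted devices
 * does not do.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Core passes the cookie lifetime in seconds, the user ID and the
 * "Remember Me" flag through 'auth_cookie_expiration' when it sets the
 * login cookie; the same value is used for the server-side session token,
 * so shortening it here expires both together.
 */
function example_one_hour_sessions( $expiration, $user_id, $remember ) {
    // Deliberately ignore $remember: a second factor gains little if the
    // session it protects can then live for two weeks.
    return min( $expiration, HOUR_IN_SECONDS );
}
add_filter( 'auth_cookie_expiration', 'example_one_hour_sessions', 10, 3 );

/**
 * Destroy every active session for a user, e.g. after a suspected
 * password compromise. Usage from WP-CLI, for user ID 1:
 *     wp eval 'example_logout_everywhere( 1 );'
 */
function example_logout_everywhere( $user_id ) {
    $sessions = WP_Session_Tokens::get_instance( (int) $user_id );
    $sessions->destroy_all();
}
```

After activating it, log in and inspect the `wordpress_logged_in_*` cookie: its expiry should be roughly an hour ahead rather than two days, even when "Remember Me" was ticked.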
In summary, I think Rublon is good and a fine choice if you run a single-user blog and you are the administrator: you can simply register your browser and any mobile browsers as trusted devices and know that you have a secure backup factor, so if somebody compromises your password and tries to sign in, they will be blocked by the Rublon authentication screen.
However, for multi-user blogs and for flexibility, Clef controls sessions better and allows you to choose which types of users must use Clef; you can also disable username/password logins entirely. Either one adds greater security to your WordPress site than plain username and password, and Rublon disables XML-RPC by default, which helps protect your site from attacks on that endpoint, whereas Clef does not.