A lot of web sites, even well known ones (newspapers, telcos, ...) adopts
WordPress as their CMS. WordPress is a great platform, however it
can happen that password leaking or guessing might lead to unauthorized
access to the platform. A potential attacker can be therefore able to
change articles, part of the web site and/or make the website unavailable,
with image and economic damages for a company or for a blogger.
This is even more true if your website is not SSL protected.
SecurePass is a SaaS service offering an easy and affordable solution
for One Time Passwords (OTP) and strong authentication in general. They
offer 5 users for free included with their standard (=basic) account, which
is more than enough for standard blogs and web sites. Companies can purchase
additional users, if needed.
More information on the section "Setup and configure SecurePass" in Other Notes.
To open a SecurePass account go to
http://www.secure-pass.net/open
- Create a 'wp-securepass' directory in '/wp-content/plugins/'
- Copy 'securepass.php' and 'radius.class.php' in '/wp-content/plugins/wp-securepass/'
- Open the file 'securepass.php' and change the variable $radius_secret with your own secret as set in SecurePass admin
- Create a local user that matches a user in SecurePass. Note: The admin user will be no longer checked locally.
- Activate the plugin through the 'Plugins' menu in WordPress
More information
Edit the securepass.php file and change $radius_secret variable to reflect
the secret password as specified in the "Device" specified in the SecurePass
administration panel. The variable $radius_host contains the primary
RADIUS server of SecurePass, located in Switzerland (Lugano).
A secondary RADIUS is available in Italy (Milan), if you prefer this
location change $radius_host to '
radius2.secure-pass.net'.
WARNING!!! Before activating this plugin, create an user in wordpress that
matches a username in SecurePass and grant full administrative powers.
This because the admin user will be no longer checked locally. In case you
won't be able to login anymore, a workaround is moving the securepass plugin
directory to another directory name, ex: "mv securepass securepass.old".