A lot of web sites, even well known ones (newspapers, telcos, …) adopts
WordPress as their CMS. WordPress is a great platform, however it
can happen that password leaking or guessing might lead to unauthorized
access to the platform. A potential attacker can be therefore able to
change articles, part of the web site and/or make the website unavailable,
with image and economic damages for a company or for a blogger.
This is even more true if your website is not SSL protected.
SecurePass is a SaaS service offering an easy and affordable solution
for One Time Passwords (OTP) and strong authentication in general. They
offer 5 users for free included with their standard (=basic) account, which
is more than enough for standard blogs and web sites. Companies can purchase
additional users, if needed.
More information on the section “Setup and configure SecurePass” in Other Notes.
To open a SecurePass account go to http://www.secure-pass.net/open
Setup and configure SecurePass
If you don’t own already an account with SecurePass, you can sign-up for a new account here: http://www.secure-pass.net/open
Note: Use “misec2011” as promo code, it will give you an entitlement for using
SecurePass up to 10 users for 2 years free-of-charge. Without any promo code,
you will have 5 users for 20 years for free. It depends on what you need (more users or more years).
Connect to the admin interface on https://admin.secure-pass.net
and create a new device (basically a RADIUS client).
In the admin interface, go to the “Device” section and add a new device.
You will need to set the public IP Address of the server, a fully qualified
domain name (FQDN), and the secret password for the radius authentication.
It’s ok if your web server is behind a firewall and/or NAT, ensure that
your server has rights to send (and receive) RADIUS authentication requests,
i.e. UDP port 1812.
This plugin web site:
SecurePass web site:
UK on-line shop for SecurePass (they sell hardware tokens):
- Create a ‘wp-securepass’ directory in ‘/wp-content/plugins/’
- Copy ‘securepass.php’ and ‘radius.class.php’ in ‘/wp-content/plugins/wp-securepass/’
- Open the file ‘securepass.php’ and change the variable $radius_secret with your own secret as set in SecurePass admin
- Create a local user that matches a user in SecurePass. Note: The admin user will be no longer checked locally.
- Activate the plugin through the ‘Plugins’ menu in WordPress
Edit the securepass.php file and change $radius_secret variable to reflect
the secret password as specified in the “Device” specified in the SecurePass
administration panel. The variable $radius_host contains the primary
RADIUS server of SecurePass, located in Switzerland (Lugano).
A secondary RADIUS is available in Italy (Milan), if you prefer this
location change $radius_host to ‘radius2.secure-pass.net’.
WARNING!!! Before activating this plugin, create an user in wordpress that
matches a username in SecurePass and grant full administrative powers.
This because the admin user will be no longer checked locally. In case you
won’t be able to login anymore, a workaround is moving the securepass plugin
directory to another directory name, ex: “mv securepass securepass.old”.
Contributors & Developers
“SecurePass authentication” is open source software. The following people have contributed to this plugin.Contributors
Interested in development?
Initial code of the plugin