Connect your WordPress with Identity + and enable invisible 2 factor authentication, secured SSO, SSL Client Certificate based access on select pages
|Identity Plus Inc. (profile at wordpress.org)
|WordPress version required:
|WordPress version tested:
|Added to WordPress repository:
Click to start download
Identityplus is a novel security solution based on PKI (Public Key Infrastructure) called a network of trust. It features an all-in-one 2 (ocasionally 3) factor authentication and TLS level authentication making your site more secure than ever. Additionally it enables site owners to collaborate in defending against criminality by allowing them to send feedback on certificates and their oweners. With Identityplus, when a spam is reported, we are not only preventing the same spam being posted anywhere else, we are effectively preventing the spammer sending any other kind of spam, anywhere else. Keep on reading for a brief intro into this powerful technology.
Log In, Before A Login Page
Why Identityplus Is Better Than Any 2 Factor Authentication …
Whenever you deal with application level login, whether it’s one factor, two factor or any factor for that matter, you need a login page. This page must load before it gets the chance to see who is visiting, which is why Worpress has a protection against repeated login attempts. This can stop bots, to a certain degree, but if you happen to have an application vulnerability that can be used by a hacker to bypass login, whether you forgot to updated your WordPress or something totally out of your control like zero day vulnerability in PHP, your blog is toast, regardless of how many factors of authentications you have.
Identityplus uses TLS level authentication, which means the visiting device is authenticated before the login page loads. If the proper PKI credentials are not presented by the device, the page will never, ever load. The visitor is simply directed away from the sensitive page and hence is unable to perform any kind of attack, be that brute force, credential theft or zero day for that matter. No login page, no problem …
A VPN Into Your Admin Panel
Make Your Admin Panel Accessible Only From Your Computers …
Having a PKI indenity in your browser is a powreful thing. Because the server expects that identity to be there, it does not only limit access by the user, it also limits access based on computer. As such, your admin panel becomes literally inaccessible from any other computer in the world. To access your admin panel, a hacker must steal your computer and access it from there.
SSO Like Never Before
Simpler, Faster, More Secure. Sign In Without Having To Do Anyting …
Once you start using Identityplus, you will see you are hardly asked to do anything, you’ll just notice you are logged in. Don’t get scared, you are logged in because your computer is certified and it’s being identified before you would have the chance to do anything. But since you also logged in with your password or your fingerprint into the device you are using (laptop / mobile phone), you are actually performing 2 factor authentication without even noticing it. You will occasionally notice however, as your certificate becomes idle, that you are being asked for your Identityplus PIN. That’s actually the third factor authentication, all in one solution
A Network Of Trust
Reward Good Deeds And Block The Spammer, Not The Only Spam …
When devices wear an impossible to forge identity, something amazing happens: if you restrict access to your comment section to devices with Identityplus certificates, whever you approve a comment, you are sending tokens of trust to the owner of that certificate telling Identityplus that you trust the owner. Now other blogs can trust him too, and he is steadily building a profile that defferentiates him from any malicius bot. Conversely, when you mark a comment as spam, you’ll be telling Identityplus that this is a malicious entity, and we block the certificate making sure the device can’t be used to post spam again. Now we are no longer only stopping spam, we are collectively working on stopping the spammer.
Enjoy 10 Connected Users For Free
Free Certificates, Free API Up To 10 Connected Users, Unlimited Validations For Free …
A connected user is a user that can be signed in automatically via Identityplus into a service using Identityplus. If that service is your personal blog, you probably don’t have more than 10 users who regularly sign into the administrative section of your WordPress installation. If that’s the case, you will never have to pay for Identityplus. Visitors that comment with Identityplus accounts that are not connected to local accounts do not count. For this reason the plugin will only connect administrator accouns by default. If you need log more than 10 users into your back-end, you’ll need a business account, the cost of which scales with the number of your active users. Check our the pricing section for details.
Tested with WordPress 6.1.1
Minor bug fixes and tested with WordPress 6.0
Minor bug fixes
Tested with WordPress 5.7
Minor update and tested with WordPress 5.5
Tested with WordPress 5.3.2
We’ve replaced the necessity to validate the domain with an uploaded file with an automatic callback to achieve even less friction when you install the plug in.
This is a major update. We recommend deactivating the “Enforce Identity + Device Certificate” flag for safety during certificate update.
Added automatic & one click API certificate renewal. This grately improves user experience for maitaining the Identity Plus plugin and prevents accidental certificate expiration, which may cause service outage.
Integrated the new service installation proces via automated wizard. It is no longer needed for the user to log into identity plus account and issue certificate before installation. Using the mobile application, or registered device, you can now onboard the service, issue the certificate and activate identity plus in one short flow.
We’ve also moved the certificate storage from file to the database for enhanced security.
Minor bug fix
Moved the legacy certificate validation endpoint from https://get.identity.plus to https://signon.identity.plus. The get endpoint will now exclussively handle the certificate issuing and installation process.
If you encounter problems while using legacy redirect and you land on get. subdomain, simply click the “back to single sign on” link to return to original flow. Please update your plugin to avoid this behavior. Sorry for the inconvenience.
Minor bug fix
Minor bug fix
Migrated to v1.1 Identityplus API. Identityplus plugin now allows individual wordpress users to connect their accounts on-demand. This new version also lifted the 10 accounts limit for non-corporate certificates, meaning that not-for-profit sites (public benefit or personal sites that produce no revenue) can connect any number of accounts at no cost.
Verified compatibility with WordPress 4.9.8.
Corrected minor bugs.
Verified compatibility with WordPress 4.9.1.
Corrected minor bugs.
Corrected WordPress coding practice issues and fixing
We’ve restricted automatic login for pages that are filtered so that bots would not be bothered by the presence of the plugin.
Version 1.0 beta is the first version of the Identityplus plugin, and it contains the minimum set of functionality and configuration options. Nevertheless, it will give your site an incredible security boost and at the same time it will improve user experience. Please take a moment to familiarize yourself with the core concepts so that you can take maximum advantage of this powerful security technology.