Today we are reviewing the Rublon plugin. This is a plugin that hardens your WordPress login process. In other words, it makes your login process more secure.
Rublon is a very exciting new technology, created by a father and son team in Poland. Let me give you an introduction to this technology before we take a look at WordPress specifics.
This system is all about security. In today’s day and age, we all own multiple online accounts. Just take a moment and try to think of all the accounts you own (Gmail, Facebook, Twitter, eBay, and the list goes on and on).
Your online accounts can be accessed from anywhere in the world, using any device that can connect to the internet. The only thing between a person and your account is usually the username and password. Of course, we’ve all experienced or know someone who has gone through a hacking mishap, be it their website or a personal account such as email.
A common reason is that the username and password were obtained in some way (brute forcing, social engineering, etc.). So wouldn’t it be better to have an extra layer of security? That’s why Rublon was invented. It protects your personal data, as well as business and financial operations, by restricting access from unknown devices.
The service enables developers to integrate two-factor authentication using the Rublon technology as one of the authentication factors. The basic idea behind Rublon is that whenever a user logs into a website that has implemented two-factor authentication, a mobile device with the Rublon app installed is required to authenticate the user. This process involves a combination of QR code scanning and handling so-called “trusted devices”.
Use Rublon to manage and define the devices you trust, such as your laptop, tablet and mobile phone. Rublon secured accounts will only be accessible from your Trusted Devices. The Rublon mobile app allows you to add or remove Trusted Devices anytime, anywhere you are.
So Rublon works on top of any existing authentication process (traditionally the username and password combination). This means that you still have to type your username and password or use a social login button (e.g. Facebook Connect) to sign in, but it must be done on a Trusted Device in order to access your account. And if you want to sign in using a new device, simply confirm your identity using Rublon, and then add it to your Trusted Devices.
You can secure your account with Rublon on every web service that uses the Rublon security system.
The overall goal is that many major websites will adopt Rublon authentication for their users. The welcome email also provides some example websites which have already implemented Rublon:
Granted, those might not be the most famous websites around, but they are a very good example/use-case for other major sites to follow. The big question is whether this technology will gain enough traction to become a staple on the major websites. It will probably boil down to how well it is marketed, more than anything else.
As WordPress users, we already have everything necessary to start taking advantage of Rublon today. All it takes is a simple download of the Rublon plugin onto your site, and you’re ready to introduce the extra layer of Rublon security.
Setting up Rublon is very easy.
I first installed the free Rublon plugin from the .org repository. Then I went into the Google Play store (I’m using a Samsung Galaxy with Android, other mobile OSs are also supported) to download the Rublon mobile app. Once that was done I had to enter my email address on my mobile, following which I received a confirmation email. The confirmation email led me to my Rublon account where I was able to verify that the email is mine by scanning the QR code with my mobile. That’s all.
Your primary email address will be used to:
- protect your online accounts with Rublon,
- communicate with you,
- deactivate your Rublon account (e.g. if you lose your smartphone),
- re-activate your Rublon account on a new smartphone.
You can also add more email addresses if you need to. This is useful for those who, like myself, use different email accounts to login to different online services.
As of today, the web interface is available in English, German and also Polish. I imagine that the number of languages available will expand as usage of Rublon picks up.
I’ve encountered a few PHP notices upon activating the plugin, since I’ve got the WP_DEBUG variable set to true in wp-config.php. Granted, most users won’t have it set to true and won’t see these notices, but they’re there for a reason and all developers should develop with WP_DEBUG to make sure any potential issues are ironed out prior to shipping their plugin. The notices persisted throughout the whole dashboard, so it’s definitely something that needs to be fixed; to be able to continue my review I had to turn WP_DEBUG off.
Once you’ve got your account set up, it’s time to implement Rublon on your WordPress website. Just download and activate the Rublon plugin. Once activated it will instruct you to install the mobile app as well.
Once you have downloaded the mobile app, you can click the ‘Protect your account’ button, and you will be taken to the Rublon website to scan the QR code.
The first step is to scan the QR code, which gets that device verified.
You will then be asked a question, basically whether you trust that device or not.
Once you’ve gone through the whole process, the next time you log in you will see the Rublon icon added to your login form, showing that the site is protected by Rublon.
Once that device is verified, you will log in as usual from then onwards, using your username and password. The smartphone is only needed when you sign in from a new device. It is used to prove your identity and allows you to add such a device to your trusted devices. Rublon works as an invisible security layer during the sign-in process.
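The trusted-device behaviour described above (password first, phone approval only for a new device, devices added or removed later) can be modelled in a few lines of Python. This is an added example, not Rublon's code or protocol: the class and method names are hypothetical, and it assumes the phone's approval reaches the server over an already-authenticated channel.

```python
import hashlib, hmac, secrets

class TrustedDeviceLogin:
    """Generic model of a trusted-device second factor (names are hypothetical)."""

    def __init__(self):
        self.users = {}     # username -> (salt, PBKDF2 password hash)
        self.trusted = {}   # username -> set of SHA-256(device token)
        self.pending = {}   # challenge id -> (username, device token hash)

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _dev_hash(token):
        # Store only a hash so a leaked table does not yield usable device tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._pw_hash(password, salt))
        self.trusted[username] = set()

    def login(self, username, password, device_token):
        """Return ("ok", None), ("denied", None) or ("confirm", challenge_id)."""
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._pw_hash(password, salt), stored):
            return ("denied", None)        # first factor failed or unknown user
        dev = self._dev_hash(device_token)
        if dev in self.trusted[username]:
            return ("ok", None)            # known device: the phone is not needed
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = (username, dev)
        return ("confirm", challenge)      # new device: the phone must approve

    def confirm_from_phone(self, challenge, trust_device):
        """Approval from the phone app; each challenge can be used once."""
        entry = self.pending.pop(challenge, None)
        if entry is None:
            return False
        username, dev = entry
        if trust_device:                   # the "do you trust this device?" answer
            self.trusted[username].add(dev)
        return True

    def revoke(self, username, device_token):
        """Remove a device from the trusted list."""
        self.trusted[username].discard(self._dev_hash(device_token))
```

Note that a correct password alone never returns "ok" from an unknown device, and revoking a device sends its next login back through phone confirmation.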
I went ahead and recorded a short video of me using the plugin. It also contains a few thoughts about Rublon, so check it out.
Documentation and Support
On Rublon.com, the developer section provides all the implementation details needed, and also explains the authentication process in a bit more detail than what normal end users see.
I haven’t used the support system myself, purely because it is a very straightforward system to set up, and you’re only bound to contact support if something goes totally wrong (maybe an incompatible PHP version or something of the sort) rather than getting stuck in the usage process. However I’ve also read some reviews which said that they received replies in less than 8 hours, which is a very good response time from support.
The Rublon app for your smartphone is available free of charge, as is the WordPress plugin. The money is made from web service providers who want to integrate Rublon into their service, so insofar as WordPress is concerned, this is a totally free product.
Everywhere I checked, the user feedback for this system was great. The Android app had a good number of enthusiastic commenters, while on the WordPress.org plugin repository, although the number of downloads is still quite low, there are already a number of glowing reviews. In fact, all the reviews are 5 star ratings, way to go for a new plugin!
Conclusion and Recommendations
Apart from the little mishap with the PHP notices (which is easily fixed), I really enjoyed using this plugin and think that it is a very useful technology. While it might or might not take off with regards to the big websites (speaking of Facebook, Amazon etc.), I think the developer has chosen the right approach by creating this WordPress plugin. Let’s not forget that WordPress powers 20% of the web, and if many WordPress users start using Rublon, then the big players will definitely take note and probably follow suit.
It is worth pausing a little to discuss the alternatives to Rublon. Second factor authentication in fact is not a new thing. There are other plugins for WordPress which deal with this. Some of them use an SMS-based code system, for example Authy. While it ensures that the person logging in is the owner of the phone the SMS has been sent to, it has its disadvantages – the website’s owner has to deal with the international SMS rates and this method gives the user little control over this process which – for web-active users – can be tedious, to say the least. Rublon is less of a hassle to use since you only set things up once on that device.
Irrespective of whether or not the big players will eventually implement Rublon, it is already a mature technology that can be used today to provide that extra layer of security for your WordPress website. Given the number of hacking attempts (including a brute forcing attack that affected thousands earlier this year), it makes a lot of sense to implement two factor authentication technology, and Rublon provides a no-gimmick, easy-to-setup system that will have your new security barrier implemented in less than 10 minutes.