[WordPress] Plugin Share: Holovid® Secure Connect

Active installs: new plugin
Rating: no ratings yet
Last updated: 11 days ago
Issues resolved
WordPress 5.8+ | PHP 7.4+ | v1.2.15 | Listed: 2026-06-04


Original plugin description

You have a WordPress site and you want to protect it from hackers? This plugin is made for you!
Today, a simple password is no longer enough. Hackers have tools to guess, steal or intercept them. Two-factor authentication (2FA) is like adding an extra lock to your door: even if someone finds your key, they cannot get in without the second lock.
Holovid® Secure Connect offers you two ways to protect your site:

TOTP mode (temporary code)

A 6-digit code that changes every 30 seconds. You find it in the Holovid® ID app on your phone (or in Google Authenticator, Authy, etc.). You type the code, and you are in. It is the most common system, compatible with all authenticator apps.

Secure Connect mode (codeless)

This one is even simpler: you do not type anything at all. A QR Code appears on your WordPress login page, you scan it with the Holovid® ID app, you confirm with a tap on your phone, and you are logged in. Fast, effortless.
But Secure Connect is not just convenient. It protects you against a particularly sneaky category of attacks: proxy phishing (known as “AiTM” attacks, such as Tycoon 2FA or EvilProxy). These attacks create a fake copy of your login page to intercept your TOTP code in real time. With Secure Connect, this technique does not work, because the signature is bound to the real domain of your site.
Both modes can coexist on your site. Each user chooses the one they prefer from their profile.
What makes this plugin different

Two levels of protection to choose from: a classic temporary code or a codeless login from your phone.
Resistant to proxy phishing: Secure Connect prevents hackers from intercepting your authentication, even if they copy your login page.
Nothing leaves your server: TOTP mode works without calling any external service. The QR Code is generated directly by your server, in pure PHP, without going through Google or any other service.
Your secrets are encrypted: TOTP keys are protected with AES-256-GCM encryption in your database. Even if the database leaks, they remain unreadable.
One device = one account: each WordPress account is linked to a single phone. If someone tries to log in with a different device, the plugin detects it and denies access.
Backup codes: in TOTP mode, 10 single-use codes are generated in case you lose your phone.
Lightweight and dependency-free: no external library, no third-party service on the TOTP side. The plugin does everything itself.
French and English: the interface automatically adapts to your WordPress language.

In a nutshell

| | TOTP (temporary code) | Secure Connect (codeless) |
|---|---|---|
| How does it work? | You type a 6-digit code | You scan a QR Code and confirm |
| Compatible with other apps? | Yes (Google Authenticator, Authy, etc.) | No, Holovid® ID only |
| Works offline? | Yes | No (requires internet) |
| Resistant to proxy phishing? | No | Yes |
| Backup codes? | Yes (10 codes) | No (an admin can deactivate) |

External services
This plugin connects to the Holovid® ID server for the Secure Connect (codeless) authentication mode. The TOTP mode does not use any external service.
Holovid® ID API (api.holovid.net)
When Secure Connect is enabled, the plugin communicates with the Holovid® ID API hosted in Gravelines, France, in the following situations:

Registration: when a user activates Secure Connect, the plugin requests a cryptographic challenge from the API. The site domain name is sent.
Login: when a user logs in with Secure Connect, the plugin polls the API to check whether the user has confirmed the authentication on their phone. The challenge nonce and session token are sent.
Device verification: when a device change is detected, the plugin checks with the API whether the previous device registration is still active. The account identifier and site domain are sent.
Login page: the Secure Connect login page loads a JavaScript SDK from the API server to display the QR Code and handle the authentication flow.

No personal data (name, email, password) is ever sent to the API. Only cryptographic identifiers (nonce, session token, account ID) and the site domain are transmitted.
This service is provided by Holovid SAS (Bergerac, France).
