Identity + is a novel security solution based on PKI (Public Key Infrastructure) which locks your WordPress back-end with your device(s). It features connection level authentication which prevents access to select resources for any device in the world that cannot supply the correct cryptographic key. While this is seemingly equivalent with an all-in-one 2 (ocasionally 3) factor authentication it is in fact a lot more powerful. Additionally it enables site owners to collaborate in defending against criminality by allowing them to send feedback on certificates and their owners. With Identity +, when a spam is reported, we are not only preventing the same spam being posted anywhere else, we are effectively preventing the spammer sending any other kind of spam, anywhere else. Keep on reading for a brief intro into this powerful technology.

Log In, Before A Login Page

Why Identity + Is Better Than Any 2 Factor Authentication …

Whenever you deal with application level login, whether it’s one factor, two factor or any factor for that matter, you need a login page. This page must load before it gets the chance to see who is visiting, which is why Worpress has a protection against repeated login attempts. This can stop bots, to a certain degree, but if you happen to have an application vulnerability that can be used by a hacker to bypass login, whether you forgot to updated your WordPress or something totally out of your control like zero day vulnerability in PHP, your blog is toast, regardless of how many factors of authentications you have. Identity + uses TLS level authentication, which means the visiting device is authenticated before the login page loads. If the proper PKI credentials are not presented by the device, the page will never, ever load. The visitor is simply directed away from the sensitive page and hence is unable to perform any kind of attack, be that brute force, credential theft or zero day for that matter. No login page, no problem …


A VPN Into Your Admin Panel

Make Your Admin Panel Accessible Only From Your Computers …

Having a PKI indenity in your browser is a powreful thing. Because the server expects that identity to be there, it does not only limit access by the user, it also limits access based on computer. As such, your admin panel becomes literally inaccessible from any other computer in the world. To access your admin panel, a hacker must steal your computer and access it from there.

SSO Like Never Before

Simpler, Faster, More Secure. Sign In Without Having To Do Anyting …

Once you start using Identity +, you will see you are hardly asked to do anything, you’ll just notice you are logged in. Don’t get scared, you are logged in because your computer is certified and it’s being identified before you would have the chance to do anything. But since you also logged in with your password or your fingerprint into the device you are using (laptop / mobile phone), you are actually performing 2 factor authentication without even noticing it. You will occasionally notice however, as your certificate becomes idle, that you are being asked for your Identity + PIN. That’s actually the third factor authentication, all in one solution

A Network Of Trust

Reward Good Deeds And Block The Spammer, Not The Only Spam …

When devices wear an impossible to forge identity, something amazing happens: if you restrict access to your comment section to devices with Identity + certificates, whever you approve a comment, you are sending tokens of trust to the owner of that certificate telling Identity + that you trust the owner. Now other blogs can trust him too, and he is steadily building a profile that defferentiates him from any malicius bot. Conversely, when you mark a comment as spam, you’ll be telling Identity + that this is a malicious entity, and we block the certificate making sure the device can’t be used to post spam again. Now we are no longer only stopping spam, we are collectively working on stopping the spammer.

Enjoy 10 Connected Users For Free

Free Certificates, Free API Up To 10 Connected Users, Unlimited Validations For Free …

A connected user is a user that can be signed in automatically via Identity + into a service using Identity +. If that service is your personal blog, you probably don’t have more than 10 users who regularly sign into the administrative section of your WordPress installation. If that’s the case, you will never have to pay for Identity +. Visitors that comment with Identity + accounts that are not connected to local accounts do not count. For this reason the plugin will only connect administrator accouns by default. If you need log more than 10 users into your back-end, you’ll need a business account, the cost of which scales with the number of your active users. Check our the 647-865-6037 for details.

Installation Instruction

Installation Instructions

A step by step installation instruction of the identity + WordPress plugin …

Hopefully you will not encounter difficulties during the installation process but if you, feel free to send us a support request and we’ll help clarify things. That said, the installation does not require you to have any special knowledge, just follow the steps and enjoy the end result:


  1. You will need access to your Worpress installation files, and we recommend that you have the latest Worpress although we’ve tested the plugin back to WordPress 3.9.
  2. We recommend you start by downloading the Identity + Worpress Plugin.
  3. Upload it into the /wp-content/plugins directory of your WordPress, alongside your other plugins, using your favorite method (ftp, sftp, scp, etc…)
  4. Activate the plugin and go to the Settings/Identity + section. You will see an error that the certificate is missing but that is normal at this stage.


  1. Sign up for an Identity + account, if you haven’t already.
  2. Install a certificate on your browser to access all the sections of your Identity + account.
  3. We recommend you certify your other devices at this stage (mobile, tabled, whatever you have).
  4. Please don’t forget to set up a PIN, you will have to use it occasionally if your certificate becomes idle.


  1. In your Identity + dashboard, hit “Advanced” and select “API Domains”
  2. Add your blog’s domain. For example if your blog can be found at 646-382-4449, then the domain you register should be “www.myblog.me”.
  3. After adding it you need to verify your ownership of the domain, by downloading a file from Identity +, uploading it into the root of your website and than click verify. Sorry, but this is an essential security step, both for you to make sure you specified the domain correctly but also to prevent others from impersonating your site.
  4. Now you can go to the “API Certificates” section, click “Add Web Site”. Follow the steps to issue the certificate: select the domain, select the type of certificate and hit next.
  5. At this stage you will have access to the password the certificate will be encrypted with. Copy it into the clipboard and paste it into the designated space in the Identity + configuration in your WordPress.
  6. Download the certificate from your Identity + Dashboard and upload it into the Identity + settings of your Worpress instance. (hit save settings)


  1. If everything went well so far, your local wordpress admin user is already bound to your Identity + account and you are almost done.
  2. You can see this in the “Behavior” section. Make sure your user is bound before you continue to prevent locking yourself out of your WordPress.
  3. Best way to test this, is by taking your other device that is connected with Identity +, the one you don’t regularly use to visit your /wp-admin section, and go to your bolgs /wp-admin section. If you are logged in automatically, your are all set.
  4. Alternatuvely, you can selectively delete all the cookies that were set by your blog to invalidate your session and log in.
  5. You can also test it by trying to log out of WordPress (this will delete your authentication cookies). If you are logged back in immediately Identity + is working.


  1. By checking “Enforce Identity + Device Certificate” you make sure access to your filtered pages can only be done with valid Identity + certificates.
  2. If you do not want users to register with your WordPress and you know only you are accessing the admin section you can also tick “Lock Down”. This means that even if the user is comming with a valid Identity + certificate, but that certificate is not any one that is already connected, access will be denied.
  3. That is all, no more bots on your login page. You can also enforce the use of Identity + certificates for commenting, this will give you the power to block the spammer whenever you mark a comment as spam and be an active participant in the Network of Trust.
  4. You can try accessing your wp-admin section from a different computer, see what happens and enjoy piece of mind.


  1. If the certificate in your browser expires, or you manually revoke it you will not be able to access your blog. This conflict needs to be resolved on Identity +. Simply issue a new certificate for your browser, install it and all will be back to normal.
  2. You lose your device and it’s connected to your Identity +. Take your other device, go to Identity + and revoke the certificate of your lost device. This will revoke access to any identity + bound account, so you are safe.
  3. You locked your self out of your WordPress. No problem. You need to go to your Worpress back-end, (access the files). In your wp-content/uploads/…/, you will find the certificate file you uploaded (a *.p12 keystore file). Delete the file. This will disable the plugin, and you can use your regular wordpress login to access your back-end.


Contact Us …

Enjoy security like never before …
If you have any questions reach out to us via our contact page, email or Facebook page. (see links below)