visualCaptcha
Plugin issues and suggestions (10 posts)

  1. Jacob Schweitzer
    Member
    Posted 1 year ago #

    Hey guys, great concept, I really want to use it but it is not completely working. The pictures show up, I can drag them in the circle and everything, BUT I don't need to. I can log in without touching the captcha... Might just be a matter of getting the hooks correct.. but right now it offers no security out of the box for me. I'm on WordPress 3.5. I tried two logins, one admin and one regular user (thinking maybe I didn't need the captcha because I was an admin the first time).

    I'm using BuddyPress, don't have any other login or registration plugins. I tried to add an option in the backend but didn't understand how to implement that, and I'm a WordPress developer. I'd like to put it on the BuddyPress registration page.

    I'd love to help you with this, I've actually already translated most of it to Russian, and modified your code to include the following line for loading translation files (and letting the plugin be translatable):

    load_plugin_textdomain( 'visualcaptcha', false, dirname( plugin_basename( __FILE__ ) ) . '/languages/' );

    I put the above line into visualcaptcha.php for translation. I also made the folder /languages/ to hold the language files.

    I like that the plugin doesn't require an API like most others, so good job on making it accessible. Allowing translation would be one more step to making it available to more WordPress users. Adding BuddyPress support would be another feature I would expect many people to be searching for. We have been getting spammers signing up and making spammy groups with links in the description.. Please help us implement this properly so we can use this cool thing :)

  2. jmigcosta
    Member
    Plugin Contributor

    Posted 1 year ago #

    hello primetimejas,
    sorry to hear that you are having problems using visualCaptcha for WordPress :/
    It is kind of difficult to help without seeing the problem :) but my best guess is that you have a custom login form, or you are using a custom template, or even that you are using a different script to validate or submit the login form.. but it would be great if I could take a look at the problem :) [I think that BuddyPress has a custom login form and uses different hooks to check the login.. I will check it on Monday]
    here you can find a list of BuddyPress hooks/actions/filters
    http://etivite.com/api-hooks/

    To implement a new set of hooks you need to be familiar with the WordPress Codex and know your way around PHP (and in your case you need to know the ins and outs of BuddyPress).
    So these are the fields you will need to fill:
    - the "option name" is the name that will appear on the "add visualCaptcha to" list;
    - the "display hook", well this is the hook where you want to display visualCaptcha;
    - the "validation hook" is the hook/filter/action where visualCaptcha will check if the correct option was dragged to the circle.
    - the check box: this is only to remind users that they could crash the WordPress installation if they don't know what they are doing.
    You will need to take a look at the PHP files from the plugins and find the correct hooks (or, if needed, create new hooks).

    About the translation, thanks for the code :) We are thinking about doing some changes on visualCaptcha to make it easier to customize and to take it to an all new level of security... and we will need to rethink the translation process :)

    visualCaptcha for WordPress is just taking its first steps, and we are learning so much from the feedback we are getting. That's why we would like to sincerely thank you for your feedback and your suggestions. They are very important for us and will help us build a better plugin.
    cheers

  3. Jacob Schweitzer
    Member
    Posted 1 year ago #

    Hey I still wasn't able to get it working, here is what I tried. I tried selecting the included options. On the login form the captcha appears, I can move the icon to the box and everything. But it doesn't matter if I do something with the captcha or not, I can log in with the correct password no matter what the situation is.

    BuddyPress as far as I can tell isn't using a custom login form or anything, and the captcha appears so part of it is working correctly. I think the hook for checking/authenticating the captcha is wrong or something is messing with it (I have no caching plugins on, this is a local development site I'm testing on).

    Here are the login hooks I found for WordPress:
    login_form
    login_init
    login_form_postpass
    login_form_logout
    login_form_lostpassword
    login_form_retrievepassword
    login_form_resetpass
    login_form_rp
    login_form_register
    login_form_login

    I know that login_form you are already using for the display hook and that is working. But which hook is the default you are using for authentication? Maybe the priority of the hook needs to be changed to make it later, it might be an issue with that. But it is not authenticating the captcha.

    Also, here are some hooks I found for the BuddyPress registration page:
    bp_signup_blog_privacy_errors
    bp_after_blog_details_fields
    bp_before_registration_submit_buttons
    bp_after_registration_submit_buttons
    template_notices
    bp_before_registration_confirmed
    bp_after_registration_confirmed
    bp_custom_signup_steps
    bp_after_register_page

    That is the order in which they load on the BP registration page. I think adding BP support by default would help the popularity of your plugin.

    I also tested by adding my own option like this:
    name:
    loginoption
    display hook:
    login_form_login
    validation hook:
    login_init

    Then disabled all the other default options to only test the option I created.

    Hope that helps you..

  4. jmigcosta
    Member
    Plugin Contributor

    Posted 1 year ago #

    hello primetimejas,
    sorry for the delay..

    primetimejas I just installed WordPress 3.4 and 3.5 (with visualCaptcha and BuddyPress) and they are working correctly out of the box without any kind of manipulation required.

    Please check these questions and send me some feedback on them:

    1 - please confirm which BuddyPress theme you are using:
    /wp-content/plugins/buddypress/bp-themes/

    2 - do you have JS errors on your login page?

    3 - You say: "BuddyPress as far as I can tell isn't using a custom login form or anything". In standard WordPress there is only one login form; BuddyPress implements more login types, for example the sidebar login. We are talking about the wp-login login, right?

    4 - please install the hook sniffer and check the hook sequence
    http://wordpress.org/extend/plugins/wordpress-hook-sniffer/
    for login we are using the authenticate filter, so please check if this filter is used. It should be something like this:
    "Firing Sequence [number]: authenticate --> visualcaptcha_do_filter"

    My best guess about your problem is that you have some kind of custom script that doesn't respect the WP hook sequence, or some script that is not standard.
    cheers

  5. Jacob Schweitzer
    Member
    Posted 1 year ago #

    Hey I'm happy to report I got it working.

    Thanks for that tip on the hook sniffer, that plugin actually works still even in WordPress 3.5.1 .

    Here is what I found with the hook sniffer:
    add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 )
    add_filter( 'authenticate', 'visualcaptcha_do_filter', 1000, 3 )
    add_filter( 'authenticate', 'bp_core_boot_spammer', 30 )
    add_filter( 'authenticate', 'bp_core_signup_disable_inactive', 30 )
    add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 )

    Firing Sequence 99: authenticate --> wp_authenticate_username_password --> Time fired: 1363549456.2313
    Firing Sequence 100: authenticate --> bp_core_boot_spammer --> Time fired: 1363549456.2315
    Firing Sequence 101: authenticate --> bp_core_signup_disable_inactive --> Time fired: 1363549456.2315
    Firing Sequence 102: authenticate --> wp_authenticate_cookie --> Time fired: 1363549456.2316
    Firing Sequence 103: authenticate --> visualcaptcha_do_filter --> Time fired: 1363549456.2317

    So here was my solution.. The visualcaptcha is firing at priority 1000, so I changed it to before any of the other ones at priority 10.

    visualcaptcha.php line 34
    BEFORE:
    add_filter( $visualcaptcha_hook_data[ 'filter' ], 'visualcaptcha_do_filter', 1000, 3 );

    AFTER:
    add_filter( $visualcaptcha_hook_data[ 'filter' ], 'visualcaptcha_do_filter', 10, 3 );

    Do you think that is too early to check the captcha? Maybe it should go after the WordPress username/password authentication? I'm not sure.. There might be other spam blocking plugins and such that check pretty early, so you have to get your captcha check in before them as well, it is a bit tricky indeed.

    Thank you very much, brother! I appreciate it, cheers :)

  6. jmigcosta
    Member
    Plugin Contributor

    Posted 1 year ago #

    great! glad I could help :)
    visualCaptcha is using a low priority [1000] because (in my point of view) it should be the last thing to be checked. First we should look if it is a valid user and pass and then we should check if the visualCaptcha is correct or not :)
    but this really depends on the way the developer wants to work.

    In my opinion you should use 99 instead of 10 (as the priority), right before the "bp_core_boot_spammer". This way visualCaptcha will only work if we are processing a valid user request. But you can also leave it before the "wp_authenticate_username_password" and protect the login from attacks. That is really up to you :)

    The problem was the bp_** filters. They have some sort of redirection that is not present on my local test installations. Sorry for not spotting it, but I don't have that problem on my local server :/

    primetimejas sincerely thank you for your feedback and for presenting us this problem, we will consider using a different priority level in the future.

    Many thanks! Whenever you think we can help, feel free to ask.
    cheers

  7. Jason
    Member
    Posted 9 months ago #

    great! glad I could help :)
    visualCaptcha is using a low priority [1000] because (in my point of view) it should be the last thing to be checked. First we should look if it is a valid user and pass and then we should check if the visualCaptcha is correct or not :)
    but this really depends on the way the developer wants to work.

    The real security issue with that is the attacker can fail the captcha forever while guessing passwords and get a different message once they've guessed the right password. Then they can manually solve the captcha once they know the password.

    Recently there was a massive attack on wordpress sites using weak passwords. Many with captchas should have been harder to crack because the captcha is supposed to slow down the bots. In this case it would allow an automated attack to discover the admin's password.

    And yes, I'm SURE of it. The priority should be increased.
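
The ordering question from posts 5 and 6 and the oracle Jason describes above, as an added example that is not the plugin's code and comes from nobody in this thread: a small PHP simulation of WordPress's 'authenticate' filter chain. The add_filter/apply_filters shim, the WP_Error and WP_User stand-ins, the single 'admin' account and both captcha callbacks are constructed for the demonstration. The thread never shows what visualcaptcha_do_filter itself does when the captcha is wrong, so the callbacks below assume a failed captcha is reported by returning a WP_Error; the core stand-in mirrors how wp_authenticate_username_password treats what it receives.

```php
<?php
// Added example, not the plugin's code: a stand-alone simulation of WordPress's
// 'authenticate' filter chain so the priority question can be run offline. The core
// stand-in mirrors wp_authenticate_username_password; the two captcha callbacks are
// hypothetical and are NOT visualcaptcha_do_filter.

$GLOBALS['demo_filters'] = [];

function add_filter( $hook, $callback, $priority = 10, $accepted_args = 1 ) {
	$GLOBALS['demo_filters'][ $hook ][ $priority ][] = [ $callback, $accepted_args ];
}

// Callbacks fire in ascending priority order, as in WordPress; each one receives
// the previous callback's return value as its first argument.
function apply_filters( $hook, $value, ...$args ) {
	$by_priority = $GLOBALS['demo_filters'][ $hook ] ?? [];
	ksort( $by_priority );
	foreach ( $by_priority as $callbacks ) {
		foreach ( $callbacks as [ $callback, $n ] ) {
			$value = $callback( ...array_slice( array_merge( [ $value ], $args ), 0, $n ) );
		}
	}
	return $value;
}

class WP_Error {
	public $code;
	public function __construct( $code ) { $this->code = $code; }
	public function get_error_code() { return $this->code; }
}
class WP_User {
	public $user_login;
	public function __construct( $user_login ) { $this->user_login = $user_login; }
}
function is_wp_error( $thing ) { return $thing instanceof WP_Error; }

// Constructed fixture: the only account on the site and its password.
function demo_users() { return [ 'admin' => 'correct horse battery staple' ]; }

// Stand-in for core's wp_authenticate_username_password (registered at priority 20).
// Like core it passes a WP_User through, but when a username and a password were
// posted it ignores an incoming WP_Error and decides on the credentials alone.
function demo_authenticate_username_password( $user, $username, $password ) {
	if ( $user instanceof WP_User ) {
		return $user;
	}
	if ( '' === $username || '' === $password ) {
		return is_wp_error( $user ) ? $user : new WP_Error( 'empty_credentials' );
	}
	$users = demo_users();
	if ( ! isset( $users[ $username ] ) ) {
		return new WP_Error( 'invalid_username' );
	}
	if ( ! hash_equals( $users[ $username ], $password ) ) {
		return new WP_Error( 'incorrect_password' );
	}
	return new WP_User( $username );
}

// The posted captcha answer; 'demo_captcha' is a constructed field name.
function demo_captcha_solved() { return ( $_POST['demo_captcha'] ?? '' ) === 'solved'; }

// Hypothetical "credentials first, captcha last" check: it leaves core's error alone
// and only rejects a login whose password core has already accepted.
function captcha_after_credentials( $user, $username, $password ) {
	if ( is_wp_error( $user ) || demo_captcha_solved() ) {
		return $user;
	}
	return new WP_Error( 'captcha_failed' );
}

// Hypothetical check that answers a failed captcha with the same error whatever the
// earlier callbacks decided, so the response says nothing about the password.
function captcha_uniform_error( $user, $username, $password ) {
	return demo_captcha_solved() ? $user : new WP_Error( 'captcha_failed' );
}

// Mirrors wp_authenticate(): run the chain and report what the browser would see.
function demo_login( $username, $password, $captcha_solved ) {
	$_POST['demo_captcha'] = $captcha_solved ? 'solved' : 'wrong';
	$user = apply_filters( 'authenticate', null, $username, $password );
	if ( null === $user ) {
		$user = new WP_Error( 'authentication_failed' );
	}
	return is_wp_error( $user ) ? $user->get_error_code() : 'logged_in';
}

// What a bot that never solves the captcha sees for a wrong and for the right password.
// Two different outcomes let it brute-force the password first and solve the captcha
// by hand once it has found it.
function probe( $captcha_callback, $priority ) {
	$GLOBALS['demo_filters'] = [];
	add_filter( 'authenticate', 'demo_authenticate_username_password', 20, 3 );
	add_filter( 'authenticate', $captcha_callback, $priority, 3 );
	$wrong = demo_login( 'admin', 'guess-0001', false );
	$right = demo_login( 'admin', 'correct horse battery staple', false );
	return [ 'wrong_password' => $wrong, 'right_password' => $right, 'leaks' => $wrong !== $right ];
}

foreach ( [ [ 'captcha_after_credentials', 1000 ], [ 'captcha_uniform_error', 1000 ], [ 'captcha_uniform_error', 10 ] ] as [ $cb, $prio ] ) {
	$r = probe( $cb, $prio );
	printf( "%-25s @%-4d wrong pw: %-18s right pw: %-18s %s\n", $cb, $prio,
		$r['wrong_password'], $r['right_password'], $r['leaks'] ? 'outcomes differ' : 'uniform' );
}
```

Run it with the php command-line binary. The first row reproduces the oracle: when the captcha is only checked after a valid user and password, a bot that never solves it receives incorrect_password for every wrong guess and captcha_failed for the right one. The second row is the fix that does not depend on priority at all: on a failed captcha, return the same error no matter what core decided. The third row is the caveat behind simply moving the check to priority 10: wp_authenticate_username_password ignores an incoming WP_Error whenever a username and password were posted, so a callback that runs before it and only returns an error is overwritten and the correct password still logs in. A check that must run first has to stop the request itself (send the error page and exit) rather than rely on the WP_Error it returns.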

  8. jmigcosta
    Member
    Plugin Contributor

    Posted 9 months ago #

    hey Jason,
    Nice point there.
    I would never have imagined that there could be a brute force attack on the web.
    To be honest, in most of the cases there are easier ways to hack a site, and they don't involve passwords.

    By the way, brute force bots don't go through the normal login process: they just post passwords to the server and wait for the success redirection. If they used the form, they would blow out the server resources (due to the massive requests) and doing that they would kill the site.
    So I'm really sure that the bots don't even read the error messages..

    I will increase the priority ASAP.
    Thank you for your comment
    cheers

  9. Jason
    Member
    Posted 9 months ago #

    I would never have imagined that there could be a brute force attack on the web.
    To be honest, in most of the cases there are easier ways to hack a site, and they don't involve passwords.

    Actually, a dictionary attack is the most popular attack on wordpress :(

    I have the log files to prove it!

    Also, this: http://www.forbes.com/sites/anthonykosner/2013/04/13/wordpress-under-attack-how-to-avoid-the-coming-botnet/

    Ditch The Admin Username: The attackers are in possession of 90,000 IP addresses from which they are trying to crack the default “admin” accounts on WordPress installations. So if you are still using “admin,” create a new user with admin privileges (you will need to use a different email address than the one attached to the current admin) and give it a strong password as defined above. Then log back in as the new user and delete the old admin account and assign all of the posts in that account to the new user. Five minutes, tops.

    I would love the captcha to be ajaxed to prevent the form from even posting IMO with a refresh button to manually grab a new captcha to solve.

  10. Jason
    Member
    Posted 9 months ago #

    By the way, brute force bots don't go through the normal login process: they just post passwords to the server and wait for the success redirection. If they used the form, they would blow out the server resources (due to the massive requests) and doing that they would kill the site.
    So I'm really sure that the bots don't even read the error messages..

    http://ubotstudio.com/index2

    In setting up the process, they actually outline how to read the messages to see the reply you desire. I could set one up to look for a screen that says "captcha failed" without "wrong password", without any programming.

Topic Closed

This topic has been closed to new replies.