Support » Plugin: BulletProof Security » Annoying Forced JTC Lite

  • Resolved Pattaya_Web

    (@pattaya_web)


    Up until your most recent update I would have put BPS on the list of must have plugins. However, your forced use of JTC Lite now sees me about to remove BPS. I run a secure website, I don’t need or want vendors telling me what I should have running on my site. Is this some sort of tracker? Is it malware? I don’t know because YOU guys forced installed it. I couldn’t care if it is the best thing since sliced bread, but when I see stuff popping up on my login pages that I didn’t install and which take days and days to work out what it is I am pissed.

    How do I get rid of this ANNOYING and CONFUSING box on my sign in page that says ‘Hover or click text box below’?

    After days of cutting in to my 18 hour day already schedules I managed to find where this annoying and unwanted intrusion comes from and have disabled it for all forms, but this annoying and confusing text box still appears.

    This forced install and inability to kill SOMETHING I DON’T WANT on my website is totally unacceptable.


Viewing 15 replies - 1 through 15 (of 22 total)
  • Plugin Author AITpro

    (@aitpro)

    I’m sorry JTC-Lite is causing problems for you. Do these steps and let me know if this successfully disables the JTC-Lite form field.

    1. Go to the JTC-Lite page and uncheck the Login Form checkbox.
    2. Click the Save Options button.

    Related forum thread: https://wordpress.org/support/topic/jtc-lite-enabled-by-default-2-thumbs-down/

    Thread Starter Pattaya_Web

    (@pattaya_web)

    After days and days of hunting where this annoying “feature” was coming from I turned off the option and the box and text are still appearing on our login form.

    Plugin Author AITpro

    (@aitpro)

    It sounds like there is some kind of weird plugin conflict going on here. If the Login Form checkbox is unchecked then this Hook below should not be triggered/processed/executed. So my guess would be some kind of override or Action/Filter Hook problem going on with your membership plugin or theme where it is canceling out or completely overriding BPS conditional code??? Maybe, not really sure at this point since this is very odd. Could it be possible that this is a Browser cache or plugin cache problem? Try clearing/deleting your Browser cache and any caching plugin cache.

    The conditional code below executes one of these Filters depending on what the final executable condition would be in each individual environment or scenario > authenticate or wp_authenticate_user.

    	$BPSoptions = get_option('bulletproof_security_options_login_security');
    	$BPSoptionsJTC = get_option('bulletproof_security_options_login_security_jtc');	
    	$bpsPro_woocommerce = 'woocommerce/woocommerce.php';
    	$bpsPro_woocommerce_active = in_array( $bpsPro_woocommerce, apply_filters('active_plugins', get_option('active_plugins')));
    	
    	if ( ! function_exists( 'is_plugin_active_for_network' ) ) {
        	require_once( ABSPATH . '/wp-admin/includes/plugin.php' );
    	}
    
    	if ( $bpsPro_woocommerce_active == 1 || is_plugin_active_for_network( $bpsPro_woocommerce ) ) {
    	
    		if ( $BPSoptions['bps_enable_lsm_woocommerce'] == 1 && $BPSoptionsJTC['bps_enable_jtc_woocommerce'] == 1 ) {
    		
    			if ( $BPSoptions['bps_login_security_OnOff'] == 'On' && isset( $_POST['login'] ) || $BPSoptions['bps_login_security_OnOff'] == 'On' && isset( $_POST['wp-submit'] ) ) {
    				add_filter( 'authenticate', 'bpsPro_wp_authenticate_username_password', 20, 3 );
    			} elseif ( $BPSoptions['bps_login_security_OnOff'] == 'Off' && $BPSoptionsJTC['bps_jtc_login_form'] == '1' && isset( $_POST['login'] ) || $BPSoptions['bps_login_security_OnOff'] == 'Off' && $BPSoptionsJTC['bps_jtc_login_form'] == '1' && isset( $_POST['wp-submit'] ) ) {
    				add_filter( 'wp_authenticate_user', 'bpsPro_jtc_wp_login_page', 10, 2 );
    			}		
    
    		} elseif ( $BPSoptions['bps_enable_lsm_woocommerce'] == 1 && $BPSoptionsJTC['bps_enable_jtc_woocommerce'] != 1 ) {
    
    			if ( $BPSoptions['bps_login_security_OnOff'] == 'On' && isset( $_POST['login'] ) || $BPSoptions['bps_login_security_OnOff'] == 'On' && isset( $_POST['wp-submit'] ) ) {
    				add_filter( 'authenticate', 'bpsPro_wp_authenticate_username_password', 20, 3 );
    			} elseif ( $BPSoptions['bps_login_security_OnOff'] == 'Off' && $BPSoptionsJTC['bps_jtc_login_form'] == '1' && isset( $_POST['login'] ) || $BPSoptions['bps_login_security_OnOff'] == 'Off' && $BPSoptionsJTC['bps_jtc_login_form'] == '1' && isset( $_POST['wp-submit'] ) ) {
    				add_filter( 'wp_authenticate_user', 'bpsPro_jtc_wp_login_page', 10, 2 );
    			}
    
    		} elseif ( $BPSoptions['bps_enable_lsm_woocommerce'] != 1 && $BPSoptionsJTC['bps_enable_jtc_woocommerce'] == 1 ) {
    
    			if ( $BPSoptions['bps_login_security_OnOff'] == 'On' && isset( $_POST['wp-submit'] ) ) {
    				add_filter( 'authenticate', 'bpsPro_wp_authenticate_username_password', 20, 3 );
    			} elseif ( $BPSoptions['bps_login_security_OnOff'] == 'Off' && $BPSoptionsJTC['bps_jtc_login_form'] == '1' && isset( $_POST['login'] ) || $BPSoptions['bps_login_security_OnOff'] == 'Off' && $BPSoptionsJTC['bps_jtc_login_form'] == '1' && isset( $_POST['wp-submit'] ) ) {
    				add_filter( 'wp_authenticate_user', 'bpsPro_jtc_wp_login_page', 10, 2 );
    			}	
    		
    		} else {
    			
    			// WooCommerce is activated, but neither LSM or JTC is enabled for WooCommerce
    			// Standard WP Login: LSM & JTC Processing
    			if ( $BPSoptions['bps_login_security_OnOff'] == 'On' && isset( $_POST['wp-submit'] ) ) {
    				add_filter( 'authenticate', 'bpsPro_wp_authenticate_username_password', 20, 3 );
    			}		
    			// JTC Processing only
    			if ( $BPSoptions['bps_login_security_OnOff'] == 'Off' && $BPSoptionsJTC['bps_jtc_login_form'] == '1' && isset( $_POST['wp-submit'] ) ) {
    				add_filter( 'wp_authenticate_user', 'bpsPro_jtc_wp_login_page', 10, 2 );
    			}
    		}
    		
    	} else {
    		
    		// Standard WP Login: LSM & JTC Processing
    		if ( $BPSoptions['bps_login_security_OnOff'] == 'On' && isset( $_POST['wp-submit'] ) ) {
    			add_filter( 'authenticate', 'bpsPro_wp_authenticate_username_password', 20, 3 );
    		}		
    		// JTC Processing only
    		if ( $BPSoptions['bps_login_security_OnOff'] == 'Off' && $BPSoptionsJTC['bps_jtc_login_form'] == '1' && isset( $_POST['wp-submit'] ) ) {
    			add_filter( 'wp_authenticate_user', 'bpsPro_jtc_wp_login_page', 10, 2 );
    		}
    	}

    Thread Starter Pattaya_Web

    (@pattaya_web)

    No it’s not a cache issue.

    I’m just a newspaper editor. Not a programmer. I couldn’t care less about your filters and I’m not going to spend hours and hours and hours farking around with code instead of publishing a newspaper. I’ve wasted enough time on this. Easier to just delete BPS. Thanks for the memories, but you guys really overstepped the mark by forcing this on to people.

    • This reply was modified 4 years, 11 months ago by Pattaya_Web.
    Plugin Author AITpro

    (@aitpro)

    Ok I’m sorry for the inconvenience. I honestly do not know why this problem occurred on your website. BPS Pro JTC Anti-Spam|Anti-Hacker has been around for several years now and works fine on at least 40K websites. It appears that the BPS free JTC-Lite version works fine on at least 20K or 30K websites. Have a nice night and sorry for any inconveniences you experienced.

    Thread Starter Pattaya_Web

    (@pattaya_web)

    … “has been around for several years now and works fine on at least 40K websites”.

    Out of 74,652,825 WordPress sites. That’s about .05 of all WP sites.

    And if people wanted it on their website they’d choose to install it, not have it force installed.

    And it’s clear from comments around the net that I’m not the only one not happy about having it forced on them.

    Clearly no assistance forthcoming here.

    Deleting and ranking BPS 1

    Plugin Author AITpro

    (@aitpro)

    What I was trying to say is that everyone who has BPS Pro installed and is using JTC Anti-Spam|Anti-Hacker is not experiencing these problems that you are experiencing. BPS Pro and JTC are obviously not installed on all WordPress sites. Is that stated clearer/clearly?

    90% of people requested that JTC be automatically setup by the Setup Wizard and 10% did not want JTC automatically setup by the Setup Wizard. So we made a decision to choose to give the majority of folks what they want. Unfortunately, we expected to hear complaints from the other 10% of people who did not want JTC automatically setup.

    JTC is very easy/simple to turn off normally. So I really do not know why whatever problem was occurring on your website with JTC was occurring. I tried to work with you and offered assistance, but you refused any/all help.

    I’m sorry you feel like you need to attack us even though we tried to help you. Oh well good luck.

    I’m a website editor and writer, and in my modest opinion, BPS pro is insuperable.
    It’s true that it sometimes requires a little attention, but pros are always higher than cons by far.

    I’ve been using it for some years and I’m very pleased about the results. However, I can understand that for some people, especially for those who (like in my case) write texts day after day and, at the same time, technically control the site, it could be annoying the fact of having to disable any part of this or another plugin because that performance is not needed for the web. (although, as in this case, the procedure for disabling JTC lasts only a few seconds)

    Things similar to that have also happened to my website a very few times during these years, but I think that in WordPress, like any other CMS, Murphy’s law that says “Anything that can go wrong anytime will go wrong” could be applicable, and if we also take into account that a lot of webmasters (me too) are testing different new plugins once in a while, issues like @pattaya_web describes are perfectly possible. Anyway, if anybody analyzes them, they are not massive issues but very particular ones, perfectly possible, on the other hand, because one website is always different from any other.

    After all the above, I have to say that I totally trust in BPS and its excellent tech support.

    Plugin Author AITpro

    (@aitpro)

    @camperlife – Thanks for the honest feedback. Yeah, I believe it is not possible to create something that is going to work 100% right out of the box for every possible environment/situation in the world (if you hit 95% or above then in my opinion you are Rockin’ it), but we are always willing and do create any additional code that is needed when issues like this occur. I don’t think I made myself absolutely clear with @pattaya_web that I was just trying to document things all in one place as a reference point and that I had only begun to start troubleshooting whatever problem was occurring on his/her site. You can’t fix a problem until you know what is causing the problem. Oh well you can’t win ’em all. 😉

    • This reply was modified 4 years, 11 months ago by AITpro.
    Plugin Author AITpro

    (@aitpro)

    @camperlife – One simple sentence might have made a difference or not – “I am posting this info here as a reference point for myself while I research this issue on my own.” 😉

    Yep, that’s the point itself. Everything requires a bit of effort. There is no other possible solution to that but having a look at what is causing the problem.

    Thread Starter Pattaya_Web

    (@pattaya_web)

    My first post says:
    “I have disabled it for all forms”

    Your first reply says:
    1. Go to the JTC-Lite page and uncheck the Login Form checkbox.

    Your second reply is a bunch of code.

    Neither of these are helpful. And it’s totally overlooking the forced opt in use.

    Seriously, you’re miffed that people are upset when you force something on them that then disrupts their website and stops people from logging in?

    We publish ten pieces of fresh, new content between 8am and 8.40am every week day and continue rolling out news stories throughout the day and early evening. It’s a very, very busy news cycle. And suddenly there’s something new and people can’t log in in the normal manner. That throws our entire roll out out the window and sends alarm bells ringing that something we haven’t knowingly authorised suddenly pops up on our login page with no easy way of identifying what it is, where it came from, or what it might really be doing. And when it’s finally tracked down as to where it’s coming from and disabled it still doesn’t go away.

    As I said in the initial post. Up until your most recent update I would have put BPS on the list of must have plugins. And as other people have said in other posts, forced opt ins when people are already likely to have similar products are intrusive and can be disruptive such as in this thread. https://wordpress.org/support/topic/jtc-lite-enabled-by-default-2-thumbs-down/

    Despite saying in the other thread that you were prepared for criticism on it, you obviously aren’t. This is people’s livelihoods, and in many cases (including mine) prize possessions that are being altered.

    We have a very stable website. I’ve worked hard to optimise it for loading, SEO, and include a whole bunch of features and functionality not found on many other news sites. Single licence premium plugins such as we use can’t be installed on our staging site without deauthorising them for our live site. So that means having to disable features and functions on a live news site to try and fault find something. I am sure if you had to disable functions on your live site in the same situation you wouldn’t be pleased either.

    • This reply was modified 4 years, 11 months ago by Pattaya_Web.
    Plugin Author AITpro

    (@aitpro)

    It is always smart to start with the basic things first even though it may have seemed to you like I did not see or understand that you had already tried this > “1. Go to the JTC-Lite page and uncheck the Login Form checkbox.”. I can recall dozens if not 100’s of times when restating the basic steps was all that was needed to fix an issue/problem. ie the person was not doing the basic steps correctly or completely or at all.

    See my other explanations above which explain things logically.

    I honestly do not want to accidentally cause any issues or problems for people, but accidents do happen in the real world. So the next logical step to take is to figure out what caused the problem and what needs to be done to fix the problem.

    I am sincerely sorry that you had a bad experience. Take care.

    • This reply was modified 4 years, 11 months ago by AITpro.
    Plugin Author AITpro

    (@aitpro)

    Oops there are 2 different threads going on regarding JTC-Lite. The “logical explanation” stuff was posted in this thread > https://wordpress.org/support/topic/jtc-lite-enabled-by-default-2-thumbs-down/page/2/#post-9565909. Once again sorry you had a bad experience.

    We do all of our user feedback/information gathering stuff with BPS Pro folks since we have contact info for them. One of these days we plan on creating some kind of online website based form thing where people can add feedback/ideas/suggestions/requests and of course complaints. We did attempt to do something like that a long time ago, but it did not work out very well because if you cannot verify someone is actually a BPS user and is genuinely interested in saying something productive then typically you will get a lot of obvious random verbal attacks, slander junk, useless, etc. feedback.

    The general rule with WP is that you do not automatically do something without telling the user what is going to be done. So it’s a catch 22 situation with the new JTC-Lite feature since it is now considered a standard BPS feature and not something extra or additional. ie since JTC-Lite is considered a standard feature/functionality then logically it should be turned On by default. On the other hand, for folks who already had BPS installed and JTC-Lite is a new feature that was automatically setup and turned On during the BPS upgrade then I believe where we dropped the ball was by not notifying folks of the new JTC-Lite feature. Doing that also generates complaints from folks since we have done that in the past with other new BPS features. ie “why am I all of sudden a Notice about something – just make it go and do not show me any dumb messages”.

    In my experience the reality of creating anything new comes with a transition period where someone is not going to be happy with whatever the new thing is. So we were expecting a fair amount of complaints since that is the norm that should settle down naturally after a month or so. It would be great if it were possible to make all of the people happy all of the time, but that is being idealistic and not realistic. 😉

    From a Developer perspective you try to achieve the highest possible satisfaction percentage you can achieve and then just expect some complaints no matter what you do. It is important to remind myself that typically when folks are happy about something I will never hear any feedback from them. Another important thing that I remind myself is to be detached when being attacked or dealing with someone who is upset or angry. I feel bad that they feel that way, but I do my best not to allow myself to get sucked into that negative state of mind because it is a non-productive/non-conducive state of mind. No one’s perfect, but the good news for me is I am getting better at not being reactive since that ends up making me feel negative too.

    • This reply was modified 4 years, 11 months ago by AITpro.
    Plugin Author AITpro

    (@aitpro)

    This additional note is for myself since I am still gathering clues for this issue and keeping all the info in one place for reference purposes. No need to reply.

    1. Even if JTC-Lite had not been automatically turned On in this particular scenario and website the same problem would have occurred. ie turning JTC-Lite Off did not fix the problem. ie something preventing JTC-Lite option settings from working correctly or at all.
    2. Need to track down the members plugin or theme causing this issue and test it to see why it is overriding BPS plugin settings. ie Actions and Filters. Important!!! See #5 – this could be a caching/compression/minification problem.
    3. Is a Custom Login page/Form and not a standard WP Login page/Form.
    4. Hash anchor used at end of URL??? Should always be a Query String and never a hash anchor for Forms.
    5. Autoptimize and WP SuperCache are caching this custom login form. Note: Forms should never be cached for any reason, especially not Login Forms or Contact Forms. Doing that mistake creates security vulnerabilities in itself and data input may be cached instead of inputting fresh/new data input on each form submission. Need to test this scenario.
    6. Probably not relevant, but noting anyway. Several Mixed Content errors can be seen using Chrome Dev Tools Console. Various other Comodo SSL errors noted > Parser-Blocking, cross site, etc.
    7. Not sure if a CDN is in use or not since the Source Code of the custom login form page is barely readable due to being minified/compressed??? Appears to be BootstrapCDN, AWS CloudFront.
    8. Probably not relevant, but noting anyway. Lots of 3rd party Ad stuff going on.

    Logical conclusion so far: I believe my initial logical guess was correct that this is some sort of caching/minification/compression problem. Login pages/Forms should never be cached for any reason. Additionally the custom login page is being minified/compressed. That is also a no-go that should never be done for any reason.

    Test environment: Create this same scenario and check the results. Technically I am creating a mistake to see why the mistake is causing problems for BPS JTC-Lite. Note to self. This is a very dangerous thing to do on a Live hosted site that opens up all kinds of security vulnerabilities > MUST ONLY be tested on a Local Development server.

    Additional Note: This is going to be a very rare isolated type of issue/problem due to all of the factors stated above and of course the most important factor is Login pages/Forms should never be cached/minified/compressed for any reason.

    • This reply was modified 4 years, 11 months ago by AITpro.
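
The condition in note 5 above (a login form should never be served out of a page cache or CDN) can be checked from the response alone. The following is an added example, not part of the thread and not BPS code: the two sample responses are constructed, and the `WP-Super-Cache` footer comment and the `X-Cache: Hit` header are assumed here to be how those caches mark a cached response.

```python
from html.parser import HTMLParser


class _FormScan(HTMLParser):
    """Finds password inputs and HTML comments; works on minified markup too."""

    def __init__(self):
        super().__init__()
        self.has_password_field = False
        self.comments = []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_comment(self, data):
        self.comments.append(data.strip())


def cache_directives(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out


def audit_login_response(headers, body):
    """Return caching findings for a page; [] means nothing wrong was seen."""
    scan = _FormScan()
    scan.feed(body)
    scan.close()
    if not scan.has_password_field:
        return []  # no login form on this page, out of scope for the check
    hdrs = {k.lower(): v for k, v in headers.items()}
    cc = cache_directives(hdrs.get("cache-control", ""))
    findings = []
    if not {"no-store", "no-cache", "private"} & cc.keys():
        findings.append("login form lacks no-store/no-cache/private")
    lifetime = cc.get("s-maxage") or cc.get("max-age") or "0"
    if lifetime.isdigit() and int(lifetime) > 0:
        findings.append("login form has a positive cache lifetime")
    if hdrs.get("x-cache", "").lower().startswith("hit"):
        findings.append("login form came from a CDN cache hit")
    if any("super-cache" in c.lower() for c in scan.comments):  # assumed marker
        findings.append("login form body carries a page-cache footer comment")
    return findings


# Constructed sample responses (not captured from the site in the thread).
FORM = '<form method="post"><input name="log"><input type="password" name="pwd"></form>'
CACHED_HEADERS = {"Cache-Control": "public, max-age=3600", "X-Cache": "Hit from cloudfront"}
CACHED_BODY = FORM + "<!-- Cached page generated by WP-Super-Cache on 2018-01-01 08:00:00 -->"
FRESH_HEADERS = {"Cache-Control": "no-cache, must-revalidate, max-age=0, no-store, private"}

if __name__ == "__main__":
    for finding in audit_login_response(CACHED_HEADERS, CACHED_BODY):
        print("FINDING:", finding)
    print("fresh response findings:", audit_login_response(FRESH_HEADERS, FORM))
```

Run it against the headers and body saved from a logged-out request to the login URL; any finding means the form should be excluded from the caching plugin and the CDN.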