Support » Plugin: Captcha » CAPTCHA is inefficient – form tries to login first, then checks CAPTCHA value

  • Resolved crysman


    That means if I fill-in the correct username, wrong password and wrong CAPTCHA, the login page returns:

    ERROR: The password you entered for the username <my_famous_username> is incorrect. Lost your password?

    Which means it first tries to login, then verifies CAPTCHA. This is incorrect and makes CAPTCHA (as protection against automated login attempts) inefficient, because this way the attacker gets to know the correct and real username!

Viewing 13 replies - 1 through 13 (of 13 total)
  • Hello crysman,

    The captcha doesn’t affect the password. But we will check the possibility of this error.
    Please provide your plugin version and WordPress version, and a list of installed plugins and themes.

    Kind regards,
    Support Team

    I am using the latest plugin version available today.
    I am using my own custom theme.
    It is actually also being discussed in another thread:

    So it seems we have a duplicate thread now. That only shows I am not the only one considering this an important issue…




    Hi crysman,

    Please write here and provide access to your admin area so that we could analyze the problem.

    Support Team

    Why are you deleting my posts? I’ve just posted something like this right here in this thread:


    I cannot give you the access to the admin interface due to security issues. Just check your own WP installation, I believe you’ll get the same result and issues as we do… or you don’t?

    I am wondering why this is “resolved”, when it is NOT… The same here in the duplicate bug report:


    And now I can see it’s not here! So I am posting it here again now. I hope it will remain here until it actually gets truly resolved.

    Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    Cross posting topics is never a good idea. Really it just muddies up the support model even more as your installation is different than others.

    If you have something new to add to this topic i.e. “I also tried X, Y, and Z and that didn’t work” then that adds value. If you are just bumping the topic then please don’t do that. Those get deleted when found.

    Dear crysman,

    We mark the topic as “Resolved” since there isn’t another opportunity of marking it as “Duplicating”. We suggested that you should write either in our open forum or create a private ticket at “and provide an access to your admin area so that we could analyze the problem.” We are still waiting for your information.

    Support Team

    You still don’t get it. There is no need to give you any access to any admin area, because it is just not working anywhere, not even on a fresh WP install. Just try it yourselves – where is the problem?

    I will repeat the problem, maybe you do not understand:
    The problem is that your current captcha implementation checks the captcha input form field last – after user and password. That is incorrect. It should check the captcha input field first and if it’s incorrect not even try to log-in.
    Because this way (as it is now) anyone is able to get existing username and password! It just stops him/her from logging-in. OK, so what – if I am the attacker, I know all the credentials now (got them via brute force attack e.g.), so I just enter the correct captcha value myself now…

    I hope it is clear now… (?)

    I’ve made a video for you, should be clear perfectly now:

    Dear crysman,

    Unfortunately, WordPress DOES NOT have an opportunity to check captcha input BEFORE entering the rest of the fields. Do you suggest that WordPress Core should be CHANGED so that our captcha could function “correctly”? We are FOR it, please contact WordPress developers.

    BestWebSoft Support Team

    Crysman, you posted, “It should check the captcha input field first and if it’s incorrect not even try to log-in.”

    Your argument is not persuasive unless and until you can demonstrate another CAPTCHA plugin that follows the rules you think should be implemented in WordPress. If you cannot find such a plugin, then you can create a plugin which does what you want it to do, which is likely not a simple task. Or, as BWS suggests, contact the WordPress Core development team.

    @bestsoftweb: that is a pity 🙁 I haven’t known that. I’ve created a thread on WP core developers forum here:
    So you may comment and participate there, too.

    @celeste1212: my argument is true and legit independently of any existing plugin, because what I say and request is not related to the number of properly-functioning-captcha plugins available. It is a concept. If it’s a problem of every and any CAPTCHA, OK, we must change the concept, because otherwise all CAPTCHAs at WP login pages are inefficient.

    OK guys, as explained here

    it is not a WP core related bug. Moreover, you are able to fix it yourselves by following what Sergey suggests:

    …The plugin should just hook into the same filter with an earlier priority…

    So that’s good news, isn’t it?! Just let us know if you are going to fix it or not – so we might eventually migrate to the correctly behaving plugin Sergey mentions. Personally, I would prefer you fix it, because except for this bug I like your plugin.
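
The "earlier priority" fix quoted above, sketched as an added example; it is not part of the thread and not the Captcha plugin's code. The `example_*` function names, the `example_captcha_token` / `example_captcha_answer` form fields and the transient used to hold the expected answer are assumptions made for illustration.

```php
<?php
// Added example: a must-use plugin sketch, not the Captcha plugin's code.
// Hypothetical names: example_* functions, example_captcha_* form fields.
// Core's username/password callbacks sit on the 'authenticate' filter at
// priority 20; the CAPTCHA gate below is registered at priority 1.

// Compare the submitted answer with the one stored server-side when the
// challenge was rendered (keeping it in a transient is an assumption).
function example_captcha_is_valid() {
	$token  = isset( $_POST['example_captcha_token'] ) ? $_POST['example_captcha_token'] : '';
	$answer = isset( $_POST['example_captcha_answer'] ) ? $_POST['example_captcha_answer'] : '';
	if ( ! is_string( $token ) || '' === $token || ! is_string( $answer ) ) {
		return false; // a missing or malformed field counts as a failed CAPTCHA
	}
	$key      = 'example_captcha_' . sanitize_key( wp_unslash( $token ) );
	$expected = get_transient( $key );
	delete_transient( $key ); // single use: a solved challenge cannot be replayed
	if ( ! is_string( $expected ) || '' === $expected ) {
		return false; // unknown or expired challenge
	}
	return hash_equals( $expected, trim( wp_unslash( $answer ) ) );
}

function example_check_captcha_first( $user, $username, $password ) {
	// Plain page load or cookie authentication: nothing submitted, nothing to gate.
	if ( empty( $username ) && empty( $password ) ) {
		return $user;
	}
	if ( example_captcha_is_valid() ) {
		return $user; // pass through; core checks the credentials at priority 20
	}
	// Returning a WP_Error is not enough on its own: the priority-20 callbacks
	// would still look the account up and answer with their own
	// "invalid username" / "incorrect password" error, or even a valid user.
	// Unhook them for this request so the credentials are never evaluated.
	remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
	remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
	return new WP_Error( 'example_captcha_failed', 'ERROR: The CAPTCHA answer is incorrect.' );
}
add_filter( 'authenticate', 'example_check_captcha_first', 1, 3 );
```

The `authenticate` filter also serves XML-RPC logins, which carry no CAPTCHA fields, so this gate rejects those requests as well.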

    Dear Crysman,

    Thank you for the information, we are going to study this issue and make the necessary changes.

    BestWebSoft Support Team

  • The topic ‘CAPTCHA is inefficient – form tries to login first, then checks CAPTCHA value’ is closed to new replies.