Title: Plugin issues and suggestions
Last modified: August 20, 2016

---

# Plugin issues and suggestions

 *  [Jacob Schweitzer](https://wordpress.org/support/users/primetimejas/)
 * (@primetimejas)
 * [13 years, 2 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/)
 * Hey guys, great concept, I really want to use it but it is not completely working.
   The pictures show up, I can drag them in the circle and everything, BUT I don’t
   need to. I can login without touching the captcha… Might just be a matter of 
   getting the hooks correct.. but right now it offers no security out of the box
   for me. I’m on WordPress 3.5. I tried two logins, one admin and one regular user
   (thinking maybe I didn’t need the captcha because I was an admin the first time).
 * I’m using BuddyPress, don’t have any other login or registration plugins. I tried
   to add an option in the backend but didn’t understand how to implement that, 
   and I’m a WordPress developer. I’d like to put it on the BuddyPress registration
   page.
 * I’d love to help you with this, I’ve actually already translated most of it to
   Russian language, and modified your code to include the following line for allowing
   translation files (and letting the plugin be translatable):
 * load_plugin_textdomain( 'visualcaptcha', false, dirname( plugin_basename( __FILE__ ) ) . '/languages/' );
 * I put the above line into visualcaptcha.php for translation. I also made the 
   folder /languages/ to hold the language files.
 * I like that the plugin doesn’t require an API like most others, so good job on
   making it accessible. Allowing translation would be one more step to making it
   available to more WordPress users. Adding BuddyPress support would be another
   feature I would expect many people to be searching for. We have been getting 
   spammers signing up and making spammy groups with links in the description.. 
   Please help us implement this properly so we can use this cool thing 🙂

Viewing 9 replies - 1 through 9 (of 9 total)

 *  Plugin Contributor [jmigcosta](https://wordpress.org/support/users/jmigcosta/)
 * (@jmigcosta)
 * [13 years, 2 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541397)
 * hello primetimejas,
    sorry to hear that you are having problems using visualCaptcha
   for WordPress :/ It is kind of difficult to help without seeing the problem 🙂
   but my best guess is that you have a custom login form, or you are using a custom
   template or even that you are using a different script to validate or submit
   the login form.. but it would be great if I could take a look at the problem
   🙂 [I think that BuddyPress has a custom login form and uses different hooks
   to check the login.. I will check it on Monday] here you can find a list of buddyPress
   hooks/actions/filters [http://etivite.com/api-hooks/](http://etivite.com/api-hooks/)
 * To implement a new set of hooks you need to be familiar with wordpress codex
   and know your way around php (and in your case you need to know the ins and outs
   of buddyPress).
    So these are the fields you will need to fill:
    – the “option name” is the name that will appear on the “add visualCaptcha to” list;
    – the “display hook”, well this is the hook where you want to display visualCaptcha;
    – the “validation hook” is the hook/filter/action where visualCaptcha will check
   if the correct option was dragged to the circle.
    – the check box: this is only to remind users that they could crash the wordpress
   installation if they don’t know what they are doing.
    You will need to take a look at the php files from the plugins and find the
   correct hooks (or if so you will need to create new hooks)
 * About the translation, thanks for the code 🙂 We are thinking about doing some
   changes on visualCaptcha to make it easier to customize and to take it to an 
   all new level of security… and we will need to rethink the translation process
   🙂
 * visualCaptcha for wordpress is just taking its first steps, and we are learning
   so much from the feedback we are having. That’s why we would like to sincerely
   thank you for your feedback and your suggestions. They are very important for
   us and will help us build a better plugin.
    cheers
 *  Thread Starter [Jacob Schweitzer](https://wordpress.org/support/users/primetimejas/)
 * (@primetimejas)
 * [13 years, 2 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541461)
 * Hey I still wasn’t able to get it working, here is what I tried. I tried selecting
   the included options. On the login form the captcha appears, I can move the icon
   to the box and everything. But, it doesn’t matter if I do something with the 
   captcha or not, I login with the correct password no matter what the situation.
 * BuddyPress as far as I can tell isn’t using a custom login form or anything,
   and the captcha appears so part of it is working correctly. I think the hook
   for checking/authenticating the captcha is wrong or something is messing with
   it (I have no caching plugins on, this is a local development site I’m testing
   on).
 * Here are the login hooks I found for WordPress:
    login_form
    login_init
    login_form_postpass
    login_form_logout
    login_form_lostpassword
    login_form_retrievepassword
    login_form_resetpass
    login_form_rp
    login_form_register
    login_form_login
 * I know that login_form you are already using for the display hook and that is
   working. But which hook is the default you are using for authentication? Maybe
   the priority of the hook needs to be changed to make it later, it might be an
   issue with that. But it is not authenticating the captcha.
 * Also, here are some hooks I found for the BuddyPress registration page:
    bp_signup_blog_privacy_errors
    bp_after_blog_details_fields
    bp_before_registration_submit_buttons
    bp_after_registration_submit_buttons
    template_notices
    bp_before_registration_confirmed
    bp_after_registration_confirmed
    bp_custom_signup_steps
    bp_after_register_page
 * Those are the order in which they load on the BP registration page. I think adding
   BP support would help the popularity of your plugin if you added it by default.
 * I also tested by adding my own option like this:
    name: loginoption
    display hook: login_form_login
    validation hook: login_init
 * Then disabled all the other default options to only test the option I created.
 * Hope that helps you..
 *  Plugin Contributor [jmigcosta](https://wordpress.org/support/users/jmigcosta/)
 * (@jmigcosta)
 * [13 years, 2 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541463)
 * hello primetimejas,
    sorry for the delay..
 * primetimejas I just installed wordpress 3.4 and 3.5 (with visualCaptcha and BuddyPress)
   and they are working correctly out of the box without any kind of manipulation required.
 * Please check these questions and send me some feedback on them:
 * 1 – please confirm what your buddypress theme is:
    /wp-content/plugins/buddypress/bp-themes/
 * 2 – do you have JS errors on your login page?
 * 3 – You say: “BuddyPress as far as I can tell isn’t using a custom login form
   or anything”. In standard wordpress there is only one login form; Buddypress implements
   more login types, for example the sidebar login. We are talking about the wp-login
   login, right?
 * 4 – please install the hook sniffer and check the hook sequence
    [http://wordpress.org/extend/plugins/wordpress-hook-sniffer/](http://wordpress.org/extend/plugins/wordpress-hook-sniffer/)
   for login we are using the authenticate filter so please check if this filter
   is used. it should be something like this: “Firing Sequence [number]: authenticate --> visualcaptcha_do_filter”
 * My best guess about your problem is that you have some kind of custom script that
   doesn’t respect the wp hook sequence or some script that is not standard.
    cheers
 *  Thread Starter [Jacob Schweitzer](https://wordpress.org/support/users/primetimejas/)
 * (@primetimejas)
 * [13 years, 2 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541464)
 * Hey I’m happy to report I got it working.
 * Thanks for that tip on the hook sniffer, that plugin actually works still even
   in WordPress 3.5.1 .
 * Here is what I found with the hook sniffer:
    add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 )
    add_filter( 'authenticate', 'visualcaptcha_do_filter', 1000, 3 )
    add_filter( 'authenticate', 'bp_core_boot_spammer', 30 )
    add_filter( 'authenticate', 'bp_core_signup_disable_inactive', 30 )
    add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 )
 * Firing Sequence 99: authenticate --> wp_authenticate_username_password --> Time fired: 1363549456.2313
    Firing Sequence 100: authenticate --> bp_core_boot_spammer --> Time fired: 1363549456.2315
    Firing Sequence 101: authenticate --> bp_core_signup_disable_inactive --> Time fired: 1363549456.2315
    Firing Sequence 102: authenticate --> wp_authenticate_cookie --> Time fired: 1363549456.2316
    Firing Sequence 103: authenticate --> visualcaptcha_do_filter --> Time fired: 1363549456.2317
 * So here was my solution.. The visualcaptcha is firing at priority 1000, so I 
   changed it to before any of the other ones at priority 10.
 * visualcaptcha.php line 34
    BEFORE:
    add_filter( $visualcaptcha_hook_data[ 'filter' ], 'visualcaptcha_do_filter', 1000, 3 );
 * AFTER:
    add_filter( $visualcaptcha_hook_data[ 'filter' ], 'visualcaptcha_do_filter', 10, 3 );
 * Do you think that is too early to check the captcha or? Maybe it should go after
   the WordPress username/password authentication? I’m not sure.. There might be
   other spam blocking plugins and such that check pretty early so you have to get
   your captcha check in before them as well, it is a bit tricky indeed.
 * Thank you very much, brother! I appreciate it, thanks 🙂
 *  Plugin Contributor [jmigcosta](https://wordpress.org/support/users/jmigcosta/)
 * (@jmigcosta)
 * [13 years, 2 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541465)
 * great! glad I could help 🙂
    visualCaptcha is using a low priority [1000] because
   (in my point of view) it should be the last thing to be checked. First we should
   look if it is a valid user and pass and then we should check if the visualCaptcha
   is correct or not 🙂 but this really depends on the way the developer wants to
   work.
 * In my opinion you should use 99 instead of 10 (as the priority) right before
   the “bp_core_boot_spammer”. This way visualCaptcha will only work if we are processing
   a valid user request. But you can also leave it before the “wp_authenticate_username_password”
   and protect the login from attacks. that is really up to you 🙂
 * The problem was the bp_** filters. They have some sort of redirection that
   is not present on my local test installations. Sorry for not spotting it, but
   I don’t have that problem on my local server :/
 * primetimejas sincerely thank you for your feedback and for presenting us this
   problem, we will consider using a different priority level in the future.
 * Thanks a lot! Whenever you think we can help, just ask.
    cheers
 *  [Jason](https://wordpress.org/support/users/larceniii/)
 * (@larceniii)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541526)
 * > great! glad I could help 🙂
   > visualCaptcha is using a low priority [1000]
   > because (in my point of view) it should be the last thing to be checked. First
   > we should look if it is a valid user and pass and then we should check if the
   > visualCaptcha is correct or not 🙂 but this really depends on the way the
   > developer wants to work.
 * The real security issue with that is the attacker can fail the captcha forever
   while guessing passwords and get a different message once they’ve guessed
   the right password. Then they can manually solve the captcha once they know the
   password.
 * Recently there was a massive attack on wordpress sites using weak passwords. 
   Many with captchas should have been harder to crack because the captcha is supposed
   to slow down the bots. In this case it would allow an automated attack to discover
   the admin’s password.
 * And yes, I’m SURE of it. The priority should be increased.
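The ordering problem Jason describes above, as an added example that is not part of the original thread and is not visualCaptcha or WordPress core code: a simplified PHP model of a priority-ordered `authenticate` chain. Handler names, messages and the test account are constructed; with the captcha unsolved, the late-captcha chain answers differently for a wrong and a correct password, while the captcha-first chain returns one generic error and never evaluates the password.

```php
<?php
// Simplified model of a priority-ordered 'authenticate' chain.
// Everything here is constructed for illustration (assumed names and messages).

const USERS = ['admin' => 'correct horse']; // constructed test account

// Password handler (priority 20 in the thread's hook list).
function check_password($result, array $req) {
    if ($result !== null) {
        return $result; // an earlier handler already decided
    }
    $ok = array_key_exists($req['user'], USERS)
        && hash_equals(USERS[$req['user']], $req['pass']);
    return $ok ? 'OK' : 'ERROR: wrong password';
}

// Captcha as the last check (priority 1000): only reached with the password verdict.
function captcha_last($result, array $req) {
    if ($result !== 'OK') {
        return $result; // the password error is what the client sees
    }
    return $req['captcha_ok'] ? 'OK' : 'ERROR: captcha failed';
}

// Captcha as the first check (priority 10): rejects before the password is read.
function captcha_first($result, array $req) {
    return $req['captcha_ok'] ? $result : 'ERROR: login failed';
}

// Run the handlers in ascending priority order.
function authenticate(array $chain, array $req) {
    ksort($chain);
    $result = null;
    foreach ($chain as $handler) {
        $result = $handler($result, $req);
    }
    return $result;
}

// True when, with the captcha unsolved, the response reveals whether the password was right.
function leaks_password(array $chain) {
    $base  = ['user' => 'admin', 'captcha_ok' => false];
    $wrong = authenticate($chain, $base + ['pass' => 'guess']);
    $right = authenticate($chain, $base + ['pass' => 'correct horse']);
    return $wrong !== $right;
}

var_dump(leaks_password([20 => 'check_password', 1000 => 'captcha_last'])); // captcha last
var_dump(leaks_password([10 => 'captcha_first', 20 => 'check_password']));  // captcha first
```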
 *  Plugin Contributor [jmigcosta](https://wordpress.org/support/users/jmigcosta/)
 * (@jmigcosta)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541527)
 * hey Jason,
    Nice point there. I would never imagine that there could be a brute
   force attack on the web. To be honest, in most of the cases there are easier ways
   to hack a site, and they don’t involve passwords.
 * By the way, brute force bots don’t go through the normal login process: they just
   post passwords to the server and wait for the success redirection. If they used
   the form, they would blow out the server resources (due to the massive requests)
   and doing that they would kill the site.
    So I am really sure that the bots don’t
   even read the error messages..
 * I will increase the priority ASAP.
    Thank you for your comment
    cheers
 *  [Jason](https://wordpress.org/support/users/larceniii/)
 * (@larceniii)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541530)
 * > I would never imagine that there could be a brute force attack on the web.
   > To be honest, in most of the cases there are easier ways to hack a site, and
   > they don’t involve passwords.
 * Actually, a dictionary attack is the most popular attack on wordpress 🙁
 * I have the log files to prove it!
 * Also, this: [http://www.forbes.com/sites/anthonykosner/2013/04/13/wordpress-under-attack-how-to-avoid-the-coming-botnet/](http://www.forbes.com/sites/anthonykosner/2013/04/13/wordpress-under-attack-how-to-avoid-the-coming-botnet/)
 * > Ditch The Admin Username: The attackers are in possession of 90,000 IP addresses
   > from which they are trying to crack the default “admin” accounts on WordPress
   > installations. So if you are still using “admin,” create a new user with admin
   > privileges (you will need to use a different email address than the one attached
   > to the current admin) and give it a strong password as defined above. Then
   > log back in as the new user and delete the old admin account and assign all
   > of the posts in that account to the new user. Five minutes, tops.
 * I would love the captcha to be ajaxed to prevent the form from even posting
   IMO with a refresh button to manually grab a new captcha to solve.
 *  [Jason](https://wordpress.org/support/users/larceniii/)
 * (@larceniii)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541531)
 * > By the way, brute force bots don’t go through the normal login process: they
   > just post passwords to the server and wait for the success redirection. If
   > they used the form, they would blow out the server resources (due to the massive
   > requests) and doing that they would kill the site.
   > So I am really sure that the bots don’t even read the error messages..
 * [http://ubotstudio.com/index2](http://ubotstudio.com/index2)
 * In setting up the process, they actually outline how to read the messages to
   see the reply you desire. I could set one up to look for a screen that says
   “captcha failed” without “wrong password” without any programming


The topic ‘Plugin issues and suggestions’ is closed to new replies.


 * 9 replies
 * 3 participants
 * Last reply from: [Jason](https://wordpress.org/support/users/larceniii/)
 * Last activity: [12 years, 10 months ago](https://wordpress.org/support/topic/plugin-issues-and-suggestions/#post-3541531)
 * Status: not resolved