reCAPTCHA Plugin 2.8 Preview (29 posts)

  1. BlaenkDenum
    Posted 8 years ago #

    Hey guys! I'm developing the next version of the official reCAPTCHA plugin. As most of you know, reCAPTCHA is a clever CAPTCHA method in which words that industry level OCR scanners couldn't read are used to construct the CAPTCHAs (Meaning that home-made spam bots who also use OCR libraries to try to read the CAPTCHAs will have a harder time if not impossible). There are many libraries and plugins available for reCAPTCHA and I'm working on the WordPress one.

    It is available here. If you want to install it to try it out (Like I said this isn't the final release yet) and already have the old reCAPTCHA plugin (Version 2.7 or below), the folder is named differently so you can simply upload this one, disable the old one and then enable this one (They also use different options variables so there won't be any conflicts as far as that goes).

    I have added a whole ton of new features to this new version so far and I would really like to know what you guys think: suggestions, criticisms, whatever. You can find more information about the plugin here. Aside from having the ability to show reCAPTCHA for comment spam protection and for registration spam protection, there is also the ability to hide emails from spammers using MailHide, a spam protection method also by reCAPTCHA.

    This is NOT the final version of the plugin but I would like you guys to try it out if you don't mind to tell me what you think.

    Included Stylesheet
    Among the few things that I have yet to work out are whether or not I should include a separate stylesheet for this plugin. I believe that having a separate stylesheet for this plugin (The one included in the plugin folder, recaptcha.css) is more intuitive since users will be able to easily edit it, after all it's not that big or complicated. Ben Maurer, the software architect for reCAPTCHA that contacted me to write this plugin, thinks that it will just create more overhead and a performance impact. I know it will, but I believe that considering the trade-off between intuitiveness and the small overhead (Again it's a small stylesheet), it will be negligible.

    Among the things included in the stylesheet are the styling of the classes which are (1) applied to hidden emails (If MailHide is enabled), (2) incorrect CAPTCHA notification, (3) styling of the registration form for when reCAPTCHA is to be shown there, and finally (4) the administration options. I believe 3 and 4 can be inlined (Like he wants) without any or little implications on user freedom (To style it how they want) but the reason I didn't inline them was because some XHTML Standards-knowing people advised me against it. For 1 and 2 I can simply apply the class and explain somewhere which classes can style what so that they can edit their own theme's stylesheet. I'm already doing this for the hidden email styling class emailrecaptcha, I'm stating it in the administration options.

    What do you guys think I should do: Not include the separate stylesheet for styling anything reCAPTCHA related all in one spot or not include it to remove any overhead that might occur (On my blog there seems to be none at all).

    Cross Site Scripting (XSS)
    For the MailHide sections I use regular expressions to scan for emails and hide them accordingly. Ben Maurer states:

    Apostrophes are allowed in email matching regex for MailHide, can it be used to escape out of Javascript?

    Unfortunately (And embarrassingly) I'm no expert in XSS and so I'd like to ask for your help. The regular expressions start at line 134 in function mh_insert_email. I did change the regular expressions after he told me this but I don't know if they're still vulnerable. I ran a vulnerability scanner on it by Acunetix and it didn't find any risks, but I don't know how reliable that is.

    Thanks again and sorry for the long post. Please tell me what you think!
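
The apostrophe question raised in the post above, as an added example that is not the plugin's code: a legitimate address containing an apostrophe is enough to end a single-quoted JavaScript string early, and encoding for each output context in turn prevents that. The pattern `EMAIL_RE`, the `show()` handler and the link markup are assumptions, since the plugin's own regular expressions and output are not shown on this page.

```php
<?php
// Added example; not the plugin's code. The pattern and markup are assumptions.

// Constructed pattern that, like the one questioned above, allows an
// apostrophe in the local part of the address.
const EMAIL_RE = "/[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/";

// Unsafe: the matched text is pasted into a single-quoted JavaScript string
// that itself sits inside an HTML attribute. The input decides where the
// string literal ends.
function link_unsafe(string $email): string {
    return "<a href=\"#\" onclick=\"show('" . $email . "'); return false;\">email</a>";
}

// Safer: encode for the JavaScript string context first, then for the HTML
// attribute context. The JSON_HEX_* flags turn ', ", <, > and & into \uXXXX.
function link_encoded(string $email): string {
    $js   = json_encode($email, JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP);
    $call = 'show(' . $js . '); return false;';
    return '<a href="#" onclick="' . htmlspecialchars($call, ENT_QUOTES, 'UTF-8') . '">email</a>';
}

// Replace every address in $text with the link produced by $build.
function rewrite(string $text, callable $build): string {
    return preg_replace_callback(EMAIL_RE, function (array $m) use ($build) {
        return $build($m[0]);
    }, $text);
}

$sample = "Contact o'brien@example.com for details."; // constructed input
echo rewrite($sample, 'link_unsafe'), "\n";
echo rewrite($sample, 'link_encoded'), "\n";
```

Tightening the pattern alone only narrows what reaches the output; the encoding step is what keeps the value inside the string whatever the pattern lets through.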

  2. BlaenkDenum
    Posted 8 years ago #

    Nobody has anything to say?

  3. CrisBloomfield
    Posted 8 years ago #

    Nice! This is exactly what I was looking for (primarily to have some protection at the user registration stage) so I've just upgraded to it. One or two issues from my perspective both appear to relate to the user registration integration:

    1. Changing the theme doesn't appear to make any difference on this page (although it does at the add comments integration). You only ever get the red reCAPTCHA window on the user reg page.

    [EDIT for screen shot links]

    2. Using OSX with Firefox ( when you view the registration page the reCAPTCHA window is being pushed out of line. In Safari there is a more significant issue - it's a blackout :(





    Great work though - apart from these cosmetic issues it appears to be working great!

  4. BlaenkDenum
    Posted 8 years ago #

    Someone at the mailing list [ http://groups.google.com/group/recaptcha/browse_thread/thread/dc9930c654b835cb ] has asked me to implement an option to make it so that the reCAPTCHA form ONLY shows up on the registration page, I'll work on that next.

    1. I know, the reason is that I'm making the login div wide enough to accommodate the recaptcha otherwise it wouldn't fit (Like the problem you're having in number two, which has been fixed for the red recaptcha by the way). Every recaptcha theme is a different width meaning it'd be difficult to change the widths automatically. I can probably allow the theme switching and put in preset widths in a comment in the stylesheet for different themes until I figure out how to do it automatically. Besides, not all of the recaptcha forms look good on that registration page anyways, but if you want I'll do it.

    2. Yeah they were path problems, sorry about that, I've fixed it and I will release a new version once I fix these bugs.

    Thanks for the feedback I appreciate it!

  5. CrisBloomfield
    Posted 8 years ago #

    Sweet. I look forward to the next release with some fixes and new bits in...

  6. BlaenkDenum
    Posted 8 years ago #

    Hey CrisBloomfield, I've fixed the problems you had and implemented the features you wanted. You can get the new version and read about the changes here. Let me know what you think please! Thanks and I hope you like it!

  7. CrisBloomfield
    Posted 8 years ago #

    Uploaded RC2. It's fixed the issues in Firefox and Safari, but I'm still getting spammed. I couldn't work out why that was happening, so I ran some tests and it turns out that you can complete the registration for the blog without actually completing the reCAPTCHA fields!

  8. CrisBloomfield
    Posted 8 years ago #

    Actually, I've found another little thing. It's doing some weird stuff in the HTML header:

    <link rel="stylesheet" type="text/css" href="http://rothar.com/words/wp-content/plugins/recaptcha/recaptcha.css">      <style>
             #login {
                width: 358px !important;
             #login a {
                text-align: center;
          </style><style type="text/css" media="screen">.gmnoscreen{display:none}</style><style type="text/css" media="print">.gmnoprint{display:none}</style></head><body>;

    It's adding in that extra ; at the end of the body tag for some reason...

  9. BlaenkDenum
    Posted 8 years ago #

    Wow that's a huge problem. So this is when you have comment spam protection turned on (You can actually see it on the comments page) and you're logged out or you're logged in but without the 'Admins don't have do to captcha' option set? Please take a screenshot of your configuration or tell me it so I can debug it. That's a really serious problem though, I'm surprised no one else has told me about it.

    For the styling, that's correct, it actually should do that (It's for the registration form). The problem that I do recognize though is that it should only appear on the registration form, I will fix this shortly.

    Please give me more information on your first problem so I can quickly fix it! Thanks for the feedback Cris!

  10. BlaenkDenum
    Posted 8 years ago #

    Yeah I've just tried it myself and it didn't work (That is, I tried to post a comment without filling in the captcha fields) I would have to know what configuration you're using to properly debug this. So I would really appreciate it if you could please tell me what options you have on/off etc.

  11. BlaenkDenum
    Posted 8 years ago #

    Hey Cris. I've released a new version which fixes the semicolon in the styling (As well as an SSL problem but that shouldn't apply to you). Anyways, please install it and clear your cache both in WP if you have one and your browser, then set it up and see if the problem that you had with comments being able to be posted without fulfilling the captcha is still there. If it is, please tell me what your entire options are or take a screenshot of them (If you can, blank out the keys, I don't need those, just make sure you really did fill them in of course) and give me a link. I would very much appreciate it. Thanks!

  12. BlaenkDenum
    Posted 8 years ago #

    Heh, I forgot to give you the download link. You can download Release Candidate 3 here.

  13. CrisBloomfield
    Posted 8 years ago #

    Installed the latest release. The semicolon issue is fixed.

    The latest release has screwed up the styling for both the admin page - shifting everything to the right (see screenshot in link below) and has undone the work achieved in RC2 in terms of the integration of the different reCAPTCHA windows into the registration page.

    You can still register for the site without completing the reCAPTCHA window. I haven't tested whether you can post comments without filling that in but then I'm not that interested in that functionality.

    Configuration screenshot: http://rothar.com/images/content/recaptcha3.jpg

  14. BlaenkDenum
    Posted 8 years ago #

    The fact that it shifts everything to the right is how it is supposed to be (If you had a wider screen/resolution you would actually see that it's centered. It should be centered no matter what, don't know why it's not). I fixed the integration of different windows thing (Should be forms not windows). You meant that it would overflow out of the login form right? I fixed that.

    As for registering without completing the recaptcha window, I'm really intrigued, I don't know how or why. I've tried it on my site and that doesn't happen.

    EDIT: Here, I've updated it you can get RC4 here. I've fixed some things relating to the registration form, hopefully you don't get that bug of being able to bypass it anymore. I honestly have no idea how that's happening, go ahead and try it though. You're running 2.5+ right?

  15. CrisBloomfield
    Posted 8 years ago #

    WordPress 2.5.1
    OSX 10.5.2

    Will test RC4 this evening and post the results here.

  16. CrisBloomfield
    Posted 8 years ago #

    RC4 installed. All the stylesheet/appearance issues are ironed out. Problem, quite fundamentally - it still don't work :(

    You can sign up for an account on the blog without completing the reCAPTCHA form. You can just leave the reCAPTCHA text box blank and complete the registration or you can type in any old words. No errors or checks, it just signs people up. This happens in all the web browsers I've tested.

    However I tried it in IE for the first time today. You do get something different in IE in comparison to Firefox. Links to the screenshots below. The whole having to copy and paste a block of text between text boxes was rather exciting ;-)



    Interestingly, despite being set to display the clean theme, it's showing the red theme in IE.

  17. BlaenkDenum
    Posted 8 years ago #

    This is really weird. Might proxies have anything to do with it? Is the server or you behind any type of proxy? And yeah I've already signed up at your blog with a different address and it did indeed work. I thought it might have something to do with plugin priorities. Do you mind, please, listing all the activated plugins you have running? I don't need an extensive description of each, just a text list of the names. I would like to see if any of them have any participation in the registration form. Also, that you know of, do any of them have anything to do with the registration form/process other than this plugin? Either way I would like to have the list. Thanks and sorry for the trouble! I am really confused seeing as how others are using it for exactly the same reason you are and they don't seem to be having any problems.

    Do you by any chance have abnormal settings in your browser? i.e. turned off javascript, etc. Sorry once again for the problem, I will continue to investigate.

  18. CrisBloomfield
    Posted 8 years ago #

    The webserver is hosted in a conventional manner. I don't believe it is proxied.


    Dean's Permalinks Migration 1.0
    dTabs 1.2.2
    Get Custom Field Values 2.1
    Inline Google Maps 5.10
    Nice Archive 1.4
    reCAPTCHA 2.8
    Spam Karma 2 - Reloaded 2.1 b4
    WP-Cron 1.4

    I don't believe any of these have an impact on registration.

    The problem (being able to register for the blog without completing the reCAPTCHA) is apparent in a range of Browsers (IE on Windows, Firefox/Safari on OSX). There are no special settings on any of them.

    When I tested it in IE it does work in the sense that you can complete a registration using the reCAPTCHA box, but also you can complete the registration just by leaving it blank too.

  19. BlaenkDenum
    Posted 8 years ago #

    Hey if you could respond a little quicker I would really appreciate it, maybe you can give me your email address? Mine is jorg...@gmail.com (Click the three dots to reveal it).

    I have updated it. First disable reCAPTCHA and remove the recaptcha folder in your plugins folder. This new version (RC5) is now wp-recaptcha so it'll be a different folder.

    Anyways, this time it should at least check for when the user leaves the field completely blank. It's working on my site try for yourself. If not, then the problem will be that it's not even hooking onto those actions or something, or something is conflicting with it. I will continue to investigate, let me know how it goes.

    You can get the new version, RC5, here.

  20. BlaenkDenum
    Posted 8 years ago #

    IGNORE THE ABOVE POST: Only the part about RC5. Do take into consideration everything else including the email. The installation process is the same as for RC5 though, meaning you have to disable recaptcha and delete it then upload this one (wp-recaptcha).

    Instead get RC6. If this doesn't fix it, I don't know what will. It should now check for both if you leave it empty and if it's wrong. It's always worked for me but this new way uses a different hook (registration_errors) hopefully this works fine, if not please let me know!

    Get RC6.
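
The registration bypass reported in this thread (sign-up succeeds with a blank or wrong CAPTCHA) comes down to the server-side check not rejecting by default. The following is an added example, not the plugin's code, of a fail-closed check of the kind a `registration_errors` callback would perform; `SimpleErrors`, `check_registration_captcha`, the `$verify` callable, `my_verify` and the form field names are assumptions made so the file runs without WordPress.

```php
<?php
// Added example; not the plugin's code. SimpleErrors stands in for WordPress's
// WP_Error so the file runs offline; $verify stands in for the reCAPTCHA call.

class SimpleErrors {
    public $errors = array();
    public function add($code, $message) { $this->errors[$code][] = $message; }
}

// Fail closed: any path that does not end in a positive verification adds an
// error, so a blank field, a missing field or a verifier fault blocks sign-up.
function check_registration_captcha($errors, array $post, callable $verify) {
    // Field names are assumed, not taken from the plugin.
    $challenge = isset($post['recaptcha_challenge_field']) ? trim((string) $post['recaptcha_challenge_field']) : '';
    $response  = isset($post['recaptcha_response_field']) ? trim((string) $post['recaptcha_response_field']) : '';

    if ($challenge === '' || $response === '') {
        $errors->add('blank_captcha', 'Please complete the reCAPTCHA.');
        return $errors;
    }
    try {
        $ok = ($verify($challenge, $response) === true);
    } catch (Exception $e) {
        $ok = false; // verification unavailable: reject rather than wave through
    }
    if (!$ok) {
        $errors->add('captcha_wrong', 'That reCAPTCHA response was incorrect.');
    }
    return $errors;
}

// In WordPress this would be attached roughly as:
//   add_filter('registration_errors', function ($errors) {
//       return check_registration_captcha($errors, $_POST, 'my_verify');
//   });
// where my_verify is a hypothetical wrapper around the reCAPTCHA library.

// Constructed verifier and submissions: blank, wrong, fault, missing, correct.
$verify = function ($challenge, $response) {
    if ($response === 'boom') { throw new Exception('timeout'); }
    return $response === 'correct words';
};
$cases = array(
    'blank'   => array('recaptcha_challenge_field' => 'c1', 'recaptcha_response_field' => ''),
    'wrong'   => array('recaptcha_challenge_field' => 'c1', 'recaptcha_response_field' => 'any old words'),
    'fault'   => array('recaptcha_challenge_field' => 'c1', 'recaptcha_response_field' => 'boom'),
    'missing' => array(),
    'correct' => array('recaptcha_challenge_field' => 'c1', 'recaptcha_response_field' => 'correct words'),
);
foreach ($cases as $name => $post) {
    $e = check_registration_captcha(new SimpleErrors(), $post, $verify);
    echo str_pad($name, 8), empty($e->errors) ? 'registered' : 'rejected: ' . implode(',', array_keys($e->errors)), "\n";
}
```

Posting the registration form directly with the CAPTCHA fields left out, as the `missing` case does, is the regression test worth keeping for this bug, because it does not depend on what the browser renders.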

  21. CrisBloomfield
    Posted 8 years ago #

    Fixed :)

    Thanks for all the hard work!

  22. BlaenkDenum
    Posted 8 years ago #

    Awesome! Now I can go live! :D I was getting worried there haha. Alright cool, no problem man! The plugin's page is at http://www.blaenkdenum.com/wp-recaptcha/ and on WordPress.Org it will be available at: http://wordpress.org/extend/plugins/wp-recaptcha/

  23. KodeStar
    Posted 8 years ago #

    Hi, I'm using WordPress 2.5.1 and have installed reCAPTCHA 2.8.1. I have input the keys, but the form doesn't show up in the comments area and you can't submit comments. Any ideas? :(

  24. KodeStar
    Posted 8 years ago #

    Interesting, I changed to the WordPress default theme and it shows up, but not in the theme I use :(

  25. KodeStar
    Posted 8 years ago #

    OK, the theme I use didn't have <?php do_action('comment_form', $post->ID); ?> before the end of the form </form>, so I added it and reCAPTCHA showed up. Might be worth adding that to the documentation :)

  26. BlaenkDenum
    Posted 8 years ago #

    @KodeStar: Thanks, I didn't check this thread until now. I'm glad you were able to figure it out on your own and I will add it to the documentation since I figured that most if not all themes had that. I will though, thanks again for the heads up!

  27. Stephen Rider
    Posted 8 years ago #

    Thoughts on recaptcha plugin in general:

    Regarding making the CSS a separate stylesheet but avoiding the performance hit: I would suggest making it a separate file, but then using PHP to insert its contents directly into the <head> of the page. That's if you want to avoid the hit from the additional HTTP request.

    (I'm trying to figure out a similar issue with a plugin of mine that includes _two_ stylesheets!)

    Separately, I take issue with the fact that you think you can either be XHTML compliant _or_ require JavaScript. You can do both if the JavaScript degrades gracefully. (I assume the XHTML non-compliance involves a "target" attribute?)

    You can make it so that if there is no JavaScript, clicking the Submit actually takes you to a separate page with the Captcha. Yes, a popup is cleaner, but that's my point -- JS can make things neater, but is not required for basic function.

    Otherwise a great plugin!

    If I had the know-how I would make a Recaptcha plugin for Spam Karma :)

  28. BlaenkDenum
    Posted 8 years ago #

    The reason it's either no XHTML compliance or no support for non-Javascript users is not really in my hands as far as I know. I didn't write recaptchalib.php but I had to modify it to be XHTML compliant. Basically recaptchalib uses an iframe to display the form if Javascript is disabled, and according to the XHTML 1.0 Strict validator, iframe isn't a valid tag :( Take a look at recaptchalib.php starting on line 123 to see what I mean. If you know a way around this or something please let me know.

    As for the head idea, that's a possibility but I think that'd be too messy, I'd have to ask more people what they think about that first, thanks for the idea though.

  29. Anonymous
    Posted 8 years ago #

    I believe there is a way to get both XHTML (1.0 Transitional) compliance [the iframe does prevent validating XHTML 1.0 Strict] and save functionality for non-Javascript users. I've detailed it here:

    Making the reCAPTCHA WordPress Plugin Validate

    This solution is out of the plugin developer's hands, however: it requires changes to both the plugin itself and the WordPress comments template.

    Hope this helps somebody.

Topic Closed

This topic has been closed to new replies.
