reCAPTCHA Plugin 2.8 Preview

  • Hey guys! I’m developing the next version of the official reCAPTCHA plugin. As most of you know, reCAPTCHA is a clever CAPTCHA method in which words that industry level OCR scanners couldn’t read are used to construct the CAPTCHAs (Meaning that home-made spam bots who also use OCR libraries to try to read the CAPTCHAs will have a harder time if not impossible). There are many libraries and plugins available for reCAPTCHA and I’m working on the WordPress one.

    It is available here. If you want to install it to try it out (Like I said this isn’t the final release yet) and already have the old reCAPTCHA plugin (Version 2.7 or below), the folder is named differently so you can simply upload this one, disable the old one and then enable this one (They also use different options variables so there won’t be any conflicts as far as that goes).

    I have added a whole ton of new features to this new version so far and I would really like to know what you guys think: suggestions, criticisms, whatever. You can find more information about the plugin here. Aside from having the ability to show reCAPTCHA for comment spam protection and for registration spam protection, there is also the ability to hide emails from spammers using MailHide, a spam protection method also by reCAPTCHA.

    This is NOT the final version of the plugin but I would like you guys to try it out if you don’t mind to tell me what you think.

    Included Stylesheet
    Among the few things that I have yet to work out are whether or not I should include a separate stylesheet for this plugin. I believe that having a separate stylesheet for this plugin (The one included in the plugin folder, recaptcha.css) is more intuitive since users will be able to easily edit it, after all it’s not that big or complicated. Ben Maurer, the software architect for reCAPTCHA that contacted me to write this plugin, thinks that it will just create more overhead and a performance impact. I know it will, but I believe that considering the trade-off between intuitiveness and the small overhead (Again it’s a small stylesheet), it will be negligible.

    Among the things included in the stylesheet are the styling of the classes which are (1) applied to hidden emails (If MailHide is enabled), (2) incorrect CAPTCHA notification, (3) styling of the registration form for when reCAPTCHA is to be shown there, and finally (4) the administration options. I believe 3 and 4 can be inlined (Like he wants) without any or little implications on user freedom (To style it how they want) but the reason I didn’t inline them was because some XHTML Standards-knowing people advised me against it. For 1 and 2 I can simply apply the class and explain somewhere which classes can style what so that they can edit their own theme’s stylesheet. I’m already doing this for the hidden email styling class emailrecaptcha, I’m stating it in the administration options.

    What do you guys think I should do: Not include the separate stylesheet for styling anything reCAPTCHA related all in one spot or not include it to remove any overhead that might occur (On my blog there seems to be none at all).

    Cross Site Scripting (XSS)
    For the MailHide sections I use regular expressions to scan for emails and hide them accordingly. Ben Maurer states:

    Apostrophes are allowed in email matching regex for MailHide, can it be used to escape out of Javascript?

    Unfortunately (And embarrassingly) I’m no expert in XSS and so I’d like to ask for your help. The regular expressions start at line 134 in function mh_insert_email. I did change the regular expressions after he told me this but I don’t know if they’re still vulnerable. I ran a vulnerability scanner on it by Acunetix and it didn’t find any risks, but I don’t know how reliable that is.

    Thanks again and sorry for the long post. Please tell me what you think!
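
The apostrophe question raised in the opening post, worked through as an added example that is not part of the thread or the plugin's code. It assumes the matched address is written into a single-quoted JavaScript string inside an `onclick` attribute; the `reveal()` handler and the regex are hypothetical stand-ins, not the ones in `mh_insert_email`.

```php
<?php
// Added example, not the plugin's code. Assumption: the matched address ends up
// inside a single-quoted JavaScript string in an onclick="" attribute.

// Hypothetical matcher that, like the one discussed, accepts apostrophes.
const EMAIL_RE = "/[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}/";

// Before: raw interpolation. An apostrophe in the address ends the JS string early.
function link_naive(string $email): string {
    return "<a href=\"#\" onclick=\"reveal('$email'); return false;\">show</a>";
}

// Still wrong: HTML-escaping alone. The browser decodes &#039; back to ' before
// the attribute value is handed to the JavaScript engine.
function link_html_only(string $email): string {
    $e = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    return "<a href=\"#\" onclick=\"reveal('$e'); return false;\">show</a>";
}

// After: encode for JavaScript first (json_encode emits a quoted literal and the
// JSON_HEX_* flags turn ' " < > & into \uXXXX), then for the HTML attribute.
function link_safe(string $email): string {
    $js = json_encode($email, JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP);
    $attr = htmlspecialchars("reveal($js); return false;", ENT_QUOTES, 'UTF-8');
    return "<a href=\"#\" onclick=\"$attr\">show</a>";
}

// What the JS engine receives: the onclick value after HTML entity decoding.
function js_seen_by_browser(string $html): string {
    preg_match('/onclick="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$text = "Contact o'brien@example.com for details."; // constructed sample input
preg_match(EMAIL_RE, $text, $m);
foreach (['link_naive', 'link_html_only', 'link_safe'] as $fn) {
    $js = js_seen_by_browser($fn($m[0]));
    // An odd number of apostrophes means the string literal was cut short.
    printf("%-15s %d apostrophes  %s\n", $fn, substr_count($js, "'"), $js);
}
```

Inside WordPress the same two-step encoding is what `esc_js()` followed by `esc_attr()` is for; tightening the regex alone does not remove the need to encode at output.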

Viewing 15 replies - 1 through 15 (of 28 total)
  • Nobody has anything to say?

    Nice! This is exactly what I was looking for (primarily to have some protection at the user registration stage) so I’ve just upgraded to it. One or two issues from my perspective both appear to relate to the user registration integration:

    1. Changing the theme doesn’t appear to make any difference on this page (although it does at the add comments integration). You only ever get the red reCAPTCHA window on the user reg page.

    [EDIT for screen shot links]

    2. Using OSX with Firefox ( when you view the registration page the reCAPTCHA window is being pushed out of line. In Safari there is a more significant issue – it’s a blackout 🙁


    Great work though – apart from these cosmetic issues it appears to be working great!

    Someone at the mailing list [ ] has asked me to implement an option to make it so that the reCAPTCHA form ONLY shows up on the registration page, I’ll work on that next.

    1. I know, the reason is that I’m making the login div wide enough to accommodate the recaptcha otherwise it wouldn’t fit (Like the problem you’re having in number two, which has been fixed for the red recaptcha by the way). Every recaptcha theme is a different width meaning it’d be difficult to change the widths automatically. I can probably allow the theme switching and put in preset widths in a comment in the stylesheet for different themes until I figure out how to do it automatically. Besides, not all of the recaptcha forms look good on that registration page anyways, but if you want I’ll do it.

    2. Yeah they were path problems, sorry about that, I’ve fixed it and I will release a new version once I fix these bugs.

    Thanks for the feedback I appreciate it!

    Sweet. I look forward to the next release with some fixes and new bits in…

    Hey CrisBloomfield, I’ve fixed the problems you had and implemented the features you wanted. You can get the new version and read about the changes here. Let me know what you think please! Thanks and I hope you like it!

    Uploaded RC2. It’s fixed the issues in Firefox and Safari, but I’m still getting spammed. I couldn’t work out why that was happening, so I ran some tests and it turns out that you can complete the registration for the blog without actually completing the reCAPTCHA fields!

    Actually, I’ve found another little thing. It’s doing some weird stuff in the HTML header:

    <link rel="stylesheet" type="text/css" href="">      <style>
             #login {
                width: 358px !important;
             #login a {
                text-align: center;
          </style><style type="text/css" media="screen">.gmnoscreen{display:none}</style><style type="text/css" media="print">.gmnoprint{display:none}</style></head><body>;

    It’s adding in that extra ; at the end of the body tag for some reason…

    Wow that’s a huge problem. So this is when you have comment spam protection turned on (You can actually see it on the comments page) and you’re logged out or you’re logged in but without the ‘Admins don’t have do to captcha‘ option set? Please take a screenshot of your configuration or tell me it so I can debug it. That’s a really serious problem though, I’m surprised no one else has told me about it.

    For the styling, that’s correct, it actually should do that (It’s for the registration form). The problem that I do recognize though is that it should only appear on the registration form, I will fix this shortly.

    Please give me more information on your first problem so I can quickly fix it! Thanks for the feedback Cris!

    Yeah I’ve just tried it myself and it didn’t work (That is, I tried to post a comment without filling in the captcha fields) I would have to know what configuration you’re using to properly debug this. So I would really appreciate it if you could please tell me what options you have on/off etc.

    Hey Cris. I’ve released a new version which fixes the semicolon in the styling (As well as an SSL problem but that shouldn’t apply to you). Anyways, please install it and clear your cache both in WP if you have one and your browser, then set it up and see if the problem that you had with comments being able to be posted without fulfilling the captcha is still there. If it is, please tell me what your entire options are or take a screenshot of them (If you can, blank out the keys, I don’t need those, just make sure you really did fill them in of course) and give me a link. I would very much appreciate it. Thanks!

    Heh, I forgot to give you the download link. You can download Release Candidate 3 here.

    Installed the latest release. The semicolon issue is fixed.

    The latest release has screwed up the styling for both the admin page – shifting everything to the right (see screenshot in link below) and has undone the work achieved in RC2 in terms of the integration of the different reCAPTCHA windows into the registration page.

    You can still register for the site without completing the reCAPTCHA window. I haven’t tested whether you can post comments without filling that in but then I’m not that interested in that functionality.

    Configuration screenshot:

    The fact that it shifts everything to the right is how it is supposed to be (If you had a wider screen/resolution you would actually see that it’s centered. It should be centered no matter what, don’t know why it’s not). I fixed the integration of different windows thing (Should be forms not windows). You meant that it would overflow out of the login form right? I fixed that.

    As for registering without completing the recaptcha window, I’m really intrigued, I don’t know how or why. I’ve tried it on my site and that doesn’t happen.

    EDIT: Here, I’ve updated it you can get RC4 here. I’ve fixed some things relating to the registration form, hopefully you don’t get that bug of being able to bypass it anymore. I honestly have no idea how that’s happening, go ahead and try it though. You’re running 2.5+ right?

    WordPress 2.5.1
    OSX 10.5.2

    Will test RC4 this evening and post the results here.

    RC4 installed. All the stylesheet/appearance issues are ironed out. Problem, quite fundamentally – it still don’t work 🙁

    You can sign up for an account on the blog without completing the reCAPTCHA form. You can just leave the reCAPTCHA text box blank and complete the registration or you can type in any old words. No errors or checks, it just signs people up. This happens in all the web browsers I’ve tested.

    However I tried it in IE for the first time today. You do get something different in IE in comparison to Firefox. Links to the screenshots below. The whole having to copy and paste a block of text between text boxes was rather exciting 😉

    Interestingly, despite being set to display the clean theme, it’s showing the red theme in IE.
