Support » Plugin: Simple Google reCAPTCHA » User, who newly setup the keys, will see (max for 10 days)

  • User, who newly setup the keys, will see (max for 10 days) emergency reCAPTCHA deactivate link – don’t need FTP access to disable Simple Google reCAPTCHA in case of emergency now.

    This means for those ten days my site is vulnerable. Kind of defeats the purpose of having reCAPTCHA in the first place, unless this plugin is not intended for new users.

  • Plugin Author Minor

    (@minor)

    Hi @tygalive,

    User, who newly setup the keys

    Only for this one user…

    Thread Starter Richard Muvirimi

    (@tygalive)

    I could still see the link even when logged out. Besides, that’s the only way you can see the link on the login page.

    I think it’s better to send a reset link to the admin via email, and not display it on the front end. I have had a reduction of bots trying to log in using reCAPTCHA, but if they can easily disable the functionality from the front end then it’s of no use.

    Plugin Author Minor

    (@minor)

    You don’t have to be logged in to use that emergency link. Only the user who newly set up the keys will see it and has the ability to use it.

    Thread Starter Richard Muvirimi

    (@tygalive)

    I think you are not getting what I am saying. The link is accessible whilst logged out, which translates to anyone being able to use that link, as it’s visible on the login page. That in itself is a security risk, as I can go about revoking said links and assigning a bot to that site. Shouldn’t it at least be sent as an email, with some variable part to it that is unique to a site?

    Plugin Author Minor

    (@minor)

    You see the link because you did set up the keys (site key and secret key). Nobody else; the link is NOT public. I don’t want to explain here how exactly it works.

    Thread Starter Richard Muvirimi

    (@tygalive)

    Anyways, thanks for the support. I had already moved to another plugin. I was trying to use version 3, but where the check box is usually shown it was showing the link to disable reCAPTCHA, and I managed to click it whilst logged out.

    Thread Starter Richard Muvirimi

    (@tygalive)

    As an afterthought, you might find this app useful to manage your plugins; if not (well then…)

    https://play.google.com/store/apps/details?id=com.tyganeutronics.wpconsole

    Plugin Author Minor

    (@minor)

    Looks like you use a browser (maybe the new Edge?) which tries to preload site content when you copy the URL, and because of this reCAPTCHA is deactivated.

    And sure, you can send me your link, but before sending, try to refresh the page and you will probably see that reCAPTCHA is deactivated – no click is needed, only copying that emergency link is enough – I’ve tested this behaviour in the new Edge.
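
Two points raised in this thread, the suggestion to email a link with a site-unique part and the observation that a browser preload alone deactivated reCAPTCHA, can be shown together in an added example (not part of the thread and not the plugin's code; written in Python so it runs stand-alone). The class name, the 15-minute lifetime and the status strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed token lifetime in seconds (hypothetical value)


class EmergencyDisable:
    """Hypothetical handler for one emailed, single-use deactivation token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._digest = None          # only a hash of the token is stored
        self._expires = 0.0
        self.captcha_enabled = True

    def issue(self):
        """Create a token to email to the admin; it is never rendered on a page."""
        token = secrets.token_urlsafe(32)
        self._digest = hashlib.sha256(token.encode()).hexdigest()
        self._expires = self._clock() + TOKEN_TTL
        return token

    def handle(self, method, token):
        """Process a request to the emergency URL and return a status string."""
        if method != "POST":
            # A GET (which is what a browser preload sends) changes no state;
            # it would only render a confirmation form.
            return "confirm-form"
        if self._digest is None or self._clock() > self._expires:
            self._digest = None
            return "rejected"
        presented = hashlib.sha256((token or "").encode()).hexdigest()
        if not hmac.compare_digest(presented, self._digest):
            return "rejected"
        self._digest = None          # single use: the token dies on success
        self.captcha_enabled = False
        return "disabled"


if __name__ == "__main__":
    svc = EmergencyDisable()
    emailed = svc.issue()               # constructed sample token
    print(svc.handle("GET", emailed))   # confirm-form
    print(svc.handle("POST", emailed))  # disabled
```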
