I noticed the same. What I found out is that if a user or bot has not requested the full WordPress page before, a comment can be posted without any barrier. This is caused by the condition
    if ( $frontendData ) {
        ... // captcha validation happens only inside this branch
    }      // no else branch: a request without session data is accepted unvalidated
in the validation logic in file visualcaptcha.php, line 52. $frontendData is taken from the user session and is null if the page hasn’t been requested before and therefore no validation is performed.
My question: Why can’t the plugin ‘die’ in the else clause? I guess this would solve the bot problem.
I’m sorry you missed our replies, joelogic.
In any case, if we die without the frontendData, forms that don’t support visualCaptcha won’t be able to submit.
This is a limitation within WordPress, but we’re open to solutions.
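To make the fail-open shape of that condition concrete, here is an added illustration (not the plugin's code; function names, the `answer`/`captcha` keys and the `$formHasCaptcha` flag are hypothetical) of the check as described above beside a fail-closed variant that exempts non-captcha forms explicitly instead of by an empty session:

```php
<?php
// Added example, not visualCaptcha's own code. Names and keys are hypothetical.

// Fail-open: the pattern described in the thread. When the session holds no
// frontend data (the page was never rendered for this client), the whole
// captcha branch is skipped and the submission goes through unchecked.
function validate_fail_open(?array $frontendData, array $post): bool {
    if ($frontendData) {
        return isset($post['captcha']) && $post['captcha'] === $frontendData['answer'];
    }
    return true; // no session data -> no validation at all
}

// Fail-closed variant. Forms that never render visualCaptcha (the maintainer's
// concern) are exempted through an explicit flag; for a protected form, missing
// session state is treated as a failed check rather than a reason to skip it.
function validate_fail_closed(?array $frontendData, array $post, bool $formHasCaptcha): bool {
    if (!$formHasCaptcha) {
        return true; // form does not carry a captcha: nothing to verify
    }
    if (!$frontendData || !isset($post['captcha'])) {
        return false; // no session data or no answer: reject, do not bypass
    }
    // constant-time comparison of the submitted answer with the stored one
    return hash_equals((string) $frontendData['answer'], (string) $post['captcha']);
}

// Constructed inputs: a bot posting directly without ever loading the page,
// and a visitor who loaded the form and answered it.
$noSession = null;
$botPost   = ['comment' => 'buy now'];
$session   = ['answer' => 'tree'];
$userPost  = ['comment' => 'nice post', 'captcha' => 'tree'];

var_dump(validate_fail_open($noSession, $botPost));          // bot against the fail-open check
var_dump(validate_fail_closed($noSession, $botPost, true));  // bot against the fail-closed check
var_dump(validate_fail_closed($session, $userPost, true));   // legitimate visitor, protected form
var_dump(validate_fail_closed($noSession, $botPost, false)); // form without captcha stays usable
```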
Thread Starter Joe B (@joelogic)
Hello
Thanks very much for both of your replies. It seems to be a bit of a catch 22 (or is that captcha 22?). I have used a different captcha for the moment anyway; it is a shame that it had this issue. Also, I have blocked all the IPs of the spambots via htaccess, which has permanently stopped it.
Also, the bots were accessing the post-new.php file directly (which is in the wp-admin folder), and they were able to post as any of the active admins. It must be another loophole somewhere in my old version of WordPress (3.5.1), which I can’t update due to plugin issues. I will be rebuilding the site in a while...
I switched to Google Captcha (reCAPTCHA) by BestWebSoft, which doesn’t allow spam bots to comment without captcha data.
I also tried Cookies for Comments which works fine with visualCaptcha. I only stopped using visualCaptcha because of the missing ability to show localized instructions, but that’s out of scope here.