• Resolved frzsombor

    (@frzsombor)


    Hello!
    I tried using this plugin for my website, tested it on the login page, and I found out that the reCaptcha validation occurs after the username validation. This way anyone (even bots) can try guessing usernames without having to deal with the captcha – and if it hits a reCaptcha error, it means that it just found a valid username. I think it would make a site more secure to validate the captcha before all the user related validations. Maybe try using the “authenticate” filter instead of “wp_authenticate_user”.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author WebFactory

    (@webfactory)

    Hi,
    Sounds like a good idea! We need to test if that’s possible. But if it is we’ll definitely do it like that 👍

    Thread Starter frzsombor

    (@frzsombor)

    Hi, thanks for the quick reply!

    I think a solution could be to replace

    add_filter( 'wp_authenticate_user', 'advanced_google_recaptcha_process_login_form', 10, 2 );

    with

    add_filter( 'authenticate', 'advanced_google_recaptcha_process_login_form', 10, 3 );

    and the “advanced_google_recaptcha_process_login_form” function should be something like this:

    function advanced_google_recaptcha_process_login_form( $user, $username, $password ) {
        // Only guard POST submissions; fail when the captcha field is missing or does not verify.
        if ( 'POST' === $_SERVER['REQUEST_METHOD']
            && ( ! isset( $_POST['g-recaptcha-response'] ) || true !== advanced_google_recaptcha_validate_posted_captcha() ) )
        {
            remove_all_filters( 'authenticate' ); // Remove any further authentication filters of WP, WordFence, etc.
            return new WP_Error( 'reCAPTCHA', '<strong>' . esc_html__( 'ERROR:', 'advanced-google-recaptcha' ) . '</strong> ' . esc_html__( 'Google reCAPTCHA verification failed.', 'advanced-google-recaptcha' ) );
        }
        // Captcha passed (or not a POST): hand $user on to the remaining 'authenticate' filters.
        return $user;
    }

    ——-

    Also I think all these checks:

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['g-recaptcha-response'] ) ) {
        if ( true !== advanced_google_recaptcha_validate_posted_captcha() ) {
            //Duplicated errors
        }
    } else {
        //Duplicated errors
    }

    can be simplified as

    if ( 'POST' === $_SERVER['REQUEST_METHOD']
        && ( ! isset( $_POST['g-recaptcha-response'] ) || true !== advanced_google_recaptcha_validate_posted_captcha() ) )
    {
        //One error
    }
    • This reply was modified 2 years, 10 months ago by frzsombor.
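The ordering problem from the opening post and the fix sketched in the reply above, as an added example that is not the plugin's own code: the captcha check is hooked on `authenticate` at priority 10, ahead of WordPress's own `wp_authenticate_username_password` and `wp_authenticate_email_password` (both registered at priority 20), so a request that fails the captcha gets one generic error before any username lookup runs. The option name `example_recaptcha_secret`, the function names and the text domain are assumptions; the `siteverify` endpoint and its `secret`/`response`/`remoteip` fields are Google's documented API.

```php
<?php
// Added example (not the plugin's code). Assumed names: example_recaptcha_secret
// (option holding the reCAPTCHA secret), example_* functions, 'example-textdomain'.

function example_recaptcha_verify( string $token, string $remote_ip ): bool {
    $secret = get_option( 'example_recaptcha_secret' ); // hypothetical option name
    if ( empty( $secret ) || '' === $token ) {
        return false;
    }
    $response = wp_remote_post(
        'https://www.google.com/recaptcha/api/siteverify',
        array(
            'timeout' => 10,
            'body'    => array(
                'secret'   => $secret,
                'response' => $token,
                'remoteip' => $remote_ip,
            ),
        )
    );
    // Fail closed: a verification outage must not turn into a captcha bypass.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $data ) && true === ( $data['success'] ?? false );
}

function example_recaptcha_authenticate( $user, $username, $password ) {
    // Only guard actual login submissions; a GET just renders the form.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return $user;
    }
    $token = isset( $_POST['g-recaptcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) )
        : '';
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '';

    if ( ! example_recaptcha_verify( $token, $ip ) ) {
        // Stop the chain here: the priority-20 credential handlers would otherwise run,
        // look the username up and replace this error with a username-specific one.
        remove_all_filters( 'authenticate' );
        return new WP_Error(
            'recaptcha_failed',
            '<strong>' . esc_html__( 'ERROR:', 'example-textdomain' ) . '</strong> '
            . esc_html__( 'Google reCAPTCHA verification failed.', 'example-textdomain' )
        );
    }
    // Captcha passed: hand the (still null) $user on to the credential checks at priority 20.
    return $user;
}

// Priority 10 < 20, so this runs before wp_authenticate_username_password.
add_filter( 'authenticate', 'example_recaptcha_authenticate', 10, 3 );
```

Two points worth checking in a real deployment: `remove_all_filters( 'authenticate' )` is what keeps the error generic, because WordPress's priority-20 handlers do not short-circuit on an incoming `WP_Error` when a username and password are present; and the `authenticate` filter also fires for XML-RPC and application-password logins, which carry no `g-recaptcha-response` field, so a production version needs to scope the check to the login form (or those clients will be locked out rather than protected).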
    Plugin Author Alexandru Tapuleasa

    (@talextech)

    Hi,

    Thanks for taking the time to write that! 🙂

    We are working on the new update which has some other fixes and changes as well so it will be released soon.


The topic ‘reCaptcha should be checked before username validation’ is closed to new replies.