Security Pro Problem with reCAPTCHA v3

  • Resolved Storyman

    (@storyman)


    7 years, 3 months ago

    Just recently built several fresh WordPress Sites (3/10/19). Along with Akismet the only other plugins are iThemes plugins (Backup Buddy, Sync, iThemes Captcha, and SECURITY PRO–all of them up to date).

    ALL of the sites use Google’s reCAPTCHA v3 with dismal results. The sites all generate this error: “Bots will not be blocked until the reCAPTCHA settings are set properly.” Despite repeatedly generating new site/secret keys the problem persist.

    According to Google an email notice that there is a problem with their reCAPTCHA is suppose to be sent, but not one has been received. This makes me think that iTheme’s Security Pro doesn’t play well with reCAPTCHA.

    The problem has been reported to iThemes, but they will only deal with the problem if, and only if, I purchase their Golden Maintenance Support Plan. It’s something that I would agree to if they would refund their fee if the problem turns out to be a problem with the plugin. They flatly refused that offer. To me, charging a customer to fix a broken plugin is nothing less than extortion.

    One way or another it is a problem that needs to be resolved.

    Can someone at iThemes please share why they feel that the problem is not with their plugin and what can be done in order to eliminate Security Pro as the culprit causing the problem.

Viewing 13 replies - 1 through 13 (of 13 total)
  • nlpro

    (@nlpro)

    7 years, 3 months ago

    What version of the iTSec Pro plugin are you using ?
    What type (role) of user are you logging in with ?

    When reporting issues like these the exact details of the error are very important. What EXACT error msg do you get and where and when EXACTLY do you get it ?
    (“Bots will not be blocked until the reCAPTCHA settings are set properly.” is only a part of the complete error msg).
    A simple screenshot often says more than a thousand words …

    To prevent any confusion, I’m not iThemes.

    • This reply was modified 7 years, 3 months ago by nlpro.
    • This reply was modified 7 years, 3 months ago by nlpro.
    Thread Starter Storyman

    (@storyman)

    7 years, 3 months ago

    Security Pro version 5.9.3.

    I’ve tested it with themes Twenty-Nineteen and Twenty-Sixteen, both with the same results. Here is the full error message:

    “The reCAPTCHA settings for iThemes Security are invalid. The Site Key may be invalid or unrecognized. Verify that you input the Site Key and Private Key correctly. Bots will not be blocked until the reCAPTCHA settings are set properly.”

    Settings are the default unless otherwise noted.

    Include Script: Only Required Pages
    Use on Login: Use reCAPTCHA for user login.
    Use on New User Registration: Use reCAPTCHA for user registration.
    Use on Comments: Use reCAPTCHA for new comments.
    Language: English (US)

    The sites are on a shared Bluehost account. There is always a remote possibility that the issue is with Bluehost, so it would be greatly appreciated if there is anyone out there with a shared Bluehost account and Security Pro, to test if they get the same error. It may take up to a day for the error to appear.

    The cache was cleared before generating new site/secret keys.

    nlpro, any guidance you can offer would be greatly appreciated. BTW if you have a suggestion for a reCAPTCHA 3 plugin to help verify if iThemes Security Pro is where the problem lies would be appreciated.

    nlpro

    (@nlpro)

    7 years, 3 months ago

    Ok. Still 1 thing missing. Where and when is the error occurring ?
    On the login page ? Or are you able to login but the error is displayed after login within the WordPress Dashboard ?

    Thread Starter Storyman

    (@storyman)

    7 years, 3 months ago

    In the admin area, I’ve clicked through the navigation on the left and it is there at the top of every page. At the top of the page is the black menu bar, just below that is the title of the section, and just below that is the reCAPTCHA warning. Warning appears only in admin area.

    After viewing the sites without being logged in, I found that the reCAPTCHA v3 badge appears on the designated pages. It would seem that the site/secret keys are correctly assigned, but the plugin isn’t working as it should when it comes to detecting bots.

    Again, thank you for your assistance.

    • This reply was modified 7 years, 3 months ago by Storyman.
    • This reply was modified 7 years, 3 months ago by Storyman.
    nlpro

    (@nlpro)

    7 years, 3 months ago

    Yes, I think your keys are fine.

    The ‘The Site Key may be invalid or unrecognized. Verify that you input the Site Key and Private Key correctly.’ part of the error msg is probably not pointing us in the right direction.

    This is what you can do. Login and navigate to the Security/Logs page.
    Click on the white Screen Options button on the right upper corner of the screen. Make sure the Show Debug entries. checkbox is enabled. If not, tick it and click on the Apply button.

    In the Logs page click on the All Events (?) view. Then underneath, select the reCAPTCHA module and click on the Filter button.

    Anything logged related to reCAPTCHA will now be displayed on your screen.
    Normally you should see multiple Debug Type entries with a validate-response Description. There may be 1 (or more) Notice Type entries with a Failed Validation Description.

    It would be interesting to see a screenshot of what you’ve got.

    Thread Starter Storyman

    (@storyman)

    7 years, 3 months ago

    1) Reset reCAPTCHA by removing keys and generating new ones.

    2) Ticked the ‘Show Debug entries’ and saved.

    3) In the logs page the ‘All Events’ filter has these options:

    All Modules
    Brute Force
    Trusted Devices
    404 Detection
    Lockout
    Malware Scan
    Notification Center
    User Logging
    Version Management

    There isn’t a ‘reCAPTCHA’ option. Should there have been? Do you think it will appear now that the ‘Show Debug entries’ is ticked?

    AFTER REVIEWING LOGS

    There aren’t any errors that I can see that relate to reCAPTCHA when searching back through since the last time I reset the keys. Nothing.

    • This reply was modified 7 years, 3 months ago by Storyman.
    nlpro

    (@nlpro)

    7 years, 3 months ago

    Ok, so there are no reCAPTCHA log entries. There should be.

    So far I’ve been focusing on login. Is there any reCAPTCHA log entry added when posting a comment ?
    It could be it’s only login (and perhaps also registering since it also makes use of the wp-login.php script) that is failing to work properly with reCAPTCHA.

    Let me put it differently. Whether you login, register a user or post a comment any such attempt should normally trigger a reCAPTCHA log (Debug type) entry.

    I’ve been doing some tests in a local env. So far reCAPTCHA v3 seems to be working fine. Logging also works fine. So I’m starting to think it may be a specific issue for your env.

    • This reply was modified 7 years, 3 months ago by nlpro.
    Thread Starter Storyman

    (@storyman)

    7 years, 3 months ago

    After logging out, then back in there is a reCAPTCHA log entry.

    module => recaptcha
    type => debug
    code => validate-response

    That part of the captcha works. The problem is that after a day or two the error previously mentioned appears. Specifically, it references bots.

    My understanding is that v3 prevents bots from running malicious scripts. You may need to wait a couple of days before you see the error; it doesn’t appear right away.

    • This reply was modified 7 years, 3 months ago by Storyman.
    nlpro

    (@nlpro)

    7 years, 3 months ago

    Ok, that is very good news. Because it means your reCAPTCHA setup is correct. Keys are valid.

    Now click on the View Details link in the Details column of the reCAPTCHA Debug entry in the Logs page. Then click on the Show Raw Details link.

    What’s specified for url and action ?

    Thread Starter Storyman

    (@storyman)

    7 years, 3 months ago

    Big thanks to @nlpro.

    With your assistance, I was able to figure out what the problem is. I’ve written iThemes to advise them that, yes indeed, they have a problem with the plugin. There is definitely a bug that needs to be addressed. Hopefully they’ll fix it soon.

    • This reply was modified 7 years, 3 months ago by Storyman.
    magnetiknyc

    (@magnetiknyc)

    7 years, 2 months ago

    Interesting – i have been having this same failure with v2 ion most of my sites as of the past release. V2 just says not installed correctly. V3 just didnt let me log in even… Hope this gets sorted soon…

    Thread Starter Storyman

    (@storyman)

    7 years, 2 months ago

    Michael Moore at iThemes would love to hear from you. He claims it just ain’t so…

    Daniel J. Lewis

    (@djosephdesign)

    7 years, 1 month ago

    What’s the update on this? And what was the bug you figured out, @storyman?

Viewing 13 replies - 1 through 13 (of 13 total)

The topic ‘Security Pro Problem with reCAPTCHA v3’ is closed to new replies.