• Resolved lensam69

    (@lensam69)


    A malicious attacker can send a login request without the g-recaptcha-response parameter.

    While they won’t be able to log in, they will still hit the authentication routines. For example, this can be abused to automate a brute-force enumeration attack to discover valid user names.

    (e.g. the error response from WordPress is different based on whether the username exists or not).

    The ideal result should be that if the above parameter is missing, authentication should not even be attempted.
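The short-circuit described in this report, as an added example that is not the plugin's own code: a filter on WordPress' `authenticate` hook that runs before the core credential checks (registered at priority 20) and, when `g-recaptcha-response` is absent or fails verification, detaches those checks for the request and returns one uniform error, so the username lookup is never reached. `MY_RECAPTCHA_SECRET` and the function names are assumed placeholders.

```php
<?php
// Added example, not code from the plugin discussed in this thread.
// Assumes MY_RECAPTCHA_SECRET is defined (e.g. in wp-config.php).

function my_recaptcha_verify( $token ) {
    // Server-side verification against the reCAPTCHA siteverify endpoint.
    $resp = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array(
            'secret'   => MY_RECAPTCHA_SECRET,
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );
    if ( is_wp_error( $resp ) ) {
        return false; // Fail closed if the verification service is unreachable.
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    return is_array( $data ) && ! empty( $data['success'] );
}

function my_require_recaptcha_before_auth( $user, $username, $password ) {
    // No credentials submitted: nothing to guard (e.g. the form is only being rendered).
    if ( empty( $username ) && empty( $password ) ) {
        return $user;
    }

    $token = isset( $_POST['g-recaptcha-response'] )
        ? trim( (string) $_POST['g-recaptcha-response'] )
        : '';

    if ( '' === $token || ! my_recaptcha_verify( $token ) ) {
        // Detach the core checks for this request so neither the username
        // lookup nor the password comparison runs. Without this, returning
        // a WP_Error alone would not stop wp_authenticate_username_password(),
        // whose own error text differs for existing and non-existing users.
        remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
        remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

        // One generic message regardless of whether the username exists.
        return new WP_Error( 'recaptcha_required', __( 'reCAPTCHA verification failed.' ) );
    }

    return $user;
}

// Priority 5 places this filter ahead of the core checks at priority 20.
add_filter( 'authenticate', 'my_require_recaptcha_before_auth', 5, 3 );
```

Requests that omit the parameter therefore receive the same response as requests with an invalid token, and the `authenticate` pipeline never executes the lookup that leaks username validity.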

  • Plugin Author Robert Peake

    (@robertpeake)

    Thanks for your suggestion.

    This plugin does not alter the default behaviour of WordPress in relation to response messages (e.g. whether a username exists or not); it simply requires a valid reCaptcha to log in. If the g-recaptcha-response parameter is missing and the plugin is configured correctly, login will not be possible.

    For defence against brute-force enumeration attacks and other types of automated attacks, I recommend a defence-in-depth strategy incorporating other plugins such as limit-login-attempts, wordfence, etc.

    The sole purpose of this plugin is to prevent login attempts without a valid reCaptcha.


The topic ‘[ Security Issue ]’ is closed to new replies.