
recaptcha-for-wp

Invisible reCAPTCHA integration for the WordPress login.

Requirements

WordPress 4.7 or later, PHP 5.4 or later and Composer.

Installation

$ composer require ssnepenthe/recaptcha-for-wp

OR

$ cd /path/to/project/wp-content/plugins
$ git clone git@github.com:ssnepenthe/recaptcha-for-wp.git
$ cd recaptcha-for-wp
$ composer install

Usage

To use this plugin you must provide API keys from reCAPTCHA.

First sign up for reCAPTCHA, register your site for Invisible reCAPTCHA and get your keys.

Then activate the plugin and provide your keys under Settings > reCAPTCHA.

That's it! Invisible reCAPTCHA is automatically enabled for the login, lost password and registration forms.

Configuration

Plugin settings can be overridden via the following constants:

RFW_LOGIN: whether to integrate reCAPTCHA with the login form. Must be a string, "1" (for enabled) or "0" (for disabled).

RFW_LOSTPASSWORD: whether to integrate reCAPTCHA with the lost password form. Must be a string, "1" (for enabled) or "0" (for disabled).

RFW_REGISTRATION: whether to integrate reCAPTCHA with the registration form. Must be a string, "1" (for enabled) or "0" (for disabled).

RFW_SECRET_KEY: the "secret" API key provided by reCAPTCHA. Must be a string.

RFW_SITE_KEY: the "site" API key provided by reCAPTCHA. Must be a string.

Considerations

If you have any browser extensions installed for privacy (such as Privacy Badger) you may want to whitelist your domain.

If you enter either of your API keys incorrectly, it is possible to get locked out of your site. You should be able to work around this by setting the corresponding constant.
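The constants above are normally defined in wp-config.php, which is also where you recover from the lockout just described. This is an added example, not the plugin's own code; the key values are placeholders and the wp-config.php location is an assumption (any file loaded before the plugin would do).

```php
<?php
// Added example, not part of recaptcha-for-wp: overriding plugin settings from
// wp-config.php. A defined constant takes precedence over the value saved
// under Settings > reCAPTCHA, so these lines double as the recovery path when
// a mistyped key has locked you out of wp-login.php.

// Placeholder keys: replace with the pair issued by the reCAPTCHA admin console.
define( 'RFW_SITE_KEY',   'REPLACE_WITH_SITE_KEY' );
define( 'RFW_SECRET_KEY', 'REPLACE_WITH_SECRET_KEY' );

// Per-form switches. The README requires the strings "1" or "0", not booleans.
define( 'RFW_LOGIN',        '1' );
define( 'RFW_LOSTPASSWORD', '1' );
define( 'RFW_REGISTRATION', '1' );

// Wrong form: a boolean is not the documented value for these constants.
// define( 'RFW_LOGIN', true );

// Locked out because a key was entered incorrectly on the settings page?
// Temporarily disable the login integration, sign in, fix the stored key,
// then remove this line again so the protection is restored.
// define( 'RFW_LOGIN', '0' );
```

Keep the secret key out of version control if wp-config.php is committed; the site key is public by design, the secret key is not.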

Compatibility

The plugin is tested with the Google Authenticator plugin and the GA Per-User Prompt plugin.

It should work with, but has not been tested against, other plugins that modify wp-login.php.

recaptcha-for-wp's Issues

Support WordPress multisite

It'd be great if there was a single multisite settings page instead of individual settings pages (one on each blog) when this plugin was network activated.

You should be able to re-use all the code for the blog-specific settings page and register the multisite settings page using the network_admin_menu action instead of the admin_menu action.

I'd be happy to submit a pull request if you'd like.
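The registration described in this issue, as an added example rather than code from the plugin or the issue author: the same settings page is hooked on admin_menu for a single site and on network_admin_menu when the plugin is network activated, and reads and writes go to the matching option store. rfw_render_settings_page(), the rfw_get_setting()/rfw_update_setting() helpers and the "rfw" menu slug are assumed names; the snippet assumes it lives in the plugin's main file so that plugin_basename(__FILE__) identifies the plugin.

```php
<?php
// Added example (not recaptcha-for-wp's code): one settings screen, registered
// in the network admin when network activated and per blog otherwise.
// Assumes this file is the plugin's main file (for plugin_basename( __FILE__ )).

function rfw_render_settings_page() {
    // Assumption: the plugin's existing page callback would be reused here,
    // with its option reads/writes routed through rfw_get_setting()/rfw_update_setting().
    echo '<div class="wrap"><h1>reCAPTCHA</h1></div>';
}

/** True when the plugin is activated for the whole network. */
function rfw_is_network_active() {
    if ( ! is_multisite() ) {
        return false;
    }
    // is_plugin_active_for_network() lives in an admin include that is not
    // loaded on the front end, so pull it in when needed.
    if ( ! function_exists( 'is_plugin_active_for_network' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    return is_plugin_active_for_network( plugin_basename( __FILE__ ) );
}

/** Read a setting from the store that matches the activation mode. */
function rfw_get_setting( $key, $default = '' ) {
    return rfw_is_network_active()
        ? get_site_option( $key, $default )   // network-wide value
        : get_option( $key, $default );       // this blog only
}

/** Write a setting to the store that matches the activation mode. */
function rfw_update_setting( $key, $value ) {
    return rfw_is_network_active()
        ? update_site_option( $key, $value )
        : update_option( $key, $value );
}

// Single site: Settings > reCAPTCHA, as the plugin already does.
add_action( 'admin_menu', function () {
    if ( rfw_is_network_active() ) {
        return; // the network page is authoritative; hide the per-blog copy
    }
    add_options_page( 'reCAPTCHA', 'reCAPTCHA', 'manage_options', 'rfw', 'rfw_render_settings_page' );
} );

// Network activated: Network Admin > Settings > reCAPTCHA, one page for all sites.
add_action( 'network_admin_menu', function () {
    add_submenu_page(
        'settings.php',           // parent: network Settings menu
        'reCAPTCHA',
        'reCAPTCHA',
        'manage_network_options', // super admins only
        'rfw',
        'rfw_render_settings_page'
    );
} );
```

One caveat when reusing the per-blog page verbatim: the Settings API's options.php handler does not save network options, so the network version of the form needs its own submit handler (for example on the network_admin_edit_{action} hook) that verifies the nonce and capability before calling rfw_update_setting().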

Unnecessary async/defer for footer script?

Shouldn't be any real performance benefit since the script is inserted at the end of body...

The logic that adds the async and defer attributes is already clunky - for example it will definitely fail if anyone adds an 'after' inline script.

May be best to just drop it altogether?

Action not properly validated

In inc/recaptcha.php in function enqueue_scripts.

Action is checked before enqueuing script but fails to take WP default into account.

E.g. when visiting wp-login.php?action=fake, plugin sees the action as fake but WordPress sees it as login.

retrievepassword as alias for lostpassword

On wp-login it looks like retrievepassword action is effectively the same as lostpassword but retrievepassword isn't handled by this plugin.

If you visit wp-login.php?action=retrievepassword the captcha will not be shown. If you submit the form it will always fail because $_POST['g-recaptcha-response'] is not set.
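Both of the reports above come down to the plugin reading the raw action parameter instead of the action WordPress will actually run. The following is an added example, not the plugin's code, of resolving the action the way wp-login.php does (unknown actions fall back to login unless a login_form_{action} handler is registered, and retrievepassword shares the lostpassword form) before deciding whether reCAPTCHA applies. It is plain PHP so it runs from the CLI; the $has_custom_handler callback stands in for has_filter( 'login_form_' . $action ), and the function names and sample requests are constructed for the example.

```php
<?php
// Added example (not recaptcha-for-wp's code): resolve the wp-login.php action
// the same way WordPress core does before checking whether reCAPTCHA applies.
// Run with: php rfw-action-check.php   (PHP 5.4+, no WordPress needed)

/**
 * Return the action WordPress will run for a request.
 *
 * @param array         $request            Mirrors $_REQUEST.
 * @param callable|null $has_custom_handler Stand-in for has_filter( 'login_form_' . $action ).
 */
function rfw_resolve_login_action( array $request, $has_custom_handler = null ) {
    // Actions wp-login.php accepts by default.
    $default_actions = array(
        'postpass', 'logout', 'lostpassword', 'retrievepassword',
        'resetpass', 'rp', 'register', 'login',
    );
    // Actions that render the same form and must be protected identically.
    $aliases = array(
        'retrievepassword' => 'lostpassword',
        'rp'               => 'resetpass',
    );

    $action = isset( $request['action'] ) ? (string) $request['action'] : 'login';

    $is_custom = is_callable( $has_custom_handler ) && call_user_func( $has_custom_handler, $action );
    if ( ! in_array( $action, $default_actions, true ) && ! $is_custom ) {
        // WordPress ignores unknown actions and shows the login form,
        // so "?action=fake" must be protected exactly like "login".
        $action = 'login';
    }

    if ( isset( $aliases[ $action ] ) ) {
        $action = $aliases[ $action ];
    }

    return $action;
}

/**
 * Decide whether reCAPTCHA must be enforced for a resolved action, given the
 * plugin's three "1"/"0" string settings.
 */
function rfw_captcha_required( $action, array $settings ) {
    $map = array(
        'login'        => 'RFW_LOGIN',
        'lostpassword' => 'RFW_LOSTPASSWORD',
        'register'     => 'RFW_REGISTRATION',
    );
    if ( ! isset( $map[ $action ] ) ) {
        return false; // logout, resetpass etc. carry no form this plugin protects
    }
    $key = $map[ $action ];
    return isset( $settings[ $key ] ) && '1' === $settings[ $key ];
}

// Constructed sample requests mirroring the two reports.
$settings = array( 'RFW_LOGIN' => '1', 'RFW_LOSTPASSWORD' => '1', 'RFW_REGISTRATION' => '1' );
$samples  = array(
    array( 'action' => 'fake' ),             // unknown: WordPress shows the login form
    array( 'action' => 'retrievepassword' ), // alias of lostpassword
    array( 'action' => 'lostpassword' ),
    array( 'action' => 'logout' ),           // no form to protect
    array(),                                 // no action parameter at all
);

foreach ( $samples as $request ) {
    $raw      = isset( $request['action'] ) ? $request['action'] : '(none)';
    $resolved = rfw_resolve_login_action( $request );
    printf(
        "%-18s -> %-13s captcha %s\n",
        $raw,
        $resolved,
        rfw_captcha_required( $resolved, $settings ) ? 'required' : 'not required'
    );
}
```

With this resolution in place, "fake" and a missing action both resolve to login and get the widget, and retrievepassword gets the same treatment as lostpassword, so the form can no longer be submitted without g-recaptcha-response and fail unconditionally.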

Consider scenarios where recaptcha should not be required

I hate recaptcha... It is awful.

I originally wrote this plugin to be an easy but effective tool against low-effort registration and brute-force login attempts.

But Google seem hell-bent on proving how little they think of their users...

These days a simple login can easily become a two+ minute affair while using Firefox with basic privacy settings enabled.

For this plugin to remain a viable option going forward it should implement at least one, if not many, configurable scenarios in which a known good user is allowed to bypass the recaptcha requirement.

The two most obvious options that come to mind:

  • Bypass based on IP
  • Bypass based on whether the user has already successfully completed a captcha in a given period (e.g. 24hrs)

Or maybe it would just be better to move away from recaptcha entirely to something like a simple honeypot.
