Opened 6 years ago

Closed 6 years ago

#26760 closed enhancement (invalid)

Allow checking login form fields before username/password

Reported by: crysman Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:
PR Number:

Description

According to the WP BSW CAPTCHA plugin developers (see here), it is impossible now to check CAPTCHA input BEFORE entering the rest of the fields at the WP admin login screen.

This leads to a security vulnerability and significantly lowers the benefit of using any CAPTCHA.

Here are the details - there is also a short explanatory video in the comment just below this one.

Change History (4)

#1 @rmccue
6 years ago

  • Summary changed from Allow corect CAPTCHA behavior at login to Allow checking login form fields before username/password

This isn't just CAPTCHA-specific, so renaming.

#2 @SergeyBiryukov
6 years ago

  • Keywords close added

"Unfortunately, WordPress DOES NOT have an opportunity to check captcha input BEFORE entering the rest of the fields."

This is just plain wrong.

The BestWebSoft's Captcha plugin uses login_errors and login_redirect filters to check the captcha:
http://plugins.trac.wordpress.org/browser/captcha/tags/3.9.3/captcha.php#L156

Core checks for correct username/password earlier, by hooking into the authenticate filter:
https://core.trac.wordpress.org/browser/tags/3.8/src/wp-includes/user.php#L68

The plugin should just hook into the same filter with an earlier priority.

SI CAPTCHA Anti-Spam plugin does that correctly and works the way you want:
http://plugins.trac.wordpress.org/browser/si-captcha-for-wordpress/tags/2.7.7.1/si-captcha.php#L1249
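
What "hook into the same filter with an earlier priority" can look like in a plugin, as an added example (not code from this ticket, from WordPress core or from either plugin mentioned). The `example_*` function names, the POST field names and the transient key are assumptions; the sketch also detaches core's priority-20 callbacks on failure, because those callbacks do not stop on a `WP_Error` handed to them when both credential fields are filled in.

```php
<?php
/**
 * Plugin Name: Example early CAPTCHA check (illustrative, hypothetical names)
 */

// Core attaches its username/password check to 'authenticate' at priority 20,
// so a callback at priority 10 runs before any credential lookup.
add_filter( 'authenticate', 'example_captcha_gate', 10, 3 );

function example_captcha_gate( $user, $username, $password ) {
	// wp-login.php also runs 'authenticate' with empty credentials when it
	// only displays the form; do not raise a CAPTCHA error in that case.
	if ( '' === (string) $username && '' === (string) $password ) {
		return $user;
	}

	if ( example_captcha_is_valid() ) {
		return $user; // Let the later callbacks check the credentials.
	}

	// A WP_Error returned here would be overwritten by core's priority-20
	// callbacks when both fields are filled in, so detach them for this request.
	remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
	remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 ); // WP 4.5+

	return new WP_Error( 'example_captcha_failed', 'CAPTCHA answer is missing or incorrect.' );
}

// Hypothetical verifier: the expected answer was stored in a transient when the
// challenge was rendered, keyed by a token sent in a hidden form field.
// 'authenticate' also runs for non-form logins such as XML-RPC; this sketch
// treats a missing field as a failure there too.
function example_captcha_is_valid() {
	$token  = ( isset( $_POST['example_captcha_token'] ) && is_string( $_POST['example_captcha_token'] ) )
		? sanitize_key( wp_unslash( $_POST['example_captcha_token'] ) ) : '';
	$answer = ( isset( $_POST['example_captcha_answer'] ) && is_string( $_POST['example_captcha_answer'] ) )
		? trim( wp_unslash( $_POST['example_captcha_answer'] ) ) : '';
	if ( '' === $token || '' === $answer ) {
		return false;
	}

	$expected = get_transient( 'example_captcha_' . $token );
	delete_transient( 'example_captcha_' . $token ); // One attempt per challenge.

	return is_string( $expected ) && hash_equals( $expected, $answer );
}
```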

#3 @crysman
6 years ago

Thank you very much, Sergey! I will contact the developers and tell them.

#4 @SergeyBiryukov
6 years ago

  • Component changed from Security to Login and Registration
  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Type changed from feature request to enhancement