• Resolved mike73

    (@mike73)


    Hello,

    … I have put directory protection on the directory “/wp-admin/” (topic: brute force, etc.)!

    Now I notice that cforms2 puts the “captcha image path” in the directory “/wp-admin/”! ;(

    <img id="cf_captcha_img2" class="captcha" src="https://www.meinedomain.de/wp-admin/admin-ajax.php?action=cforms2_reset_captcha&_wpnonce=b101bc37b8&ts=2&rnd=692038" alt="">

    Now, of course, the login prompt of the .htaccess or .htpasswd always appears / every page with a cforms2 form (incl. captcha) – blocked for the user!

    1. Is the file “admin-ajax.php” from the directory “/wp-admin/” really needed?!?

    2. Is there an approach to a solution?

    Because the directory protection via “.htaccess or .htpasswd” is the most effective protection against all the (not just brute force) attacks!

    Or is it not?!?

    Thanks for the quick help!

    https://www.ads-software.com/plugins/cforms2/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter mike73

    (@mike73)

    Hello,

    … OK – I have adjusted the .htaccess as follows.

    The access protection is now set solely on /wp-admin/wp-login.php! Now the captcha works again and the brute force attacks are over as well!

    There are plenty of instructions (from the respective providers) for setting up “.htaccess and .htpasswd”.

    However, the question remains:
    1. Is access to the file “admin-ajax.php” from the directory “/wp-admin/” really needed?!?

    Thanks!

    Thread Starter mike73

    (@mike73)

    Hello,

    … is there already a solution for this?

    Because I now think it’s much better/safer to protect the complete directory (/wp-admin) with .htaccess!

    But then “Really Simple CAPTCHA” doesn’t work!
    Because now, of course, the .htaccess login prompt always appears on every page with a cforms2 form (incl. captcha) – blocked for the user!
    For the reason, please see my first post.

    Here is my question again:
    Is access to the file “admin-ajax.php” (in /wp-admin) really necessary for running the plugin “Really Simple CAPTCHA”?!?

    Thanks for the quick answer/help!

    Plugin Author bgermann

    (@bgermann)

    Now that WordPress has a REST API built-in, it would be possible to port the plugin to that API. But until someone does that, you will still need access to /wp-admin/admin-ajax.php. You can have that file as an exception from a general htaccess blocking rule.

    • This reply was modified 7 years, 11 months ago by bgermann.
    Thread Starter mike73

    (@mike73)

    Wow, thanks for your quick answer!

    … you mean: “But until nobody does not that,…” – right?!?

    Yes – I know – I almost thought that! ;(

    I’ll try it with the exclusion rule in .htaccess.

    Oh dear – how does that work again?

    Cheers…

    • This reply was modified 7 years, 11 months ago by mike73.
    Plugin Author bgermann

    (@bgermann)

    Right, logic is hard sometimes :-).

    Thread Starter mike73

    (@mike73)

    Really, does anybody have an idea how I create a file exception from the general htaccess blocking rule? In this case, the file “admin-ajax.php”.

    Thanks…

  • The topic ‘.htaccess vs. captcha’ is closed to new replies.
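
The exception for admin-ajax.php that the plugin author describes and the last post asks about, as an added example that is not part of the original thread: an .htaccess for the /wp-admin/ directory. The AuthUserFile path and the realm name are placeholders, and Apache 2.4 authorization syntax is assumed (the 2.2 equivalent is shown in the comments).

```apache
# /wp-admin/.htaccess  (added example; path and realm below are placeholders)

# Basic authentication for everything in /wp-admin/.
AuthType Basic
AuthName "Restricted area"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Exception: front-end AJAX calls (such as the cforms2 captcha image
# request to admin-ajax.php?action=cforms2_reset_captcha) must reach
# this one file without the Basic-auth prompt.
# Apache 2.4: the Require inside <Files> replaces the outer
# "Require valid-user" for this file only.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Apache 2.2 equivalent of the block above (use instead, not in addition):
# <Files "admin-ajax.php">
#     Order allow,deny
#     Allow from all
#     Satisfy any
# </Files>
```

With this in place, an unauthenticated request to /wp-admin/ should still return 401 while the captcha image on a form page loads without a prompt. The exception removes the web-server gate for every action registered on admin-ajax.php, so WordPress's own login and nonce checks are the only protection left for that file.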