laszlokatona

Many thanks for your help. I gave it a try but finally followed you with the plugin change.

Best regards,
Laszlo

Hi Martin,

Could you please share with us an example how did you use those [slb_group] shortcuts?
How did you figure it out? I’ve found nothing like this so far…

For me it seems you solved the issue (if I understood well).
By the way, awesome art and page, thanks for sharing!

Regards,
Laszlo

Welcome to the club ??
So far I could identify that in my case these requests were simple POSTs to the login.php.
I reproduced it manually and the captcha blocked the request, however this plugin logged it as Wrong Password action.
Therefore I asked here if anyone or the author knows the way how to distinguish these actions.
Probably it is hard to bypass google’s recaptcha v3 so I’m not nervous about it anymore.

Hope this information useful for you. I recommend to install re-captcha v3, it is invisible, so won’t annoy the users. I also suggest to disable xmlrpc and wp-json api (with plugin or custom code) as I mentioned above. xmlrpc can definitely bypass captcha while json api leaks user names (I have no idea why they are enabled by default).

Disclaimer: I’m not a wp expert but have some security related experience in various IT areas.

Hi, I figured out that these attempts used POST requests to wp-login.php.
I reproduced the POST request, without any correct captcha verification and got the same “Wrong Password” entry even if the password was correct.

I use
“Google Captcha (reCAPTCHA) by BestWebSoft” plugin with reCaptcha v3.

I understand it is not trivial to distinguish incorrect password and failed captcha verification.
Do you have any recommendation how to manage it?

Thanks,
Laszlo

Thank you for the information. I noticed this cookie in our dev environment where WP_DEBUG was set to true. After I changed it the cookie disappeared.

Thanks,
Laszlo

Hello,
This answer is helpful for me as well. However I don’t understand why this cookie is placed even if I open our page in an empty browser, without logging in.
Could you please help me? Is there any way to avoid it?

Thanks,
Laszlo

Thank you so much for your help, Nicola.
You are right, putting conditions into php code of pages can cause problems if we cache the them… that’s always tricky…
By the way, we are currently testing your plugin on our cached site. We are using varnish servers as well. I have no time to look into your code deeply, but as I see you have put some W3 Total cache compatibility in it.
So I hope we won’t have any issues. ??
If you have any know issue on this topic please let us know.

ps. I’ve found some partial answer for Redux cookie: https://www.ads-software.com/support/topic/redux_blast-cookie/

Regards,
Laszlo

Hi Nicola, EnFi,
Let me join to this discussion, because I am looking for the same thing.
I’ve tested so many plugins and found this one the best so far. However this feature seems missing to me too.
I’m using a theme that depends on Redux framework. Redux uses a cookie (“redux_blast”) even if I keep blocking cookies with your plugin.
I would be happy if I could put a condition into Redux’s code.
EU Cookie Law plugin – anyway it is weaker than yours – documents clearly this feature:
“You can lock cookies using [cookie] and [/cookie] shortcodes in every post, page and widget. You can use php functions too:
if ( !function_exists(‘cookie_accepted’) || cookie_accepted() ) {
// Your code
}”
Is there any working way to put a condition into a php code in another plugin?

Thanks,
Laszlo