2023年4月17日 19:20:39go评论61阅读模式

英文:

How can I execute CAPTCHA function before check username password in WordPress login form?

问题

我使用此插件来进行登录和评论表单的验证码。这个插件在评论表单中工作得很好，但在登录表单中，首先会检查用户名和密码(1)是否正确，然后再检查验证码(2)，如下所示。

![检查用户名前的验证码图像](https://i.stack.imgur.com/dnPD1.png "检查用户名前的验证码图像")

这对我来说不是很有用(暴力攻击)。我该如何修改下面的函数，使其首先检查验证码是否正确，然后再检查用户名和密码是否正确。

这个插件非常简单，所有函数都在 wpCaptcha.php 文件中。登录函数如下。


/* 用于在登录表单中包括验证码的函数 */
function include_ctl_captcha_for_login()
{
	echo '<p class="login-form-captcha">
			<label><b>'. __('Captcha', 'captcha-code-authentication').' </b> <span class="required">*</span></label>
			<div style="clear:both;"></div><div style="clear:both;"></div>';
	ctl_captcha_generate_code();
			
	/* 如果存在$_GET变量并且$_GET['captcha']等于'confirm_error'，则从url中检索get变量并打印出消息，如果验证码错误 */
	if(isset($_GET['captcha']) && $_GET['captcha'] == 'confirm_error' ) {
		echo '<label style="color:#FF0000;" id="capt_err">'.esc_html($_SESSION['captcha_error']).'</label><div style="clear:both;"></div>';
		$_SESSION['captcha_error'] = '';
	}
	
	echo '<label>'.__('Type the text displayed above', 'captcha-code-authentication').':</label>
			<input id="captcha_code" name="captcha_code" size="15" type="text" tabindex="30" />';
	return true;
}

/* 钩子用于查找登录时的错误 */
function include_ctl_captcha_login_errors($errors)
{
	if( isset( $_REQUEST['action'] ) && 'register' == $_REQUEST['action'] )
		return($errors);
	
	if(esc_html($_SESSION['captcha_code']) != $_REQUEST['captcha_code']){
		return $errors.'<label id="capt_err" for="captcha_code_error">'.__('Captcha confirmation error!', 'captcha-code-authentication').'</label>';
	}
	return $errors;
}

/* 钩子用于在验证码确认后重定向 */
function include_ctl_captcha_login_redirect($url)
{
	
	/* 验证码不匹配 */
	if(isset($_SESSION['captcha_code']) && isset($_REQUEST['captcha_code']) && esc_html($_SESSION['captcha_code']) != $_REQUEST['captcha_code']){
		$_SESSION['captcha_error'] = __('Incorrect captcha confirmation!', 'captcha-code-authentication');
		wp_clear_auth_cookie();
		return $_SERVER["REQUEST_URI"]."/?captcha='confirm_error'";
	}
	/* 验证码匹配：进入管理面板 */
	else{
		return home_url('/wp-admin/');	
	}
}

/* <!-- 登录验证的验证码到此结束 --> */

英文:

I use this plugin captcha for login and comment forms. This plugin work perfect in comment forms, But the plugin in login form first check username password(1) is correct or no, then check captcha(2) as shown as below.

![image for check username before captcha](https://i.stack.imgur.com/dnPD1.png "image for check username before captcha")

This is not useful for me(brute-force attack) . How can I change below function first check captcha if is correct then check username password login.

This plugin is very simple and all functions in wpCaptcha.php file. The loin function there is below.


/* Function to include captcha for login form */
function include_ctl_captcha_for_login()
{
	echo &#39;&lt;p class=&quot;login-form-captcha&quot;&gt;
			&lt;label&gt;&lt;b&gt;&#39;. __(&#39;Captcha&#39;, &#39;captcha-code-authentication&#39;).&#39; &lt;/b&gt; &lt;span class=&quot;required&quot;&gt;*&lt;/span&gt;&lt;/label&gt;
			&lt;div style=&quot;clear:both;&quot;&gt;&lt;/div&gt;&lt;div style=&quot;clear:both;&quot;&gt;&lt;/div&gt;&#39;;
	ctl_captcha_generate_code();
			
	/* Will retrieve the get varibale and prints a message from url if the captcha is wrong */
	if(isset($_GET[&#39;captcha&#39;]) &amp;&amp; $_GET[&#39;captcha&#39;] == &#39;confirm_error&#39; ) {
		echo &#39;&lt;label style=&quot;color:#FF0000;&quot; id=&quot;capt_err&quot;&gt;&#39;.esc_html($_SESSION[&#39;captcha_error&#39;]).&#39;&lt;/label&gt;&lt;div style=&quot;clear:both;&quot;&gt;&lt;/div&gt;&#39;;;
		$_SESSION[&#39;captcha_error&#39;] = &#39;&#39;;
	}
	
	echo &#39;&lt;label&gt;&#39;.__(&#39;Type the text displayed above&#39;, &#39;captcha-code-authentication&#39;).&#39;:&lt;/label&gt;
			&lt;input id=&quot;captcha_code&quot; name=&quot;captcha_code&quot; size=&quot;15&quot; type=&quot;text&quot; tabindex=&quot;30&quot; /&gt;
			&lt;/p&gt;&#39;;
	return true;
}

/* Hook to find out the errors while logging in */
function include_ctl_captcha_login_errors($errors)
{
	if( isset( $_REQUEST[&#39;action&#39;] ) &amp;&amp; &#39;register&#39; == $_REQUEST[&#39;action&#39;] )
		return($errors);
	
	if(esc_html($_SESSION[&#39;captcha_code&#39;]) != $_REQUEST[&#39;captcha_code&#39;]){
		return $errors.&#39;&lt;label id=&quot;capt_err&quot; for=&quot;captcha_code_error&quot;&gt;&#39;.__(&#39;Captcha confirmation error!&#39;, &#39;captcha-code-authentication&#39;).&#39;&lt;/label&gt;&#39;;
	}
	return $errors;
}

/* Hook to redirect after captcha confirmation */
function include_ctl_captcha_login_redirect($url)
{
	
	/* Captcha mismatch */
	if(isset($_SESSION[&#39;captcha_code&#39;]) &amp;&amp; isset($_REQUEST[&#39;captcha_code&#39;]) &amp;&amp; esc_html($_SESSION[&#39;captcha_code&#39;]) != $_REQUEST[&#39;captcha_code&#39;]){
		$_SESSION[&#39;captcha_error&#39;] = __(&#39;Incorrect captcha confirmation!&#39;, &#39;captcha-code-authentication&#39;);
		wp_clear_auth_cookie();
		return $_SERVER[&quot;REQUEST_URI&quot;].&quot;/?captcha=&#39;confirm_error&#39;&quot;;
	}
	/* Captcha match: take to the admin panel */
	else{
		return home_url(&#39;/wp-admin/&#39;);	
	}
}

/* &lt;!-- Captcha for login authentication ends here --&gt; */

Please don't suggest me to install google re-captcha plugins.

答案1

得分: 0

我使用 wp_die 函数（WordPress 函数）来响应错误的验证码，然后关闭并清除所有会话。

我替换了：
return $_SERVER["REQUEST_URI"]."/?captcha='confirm_error'";

为
wp_die( __('错误：验证码不正确。请按浏览器的返回按钮并重试。', 'captcha-code-authentication',['back_link'=>1,'response'=>403]));

最终的函数：

function include_ctl_captcha_login_redirect($url)
{
    /* 验证码不匹配 */
    if(isset($_SESSION[&#39;captcha_code&#39;]) &amp;&amp; isset($_REQUEST[&#39;captcha_code&#39;]) &amp;&amp; esc_html($_SESSION[&#39;captcha_code&#39;]) != $_REQUEST[&#39;captcha_code&#39;]){
        $_SESSION[&#39;captcha_error&#39;] = __(&#39;验证码确认不正确！&#39;, &#39;captcha-code-authentication&#39;);
        wp_clear_auth_cookie();
        wp_logout(); 
        wp_die( __(&#39;错误：验证码不正确。请按浏览器的返回按钮并重试。&#39;, &#39;captcha-code-authentication&#39;),&quot;wrong captcha&quot;,[&#39;back_link&#39;=&gt;1,&#39;response&#39;=&gt;403]);
    }
    /* 验证码匹配：进入管理面板 */
    else{
        return home_url(&#39;/wp-admin/&#39;);  
    }
}

以上函数会重定向到带有消息 验证码错误 的页面，并清除所有会话。

英文:

I use wp_die function(WordPress functions) for response wrong captcha then close and clear all session.

I replace :
return $_SERVER["REQUEST_URI"]."/?captcha='confirm_error'";

To
wp_die( __('Error: Incorrect CAPTCHA. Press your browser\'s back button and try again.', 'captcha-code-authentication',['back_link'=>1,'response'=>403]));

Finally function :

function include_ctl_captcha_login_redirect($url)
{
    
    /* Captcha mismatch */
    if(isset($_SESSION[&#39;captcha_code&#39;]) &amp;&amp; isset($_REQUEST[&#39;captcha_code&#39;]) &amp;&amp; esc_html($_SESSION[&#39;captcha_code&#39;]) != $_REQUEST[&#39;captcha_code&#39;]){
        $_SESSION[&#39;captcha_error&#39;] = __(&#39;Incorrect captcha confirmation!&#39;, &#39;captcha-code-authentication&#39;);
        wp_clear_auth_cookie();
        wp_logout(); 
        wp_die( __(&#39;Error: Incorrect CAPTCHA. Press your browser\&#39;s back button and try again.&#39;, &#39;captcha-code-authentication&#39;),&quot;wrong captcha&quot;,[&#39;back_link&#39;=&gt;1,&#39;response&#39;=&gt;403]);
    }
    /* Captcha match: take to the admin panel */
    else{
        return home_url(&#39;/wp-admin/&#39;);  
    }
}

The above function redirect to page with message captcha is wrong and clear all sessions.

final result

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。