wp-digital / wp-recaptcha

Helps to protect website with Google reCAPTCHA v3 or Cloudflare Turnstile.

Verification code should be required if you didn't pass ReCaptcha #2

Closed MaksVeter closed 4 years ago

MaksVeter commented 5 years ago

After redirecting to the "Verification code" screen, you can go to /wp-login.php and try one more time. So if you are on the fringe of the threshold, you can try several times to pass login without a verification code. So probably the verification code should be required, for the verification code lifetime, for a user who didn't pass ReCaptcha.

kuliebiakin commented 5 years ago

Google will not increase the user's score in the current session, so if it's a bot then it still will not be able to log in, but the real user could in that time open the login page from anywhere else, so we do not need to block him.

But maybe it's an idea to block only by IP address + lifetime; need to think about that.

MaksVeter commented 4 years ago

Done on branch feature/ip_blocking. @kuliebiakin please check.

kuliebiakin commented 4 years ago

Merged.
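
The "IP address + lifetime" idea from this thread, as an added example that is not the plugin's code and not what was merged from feature/ip_blocking: once an IP scores below the threshold, every login attempt from it needs a verification code until the lifetime runs out, so retrying /wp-login.php for a better score no longer helps. The class name, threshold, lifetime, salt and in-memory store are all assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration; not code from wp-recaptcha. All names are hypothetical.
final class VerificationGate
{
    /** @var array<string,int> hashed IP => unix time when the requirement expires */
    private array $requiredUntil = [];

    public function __construct(
        private float $threshold,   // assumed score cut-off
        private int $lifetime,      // assumed verification code lifetime, in seconds
        private string $salt        // keeps raw IP addresses out of the store
    ) {}

    private function key(string $ip): string
    {
        return hash_hmac('sha256', $ip, $this->salt);
    }

    /** Returns true when this login attempt must present a verification code. */
    public function requiresCode(string $ip, float $score, int $now): bool
    {
        $key = $this->key($ip);

        // An earlier low score from this IP still applies; a better score on retry does not lift it.
        if (isset($this->requiredUntil[$key])) {
            if ($now < $this->requiredUntil[$key]) {
                return true;
            }
            unset($this->requiredUntil[$key]); // lifetime elapsed
        }

        if ($score < $this->threshold) {
            $this->requiredUntil[$key] = $now + $this->lifetime;
            return true;
        }
        return false;
    }
}

// Constructed sample: threshold 0.5, lifetime 900 s, documentation-range IP addresses.
$gate = new VerificationGate(0.5, 900, 'constructed-salt');
$t = 1_700_000_000;
var_dump($gate->requiresCode('203.0.113.7', 0.4, $t));        // first attempt, low score
var_dump($gate->requiresCode('203.0.113.7', 0.6, $t + 30));   // retry with a passing score
var_dump($gate->requiresCode('198.51.100.9', 0.6, $t + 30));  // different IP, passing score
var_dump($gate->requiresCode('203.0.113.7', 0.6, $t + 901));  // same IP after the lifetime
```

In a WordPress plugin the in-memory array would be replaced by persistent storage with expiry, such as transients.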