I think there’s an important bug with the implementation of …

By 19th April 2024 Uncategorised

Comment on Google ReCaptcha For Secure WordPress Login and To Block Comment SPAM by Daniel Howard.

I think there’s an important bug with the implementation of recaptcha on logins (in version 5.1.0)

If you submit the wrong password and ignore the recaptcha, the error message returned is ‘The password you entered for the username X is incorrect.’
If you submit the right password and ignore the recaptcha, the error message returned is ‘Whoops. Google reCAPTCHA was not submitted.’

This means the recaptcha is completely useless. An attacker can ignore the recaptcha while brute forcing, and detect they have discovered the right password from the error message.

The recaptcha value must be checked before the password is considered for this to be any use.

Daniel Howard Also Commented

Google ReCaptcha For Secure WordPress Login and To Block Comment SPAM
Thanks for the reply Paul. I would suggest that the error message is changed to say the same thing in all cases. ‘Login failed’ or something equally generic. Then the attacker doesn’t know if the captcha was wrong, the username was wrong or the password was wrong.
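The two comments above describe one fix in two parts: verify the reCAPTCHA response before WordPress ever compares the password, and return the same generic message whether the captcha, the username or the password was wrong. The following is an added illustration of that ordering as a WordPress `authenticate` filter; it is example code written for this page, not the plugin's own implementation, and the function names, the `EXAMPLE_RECAPTCHA_SECRET` constant and the "Login failed." wording are assumptions. It relies on the fact that core's `wp_authenticate_username_password()` runs on `authenticate` at priority 20, so a callback at priority 10 runs first.

```php
<?php
/**
 * Added example (not the plugin's code): verify reCAPTCHA BEFORE the password.
 *
 * Hooked to 'authenticate' at priority 10, ahead of WordPress core's
 * wp_authenticate_username_password() at priority 20. Returning a WP_Error
 * here short-circuits the chain, so the stored password hash is never
 * consulted when the captcha is missing or invalid.
 */
function example_recaptcha_before_password( $user, $username, $password ) {
    // Only gate interactive form submissions; wp-login.php also calls
    // wp_signon() with empty credentials on a plain GET, which we leave alone.
    if ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return $user;
    }

    // One message for every failure: the caller cannot tell captcha,
    // username and password failures apart.
    $generic = new WP_Error( 'login_failed', __( 'Login failed.' ) );

    $token = isset( $_POST['g-recaptcha-response'] ) ? (string) $_POST['g-recaptcha-response'] : '';
    if ( '' === $token ) {
        return $generic;
    }

    // EXAMPLE_RECAPTCHA_SECRET is an assumed constant (e.g. set in wp-config.php).
    if ( ! defined( 'EXAMPLE_RECAPTCHA_SECRET' ) ) {
        return $generic; // misconfiguration fails closed rather than open
    }

    $response = wp_remote_post(
        'https://www.google.com/recaptcha/api/siteverify',
        array(
            'timeout' => 5,
            'body'    => array(
                'secret'   => EXAMPLE_RECAPTCHA_SECRET,
                'response' => $token,
                'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
            ),
        )
    );

    // A verification outage must not become a bypass: fail closed.
    if ( is_wp_error( $response ) ) {
        return $generic;
    }

    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $result['success'] ) ) {
        return $generic;
    }

    // Captcha verified: let core's password check run at priority 20.
    return $user;
}
add_filter( 'authenticate', 'example_recaptcha_before_password', 10, 3 );

/**
 * After core has run, collapse its distinct errors (invalid_username,
 * incorrect_password, invalid_email, ...) into the same generic message,
 * so a wrong password and an unknown username look identical to the client.
 * Priority 100 places it after core's spam check at priority 99.
 */
function example_generic_login_error( $user ) {
    if ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return $user;
    }
    if ( is_wp_error( $user ) ) {
        return new WP_Error( 'login_failed', __( 'Login failed.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'example_generic_login_error', 100, 1 );
```

The ordering is the whole point: with the captcha checked first, an attacker who omits the `g-recaptcha-response` field gets the same "Login failed." response for every password tried, so the login form no longer acts as a password oracle. Keep the rejected credentials out of any log line that is exposed to the same client, and note that this example covers the wp-login.php form only; XML-RPC and the REST API have their own authentication paths that a captcha on the form does not protect.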

