JTC CAPTCHA value is not correct – Cache problem


This topic contains 3 replies, has 2 voices, and was last updated by  private_team_A 12 hours, 37 minutes ago.

  • #36024

    private_team_A
    Participant

    Hi,

    We found a small issue with captcha. We changed it in the backend but thanks to cache, no one can log in as the captcha shown in the front end is not matching the saved value in the database. E.g.: on hover, old captcha value is shown.

    The cache in question is:

    1. Sucuri firewall cache

    2. Hosting’s varnish cache

    3. W3TC is not yet active. We will use redis for page, database and object cache.

    Naturally, we tried to purge Varnish + Sucuri WAF but this is taking time to reflect instantly as there is a CDN involved.

    Hence our questions:

    1. Can you please help us identify where in the database we can switch off the captcha feature?

    2. Where in the database can we find the real captcha value so that we can enter the right one?

    3. Can you maybe update your setup-script to add a strict no-cache directive to the captcha?

    4. Anything else you might want to add to help us resolve this issue? We are not the professional tech guys 🙂

    5. In the future, do you plan to integrate google captcha or would you recommend we use another plugin to do that and we switch off your captcha? We won’t do it but just wanted to know for the sake of options.

    6. Can this conflict with your captcha system? https://wordpress.org/plugins/mailster-recaptcha/

    We use the Mailster plugin.

    Thanks a lot for your kind advice and time.

    Best Regards,

    Team A

    #36025

    private_team_A
    Participant

    UPDATE: I managed to disable JTC using “https://forum.ait-pro.com/forums/topic/xternal-tools-xtf-guide/”. However, the issue remains for others who did not manage to bypass JTC by reading the link 😉 I can at least keep working on the site until we resolve this 🙂

    Hence, the only thing that remains is to permanently resolve the issue by ensuring cache + CDN compatibility. It would be nice to hear your reply about the previous points anyway for our internal KB and future troubleshooting 🙂

    Have a nice Sunday.

    Best Regards,

    Team A

    #36026

    AITpro Admin
    Keymaster

    For now, turn off JTC by unchecking the Form checkboxes until you fix the cache problem by excluding pages that should never be cached. See explanation below.

    You should never cache your Login or Registration or Contact Form pages for any reason. You should actually never cache any pages with Forms on them. You should also never cache your WordPress wp-admin backend area. So you should correct the cache problem by excluding any pages that have Forms on them > Login page, Registration page, Contact Form page, Store pages, etc. All caching plugins should have option settings to exclude individual website pages/posts from being cached.

    JTC has been working perfectly for many years at blocking 100% of all spambots and hackerbots so we do not plan on changing anything or adding anything additional to JTC, such as Google ReCaptcha.

    All BPS features can be turned On or Off individually.  So if you choose to use another CAPTCHA plugin then turn JTC off.
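
One way to check that login and form pages really bypass Varnish and the CDN, as the reply above advises, is to audit their response headers. This is an added example, not code from BulletProof Security or from anyone in this thread; the function names, the `FORM_PAGES` list and the sample responses are assumptions made for illustration.

```python
import re
# Paths that must bypass shared caches: WordPress login/registration, wp-admin,
# plus FORM_PAGES, a constructed list to replace with your own form URLs.
FORM_PAGES = ("/contact/", "/checkout/")
SENSITIVE = re.compile(r"^/(wp-login\.php|wp-admin(/|$))")

def parse_headers(raw):
    """Parse a raw response header block into a dict with lowercase names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def must_not_cache(path):
    return bool(SENSITIVE.match(path)) or path.startswith(FORM_PAGES)

def audit(path, raw):
    """Return findings for one response; an empty list means it looks uncached."""
    if not must_not_cache(path):
        return []
    h, findings = parse_headers(raw), []
    cc = {d.strip().split("=")[0].lower() for d in h.get("cache-control", "").split(",")}
    if not cc & {"no-store", "private", "no-cache"}:
        findings.append("Cache-Control lacks no-store/private/no-cache")
    age = h.get("age", "0")
    if age.isdigit() and int(age) > 0:
        findings.append("served from a cache (Age: %s)" % age)
    # Varnish puts two transaction IDs in X-Varnish when it answers from cache.
    if len(h.get("x-varnish", "").split()) == 2:
        findings.append("Varnish cache hit (two IDs in X-Varnish)")
    # Many CDNs and WAFs report hits in a header whose name ends in "cache".
    for name, value in h.items():
        if name.endswith("cache") and value.upper().startswith("HIT"):
            findings.append("cache hit reported in %s" % name)
    return findings

# Constructed sample responses, not captured from any real site.
CACHED_LOGIN = """HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Age: 512
X-Varnish: 32770 98411
X-Cache: HIT"""
FRESH_LOGIN = """HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
X-Varnish: 32791
X-Cache: MISS"""
print(audit("/wp-login.php", CACHED_LOGIN))
```

Feed it the header block of each form page as fetched through the CDN; any finding means that page still needs an exclusion rule in the cache layer that reported the hit.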

    #36126

    private_team_A
    Participant

    Hi,

    A quick update to help anyone who might face a similar issue.

    We identified the issue as nothing to do with cache. In the backend, there is a field where display value for the captcha can be entered. Whatever is input here is displayed in the frontend IRRESPECTIVE of the captcha value.

    On changing the captcha value, this field needs a manual update, which we missed as someone had thought that updating the captcha will automatically update the value to display.

    We do not want any change as this can be used to fool hackers by entering a wrong front end value while the secret value is known only to the real admins, hence making this a 2nd password equivalent.

    We decided not to use google captcha since you have so much confidence and your past records are satisfactory to help stick to your solution.

    Cheers.

    Best Regards,

    Team A
