Elementor Pro Login – JTC Anti-Spam

[Petrus]

We have created beautiful wordpress login pages using elementor pro.

How can we add the JTC Anti Spam block code so it shows up on the elementor login pages as well?

[AITpro Admin]

We received your email and are checking the frontend of your websites now for any issues or problems. I will post a forum reply once I have checked all of your websites.  Do you have a Network|Multisite Subdomain installation of WordPress?

[Petrus]

We have WordPress installed on subdomains only… It’s our test environment….

No Multisite installations. Not sure what a Network site is but pretty sure ours is not that. We run standalone sites.

[AITpro Admin]

Your Elementor Custom Login page does not appear to contain the standard WordPress Login Hooks (wp_authenticate_user and/or authenticate) that BPS Pro JTC requires in order to hook into and load BPS Pro JTC. BPS Pro JTC loads the JTC form text box on the standard WordPress Login page by hooking into the standard WordPress Login page hooks. Unfortunately, the means that JTC cannot load on your Custom Elementor Login page since Elementor does not include the standard WordPress Login page Hooks. Elementor does offer Google ReCaptcha for contact form pages, but it appears that Elementor does not offer a Captcha for Login pages yet. Please contact Elementor to get a status update and see when they will be adding a Captcha feature for their Custom Login pages.

Additional issues/problems not related to BPS Pro:
####################################
You are caching your Custom Login page and minifying HTML, js and CSS scripts on your Custom Login page.
Login pages have Forms. Any website pages that have Forms on them should NEVER be cached or minified.
Most if not all plugins and themes that use caching and minification have option settings to exclude pages that should not be cached or minified.
You will need to find the option setting in Elementor for excluding your Custom Login page URI: /twk-login/ from being cached and minified.

There are 3 folders shown below that are related to Elementor that are generating the javascript errors below. The most likely cause of these errors is that you are minifying/compressing/combining js scripts. js minification/compression/combining is known to break js scripts.
Recommendation: Do not minify/compress/combine js scripts. You would find the option setting in either your Elementor plugin or other plugin that is minifying/compressing/combining js scripts.

/wk-apps/
/wk-data/
/wk-media/

Uncaught (in promise) SyntaxError: Unexpected end of JSON input
at JSON.parse (<anonymous>)
at s (content.js:17)
at o (content.js:17)
at b (content.js:17)
at Array.forEach (<anonymous>)
at u (content.js:89)
at content.js:89
at content.js:89
db0a5387_5ee9a58aa28180e853cf2ffc5287df2c.js:64 -1
3biblecollege.pkvstagingserver.com/:1

Uncaught SyntaxError: Unexpected end of JSON input
at JSON.parse (<anonymous>)
at Function.n.parseJSON (db0a5387_5ee9a58aa28180e853cf2ffc5287df2c.js:5)
at cffCreateComments (db0a5387_aaa4cdcef80f719ae3f269aba0875e6c.js:1789)
at Object.success (db0a5387_aaa4cdcef80f719ae3f269aba0875e6c.js:1638)
at i (db0a5387_5ee9a58aa28180e853cf2ffc5287df2c.js:3)
at Object.fireWith [as resolveWith] (db0a5387_5ee9a58aa28180e853cf2ffc5287df2c.js:3)
at x (db0a5387_5ee9a58aa28180e853cf2ffc5287df2c.js:5)
at XMLHttpRequest.c (db0a5387_5ee9a58aa28180e853cf2ffc5287df2c.js:5)

[AITpro Admin]

I just noticed on your other 2 sites (and maybe the biblecollege subdomain site too – cannot be sure due to js minification) that you are using the Theme My Login page plugin, which does include a Captcha feature, but the same problem may occur with the TML plugin if it also requires the standard WordPress Login page Hooks in order to load a Captcha Form Field.

[Petrus]

ISSUE 1
Sorry if this sounds like a silly question, but do you perhaps know how to add WordPress Login Hooks to elementor? We’re definitely not expert developers but we’re prepared to try if you can tell us how please?

ISSUE 2
We use WP Hide & Security Enhancer PRO to hide and protect our WordPress installation. But we do not need to use this anymore as Bulletproof Security Pro is better right? I can then disable it? Less plugins means faster system and all that lol
WP Hide was used for the folders below:
/wk-apps/
/wk-data/
/wk-media/

We use WP Rocket, and yes it does minify but it is turned off. I suspect that WP Hide did some minification as well, but now it is turned off.

Issue 3
We’re pretty new to WP security, and this is our first day using BPS. Is there a way we can test (maybe with a online tool) that we’ve done everything right and that the site is secure?

Question
If we clone the site (due to migration to a new domain), can we just activate BPS with a new key or do we have to remove the plugin, install, activate and configure again?

Thanks for the awesome support!!!

[Petrus]

Yes, we use Theme My Login to force the site to use our Elementor login page we created.
Can give you admin access if you want to take a peek?

We have 3 sites
church.pkvstagingserver.com
biblecollege.pkvstagingserver.com
schooltest.pkvstagingserver.com

church.pkvstagingserver.com has the most plugins/software, so if we can make everything work there, and I know what goes where, I can reproduce to all other sites.

[Petrus]

FYI
WP Hide & Security Enhancer PRO was minifying, its disabled on all 3 sites now

[AITpro Admin]

Adding WordPress Hooks to the Elementor code is something that the Elementor plugin creators would have to do. It would be very complex and extensive to do that coding work. Another possibility, assuming that Elementor has chosen to create their own Login Form/page hooks instead of using the standard WordPress Login page hooks, would be to create additional code in BPS Pro JTC that uses the Elementor custom Login page hooks. We did that for WooCommerce and the Devs would most likely due that for Elementor since Elementor is a very popular plugin used by many people.  We would need to know what the Elementor custom Login page hooks are in order to add them into BPS Pro JTC code.  I have created a work ticket for the Devs to look into that possibility.

Hiding WordPress is actually not really possible to do.  You can obfuscate that you have a WordPress website, but that will only fool humans and not bots. 99% of all hacking and spamming is done using automated bots. 😉

The general rules for caching and js minification are these:
Never cache any website pages that have Forms on them. Most if not all caching plugins include option settings to exclude individual website pages.
Never use js minification for any reason since there is a 90% chance that js minification is going to break something in one or more of your plugins. 😉

BPS Pro is designed using a “no news is good news” concept. If BPS Pro detects a problem you will either see an error message displayed in your WordPress Dashboard or you will receive an email alert. If you are not seeing any BPS Pro alerts then everything is setup and working fine. Note: If BPS Pro is blocking something it should not be blocking then that problem will be logged in the BPS Pro Security Log. If you would like for us to check any/all of your websites to make sure everything is working fine then you can send us a WordPress Administrator login to that website and we will login and check everything. Email:  info at ait-pro dot com.

Migrating/moving/cloning websites > https://forum.ait-pro.com/forums/topic/migrating-moving-or-cloning-websites/#post-20407
Yes, you would just request a new BPS Pro Activation Key after you have migrated/moved/cloned your site. Website migration requires some BPS Pro prep work in order to avoid any issues or problems. See the link above.

[AITpro Admin]

Yes, send a WordPress Administrator login for this website: church.pkvstagingserver.com. I am curious to see if the Theme My Login plugin Captcha feature will work with an Elementor Custom login page.

[Petrus]

Would appreciate if you could check my bps settings to make sure everything is bolted down as tight as possible.

Quick Q
On schooltest we have to disable JTC permanently, because we have a student app that connects to the site to log in, and it’s incapable of showing the JTC part. This will not affect the site too much right? I mean, we would still be save and secure?

[AITpro Admin]

Yikes, you posted the login info in the forum, which I deleted immediately. Posting login info is not safe to do publicly. In the future only send login info to us directly via email.  Email: info at ait-pro dot com.

[Petrus]

haha sorry will remember for next time.

[AITpro Admin]

Theme My Login no longer offers a Captcha in the free version of the TML plugin. You have to buy extensions to get either a Captcha extension or a 2FA – 2 Factor Authentication extension for your TML/Elementor Custom Login page. So you would either need to buy one of these TML extensions to secure your login page or contact Elementor to see if they now offer a security/captcha feature or we would need to know the custom login page hooks that Elementor has created instead of using the standard WordPress Login page hooks so that we can create a custom coding solution just for Elementor (this would take at least 1 month to create in BPS Pro).

I logged into the church.pkvstagingserver.com site and and did all of these things below and everything is working fine. I personally recommend that you use WP Rocket for your caching plugin. It is a great caching plugin. The BPS Pro Setup Wizard includes AutoSetup for the WP Rocket plugin. So after you enable and setup the WP Rocket plugin rerun the BPS Pro Pre-Installation Wizard and Setup Wizard so that BPS Pro can do the AutoSetup for WP Rocket.

After deactivating the WP Hide & Security Enhancer PRO plugin on your sites you need to rerun the BPS Pro Pre-Installation and Setup Wizards again.
Next go to the BPS Pro > B-Core > htaccess File Editor tab page and click the Lock htaccess File and Turn On AutoLock buttons.

Next clear all plugin cache (wp-admin Tool Bar cache menus). Note: You should only use 1 caching plugin on a website. Currently you are using WP-Optimize Premium – Clean, Compress, Cache.
If you want to use WP Rocket instead then you would need to either deactivate WP-Optimize or only use the features in WP-Optimize that do not do anything with caching. If you use more than 1 plugin to handle caching your are guaranteed to run into problems.

Next go to the BPS Pro > Plugin Firewall > click the Test Mode button > visit all of the main pages of your websites.
Wait 5 minutes and then go back to the BPS Pro Plugin Firewall page/section.
Click the Plugin Firewall AutoPilot accordion tab.
Change the AutoPilot Mode Cron Check Frequency to 10 minutes.
Click the Save AutoPilot Options button and then click the Plugin Firewall Activate button.
Note: Since you were previously using the WP Hide plugin then BPS Pro Plugin Firewall AutoPilot Mode was not able to automatically create Plugin Firewall whitelist rules.
So it is necessary to force this process by using the Plugin Firewall Test Mode feature.

To fix the Jetpack Uptime Monitor problem do the steps below:
1. Copy the code below into this BPS Root Custom Code text box: 9. CUSTOM CODE REQUEST METHODS FILTERED
2. Click the Encrypt htaccess Code button. Your host server has ModSecurity installed which blocks saving BPS Custom Code unless it is encrypted before saving it.
3. Click the Save Root Custom Code button.
4. Go to the Security Modes tab page and click the Root Folder BulletProof Mode Activate button.

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

Procedural Recommendations:
You can turn off Security Log alerts. Typically you only need to have Security Log alerts turned on during first time installations of BPS Pro.
To turn off Security Log alerts go to the BPS Pro > S-Monitor page > Security Log: New Log Entry Has Been Logged Alerts option > change to Turn Off Displayed Alerts > click the Save Options button.

[Petrus]

Thank you for the outstanding support.

I will do everything you said on the other two sites.

For info, yes I have WP-Optimize but use it for database only, no chaching.

Very happy customer, I will be telling everyone about the awesome support and great customer experience. Some of the best I have ever had!

[Author]

Posts