[BetoPho] reCaptcha v3 Login Integration
 

There are several requests to make this around the forum, so I guess I would contribute one.

Product Information
Provide reCaptcha intergration for vBulletin 4's login process that can check for bots or unsafe traffics using Google's famous reCaptcha engine.

Main Features

• Ultilizing reCaptcha v3 advantages: invisible checks that can determine how safe a user/traffic is, from very likely human to very likely bot, using reCaptcha's 'score' system.
• Performing specific actions to unsafe users/traffics, reject the login or redirect to another URL.
• Bad traffic users captured by the product will just be displayed with an invalid login screen.
• Ability to exclude users that won't be checked by reCaptcha.
• Lightweight and easy to configure.
• Simple installation: Install - Get reCaptcha keys - Configure the action - Done.

Future Versions Planning

• Expanding integration with other forum sections, like thread/post posting, PM, album, etc.
• Expanding integration with other activities, like register, search, page viewing, etc.
• Combining suport with reCaptcha v2, adding additional layer of human verification, for example, only when reCaptcha v3 detected likely unsafe traffic, verification form from v2 will show for the user to verify.
• Admincp Dashboard to view all failed login attemps captured by reCaptcha.
• Support for vBulletin 3 & 5.
• You name it.

Details

• Files upload: none
• Plugins: 6
• Templates: 3 (2 templates, 1 CSS template)
• Phrases: 2

Instructions

1. (Preparation) Have your reCaptcha v3 keys ready first. reCaptcha homepage.
2. Import the product XML file using Product section.
3. Go to Options > [BetoPho] reCaptcha Integration.
4. Insert the keys first (this product won't work without the keys).
5. Configure and start using.

Additional Instructions

1. To check if automatic template works, after putting the keys and configuring everything, view the homepage source (with the login form) as a Guest user and search for this code:
   
   HTML Code:

   ---

   <input type="hidden" name="btp_rcaptcha_response" id="btp_rcaptcha_input">

   ---

   If found, it's good. If not found, it means you are using modified templates/style.
2. In case it's not found, modify the template with the login form (usually 'header' template, might be other one depends on your style), search for the login form:
   
   HTML Code:

   ---

   action="login.php?do=login"

   ---

   When found, insert the product code in the #1 section into anywhere inside of the form. For example, it will look like this:
   
   Code:

   ---

   <form id="navbar_loginform" action="login.php?do=login" method="post" (other codes...)>
...
<input type="hidden" name="btp_rcaptcha_response" id="btp_rcaptcha_input">
...
</form>

   ---

   Then it will work.

Let me know if you have any questions or suggestions.
Thank you :)

Changelog
1.0.0 - Jul 05 2019

• Initial Release

1.1.0 - Jul 07 2019

• Fix Admincp/Modcp locked out issue
• Cleaning up codes and preparation for additional features

Thanks! Been waiting for this!

D

Thanks!!

I am having an issue with this installed now.

My admincp login doesn't work anymore and I am locked out of my site.

Any idea how I can manually revert the plug-in?

D

You can edit config.php, add this line to globally disabling all plugins:

After that, login into your Admincp, please whitelist yourself by putting your user ID into the Excluded users field. Then remove that line again to re-enable the plugins.

Can you let me know on which steps you did that made you being locked out of the Admincp?

Thanks,

I was able to disable the plugins, disable, and got the site back to normal.

All I did was add the plug-in, then whenever I tried to log in to adminCP it wouldn't accept my password and it locked my account out from number of failed attempts.

No matter what I did, it wouldn't let me log in.

Question: What I am not understanding is how your implementation is intended to work. it doesn't add itself as a human verification for registration?

D

You can download the latest version, v1.1.0 and update the product, it will fix the issue.

The main concept of this product is to prevent brute force password attack and any kind of non-human automatically trying to login via the HTML form.

Currently, vBulletin's Human Verification system only supports these type of actions: Register, Post, Search, Contact Us, and Recover Lost Password. So there won't be a way to hook Login action using vBulletin hook system.

For your question, here is the full process of how this product works:

1. User logging in;
2. The product captures reCaptcha check value from the login form and send to Google server;
3. Google checks and return the 'score' value to the product;
4. If the score is less than the defined 'human' score, we assume this is either not human or an unsafe traffic;
5. Do the provided actions (eg. redirect them to another URL).

So when the user is treated like a bot, even if the username/password combination is correct, their login will be rejected and being sent to another URL (if you choose that), making the board a little bit safer.

Thanks for the explanation.

I like what you did.

I will try the updated version later this week when I can make sure I have time to test.

Much appreciated.

D

I just installed it this morning. Trying about everything I can. My forum has been running for well over 10 years and though I've had the occasional registration spam, it exploded about 2 3 days ago and I've had well over a thousand since them. Hope this helps.

I have this installed. I checked the code from the registration page and it is indeed present.

My question is how do I set the "Human Verification Settings" under Options in the control panel. I I select "ReCaptcha", it shows my KEYS but when I try to register, it says "Image not Selected Properly" or so something like that. Do I just turn off all verification under Options?

The product currently does not integrate with vBulletin native Human Verification system, as the system doesn't support Captcha check for login.

For now, the product is intended to prevent bot logins, which could partly solve the issues you're having, since it's no use for bots to just registered but unable to post. I will add integration support to vBulletin Human Verification system on another future version.

I understand. So should I turn off all the native Human Verification settings or does this not interfere with it?

You don't have to turn it off, this product will work safely together with vBulletin native verification system :)

Thanks. I have it installed but honestly don't know if it's doing anything or not. If it is supposed to stop spam registrations, it doesn't seem to help much. Will give it a few days.

One more question. Hopefully the last for now. How do I get rid of the Captcha banner? I deleted it hide it but it still shows up. It adds text to the footer but doesn't get rid of the blue graphics at the bottom right of the forum.

By default if you choose 'Yes' in the 'Hide reCaptcha badge', the badge will hide, but then the footer text will show due to Google policy on reCaptcha v3. Then you can manually remove the footer text by edit the 'btp_rcaptcha_notice' template.

The footer text is to ensure the site complies with Google policy as I've heard of them devalidating a site because of missing both the badge + footer text. You might hide both at your own risk.

I understand how it's supposed to work. What I'm saying though is that the captcha badge doesn't go away regardless of being checked to hide it or not. Hiding it DOES add the text to the footer, which I have no problem with. But the badge remains. That is what I want to get rid of.

This plugin does not prevent spam registration but only posting spambots.

Just installed by downloading from here. Got locked out :(

In the login_failure/login_verify_success hook, you should use these variables instead of hardcoded admincp/modcp:

$config['Misc']['admincpdir']
$config['Misc']['modcpdir']

Thank you. I actually modified that already and will be included in the upcoming release :)

The latest version 1.1.0 locked me out of my administration panel with the error Parse error: syntax error, unexpected T_BOOLEAN_AND, expecting ')' in public_html/forum/includes/functions_login.php(203) : eval()'d code on line 1
Unable to add cookies, header already sent.
File: public_html/forum/includes/functions_login.php(203) : eval()'d code
Line: 1

Can you modify this plugin and make it to verify Private Message action instead of login? I understand the new functionality will become available in future iterations but I desperately need a captcha method to counter Private Message Spam

I had to remove this. It created a problem where people couldn't login to the site except at the upper right corner, nabber. Anytime there was as login page such as somebody trying to reset their password or whatever, it gave a username/passeword not recognized error.

Hi Betopho,
- do you plan to release an upgrade version to get us replace the deprecated reCaptcha v1 of vbulletin4 ?
- if yes, will there be an option to just use it on, let say, register only, and not enable your native login protection feature ?

I get an error

'input is null'

in

<script>
grecaptcha.ready(function() {
grecaptcha.execute("6Len8bMUAAAAAHw9MGP3IRwSY5xeWq b76uxjAiTi", {action: "login"}).then(function(token) {
let input = document.getElementById("btp_rcaptcha_input");
input.value = token;
});
});
</script>

Very very interested in this being able to replace the now depreciated v1 across the board in VB.
Can you also add a protected user group option?

Is there an update to this plugin?

Been getting hammered with registrations of late. Went ahead and installed. Locked out of ACP. Had to disable plugins, and disable this... To nandthis had promise... Willing to pay someone to fully develop it to where it replaces the entire now defunct captchya system

Hello,

When you add "Expanding integration with other activities, like register, search, page viewing, etc" ? Because spammers use registration page and hundres mails send from servers many times. I'm using Verify Mail Before Register mod, spammers always use this section. We are waiting integration from you.

Regards

Hiding the badge didn't work for me but I solved it by adding this line:

.grecaptcha-badge { visibility: hidden; }

to the additional.css template

Please change "Supported" to "Not Supported"...

Just got this installed, any options that need to be set to default in the Human Verification Manager or does it just override whatever option is picked?

Human Verification Manager > enter Key and Secret Key

That's not where you put it first of all... secondly after installation, this recaptcha v3 doesn't show in the HVM. What you see below are from different addons.


https://i.imgur.com/KAlvwAS.png

Use fix version https://www.mediafire.com/file/wifs2..._eska.zip/file

I can`t upload attach in message. Forum have a bug in "newthread"

Thanks for that but what you uploaded appears to be a mod for vb3 & not vb4 and not at all related to this one. Aside from the vbulletin versions being vastly different, it appears to be from eska and not in english, which my forum is installed with. So I do appreciate the attempt for help, thank you for trying.