Commit 19134115 authored by lechuck's avatar lechuck Committed by lucha

Added new version or wp recaptcha tha tdoes not break BP

parent 87987b67
Copyright (c) 2008 reCAPTCHA --
Mike Crawford
Ben Maurer
Jorge Peña
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
This just takes wp-recaptcha and adds a few callbacks to make it work with
You only need this plugin if you use Buddypress with wordpress and want a
recaptcha at the registration page.
The patch to do this on top of wp-recaptcha is **VERY simple**.
As google is the owner of wp-recaptcha, it is expected to be always up to date.
And as the patch to add Buddypress is very simple, updating the wp-recaptcha
plugin version this is based on is expected to be very simple.
With some luck, this plugin won't be needed in the future. A bug has been opened
to Buddypress here [#]_ to fix it. And they plan to do something in the future, as
that bug says. Also, a bug to meanwhile make wp-recaptcha work with BuddyPress
has been openeded here [#]_ too.
.. [#]
.. [#]
Version of wp-recaptcha it is based
Currently is based on wp-recaptcha 4.1.
See it live!
You can see this plugin in a site using buddypress here [#]_. If you go to "join",
you will see the recaptcha there.
.. [#]
Bugs and patches
Please submit bugs and patches via github, on
=== Plugin Name ===
Contributors: elrata_
Tags: comments, registration, recaptcha, antispam, captcha, buddypress
Requires at least: 2.7
Tested up to: 4.3.0
Stable tag: 4.1
Integrates reCAPTCHA anti-spam methods with WordPress sites using BuddyPress plugin, including comment and registration spam protection.
== Description ==
This is a small modification of the wp-recaptcha plugin to make it work with
BuddyPress. Currently uses recaptcha v2 (the last one).
You only need this plugin if you use Buddypress with wordpress and want a
recaptcha at the registration page.
It is always rebased on top of wp-recaptcha. See for more info
What is reCAPTCHA?
reCAPTCHA is a free CAPTCHA service that protects your site against spam, malicious registrations and other forms of attacks where computers try to disguise themselves as a human; a CAPTCHA is a Completely Automated Public Turing test to tell Computers and Human Apart. reCAPTCHA comes in the form of a widget that you can easily add to your blog, forum, registration form, etc.
In addition to protecting your site, reCAPTCHA also helps us digitize old books and newspapers, transcribe street numbers and solve hard AI problems. [Learn how reCAPTCHA works]( and join our [forum](!forum/recaptcha).
== Installation ==
To install in regular WordPress and [WordPress MultiSite](
1. Upload the `wp-recaptcha` folder to the `/wp-content/plugins/` directory
2. Activate the plugin through the `Plugins` menu in WordPress
3. Get the reCAPTCHA keys [here](
== Requirements ==
* You need the reCAPTCHA keys [here](
* Your theme must have a `do_action('comment_form', $post->ID);` call right before the end of your form (*Right before the closing form tag*). Most themes do.
== ChangeLog ==
= Version 4.0
* Upgrade to reCAPTCHA V2.
* Increase supported languages to 40+.
= Version 3.2
* Transferred ownership back to Google
= Version 3.1.6 =
* WordPress MS fixes. Should now work out of the box at the individual blog level. Thanks to [huyz](
* NOTICE: If anyone is interested in taking up development of this plugin, please contact me at
= Version 3.1.5 =
* Thanks to [Ken Newman]( for these changes
* Update author website
* Stop generating javascript errors on unnecessary pages
* Better SSL support
= Version 3.1.4 =
* Fixed an XSS vulnerability
= Version 3.1.3 =
* Added a collision aversion prefix to the Plugin class. bbouton from github alerted me to a collision between WP-reCAPTCHA's plugin class and the JW Player Plugin's Plugin class.
= Version 3.1.2 =
* Fixed option migration. The plugin was actually written to be made to import the old options, but the hook that functionality was registered to does not fire when the wordpress interface updates a plugin, only when a plugin is updated manually. Now the plugin will import or register default options as long as the options don't already exist.
* Fixed a case where recaptcha theme would not change. This happened because of the above problem, creating a situation in which the tab index field could be empty, and being empty this then caused a problem with the recaptcha options when they were output to the page. If you're running version 3.0 of the plugin, go ahead and add a number to the tab index (e.g. 5 for comments, 30 for registration), if not, this plugin should automatically fix it next time you change save the settings.
* Modified the options page submit buttons to more explicitly show that they are specific to their own respective sections, that is, one button ONLY saves the changes for one reCAPTCHA, and the other ONLY saves the changes for MailHide.
= Version 3.0 =
* Rewrote the entire plugin in an object-oriented manner with separation of concerns in mind to increase maintainability and extensibility
* Implemented the ability to import the options from the option set of older versions of the plugin, such as and less
* Redesigned the options page for the plugin, now using newer wordpress options/form functionality with support for input-validation
* Options for recaptcha and mailhide are independent of each other
* Added support for localization, using gettext
* Fixed the issue where comments would not be saved if the reCAPTCHA was entered incorrectly (or not entered at all). requires javascript
* Fixed an issue where saved comments (from bad reCAPTCHA response) would replace double quotes with backslashes
* Fixed an issue in wordpress 3 and above in which mailhide would not work due to interference with a new filter, make_clickable, which auto-links emails and URLs
* Fixed a role-check issue in wordpress 3 and above. level_10 (and all levels for that matter) have been deprecated. now using activate_plugins instead.
= Version =
* Fixed a bug with WordPress 3.0 Multi-Site
= Version 2.9.8 =
* Added support for WordPress 3.0 Multi-Site thanks to Tom Lynch
= Version 2.9.7 =
* Fixed a relatively new [critical bug]( which marked new comments as spam regardless of reCAPTCHA response
= Version 2.9.6 =
* Fixed a careless bug affecting custom hidden emails
* Fixed broken links in readme.txt
= Version 2.9.5 =
* Added flexibility to the enabling of MailHide. Can now separately choose to enable/disable MailHide for posts/pages, comments, RSS feed of posts/pages, and RSS feed of comments
* Fixed an ['endless redirection' bug]( "endless redirection in wp-reCAPTCHA options form") thanks to Edilton Siqueira
* Fixed a bug in WPMU where wp-admin/user-new.php kept trying to validate the user registration with reCAPTCHA information despite not having shown the reCAPTCHA form, thanks to [Daniel Collis-Puro]( "Weblogs at Harvard Law School") for letting me know
* Added a line break after the reCAPTCHA form to add some padding space between it and the submit button. Due to [popular demand]( "Adding space between reCAPTCHA and the comment Submit Button on WordPress")
* Fixed a validation problem where a style attribute was missing. Thanks to [nv1962]( "nv1962's profile")
* Public and Private keys are now trimmed since they are usually pasted from the recaptcha site, to avoid any careless errors
* Fixed the regular expressions for matching the emails, type emails now work
= Version 2.9.4 =
* Fixed a bug where the comment would not be saved if the CAPTCHA wasn't entered correctly. Thanks to Justin Heideman.
= Version 2.9.3 =
* Fixed the `recaptcha_wp_saved_comment` function. Thanks to Tomi M.
= Version 2.9.2 =
* 'Beautified' the options page.
* Added two options to allow users to enter their own custom error messages. Also good for foreign language support.
* Fixed a conflict bug with the OpenID plugin where the reCAPTCHA form would show under the OpenID section in the registration form.
* Added two new options which allow one to choose the text to be shown for all hidden Emails and/or the title of the link.
* Fixed a 'Could not open socket' error in recaptchalib.php. [Bug ID 26]( "recaptchalib.php: Could not open socket (Fix included)")
* Fixed a WPMU issue where blog registrations weren't possible due to a redirection to the first step in the registration process. Thanks to [Edward]( "Edward").
= Version 2.9.1 =
* Forgot that if you can see emails in their true form, then you shouldn't have to see the [nohide][/nohide] tags either. Fixed.
= Version 2.8.6 =
* Administration interface is now integrated with 2.5's look and feel. Thanks to [Jeremy Clarke]( "Jeremy Clarke").
* Users can now have more control over who sees the reCAPTCHA form and who can see emails in their true form (If MailHide is enabled). Thanks to [Jeremy Clarke]( "Jeremy Clarke").
* Fixed a very stupid (**One character deal**) fatal error on most Windows Servers which don't support short tags (short_open_tag). I'm speaking of the so called 'Unexpected $end' error.
* Accommodated for the fact that in +2.6 the wp-content folder can be anywhere.
== Frequently Asked Questions ==
= HELP, I'm still getting spam! =
There are four common issues that make reCAPTCHA appear to be broken:
1. **Moderation Emails**: reCAPTCHA marks comments as spam, so even though the comments don't actually get posted, you will be notified of what is supposedly new spam. It is recommended to turn off moderation emails with reCAPTCHA.
1. **Akismet Spam Queue**: Again, because reCAPTCHA marks comments with a wrongly entered CAPTCHA as spam, they are added to the spam queue. These comments however weren't posted to the blog so reCAPTCHA is still doing it's job. It is recommended to either ignore the Spam Queue and clear it regularly or disable Akismet completely. reCAPTCHA takes care of all of the spam created by bots, which is the usual type of spam. The only other type of spam that would get through is human spam, where humans are hired to manually solve CAPTCHAs. If you still get spam while only having reCAPTCHA enabled, you could be a victim of the latter practice. If this is the case, then turning on Akismet will most likely solve your problem. Again, just because it shows up in the Spam Queue does NOT mean that spam is being posted to your blog, it's more of a 'comments that have been caught as spam by reCAPTCHA' queue.
1. **Trackbacks and Pingbacks**: reCAPTCHA can't do anything about pingbacks and trackbacks. You can disable pingbacks and trackbacks in Options > Discussion > Allow notifications from other Weblogs (Pingbacks and trackbacks).
1. **Human Spammers**: Believe it or not, there are people who are paid (or maybe slave labor?) to solve CAPTCHAs all over the internet and spam. This is the last and rarest reason for which it might appear that reCAPTCHA is not working, but it does happen. On this plugin's [page]( "WP-reCAPTCHA - Blaenk Denum"), these people sometimes attempt to post spam to try and make it seem as if reCAPTCHA is not working. A combination of reCAPTCHA and Akismet might help to solve this problem, and if spam still gets through for this reason, it would be very minimal and easy to manually take care of.
= Why am I getting Warning: pack() [function.pack]: Type H: illegal hex digit?
You have the keys in the wrong place. Remember, the reCAPTCHA keys are different from the MailHide keys. And the Public keys are different from the Private keys as well. You can't mix them around. Go through your keys and make sure you have them each in the correct box.
= Aren't you increasing the time users spend solving CAPTCHAs by requiring them to type two words instead of one? =
Actually, no. Most CAPTCHAs on the Web ask users to enter strings of random characters, which are slower to type than English words. reCAPTCHA requires no more time to solve than most other CAPTCHAs.
= Are reCAPTCHAs less secure than other CAPTCHAs that use random characters instead of words? =
Because we ask users to enter two words instead of one, we can increase the security of reCAPTCHA against programs that attempt to guess the words using a dictionary. Whenever an IP address fails one reCAPTCHA, we can show them more distorted words, and give them challenges for which we know both words. The probability of randomly guessing both words correctly would be less than one in ten million.
= Are CAPTCHAs secure? I heard spammers are using porn sites to solve them: the CAPTCHAs are sent to a porn site, and the porn site users are asked to solve the CAPTCHA before being able to see a pornographic image. =
CAPTCHAs offer great protection against abuse from automated programs. While it might be the case that some spammers have started using porn sites to attack CAPTCHAs (although there is no recorded evidence of this), the amount of damage this can inflict is tiny (so tiny that we haven't even seen this happen!). Whereas it is trivial to write a bot that abuses an unprotected site millions of times a day, redirecting CAPTCHAs to be solved by humans viewing pornography would only allow spammers to abuse systems a few thousand times per day. The economics of this attack just don't add up: every time a porn site shows a CAPTCHA before a porn image, they risk losing a customer to another site that doesn't do this.
== Screenshots ==
1. The reCAPTCHA Settings
2. Comments page with reCAPTCHA
* This is a PHP library that handles calling reCAPTCHA.
* - Documentation and latest version
* - Get a reCAPTCHA API Key
* - Discussion group
* @link
if (class_exists('ReCAPTCHAPlugin'))
class ReCAPTCHAPlugin extends WPPlugin
private $_saved_error;
private $_reCaptchaLib;
* Php 4 Constructor.
* @param string $options_name
function ReCAPTCHAPlugin($options_name) {
$args = func_get_args();
call_user_func_array(array(&$this, "__construct"), $args);
* Php 5 Constructor.
* @param string $options_name
function __construct($options_name) {
// require the recaptcha library
// register the hooks
function register_actions() {
// load the plugin's textdomain for localization
add_action('init', array(&$this, 'load_textdomain'));
// options
register_activation_hook(WPPlugin::path_to_plugin_directory() .
array(&$this, 'register_default_options'));
add_action('admin_init', array(&$this, 'register_settings_group'));
if ($this->is_multi_blog()) {
add_action('signup_extra_fields', array(&$this,
} else {
add_action('register_form', array(&$this,
add_action('bp_before_registration_submit_buttons', array(&$this,
add_action('bp_signup_validate', array(&$this,
'check_recaptcha_generic'), 0);
add_action('lostpassword_form', array(&$this,
add_action('lostpassword_post', array(&$this,
'check_recaptcha_generic'), 0);
add_action('comment_form', array(&$this, 'show_recaptcha_in_comments'));
// recaptcha comment processing
add_action('wp_head', array(&$this, 'saved_comment'), 0);
add_action('preprocess_comment', array(&$this, 'check_comment'), 0);
add_action('comment_post_redirect', array(&$this, 'relative_redirect'),
0, 2);
// administration (menus, pages, notifications, etc.)
add_filter("plugin_action_links", array(&$this, 'show_settings_link'),
10, 2);
add_action('admin_menu', array(&$this, 'add_settings_page'));
// admin notices
add_action('admin_notices', array(&$this, 'missing_keys_notice'));
function register_filters() {
if ($this->is_multi_blog()) {
array(&$this, 'validate_recaptcha_response_wpmu'));
} else {
add_filter('registration_errors', array(&$this,
function load_textdomain() {
load_plugin_textdomain('recaptcha', false, 'languages');
// set the default options
function register_default_options() {
if ($this->options)
$option_defaults = array();
$old_options = WPPlugin::retrieve_options("recaptcha");
if ($old_options) {
$option_defaults['site_key'] = $old_options['pubkey'];
$option_defaults['secret'] = $old_options['privkey'];
// styling
$option_defaults['recaptcha_language'] = $old_options['re_lang'];
// error handling
$option_defaults['no_response_error'] = $old_options['error_blank'];
} else {
$old_options = WPPlugin::retrieve_options($this->options_name);
if ($old_options) {
$option_defaults['site_key'] = $old_options['public_key'];
$option_defaults['secret'] = $old_options['private_key'];
$option_defaults['comments_theme'] = 'standard';
$option_defaults['recaptcha_language'] = $old_options['recaptcha_language'];
$option_defaults['no_response_error'] = $old_options['no_response_error'];
} else {
$option_defaults['site_key'] = '';
$option_defaults['secret'] = '';
$option_defaults['comments_theme'] = 'standard';
$option_defaults['recaptcha_language'] = 'en';
$option_defaults['no_response_error'] =
'<strong>ERROR</strong>: Please fill in the reCAPTCHA form.';
// add the option based on what environment we're in
WPPlugin::add_options($this->options_name, $option_defaults);
// require the recaptcha library
private function _require_library() {
require_once($this->path_to_plugin_directory() . '/recaptchalib.php');
// register the settings
function register_settings_group() {
register_setting("recaptcha_options_group", 'recaptcha_options',
array(&$this, 'validate_options'));
function keys_missing() {
return (empty($this->options['site_key']) ||
function create_error_notice($message, $anchor = '') {
$options_url = admin_url(
'options-general.php?page=wp-recaptcha-bp/recaptcha.php') . $anchor;
$error_message = sprintf(__($message .
' <a href="%s" title="WP-reCAPTCHA-bp Options">Fix this</a>',
'recaptcha'), $options_url);
echo '<div class="error"><p><strong>' . $error_message .
function missing_keys_notice() {
if ($this->keys_missing()) {
$this->create_error_notice('reCAPTCHA API Keys are missing.');
function validate_dropdown($array, $key, $value) {
if (in_array($value, $array)) {
return $value;
} else { // if not, load the old value
return $this->options[$key];
function validate_options($input) {
// trim the spaces out of the key
$validated['site_key'] = trim($input['site_key']);
$validated['secret'] = trim($input['secret']);
$themes = array ('standard', 'light', 'dark');
$validated['comments_theme'] = $this->validate_dropdown($themes,
'comments_theme', $input['comments_theme']);
$validated['recaptcha_language'] = $input['recaptcha_language'];
$validated['no_response_error'] = $input['no_response_error'];
return $validated;
// display recaptcha
function show_recaptcha_in_registration($errors) {
$escaped_error = htmlentities($_GET['rerror'], ENT_QUOTES);
// if it's for wordpress mu, show the errors
if ($this->is_multi_blog()) {
$error = $errors->get_error_message('captcha');
echo '<label for="verification">Verification:</label>';
echo ($error ? '<p class="error">' . $error . '</p>' : '');
echo $this->get_recaptcha_html();
} else { // for regular wordpress
echo $this->get_recaptcha_html();
function validate_recaptcha_response($errors) {
if (empty($_POST['g-recaptcha-response']) ||
$_POST['g-recaptcha-response'] == '') {
$errors->add('blank_captcha', $this->options['no_response_error']);
return $errors;
if ($this->_reCaptchaLib == null) {
$this->_reCaptchaLib = new ReCaptcha($this->options['secret']);
$response = $this->_reCaptchaLib->verifyResponse(
// response is bad, add incorrect response error
if (!$response->success)
$errors->add('captcha_wrong', $response->error);
return $errors;
function validate_recaptcha_response_wpmu($result) {
if (!$this->is_authority()) {
// blogname in 2.6, blog_id prior to that
// todo: why is this done?
if (isset($_POST['blog_id']) || isset($_POST['blogname']))
return $result;
// no text entered
if (empty($_POST['g-recaptcha-response']) ||
$_POST['g-recaptcha-response'] == '') {
return $result['errors'];
if ($this->_reCaptchaLib == null) {
$this->_reCaptchaLib = new ReCaptcha($this->options['secret']);
$response = $this->_reCaptchaLib->verifyResponse(
// response is bad, add incorrect response error
if (!$response->success) {
$result['errors']->add('captcha_wrong', $response->error);
echo '<div class="error">' . $response->error . '</div>';
return $result;
// utility methods
function hash_comment($id) {
define ("RECAPTCHA_WP_HASH_SALT", "b7e0638d85f5d7f3694f68e944136d62");
if (function_exists('wp_hash'))
return wp_hash(RECAPTCHA_WP_HASH_SALT . $id);
return md5(RECAPTCHA_WP_HASH_SALT . $this->options['secret'] . $id);
function get_recaptcha_html() {
return '<div class="g-recaptcha" data-sitekey="' .
$this->options['site_key'] .
'" data-theme="' . $this->options['comments_theme'] .
'"></div><script type="text/javascript"' .
'src="' .
$this->options['recaptcha_language'] .
function show_recaptcha_in_comments() {
global $user_ID;
//modify the comment form for the reCAPTCHA widget
add_action('wp_footer', array(&$this, 'save_comment_script'));
$comment_string = <<<COMMENT_FORM
<div id="recaptcha-submit-btn-area">&nbsp;</div>
<style type='text/css'>#submit {display:none;}</style>
<input name="submit" type="submit" id="submit-alt" tabindex="6"
value="Submit Comment"/>
$use_ssl = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on");
$escaped_error = htmlentities($_GET['rerror'], ENT_QUOTES);
echo $this->get_recaptcha_html() . $comment_string;
// this is what does the submit-button re-ordering
function save_comment_script() {
$javascript = <<<JS
<script type="text/javascript">
var sub = document.getElementById('submit');
document.getElementById('recaptcha-submit-btn-area').appendChild (sub);
document.getElementById('submit').tabIndex = 6;
if ( typeof _recaptcha_wordpress_savedcomment != 'undefined') {
document.getElementById('comment').value =
echo $javascript;
function check_comment($comment_data) {
global $user_ID;
// do not check trackbacks/pingbacks
if ($comment_data['comment_type'] == '') {
if ($this->_reCaptchaLib == null) {
$this->_reCaptchaLib = new ReCaptcha($this->options['secret']);
$response = $this->_reCaptchaLib->verifyResponse(
if (!$response->success) {
$this->_saved_error = $response->error;
create_function('$a', 'return \'spam\';'));
return $comment_data;
function check_recaptcha_generic() {
global $user_ID;
if ($this->_reCaptchaLib == null) {
$this->_reCaptchaLib = new ReCaptcha($this->options['secret']);
$response = $this->_reCaptchaLib->verifyResponse(
if (!$response->success) {
$this->_saved_error = $response->error;
$error = __('Please check the CAPTCHA code. It\'s not correct.', 'g-recaptcha');
return false;
return true;
function relative_redirect($location, $comment) {
if ($this->_saved_error != '') {
// replace #comment- at the end of $location with #commentform
$location = substr($location, 0, strpos($location, '#')) .
((strpos($location, "?") === false) ? "?" : "&") .
'rcommentid=' . $comment->comment_ID .
'&rerror=' . $this->_saved_error .
'&rchash=' . $this->hash_comment($comment->comment_ID) .
return $location;
function saved_comment() {
if (!is_single() && !is_page())
$comment_id = $_REQUEST['rcommentid'];
$comment_hash = $_REQUEST['rchash'];
if (empty($comment_id) || empty($comment_hash))
if ($comment_hash == $this->hash_comment($comment_id)) {
$comment = get_comment($comment_id);
// todo: removed double quote from list of 'dangerous characters'
$com = preg_replace('/([\\/\(\)\+\;\'])/e',
'\'%\' . dechex(ord(\'$1\'))',
$com = preg_replace('/\\r\\n/m', '\\\n', $com);
echo "
<script type='text/javascript'>
var _recaptcha_wordpress_savedcomment = '" . $com ."';
_recaptcha_wordpress_savedcomment =
// add a settings link to the plugin in the plugin list
function show_settings_link($links, $file) {
if ($file == plugin_basename($this->path_to_plugin_directory() .
'/wp-recaptcha.php')) {
$settings_title = __('Settings for this Plugin', 'recaptcha');
$settings = __('Settings', 'recaptcha');
$settings_link =