Storyman

Michael Moore at iThemes would love to hear from you. He claims it just ain’t so…

In mid-February the same problem occurred on two sites that both were close to a decade old. Oddly, the problem did not appear sites that were recently created.

First, establish if your site is sending any emails, such as when you create a new user and an alert is sent to the new user.

Second, check to see if an email is sent when you are on the login page and need to create a new password, which should also trigger an email.

Third, check the Security logs. See if you can figure out what’s not working.

Chances are that for whatever reason mail() isn’t working when it comes to the iThemes plugin. If that is the case have iThemes take a look, or better yet contact your hosting company and see if they’ll have a look.

Big thanks to @nlpro.

With your assistance, I was able to figure out what the problem is. I’ve written iThemes to advise them that, yes indeed, they have a problem with the plugin. There is definitely a bug that needs to be addressed. Hopefully they’ll fix it soon.

• This reply was modified 5 years, 11 months ago by Storyman.

After logging out, then back in there is a reCAPTCHA log entry.

module => recaptcha
type => debug
code => validate-response

That part of the captcha works. The problem is that after a day or two the error previously mentioned appears. Specifically, it references bots.

My understanding is that v3 prevents bots from running malicious scripts. You may need to wait a couple of days before you see the error; it doesn’t appear right away.

• This reply was modified 5 years, 11 months ago by Storyman.

1) Reset reCAPTCHA by removing keys and generating new ones.

2) Ticked the ‘Show Debug entries’ and saved.

3) In the logs page the ‘All Events’ filter has these options:

All Modules
Brute Force
Trusted Devices
404 Detection
Lockout
Malware Scan
Notification Center
User Logging
Version Management

There isn’t a ‘reCAPTCHA’ option. Should there have been? Do you think it will appear now that the ‘Show Debug entries’ is ticked?

AFTER REVIEWING LOGS

There aren’t any errors that I can see that relate to reCAPTCHA when searching back through since the last time I reset the keys. Nothing.

• This reply was modified 5 years, 11 months ago by Storyman.

In the admin area, I’ve clicked through the navigation on the left and it is there at the top of every page. At the top of the page is the black menu bar, just below that is the title of the section, and just below that is the reCAPTCHA warning. Warning appears only in admin area.

After viewing the sites without being logged in, I found that the reCAPTCHA v3 badge appears on the designated pages. It would seem that the site/secret keys are correctly assigned, but the plugin isn’t working as it should when it comes to detecting bots.

Again, thank you for your assistance.

• This reply was modified 5 years, 11 months ago by Storyman.
• This reply was modified 5 years, 11 months ago by Storyman.

Security Pro version 5.9.3.

I’ve tested it with themes Twenty-Nineteen and Twenty-Sixteen, both with the same results. Here is the full error message:

“The reCAPTCHA settings for iThemes Security are invalid. The Site Key may be invalid or unrecognized. Verify that you input the Site Key and Private Key correctly. Bots will not be blocked until the reCAPTCHA settings are set properly.”

Settings are the default unless otherwise noted.

Include Script: Only Required Pages
Use on Login: Use reCAPTCHA for user login.
Use on New User Registration: Use reCAPTCHA for user registration.
Use on Comments: Use reCAPTCHA for new comments.
Language: English (US)

The sites are on a shared Bluehost account. There is always a remote possibility that the issue is with Bluehost, so it would be greatly appreciated if there is anyone out there with a shared Bluehost account and Security Pro, to test if they get the same error. It may take up to a day for the error to appear.

The cache was cleared before generating new site/secret keys.

nlpro, any guidance you can offer would be greatly appreciated. BTW if you have a suggestion for a reCAPTCHA 3 plugin to help verify if iThemes Security Pro is where the problem lies would be appreciated.

Sorry, wrong post.

• This reply was modified 5 years, 12 months ago by Storyman.

For whatever reason this isn’t working. I’ve turned off site caching, cleared browser caching, and yet the video continues to play.

WordPress version is 4.9.5, Twenty-Seventeen version is 1.5.

Don’t know how relevant it is, but this is a fresh/clean install of WordPress.

@jan

Maybe I’m missing something here, but thought the point of a forum is to comment on post. I find stbedesantafe’s comment completely appropriate in response to my original post.

If we follow your advice, then all we would essentially be doing is creating hundreds of disjointed nano-blogs. Don’t see much value in that.

Making progress, but still need help.

In the sample that Bluehost shows the free SSL certificate using relative URLs, not absolute ones–https://box###.BlueHost.com/~username/contact

The result works…sort of. When the link (https://box###/.BlueHost.com/~username/add-on-domain/) is used it primarily shows only the links on the site because of the 100 Kb restriction Bluehost puts on the free SSL. The link (https://box###/.BlueHost.com/~username/add-on-domain/contact) results in a 404 error.

Has anyone been able to use the free Bluehost SSL certificate successfully on a domain added on?

I’ll check that out. Thanks for the feedback. Most helpful.

Got it.

On most of the sites, I’m the only one who logs into the backend, which is why it’s been easier to restrict IPs than use a captcha form. Not so sure that it prevents anyone from posting comments when not required to register (do require a captcha, however).

Thanks for the quick response.

Could you explain the reason you feel that restricting access to a login page is the wrong way to go? Why is it irritating stupid?

*bump&