HivePress login is causing a security risk

Short: The HivePress login modal / login block != WordPress login. It does not integrate with other limit-login-attempts plugins, and more importantly, it does not integrate with CDN brute-force prevention.

Background: For a long time now I’ve been trying to implement a limit-login function for the HivePress login form, because I don’t really like that reCAPTCHA solution at all. However, I didn’t manage to integrate popular login-attempts plugins, nor did I manage to write my own logic.

Fast forward, I found out that QUIC.cloud and Cloudflare offer this protection at the CDN level, which is great. However, when activating these features, nothing happens, no matter the configuration. When trying the original WordPress login form (login.php / wp-admin), these security measures indeed work.

What I think the issue is, is that the HivePress login form does not utilize the error handling from WordPress, and instead handles it on the client with JavaScript (I might be wrong). This results in users getting unlimited login attempts, making this a high security risk.

Having a secure original WP-login means nothing if users can access the Hivepress login form.

I think this needs to be addressed ASAP. If HivePress utilized the already working functionality that WordPress offers, it wouldn’t need to implement these custom reCAPTCHA settings.
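The post above argues that a login form which bypasses the WordPress authentication pipeline also bypasses every limit-login plugin. What follows is an added example, not HivePress code and not from the original thread, showing where such plugins actually hook in: the `authenticate` filter and the `wp_login_failed` / `wp_login` actions that `wp_authenticate()` fires. Any form that ends in `wp_signon()` / `wp_authenticate()` (wp-login.php, XML-RPC, or a plugin's own AJAX handler) is covered by it; a form that validates credentials some other way is not, which is exactly the gap the post describes. The constants, the `hp_ex_` function names and the 5-failures / 15-minute limits are my own assumptions; it assumes a WordPress install (drop it into `wp-content/mu-plugins/`) and that the web server restores the real client IP behind the CDN.

```php
<?php
/**
 * Plugin Name: Failed-login limiter (added example, not HivePress code)
 * Description: Counts failed logins per client IP + username inside the
 * WordPress auth pipeline, so it applies to every form that reaches
 * wp_authenticate(), not only wp-login.php.
 */

// Assumed policy: 5 failures within 15 minutes lock that IP+username pair
// for the rest of the window. Tune to taste.
const HP_EX_MAX_FAILURES   = 5;
const HP_EX_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

/**
 * Transient key for this client + username. Keying on the pair avoids both
 * trivial bypass (per-username only is a DoS on the victim; per-IP only is
 * defeated by a botnet). Behind Cloudflare/QUIC.cloud REMOTE_ADDR is the CDN
 * edge unless the server restores the client IP (e.g. mod_remoteip); do NOT
 * read X-Forwarded-For directly, it is client-controlled.
 */
function hp_ex_failure_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'hp_ex_fail_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

/**
 * 'authenticate' filter. Must run at a HIGH priority: core's own callbacks at
 * priority 20 (wp_authenticate_username_password) ignore an incoming WP_Error
 * and return a WP_User when the password is right, so a block returned at a
 * low priority would be overwritten by a correct guess.
 */
function hp_ex_block_if_locked( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // cookie/no-credential paths: nothing to rate-limit here.
    }
    $failures = (int) get_transient( hp_ex_failure_key( $username ) );
    if ( $failures >= HP_EX_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_failures',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'hp_ex_block_if_locked', 100, 3 );

/**
 * wp_authenticate() fires 'wp_login_failed' on every failed attempt, whatever
 * form submitted it. Attempts made while locked out also land here, which
 * extends the lockout.
 */
function hp_ex_record_failure( $username, $error = null ) {
    $key      = hp_ex_failure_key( $username );
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, HP_EX_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'hp_ex_record_failure', 10, 2 );

/** Reset the counter on a successful login so a legitimate user is not penalised later. */
function hp_ex_clear_failures( $user_login, $user ) {
    delete_transient( hp_ex_failure_key( $user_login ) );
}
add_action( 'wp_login', 'hp_ex_clear_failures', 10, 2 );
```

The quick check for whether a given login form is covered is to install something like this, submit a handful of wrong passwords through that form, and see whether the counter (`wp_options`, `_transient_hp_ex_fail_*`) moves; if it does not, the form is not calling `wp_authenticate()` and no WordPress-side limiter, plugin or otherwise, will see its attempts.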

Thank you for the details and for reporting this issue. We will research this issue as soon as possible.


Yes, this is important.


This would be a great non-bloat, non-spyware solution for all of us:

WordPress

  • Login Form
  • Registration Form
  • Password Reset Form
  • Comments Form

WooCommerce

  • Checkout
  • Pay For Order
  • Login Form
  • Registration Form
  • Password Reset Form

Form Plugins

  • WPForms
  • Fluent Forms
  • Contact Form 7
  • Gravity Forms
  • Formidable Forms
  • Forminator Forms

Other Integrations

  • Elementor Pro Forms
  • Mailchimp for WordPress Forms
  • BuddyPress Registration Form
  • bbPress Create Topic & Reply Forms
  • Ultimate Member Forms
  • wpDiscuz Custom Comments Form

GeneratePress also uses it, and more and more plugins and websites do, since it’s simply better in every way.
https://generatepress.com/wp-login.php

Official Link:

Can you please add this as a feature? This would be amazing.

Can you please help me with this?
It looks simple to change it in Hive?

It also relates to my other post:

I did try to test it but it does not work. I changed these lines in class-form.php but with no success:

Please help.

            // Enqueue Turnstile (replaces the reCAPTCHA script; handle name kept as-is).
            if ( $this->is_captcha_enabled() ) {
                wp_enqueue_script(
                    'recaptcha',
                    'https://challenges.cloudflare.com/turnstile/v0/api.js',
                    [],
                    null,
                    false
                );
            }

            // Verify the Turnstile token. Unlike Google's endpoint, Turnstile's
            // siteverify expects a POST with a form-encoded body, not a GET with
            // query parameters, and the widget submits its token in the
            // 'cf-turnstile-response' field (default field name).
            $response = json_decode(
                wp_remote_retrieve_body(
                    wp_remote_post(
                        'https://challenges.cloudflare.com/turnstile/v0/siteverify',
                        [
                            'body' => [
                                'secret'   => get_option( 'hp_recaptcha_secret_key' ),
                                'response' => sanitize_text_field( hp\get_array_value( $_POST, 'cf-turnstile-response' ) ),
                            ],
                        ]
                    )
                ),
                true
            );

This is also a reason:

  • Google’s reCAPTCHA is a performance killer. I’ve seen it drop mobile scores by over 30 points by itself. It loads 12 scripts at a total size of 480 KB, which is huge. The important thing is not to use it sitewide. At most, make sure this is only loading on your contact page. However, most contact form plugins have anti-spam and honeypot measures already built-in. If yours doesn’t, you can use a free plugin like WP Armour or Simple Cloudflare Turnstile. Therefore, I recommend not using Google’s reCAPTCHA.

Thank you for reporting this issue. This feature is already in the development stage, and it will be released as soon as possible. Unfortunately, no simple solution exists to replace the HivePress login with the WordPress login entirely. It requires advanced customization.


Cloudflare captcha is in active development?
Or do you mean the WordPress login change?

I just want to make sure I understand.

I think the Cloudflare captcha will be implemented, right? This would be great and would make a lot of people happy.

At the current development stage we are working on improving the integration of the HivePress login functionality with the WordPress login, as there were issues that deserve attention, such as restrictions on failed login attempts that work correctly in the WordPress login. We are open to suggestions about how to improve the HivePress login, and thank you for your previous feedback about this issue.

