This plugin logs failed login attempts and requires users to go through a CAPTCHA verification process when the number of failed attempts gets too high. It provides protection against automated attacks.
Failed attempts are logged by IP and stored in a database table. IPs are released again after a certain amount of time has expired.
Since 2024-01-01 the default config is set to always activate CAPTCHA verification by
$config['failed_attempts'] = 0;
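The following is an added sketch of the mechanism described above, not rcguard's own code: failures are counted per IP in a table, stale entries are released, and a threshold of 0 always requires the CAPTCHA. The table, column and function names, the `>=` comparison and the expiry value are assumptions made for illustration; it needs PHP with PDO SQLite (SQLite 3.24 or later).

```php
<?php
// Simplified model of per-IP failed-login tracking (not rcguard's code).
// Table, column and function names are hypothetical.
declare(strict_types=1);

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE failed_logins (
        ip TEXT PRIMARY KEY, hits INTEGER NOT NULL, last INTEGER NOT NULL)');
    return $db;
}

// Record one failed attempt for $ip at time $now (Unix seconds).
function recordFailure(PDO $db, string $ip, int $now): void {
    $st = $db->prepare(
        'INSERT INTO failed_logins (ip, hits, last) VALUES (:ip, 1, :now)
         ON CONFLICT(ip) DO UPDATE SET hits = hits + 1, last = excluded.last'
    );
    $st->execute([':ip' => $ip, ':now' => $now]);
}

// Release IPs whose last failure is older than $expireSeconds.
function releaseExpired(PDO $db, int $now, int $expireSeconds): void {
    $st = $db->prepare('DELETE FROM failed_logins WHERE last < :cutoff');
    $st->execute([':cutoff' => $now - $expireSeconds]);
}

// CAPTCHA is required once recorded failures reach the threshold (assumed
// comparison); a threshold of 0 means every login attempt gets a CAPTCHA.
function captchaRequired(PDO $db, string $ip, int $threshold): bool {
    if ($threshold === 0) {
        return true;
    }
    $st = $db->prepare('SELECT hits FROM failed_logins WHERE ip = :ip');
    $st->execute([':ip' => $ip]);
    $hits = $st->fetchColumn();
    return $hits !== false && (int) $hits >= $threshold;
}

$db = openStore();
$ip = '198.51.100.7';   // constructed sample address (documentation range)
$t0 = 1700000000;       // constructed timestamp
foreach ([0, 10, 20] as $offset) {
    recordFailure($db, $ip, $t0 + $offset);
}
var_dump(captchaRequired($db, $ip, 3));             // three failures recorded
var_dump(captchaRequired($db, '198.51.100.8', 3));  // address with no failures
var_dump(captchaRequired($db, '198.51.100.8', 0));  // threshold 0
releaseExpired($db, $t0 + 20 + 3601, 3600);         // assumed one-hour expiry
var_dump(captchaRequired($db, $ip, 3));             // after the entry was released
```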
Add this plugin `pbiering/rcguard` to the `require` section of your Roundcube `composer.json`, run `composer update` and enable rcguard in the main Roundcube configuration file.
OR just run:
composer require pbiering/rcguard
Place the contents of this directory under `plugins/rcguard`.
Until provided by Fedora or EPEL, the package is available via Copr: https://copr.fedorainfracloud.org/coprs/pbiering/InternetServerExtensions/packages/
yum install roundcubemail-plugin-rcguard
Enable rcguard in the main Roundcube configuration file (e.g. `/etc/roundcubemail/config.inc.php`) by extending the plugin config array:
array_push($config['plugins'], 'rcguard');
Copy `config.inc.php.dist` to `config.inc.php` and modify as necessary.
Use the files under `SQL/` to create the database schema required for rcguard. The table should be created in the database used by Roundcube.
NOTE: If you use the Roundcube `db_prefix` config option, you must rename the table `rcguard` accordingly.
Example for SQLite:
cd /usr/share/roundcubemail/plugins/rcguard
cat SQL/sqlite.initial.sql | sqlite3 /var/lib/roundcubemail/db/sqlite.db
IMPORTANT: This plugin requires CAPTCHA API keys to work properly.
These can be obtained from:
- Google's reCAPTCHA: https://www.google.com/recaptcha
- hCaptcha: https://dashboard.hcaptcha.com/
- Friendly Captcha: https://friendlycaptcha.com/
- Cloudflare's Turnstile: https://www.cloudflare.com/products/turnstile/
You may customize the following in the `config.inc.php` file:
- the API version: `v3`, `v2invisible`, `v2`, `v2hcaptcha`, `v2friendlycaptcha` or `v2cfturnstile`; by `$config['recaptcha_api_version']`
  - also configure, as required by the selected service: `$config['recaptcha_api_url']`, `$config['recaptcha_publickey']`, `$config['recaptcha_privatekey']`
- the v2 widget theme: `light` or `dark` (where supported); by `$config['recaptcha_theme']`
- the v2 widget size: `normal` or `compact` (where supported); by `$config['recaptcha_size']`
For more information about the widget please check:
- documentation about Google's reCAPTCHA
- documentation about hCaptcha
- documentation about Friendly Captcha
- documentation about Cloudflare's Turnstile
The plugin configuration file has several other options you may configure; please take a look.
Since May 2018, you can define a proxy (anonymous or authenticated) to request the CAPTCHA widget.
Since April 2022, hCaptcha and Friendly Captcha are supported.
Since March 2023, Cloudflare's Turnstile is supported.
- MySQL
- PostgreSQL
- SQLite
The original author of this plugin was Denny Lin.
Diana Soares forked it some years ago to 1) use reCAPTCHA v2.0, 2) add the larry skin and 3) because the project issues were taking too long to be answered. Also, the original project had not been updated since 2015 and many things have changed in the meantime in Roundcube's API.
Peter Bieringer forked it in 2022 from Diana Soares to add additional CAPTCHA services.
Because the former fork also went stale in 2021 (dsoares#50), Peter Bieringer will maintain this project now.
Comments and suggestions are welcome via "issues".
This plugin is distributed under the GPL-3.0+ license.
This plugin also contains PHP libraries for
- reCAPTCHA
- hCaptcha
- FriendlyCaptcha
- Cloudflare Turnstile
that are distributed under their own licenses. See the library files for the exact details.