• Do you know how I might go about troubleshooting this? Is there a known issue perhaps? I didn’t even know that this was a feature:

    “If any valid users get a low score from Google reCAPTCHA and are blocked while logging in, they will see a message saying “Additional verification is required for login”, and asking them to check their email. They should receive an email with a link that will allow them to log in.”

    That is, I didn’t know until a user having login issues sent me a screenshot: https://i.imgur.com/HFEffa2.png

    That account didn’t receive the email, however (not to Spam, either). Thinking that it was a fluke, I tested with another account until I got to the above screen, but again no email.

    To be clear, these same accounts get a lot of Wordfence alert emails (logins, lockouts, etc), so this was quite surprising.

    WordPress 6.6.2

    Wordfence Version 7.11.7

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @bjf2000, thanks for reaching out about this!

    The verification emails are sent to verify a failed reCAPTCHA score. Google reCAPTCHA v3 only provides a score and nothing else, it doesn’t fall back to picking bicycles/traffic lights/etc., so any fallback is left to the implementer. It’s not a known issue or generally seen that these aren’t sent/received unless your site is having trouble sending emails – which doesn’t sound like the case here as you’re receiving other types of emails.

    Emails come from your site and not our servers so as you’ve already checked spam folders and possibly marked your domain as a safe source, take a look at the following:

    • This isn’t like regular emails you send and receive, but rather server alert messages. Usually, a restart of postfix or sendmail (whichever is installed) can fix it. Your hosting provider may need to help with this.
    • If you have a third party plugin for sending emails with another service, like Gmail, it could be stopping these alerts from going out. Reaching out to the plugin author for support can help.

    In terms of reCAPTCHA generally, we don’t receive information from Google about why a human may sometimes receive a low enough score to always require verification. Generally, a “reCAPTCHA human/bot threshold score” setting in Wordfence > Login Security > Settings of at least 0.7 should allow most humans through on your site without having to verify every time. You could try altering this a few times to see if any setting helps.

    A possible solution if you’re stuck with low scores no matter what you try is visiting your https://www.google.com/recaptcha/ admin and generating a new set of reCAPTCHA v3 keys. Replace the existing keys in Wordfence’s settings. This resets any history the site had accumulated that could result in constantly low scores, but does not reset the score history chart in the Wordfence plugin.

    Many thanks,
    Peter.
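
An added example, not part of the thread and not Wordfence's code: one way a site could turn the score-only reCAPTCHA v3 result described above into a login decision with an email-verification fallback. The function name, the `example.com` hostname, the `login` action and the sample responses are assumptions; 0.5 is the default threshold mentioned in this thread.

```python
from datetime import datetime, timedelta, timezone

def decide_login(resp, now, threshold=0.5, expected_action="login",
                 expected_host="example.com", max_age=timedelta(minutes=2)):
    """Map one parsed siteverify JSON response to allow / email_verification / reject."""
    # success=False means the token itself was invalid, expired or reused.
    if resp.get("success") is not True:
        return "reject"
    # A token minted for another action or site must not count for login.
    if resp.get("action") != expected_action or resp.get("hostname") != expected_host:
        return "reject"
    try:
        issued = datetime.fromisoformat(str(resp.get("challenge_ts")).replace("Z", "+00:00"))
    except ValueError:
        return "reject"
    if issued.tzinfo is None or now - issued > max_age:
        return "reject"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "reject"
    # v3 gives only this number: below the threshold there is no challenge
    # to show, so the site falls back to its own step (here, an emailed link).
    return "allow" if score >= threshold else "email_verification"

# Constructed sample responses, not captured from a real site.
NOW = datetime(2024, 10, 1, 12, 1, 0, tzinfo=timezone.utc)
BASE = {"success": True, "action": "login", "hostname": "example.com",
        "challenge_ts": "2024-10-01T12:00:30Z"}
SAMPLES = {
    "likely_human": {**BASE, "score": 0.9},
    "low_score": {**BASE, "score": 0.3},
    "wrong_action": {**BASE, "score": 0.9, "action": "contact"},
    "stale_token": {**BASE, "score": 0.9, "challenge_ts": "2024-10-01T11:50:00Z"},
    "bad_token": {"success": False, "error-codes": ["invalid-input-response"]},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:13s} -> {decide_login(resp, NOW)}")
```

Only the `low_score` case reaches the email fallback; the other non-allow cases are rejected before the score is consulted, so they would never trigger a verification email.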

    Thread Starter bjf2000

    (@bjf2000)

    @wfpeter

    Hi, OK, so to take this from another angle, is there a Wordfence setting that you’re aware of which would preclude the sending of just the verification mails as opposed to others relating to Wordfence? Because if so, I should probably check that, since the others do come in and have been reliable for years.

    While I understand that all “Wordfence” emails come from us and not you, these particular emails do involve an outside party (Google), as opposed to the normal variety of Wordfence emails. So I assume the Wordfence plugin is dealing with Google in some way before sending the email. Given that, I wonder what would happen if there was a problem between the plugin and Google. It might prevent those emails from sending. Is there a log of this sort of thing buried somewhere?

    The site has no plugin related to sending of emails, so it’s just the normal method that the host uses for sending on the back end. I guess it’s possible that they’re filtering out just these, though that would be pretty wild and I wasn’t aware that was even a possibility. I’ll try to check though. I do know, at least, that the ones that do come in from Wordfence/WordPress are perfect in terms of SPF/DKIM/DMARC, so the problem shouldn’t be in that direction.

    As for the scoring, I think that’s working well, as I really have to botch a login repeatedly before Google steps in. That’s good. We’re on the default of 0.5.

    Thanks
