• Resolved zeriffan

    (@zeriffan)


    Hello,
    I have been having a problem authenticating site users using wordpress rest api. When recaptcha is enabled, I always get:
    {
        "code": "[jwt_auth] wfls_captcha_verify",
        "message": "VERIFICATION REQUIRED: Additional verification is required for login. Please check the email address associated with the account for a verification link.",
        "data": {
            "status": 403
        }
    }

    I have tried setting the firewall in learning mode. I have also tried changing the recaptcha human threshold. The site uses the standard WP login page.
    If I disable recaptcha, rest api works as expected. Any thoughts?

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @zeriffan and thanks for reaching out to us!

    I see this sometimes when another plugin is causing a conflict with our 2FA.

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Thanks!

    Thread Starter zeriffan

    (@zeriffan)

    Hi @wfadam
    Thanks for your prompt reply. I have sent the diagnostic report via plugin email.

    thanks!

    Plugin Support WFAdam

    (@wfadam)

    Thanks for sending that!

    I don’t see any known plugin conflicts in your diagnostic, but that doesn’t necessarily mean that isn’t the case here.

    What is strange is that it’s giving you a 403 error which is typically a firewall blocking the request. If you navigate to your Wordfence > Tools > Live Traffic and monitor this, then attempt to log in via another tab with 2FA and Recaptcha enabled, are you seeing the block in the Live Traffic?

    Thanks!

    Thread Starter zeriffan

    (@zeriffan)

    Yes, with recaptcha enabled (there is no 2FA), I can see a type: failed login in the live traffic which shows my user and the service host where it's originating.

    Plugin Support WFAdam

    (@wfadam)

    I looked at this issue a little more in-depth as I am curious how it’s showing a 403 error.

    I was getting a 404 randomly when visiting your home page. It looks like you may be using a captcha on the front end for something else. There’s a chance Google is seeing those bad requests and considering the users suspicious, but I’m not sure.

    Could you try disabling the “Invisible Recaptcha” plugin that you’re using to see if that might be causing it? If you know where else you’re using a captcha (if it’s integrated into even a third plugin).

    Thanks!

    Thread Starter zeriffan

    (@zeriffan)

    The invisible captcha plugin is not active. I will delete it and test again. But, I do have an active plugin for jwt (JWT Authentication for WP REST API)

    I read an issue on their github page about that interfering with a recaptcha plugin. I wonder if that may be affecting the rest call

    Thread Starter zeriffan

    (@zeriffan)

    After deleting the inactive plugin, the test resulted in this error:
    {
        "code": "[jwt_auth] wfls_captcha_verify",
        "message": "VERIFICATION REQUIRED: Additional verification is required for login. Please check the email address associated with the account for a verification link.",
        "data": {
            "status": 403
        }
    }
    Notice the jwt-auth code before the wfls error.

    • This reply was modified 3 years, 9 months ago by zeriffan.
    Plugin Support WFAdam

    (@wfadam)

    Have you tried this with the JWT Authentication for WP REST API plugin disabled? Since the error is referencing it, I wonder if that is what is causing the conflict then.

    Let me know!

    Thanks!

    Thread Starter zeriffan

    (@zeriffan)

    Yes, using the WP basic auth works with the jwt plugin disabled. I wonder why this error pops up with this very popular plugin. There must be sites being accessed with rest api using this jwt plugin + wordfence (with recaptcha). Any thoughts?

    Plugin Support WFAdam

    (@wfadam)

    I wonder if something else is blocking the REST API request because Wordfence will not block REST API, since Wordfence uses the REST API and needs it to be accessible.

    I often see themes causing issues similar to yours. Try switching to a default theme like twenty-twenty and test again.

    Let me know what you find!

    Thanks!

    Thread Starter zeriffan

    (@zeriffan)

    I tried disabling plugins to see which one(s) might be interfering. I disabled caching as well. No luck.
    I noticed that Yoast SEO was loading recaptcha js for some reason. I got rid of that as well. Still no luck.
    I will try themes next:)
    thanks!!!

    Thread Starter zeriffan

    (@zeriffan)

    I have it working now. I used the wordfence_ls_require_captcha filter documented at: https://www.wordfence.com/help/login-security/

    @wfadam, do you think this is the right usage for this filter?

    thanks

    Plugin Support WFAdam

    (@wfadam)

    That’s great that you got it working!

    The documentation mentions:
    The filter “wordfence_ls_require_captcha” can be used to disable the CAPTCHA in circumstances of your choice. This may be useful for plugins that contain REST endpoints with authentication that should not require a CAPTCHA. Your filter should return false to bypass the CAPTCHA requirement when necessary, or otherwise true when the CAPTCHA should be required.

    This should be correct in resolving your issue as the REST endpoints are where you were seeing the problem.

    Test it out and let me know if you have any issues with it.

    Thanks again for your patience and information!

    Hello @zeriffan
    I also have the same problem. My call to rest api asks me to validate request through email link verification. Could you post here how you use this filter, in order to disable the recaptcha, for such calls like this?

    OK, never mind... I finally got it!
    If someone else wants to know:

    I have written the below code inside the functions.php file of my child theme:

    add_filter( 'wordfence_ls_require_captcha', '__return_false' );

    Thus, Wordfence does not send the user verification email anymore!
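Added example, not part of the thread and not Wordfence's or the JWT plugin's own code: the documentation quoted above says the filter should return false only "when necessary", while `__return_false` turns the CAPTCHA off for every login, including wp-login.php. The sketch below exempts a single REST route and leaves the requirement unchanged everywhere else. The route `/jwt-auth/v1/token` and the `example_` names are assumptions; check the route your JWT plugin actually registers.

```php
// Goes in the same functions.php (or a small must-use plugin).
// Assumption: the JWT plugin issues tokens at this REST route.
const EXAMPLE_CAPTCHA_EXEMPT_ROUTE = '/jwt-auth/v1/token';

/**
 * Decide whether the CAPTCHA stays required for a given REST route.
 * Hypothetical helper: only a POST to the exempt route is released.
 */
function example_captcha_required_for_route( $required, $rest_route, $method ) {
    // Normalise so "jwt-auth/v1/token/" and "/jwt-auth/v1/token" compare equal.
    $route = '/' . trim( (string) $rest_route, '/' );

    if ( 'POST' === strtoupper( (string) $method )
        && EXAMPLE_CAPTCHA_EXEMPT_ROUTE === $route ) {
        return false; // token endpoint: a script cannot solve a CAPTCHA
    }

    return $required; // every other route keeps Wordfence's decision
}

add_filter( 'wordfence_ls_require_captcha', function ( $required ) {
    // Not a REST request (wp-login.php, XML-RPC, ...): leave the CAPTCHA on.
    if ( ! defined( 'REST_REQUEST' ) || ! REST_REQUEST ) {
        return $required;
    }

    // WordPress stores the requested route here for both pretty and
    // plain (?rest_route=) permalinks.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    $method = isset( $_SERVER['REQUEST_METHOD'] )
        ? $_SERVER['REQUEST_METHOD']
        : '';

    return example_captcha_required_for_route( $required, $route, $method );
} );
```

With this in place the exempted route no longer has a CAPTCHA in front of it, so it depends on whatever login attempt limiting is configured for the site.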

  • The topic ‘Recaptcha and rest api’ is closed to new replies.