Recaptcha fails to load and exposes key
-
I just updated Wordfence and happily turned on the Recaptcha feature + whitelisted my IP.
A. It fails to load the recpatcha js. (Verified by Inspect mode of the Chrome Browser)
B. You are calling https://www.google.com/recaptcha/api.js?render= and appending my key after that. Like, publicly exposed! That doesn’t seem right… ?? Other implementations of recaptcha only call: https://www.google.com/recaptcha/api.js
C. Then the system also flags me as needing email verification. I go through all that and it doesn’t work. Still won’t let me in (presumably because the recaptcha part fails).
I’m now locked out of my own site.
In case it matters, my site uses the free tier of Cloudfare CDN.
(Not posting my site link publicly due to the key exposure)
-
That’s fine and I was kinda expecting that that was the case.
However, the fact that the attempt to load the api js fails, is of greater concern to me than the exposed key. For one, I can no longer log in to my admin. And I DO have domain validation enabled, etc. My key is working fine with the recaptcha on my Contact Page. (It’s v2 reCaptcha… does WF only work with v3?)
These are the JS errors reported by the browser’s console:
Failed to load resource: the server responded with a status of 400 ()
https://www.google.com/recaptcha/api.js?render=MY_KEY_NORMALLY_IS_HERE_BUT_REMOVED_IN_THIS_POST
login.1557854560.js:5 Uncaught ReferenceError: grecaptcha is not defined
at wfls_init_captcha (login.1557854560.js:5)
at login.1557854560.js:237
at login.1557854560.js:239
tag_assistant_compiled.js:117 GET https://www.google.com/recaptcha/api.js?render=MY_KEY_NORMALLY_IS_HERE_BUT_REMOVED_IN_THIS_POST 400I’ve followed instructions on how to get back in to a site when locked out, and then I disabled the reCaptcha option. I am hoping official support can follow up on this anyways. I’d like to use the feature.
- The topic ‘Recaptcha fails to load and exposes key’ is closed to new replies.
