reCaptcha not workgin

Hi @coadr93, thanks for reaching out to us.

We actually don’t recommend using plugins to hide your login page as it can cause issues on your site for other plugins that require this path. With certain “security through obscurity” methods such as this, we feel this only serves to slightly slow down somebody with malicious intent rather than stop them: https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/

If disabling Change Admin URL, but keeping WP Rocket and Wordfence still causes issues when 2FA and/or reCAPTCHA is enabled in Wordfence, what do you see in terms of on-screen errors when you visit one of the pages affected? Also, do you see any errors in the browser console? You can screenshot any results using a service like Snipboard.

Thanks,

Peter.

Hi, thanks for your reply.

Yes I have seen the video and I know it doesn’t protect too much but it is an extra layer and I would prefer to have it. Some of my clients write down their passwords which makes them vulnerable and a different login URL might help.

Disabling the replace login URL seems to fix the issue so far.

The problem is that it is not consistent.

Sometimes it works, sometimes it doesn’t.

On some websites it works, on others it doesn’t.

But mostly… it seems to be related to the user rather than the website.

Users with 2FA enabled which have already logged in once on a device seem to not have the issue anymore, but new devices or other users without 2FA got that error from what I can recall.

And yes, I do get some errors.

Something with CORS and an AJAX error

site.com/:1 Access to XMLHttpRequest at ‘https://www.site.com/wp-admin/admin-ajax.php’ from origin ‘https://site.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

jquery.min.js?ver=3.6.0:2 POST https://www.site.com/wp-admin/admin-ajax.php net::ERR_FAILED 200

Why would changing the login URL cause issues with ajax? Is there

Hi @coadr93,

If you’re able to find a consistent case with users who’ve logged in on a device before, or other specific user-roles or anything like that then it would assist. It is possible that the location of the login URL does stop a script or some other resource that is required from loading correctly, which is why we generally are unable to guarantee 2FA/reCAPTCHA support with it, especially when achieved with another plugin we have no control over.

I have seen CORS errors with legacy versions of 2FA, or .htaccess files with a misconfigured CORS policy but these may not be intermittent in these cases as you describe.

Let me know if you find out any further information.

Thanks,

Peter.

Thank you for your response.

So far, it seems that the issue is only when using a change wp-admin URL plugin.

I’ve deactivated it on one of the sites and haven’t had issues with it since, it seems.

I’m not really sure why changing the admin URL affects ajax thingy or what it has to do with CORS… or how those plugins work, but they probably do some rewriting in htaccess as well.

I will check my .htaccess file as well. It could have something to do with WP Rocket and caching as well.

Maybe once you’ve logged in at least 1 time, some sort of script gets properly loaded or cached …

I’ll try to find some time to properly test this in multiple scenarios and once I’ve figured out the issue better, I’ll reply to this ticket.

Thanks once again!

No worries @coadr93, thank you for the extra information and amount of testing you’ve done. Topics tend to get resolved after 7 days of inactivity so I’ll keep this alive for now in case you have further input over the next week.

Thanks,

Peter.