• Resolved snowme

    (@snowme)


    It looks like bots are able to bypass Google reCAPTCHA that's enabled via the Wordfence plugin to register new accounts on my site. When I check the Users page within the WordPress Dashboard, none of the recently created accounts have a “Last Captcha” score listed.

    I saw another forum post that mentioned they used Cloudflare, but their captcha problem seems to have magically fixed itself. I also use Cloudflare to mask the real IP address of my web server. I’m wondering if this may be causing some sort of issue with Wordfence’s Google reCAPTCHA feature or if there’s something else happening.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @snowme, thanks for reaching out to us!

    The most likely scenario if reCAPTCHA wasn’t working would be to produce errors rather than be entirely bypassed. I have seen rogue users and comments potentially coming through XML-RPC, which can be disabled.

    “Disable XML-RPC authentication” appears in Wordfence > Login Security > Settings. You can also block this route entirely using .htaccess, provided you don’t use the WordPress app or a plugin that requires it such as Jetpack:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    Let me know how you get on!
    Peter.

    Thread Starter snowme

    (@snowme)

    Hi,

    Thanks for the quick reply. I’m blocking XML-RPC via my NGINX config so I don’t believe they are using that to do user registrations. I’m really unsure how these people/bots are able to register accounts without a Google reCAPTCHA score showing. When I go to my login and registration page, I do see the Google reCAPTCHA logo at the bottom right-hand corner of the page so it appears to be working.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @snowme,

    There was an update at plugin version 7.5.11 that fixed the potential for reCAPTCHA scores to not be recorded, but I’m working on the assumption that you have the latest version of Wordfence and other plugins so that’s probably not a factor?

    In terms of the score itself, we aren’t privy to why Google rate some humans as bots (or vice versa), but if you’re not seeing specific messages or errors during your own testing, it’s worth trying to log in with Wordfence as the only enabled plugin with a default theme such as Twenty Twenty-Two. If there’s a plugin conflict or a problem with custom code in your theme that’s preventing code from running properly at the time of submission, this should make it clear. Of course, seeing the reCAPTCHA logo on the pages hints that the scripts on initial page load are likely to be fine.

    If you’re able to always get valid reCAPTCHA scores now, reenable your plugins and theme one-by-one to see if the problem returns.

    A “reCAPTCHA human/bot threshold score” setting in Wordfence > Login Security > Settings of at least 0.7 should allow most humans visiting your site through as intended so it could be worth adjusting this number too, to see if anything changes in successful login/registrations.

    Thanks again,
    Peter.
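Added example (not Wordfence code, and not how the plugin is implemented): a server-side reCAPTCHA v3 verdict handler for a registration form that fails closed. It shows why a registration that ends up with no recorded score, as described in this thread, should be treated as a verification failure rather than let through, and how the 0.7 threshold mentioned above is applied. The siteverify JSON bodies are constructed samples following Google's documented response fields; `example.com`, the `register` action name and the `verify` callable are assumptions for the demo, and no network request is made.

```python
"""Fail-closed handling of a reCAPTCHA v3 siteverify verdict on registration.

Added example, not Wordfence's implementation. The response shapes below are
constructed samples using Google's documented siteverify fields; hostname,
action name and threshold are assumptions for this demo.
"""
import json
from dataclasses import dataclass
from typing import Optional

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # real endpoint; not called here


@dataclass
class CaptchaVerdict:
    allowed: bool
    score: Optional[float]   # None when no score exists (v2 key, error, or no call made)
    reason: str


def evaluate_siteverify(response_json: str, *, expected_action: str,
                        expected_hostname: str, threshold: float = 0.7) -> CaptchaVerdict:
    """Turn a raw siteverify body into an allow/deny decision.

    Any missing field, error code, action or hostname mismatch, or score below
    the threshold is a denial. The score (if any) is always returned so the
    caller can record it against the user, like the "Last Captcha" column.
    """
    try:
        data = json.loads(response_json)
    except json.JSONDecodeError:
        return CaptchaVerdict(False, None, "unparseable siteverify response")

    if not data.get("success", False):
        return CaptchaVerdict(False, None, "siteverify failure: %s" % data.get("error-codes", []))
    score = data.get("score")
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return CaptchaVerdict(False, None, "no score in response (v2 key or malformed token?)")
    if data.get("action") != expected_action:
        return CaptchaVerdict(False, score, "action mismatch: %r" % data.get("action"))
    if data.get("hostname") != expected_hostname:
        return CaptchaVerdict(False, score, "hostname mismatch: %r" % data.get("hostname"))
    if score < threshold:
        return CaptchaVerdict(False, score, "score %.2f below threshold %.2f" % (score, threshold))
    return CaptchaVerdict(True, score, "ok")


def registration_allowed(token: Optional[str], verify, **kw) -> CaptchaVerdict:
    """Gate a registration on the submitted captcha token.

    `verify` is a callable that POSTs the token to siteverify and returns the
    response body; it is injected so this demo runs offline. A missing token
    (the browser script never ran, or the client skipped the form's JS) is
    denied outright instead of skipping verification.
    """
    if not token:
        return CaptchaVerdict(False, None, "no captcha token submitted")
    return evaluate_siteverify(verify(token), **kw)


# Constructed sample siteverify bodies keyed by a fake "token" (assumed values).
SAMPLE_RESPONSES = {
    "good": '{"success": true, "score": 0.9, "action": "register", "hostname": "example.com"}',
    "bot": '{"success": true, "score": 0.1, "action": "register", "hostname": "example.com"}',
    "v2": '{"success": true, "hostname": "example.com"}',
    "bad": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "otherhost": '{"success": true, "score": 0.9, "action": "register", "hostname": "other.example"}',
}


def fake_verify(token: str) -> str:
    """Stand-in for the HTTPS call to siteverify (assumption: offline demo)."""
    return SAMPLE_RESPONSES[token]


def demo() -> dict:
    """Run every constructed case plus a missing token through the gate."""
    cases = list(SAMPLE_RESPONSES) + [None]
    return {tok: registration_allowed(tok, fake_verify, expected_action="register",
                                       expected_hostname="example.com", threshold=0.7)
            for tok in cases}


if __name__ == "__main__":
    for tok, v in demo().items():
        print(f"{str(tok):>10}: allowed={v.allowed} score={v.score} ({v.reason})")
```

The design point is the `score is None` path: the only way a successful registration should carry no score is if the code never reached the verdict at all, so an account with a blank score column is a signal that verification was skipped (plugin conflict, JS not executed, a different registration route), not that a human passed it.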

  • The topic ‘Site Registration Recapcha Bypassed’ is closed to new replies.