Captcha loop after one successful solve

Hi, I’m afraid I have to bug you again with a question,
I currently have a problem with the Captcha Challenge.

I have a captcha challenge in front of my login page to be on the safe side, everything works fine, on the first call I am asked to solve the captcha and then I am redirected to the protected page. But now it is so that after 30min again a captcha is requested (which is configurable in CloudFlare itself - the time span 30min etc.).

But now I can’t get past the captcha - no matter how many times I solve it, the captcha keeps reloading and I can’t get to my page.

Have I configured something wrong here or how do I have to proceed here?

Small information on the side:

I have already deleted my cookies, deactivated all browser extensions and tried the whole thing in incognito mode - unfortunately without success.

Thanks in advance!

What is the link (domain)?

Can you try to catch it and post a screenshot of this captcha?

Is it actually the Cloudflare captcha or rather some other like Google ReCaptcha on that login form?

You are refering to the Firewall → Settings, right?:

May I ask what have you tried so far?

  1. Have you checked if the I am under an attack! option is being disabled or suddenly enabled at Cloudflare dashboard for your domain?
  2. Furthermore, may I ask what Security Level ( Low, Medium, High … ) have you got selected under the Firewall->Settings tab at Cloudflare dashboard?
  3. Do you have some custom-made Firewall Rules at the Firewall tab or does something show up at Firewall events log?
  4. Either not related so much, but may I also ask is the Bot Fight Mode option being enabled at Firewall tab->Bots and so on how about Browser Security Check option (Firewall->Settings-> scroll down to see the section?
  5. Have you tried to Purge the Cache at the Caching tab → Configuration from Cloudflare dashboard?

Do you use some kind of an anti-virus program like BitDefender?

How about clearing your Web browser cache? Have you tried that too?

Have you tried using some other Web browser, or a private window, or different device connected to some other network (like cellular / Edge / LTE, mobile data)? - even you stated different countries/browsers, etc.

If using TOR browser:

1 Like

For sure!

This is the hCaptcha which becomes active as soon as I set the challenge in a firewall rule.


I can confirm that the “I am under attack” mode is disabled.

The selected security level is Medium.

Attached is a screenshot of the logs - these recurring attempts from Austria are the loop referred to.

Yes, attached is a screenshot of those rules that cause the problem.

The Bot Fight mode is activated.

I have cleared the complete cache several times.

Only the regular Windows Defender, which is integrated in Windows 10.

Several times.

The problem occurs in Google Chrome, Edge (Chromium) and Firefox.

However, the problem disappears for a short time when I restart the PC and router - I suspect this has to do with my IP?

After that I can solve the captcha once, but after that it always ends up in the loop again.

I hope the information is useful.

Best regards!

Are you using non-www (naked) or www (prefix) domain for your WordPress and wp-login? (due to possible issue with cookies)

Nevertheless, is your WordPress Administration dashboard configured to work over the SSL?

Just in case due to HTTP(S) and non-www/www issues, may I also ask what SSL option have you got selected under the SSL/TLS tab at Cloudflare dashboard for your domain ( Flexible, Full, Full Strict … )?

Before moving to Cloudflare, was your Website working over HTTPS connection?
If so, did you had an valid SSL certificate installed at your origin host / server which covers both your naked (root) domain any any other needed sub-domain like www, mail, etc.?

Following that Firewall Rule, each request comming to wp-login should be challenged.
Therefore, regarding the Captcha/Challenge passage time defined, I think it’s normal to expect Cloudflare to ask you again after 30min - if you again make the same request - or that happens if your WordPress session somehow ends?

I think deleting cookies actually triggers the Cloudflare to challenge you over again.

Not sure, but are cookies “by default” enabled in this mode (in terms of privacy and tracking options)?

Furthermore, due to my curiosity, may I ask is there a way to challenge/block everyone else except yourself (adding your IP, or maybe country, or some other workaround)? - a better way as an example, if possible.

I use for wordpress the domain without www prefix. The site worked fine with https before I linked it to Cloudflare.

I have enabled Full Strict and installed the Origin certificate on my server.

yes, all this is covered by a wildcard certificate.

That makes perfect sense that I’m asked after the 30 minutes are up or as soon as the session ends somehow. I just don’t understand how it can be that the whole thing runs in a loop.

Let’s assume the following scenario: I start my PC and would like to access the login page, so far so good, I am challenged and have to solve the captcha - that works and I can continue. So and now for some reason the session is deleted, for example because I log out or close the browser, or the time limit expires. So I want to log in again after that and I get to the said captcha again, but this time it can’t be solved, but is shown to me over and over again.

This would of course be a nicer solution than blocking the URLs specifically.

Or, you could try to setup Cloudflare Access/Teams for your WordPress login.
But okay, we are getting some otherway possible work-around as ideas got into my head while I think a bit. Just, sharing ideas :slight_smile:

Thank you for your tips regarding Cloudflare Access! That is definitely an interesting approach.

I would still be very interested in how it can be that these captchas repeat themselves in a continuous loop, currently I have applied your above solution that only requests from my country come to the said pages.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.