Infinite captcha loop

I have 3 sites on the free Cloudflare plan. I have the same security rules on all 3 pages. The one rule is to apply the ReCaptcha if the URL contains wp-login.php or wp-admin.

Everything’s been working great for about a month, until one of the sites started going into an infinite loop as soon as I go to the /wp-admin/ part of the site. Nothing changed, and I’ve checked the other 2 sites do not have the loop bug. I’ve triple-checked the rules, they are EXACTLY the same across all 3 sites.

I’ve also cleared the cache on the site, browser, and Cloudflare, but the problem remains. Tried different browsers and also changing my IP on VPN but no go.

1 Like

What is the domain that is causing the issues @user9219? Is this ongoing? and yes, its ongoing…

1 Like

You wouldn’t happen to have any ad blockers that you use on all your browsers, would you?

Have you tried incognito mode? I believe that runs without any plugins unless you overrode that setting.

p.s. I didn’t get the loop on that link. Just the captcha followed by a 1020 Access Denied.


are you hitting a 1020 after the captcha challenge?

I have a rule that only allows my country to log in. As you are outside you would hit the 1020 after the capture.

I have add blockers but it’s turned off for my own sites. Incognito is also stuck in an infinite loop. When I add my own IP and ISP ASN with an allow rule, it works. So I guess Cloudflare somehow flagged my IP as a bot or attack. But nothing in the logs anywhere, and no idea why it works on the other two sites with exact same settings. It’s very frustrating…

1 Like

I don’t hit the 1020 after the captcha challenge, as my country is allowed to log in. However, I don’t get past the captcha either. Tried connecting on the wife’s laptop from a different network, and I can get through after the captcha challenge. So, somehow Cloudflare has flagged me as a threat or bot I guess… no idea how that works… Cannot allow my IP, as it is changed every 2 hours by my ISP…

Update: So after a 24 hour period the infinite loop is resolved. I can log in again. Did not change anything to cause it, and did not do anything to resolve it either. Stumped as to why it was caused in the first place, and a bit frustrating that it happened with finding the root cause so that it can be resolved permanently.

Spoke to soon, problem is back… seems to be intermittent…

can you capture an .har of the infinite loop and open a support ticket?

2208235 @MoreHelp

I presume you attached the .har file to the ticket?


Ticket 2208235, and I have added the .har file to the ticket as requested.

Thank you so much!

1 Like

@matteo yes I did :slight_smile:

1 Like

2208235 @MoreHelp
I still have the problem and the har was uploaded to the ticket 6 days ago.

I have escalated this again, it might not get a reply until Monday morning in the APAC region, due to shifts, but it might be pretty soon.

1 Like

I am sorry, I cannot even test it as I just tried to figure out if the ReCaptcha is on the login form as a part of Google ReCaptcha (WordPress plugin), or a “Captcha” from Cloudflare?, as far as I get “Access denied” due to Firewall rules.

One rule, okay.
Is this the first rule?
Are there more rules with the “block” or “challenge” action?

Does it mean that each request under /wp-admin/ is being challenged by the captcha, or just the ones that goes to the /wp-admin/ (not being logged in) and it redirects to wp-login.php?

Even a basic visitor to your Website, if your theme uses /wp-admin/admin-ajax.php for some requests like posts loading, cart or checkout page, WooCommerce, Jetpack, etc?
Meaning, each visitor is being challenged?

Could that be the reason why you are in a loop, if so? (not sure if it works when user oncely passes the captcha, is it being challenged again if it goes to dashboard, edit posts … where are hundreds of the requests made to /wp-admin/ for CSS, JS, Ajax, etc.)

If you are using Cloudflare Captcha, may I ask what do you get in Firewall events for the users trying to access /wp-admin/ from your allowed country?

1 Like

Bless you @matteo

@fritex I have a rule to block all logins outside my country. I’ve disabled this for now, so you can check.

Also, the problem does not start straight away. Sometimes it’s ok for half a day and then it begins.

@user9219 Just tried via NameCheap VPN South Africa (, working without captcha.

I was not challenged on /wp-login.php, neither trying directly to /wp-admin/.

See my VPN IP here:

For one resource, I got returned “Too many redirects” - 302 redirect and 10-20 requests made:

Cause: is going to is redirecting to

Some HTTP headers for wp-login.php or /wp-admin/ like wp-cf-super-cache is indicating you are using WP Cloudflare Super Page Cache plugin, which is not an official Cloudflare plguin:

x-permitted-cross-domain-policies: none

x-wp-cf-super-cache: no-cache
x-wp-cf-super-cache-cache-control: no-store, no-cache, must-revalidate, max-age=0

pragma: no-cache
cf-cache-status: DYNAMIC
cache-control: no-store, no-cache, must-revalidate, max-age=0

But have you cleared the plugin cache “just in case”?

Will check through the day via VPN and write back if I got this behaviour as you are experiencing.

1 Like