What is the name of the domain?
What is the error number?
N/A - Challenge Loop Issue
What is the error message?
Infinite Cloudflare Challenge Verification Loop
What is the issue you’re encountering
[URGENT] Users Stuck in Challenge Loop - Cannot Access Site (Related to Case #01875334)
What steps have you taken to resolve the issue?
I have one more question about the behavior of Cloudflare challenges on my site.
So far I have noticed that whenever a verification page (reCAPTCHA / “Verifying that you are not a robot…”) appears on my domain, it never redirects to the article or homepage after I complete the challenge. Instead, it keeps showing the same verification page again and again, entering a kind of infinite loop.
On most other websites, after I complete the Cloudflare/Google verification once, I am then allowed to access the content normally. But on my own site, if a challenge appears, I can never “escape” from that challenge page.
My observations so far:
This seems to happen mainly on my own devices (especially mobile Chrome), while normal readers apparently do not experience this issue frequently.
Clearing Cloudflare cache and local browser cache sometimes temporarily resolves the problem.
My concern is: if any of my readers ever do see this challenge page, they might also be unable to reach the content, which would be a very bad experience.
My questions:
Is there any Cloudflare setting that could cause this “infinite challenge loop” behavior after completing the verification?
Should I configure anything in Cloudflare (for example, Page Rules, WAF rules, Cookie settings, or challenge types) to ensure that, if a challenge is ever shown, users are correctly redirected to the requested page after they solve it?
Is there a recommended way to debug or log why a particular session gets stuck on the challenge page on my site?
I truly appreciate your continued assistance. Your support has helped my Chinese news website become much more accessible to global Chinese readers, especially those using VPNs from Mainland China.
I see Google’s reCAPTCHA on the site you provided, not a Cloudflare challenge.
But this reCAPTCHA interstitial has been cached by Cloudflare (cf-cache-status: HIT), which is what may be causing the issue you’re seeing.
I’ll recommend disabling the Google reCAPTCHA completely, and only use Cloudflare’s managed challenges for your site’s protection.
NB: If you didn’t explicitly add Google reCAPTCHA to your site, this may be coming from the LiteSpeed web server’s built-in implementation:
Hi @GeorgeAppiah,
Thank you so much for that crucial observation! Your insight was the breakthrough I needed to solve this problem.
You were absolutely correct - it was Google reCAPTCHA, not a Cloudflare challenge. That distinction completely changed my investigation direction.
ROOT CAUSE IDENTIFIED:
The issue originated from a fundamental misconfiguration between Wordfence (WordPress security plugin) and Cloudflare:
- When I migrated DNS to Cloudflare, I never configured Wordfence’s IP detection method
- Wordfence was using the default “most secure method” instead of “Use Cloudflare CF-Connecting-IP HTTP header”
- This caused Wordfence to misidentify all visitors as the same Cloudflare server IP
- When WebP Express bulk processed 6000+ images, Wordfence interpreted this as a DDoS attack
- Wordfence then served Google reCAPTCHA challenges to legitimate traffic
- Cloudflare cached these challenge pages, creating the infinite loop
SOLUTION IMPLEMENTED:
- Changed Wordfence IP detection to “Use Cloudflare CF-Connecting-IP HTTP header”
- Enabled “Delay IP and Country blocking until after WordPress loads”
- Purged all Cloudflare cache
- Problem completely resolved!
KEY LEARNING:
Your observation helped me understand that “clearing Cloudflare cache temporarily fixes it” was a symptom of cache poisoning, not a Cloudflare configuration issue. The reCAPTCHA was being generated at the WordPress level and incorrectly cached.
This was a basic configuration oversight from my DNS migration that I should have addressed from day one. Thank you for pointing me in the right direction - it saved me from continuing to troubleshoot the wrong system!
Best regards,
Tianxia
Hi @GeorgeAppiah,
Thank you again for your invaluable help in resolving the reCAPTCHA issue. I have one follow-up question about my current configuration.
SITUATION UPDATE:
About one month ago, when experiencing severe verification issues, I created a Cloudflare security rule with community assistance. At that time, we didn’t know the root cause was Wordfence misconfiguration.
Current Rule Status:
- Name: “全域語言驗證碼挑戰” (Global Challenge Rule)
- Traffic handled: 146.47k requests
- Created as workaround for what we thought was overly strict Cloudflare challenges
ROOT CAUSE NOW RESOLVED:
- Wordfence IP detection fixed to use “CF-Connecting-IP HTTP header”
- Infinite reCAPTCHA loops completely eliminated
- System now stable with proper IP identification
MY QUESTION:
Given that the root cause is fixed, should I:
- Keep the rule as additional protection for VPN users?
- Remove the rule to restore full Cloudflare security protection?
- Modify the rule to be more targeted?
CONTEXT:
guanview.com serves global Chinese readers, many using VPNs from Mainland China. I want to balance security with accessibility.
Your expert guidance on whether this “workaround rule” is still beneficial or potentially counterproductive would be greatly appreciated.
Best regards,
Tianxia
