Turnstile Broke My Websites And Now I Can't Login

I was looking at my analytics and noticed traffic was down on all my websites. I went to login to see what was broken and I get stuck in a loop and can’t login because your Turnstile product thinks I’m a bot.

Why was this enabled without my consent???

Thanks for breaking my all my websites and literally taking revenue from me

How do I disable this useless product

Even though Turnstile is being implemented rapidly by many websites, it still needs to have the ability to spread itself. Either you or one of your system administrators enabled it.

Alternatively, one of your website plugins may have enabled it. Your site may be compromised, and a virus is impersonating Cloudflare. Who knows?

You will need to be more detailed with your issues if you want anybody to give a proper response.

I want to permanently disable whatever new bot detection protocol was implemented without my permission and prevents people from visiting my website.

No I don’t want to adjust the settings, or create a firewall rule that lets me in, I want to turn it off completely forever.

I can tell from my analytics it’s blocking people and negatively affects the revenue my sites generate.

I am the only one with admin access, I hate captcha and never would have implemented or turned on Cloudflare’s version of it.

We can go back and forth arguing all day; if you did not enable it and no other person has access to your website, your setup is most likely compromised.

Turnstile doesn’t add to any website; unlike the rest of CF’s security stack, you can’t easily toggle it off and on; it needs implementation within your code.

1 Like

I was able to login to my websites last week.

Tonight I have been trying to login for 30 minutes and I get some spinning graphics that this is taking longer than expected, then a verify you’re a human checkbox pops up, i click it, and then it starts the loop all over again. I haven’t logged into Cloudflare in months.

If I was able to log in to my websites last week, and I haven’t logged into Cloudflare in months and, now I can’t log into my websites and I’m stuck looping on a Cloudflare page who do you think broke my websites…

I’ve turned the security level to essentially off, and still can’t login

The firewall says “Security level” Rule ID “Badscore”

Does Cloudflare decide everyone using a VPN is a bad?

Whatever security changes were made without my permission prevent me from logging into my websites.

I have turned the security settings to essentially off, and created a firewall rule allowing my IP and I still get stuck on the looping hcaptcha screen.

I want to completely disable this but since it was turned on without my permission I don’t know where the switch is to turn it off.

Whatever security changes were made without my permission prevent me from logging into my websites.

I have turned the security settings to essentially off, and created a firewall rule allowing my IP and I still get stuck on the looping hcaptcha screen.

I want to completely disable this but since it was turned on without my permission I don’t know where the switch is to turn it off.

Stop closing my posts and marking them as solved.


Cloudflare does not make changes to your dash.

What is the name of the site that is having issues? Have you reviewed the audit log (under manage account) to see what changes were made just before you started having issues?

I don’t share my sites publicly.

I can see my IP being blocked, it says “Security Level”, “Managed Challenge” and Rule ID “badscore”. The managed challenge is the part that breaks the site, it spins and loads, says “this is taking longer than expected”, eventually asks me to check a box, then it goes back to “this is taking longer than expected” and creates an infinite loop. It never did this before this is something new that Cloudflare changed, because today I have started getting it on other sites I visit.

I tried creating a firewall rule to allow my IP Cloudflare ignores that and I get stuck in the managed challenge loop again. I want to completely disable the managed challenge, because now Cloudflare is getting in the way of me doing my work.

I use a VPN, and have very aggressive privacy filters and ad blockers which is probably preventing whatever ridiculous thing Cloudflare is checking in the managed challenge phase. Obviously Cloudflare didn’t do enough testing because I’m obviously human, but they can’t figure that out. This should never have been turned on for my site without my permission. I get that Cloudflare thought they were “helping” but in reality they are wasting my time and pissing me off.

This is from your dash, turnstile is not enabled.
Screen Shot 2022-11-16 at 11.46.09 AM

I am able to access all of the zones (sites) in your account without being challenged. Nor am I seeing turnstile.


I dislike them as well. But, Turnstile is not captcha.

Multiple duplicate posts are combined so as to not distract other community members.

I suspect it truly is your problem as I am unable to recreate an issue. Sorry for the frustration you’re experiencing, but the IP you are using here has a poor reputation. That may be why your rules are challenging you.

Understood, it will be difficult for the community to assist you. The best bet is to try and troubleshoot using the information in your audit log. Check to see what rule changes were made around the time that you started being challenged.

I see daily logins for the past two months, if that is not you logging in and making the changes, then this is probably the answer:

1 Like

What’s the point of telling me I have a badscore if you don’t give me the ability to change the settings.

Because I care about Privacy and use a VPN and take other steps to prevent tracking Cloudflare gives me a low score and won’t let me log into my own websites.

I never asked for these setting Cloudflare just decided to “help me” by locking me out of my own sites.

Honestly Cloudflare’s service is degradfing quickly, with the way they gave in to the angry mob over kiwifarms and now deciding everyone who doesn’t want to be tracked has nefarious intent.

And the moderators here keep closing topics when you point out how Cloudflare’s products are getting worse.

The moderators and community have tried to figure out what’s wrong, you have been in denial since your first message. Your thread wasn’t closed, it was marked as solved because there has been no progress despite multiple members stepping in to try and see what’s wrong.

On your first message; you claimed that turnstile was broken and that you had never used it. After some messages exchanged; the blame shifted from turnstile to managed challenges.

VPNs and “aggressive privacy filters” typically end up spoofing and making your traffic seem odd, different from what normal visitors usually do. It is reasonable to expect any security solution to act accordingly and deliver challenges to verify whether the visitor is a bot or not.
You are most likely not a bot; however, your fingerprint might say otherwise and thus, the system has to double check with challenges.

If you want help; you will need to provide us with the following:

  1. Affected website.
  2. HARs of sessions that were miss-labeled, entered in loops or had unsolvable challenges.

If you don’t want to provide these, that’s fine :man_shrugging: but we won’t be able to raise any internal ticket nor guess what might be wrong.

FWIW, turnstile is rarely used on managed challenges, instead, hCaptcha is used but since we have no relevant information from your side, it is impossible to tell what’s wrong. “Security doesn’t work” “Security degraded” “Service getting worse” :person_shrugging:


Since you marked my topic “solved” do you actually think it’s solved?

Do you think someone who says they care about privacy and use a VPN and has very aggressive blockers might also not want to share their domain publicly?

Do you have even the slightest understanding of the concept of privacy, because it doesn’t seem like you do.

My question is how do I turn off the security challenges on my website?

Or are you telling me that Cloudflare has decided what’s best for me, and I have no choice over the security setting on my own website, and if I want ever login to my website again I have to stop using a VPN, allow anyone to set whatever cookies they want, and should just shut up be thankful for Cloudflare “helping me”

Now you’re saying my Cloudflare account is compromised, please explain how they are getting past the 2FA…

You claimed something was factual, now go ahead and prove it…

I use Proton VPN who is a legitimate privacy focused provider, with a lot of customers, just because I’m the only person complaining doesn’t mean I’m the only one it’s happening to.

You are in no way helping in fact you’re pissing me off trying to blame my account being hacked instead of Cloudflare’s overzealous privacy invasive security policies

Alternatively you might stop using the service if it goes against your ethics. Cloudflare (and most competitors) have a similar approach to websites security.

Cookies are needed to verify who solved a challenge and VPNs are prone to having bad ip reputation because the IPs are shared with thousands of customers, some of which use the service in nefarious ways.

You seem to be taking this personal while it’s not; if the service isn’t good, simply stop using it :person_shrugging:.

The whole account being hacked was an option because you mistakenly pointed the blame to a service that requires custom implementation and can’t be easily toggled on and off.

Accepting cookies from hcaptcha was not a requirement when I signed up.

Additionally if youy don’t accept hcaptcha cookies large parts of the web are now inaccessible to you, so you have to agree to be tracked everywhere yoiu go with an hcaptcha cookie or Cloudflare won’t serve you content.

If you block cookies from google analytics you can still visit any site using it.

If you block cookies from hcaptcha Cloudflare completely prohibits you from viewing anything on the site.

I never thought I’d say this but Cloudflare is worse than Google when it comes to respecting your privacy on the internet.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.