I was looking at my analytics and noticed traffic was down on all my websites. I went to log in to see what was broken and I get stuck in a loop and can’t log in because your Turnstile product thinks I’m a bot.
Why was this enabled without my consent???
Thanks for breaking all my websites and literally taking revenue from me.
Tonight I have been trying to log in for 30 minutes and I get some spinning graphics that this is taking longer than expected, then a verify you’re a human checkbox pops up, I click it, and then it starts the loop all over again. I haven’t logged into Cloudflare in months.
If I was able to log in to my websites last week, and I haven’t logged into Cloudflare in months, and now I can’t log into my websites and I’m stuck looping on a Cloudflare page, who do you think broke my websites…
I can see my IP being blocked, it says “Security Level”, “Managed Challenge” and Rule ID “badscore”. The managed challenge is the part that breaks the site, it spins and loads, says “this is taking longer than expected”, eventually asks me to check a box, then it goes back to “this is taking longer than expected” and creates an infinite loop. It never did this before; this is something new that Cloudflare changed, because today I have started getting it on other sites I visit.
I tried creating a firewall rule to allow my IP; Cloudflare ignores that and I get stuck in the managed challenge loop again. I want to completely disable the managed challenge, because now Cloudflare is getting in the way of me doing my work.
I use a VPN, and have very aggressive privacy filters and ad blockers which is probably preventing whatever ridiculous thing Cloudflare is checking in the managed challenge phase. Obviously Cloudflare didn’t do enough testing because I’m obviously human, but they can’t figure that out. This should never have been turned on for my site without my permission. I get that Cloudflare thought they were “helping” but in reality they are wasting my time and pissing me off.
Multiple duplicate posts are combined so as to not distract other community members.
I suspect it truly is your problem as I am unable to recreate an issue. Sorry for the frustration you’re experiencing, but the IP you are using here has a poor reputation. That may be why your rules are challenging you.
Understood, it will be difficult for the community to assist you. The best bet is to try and troubleshoot using the information in your audit log. Check to see what rule changes were made around the time that you started being challenged.
I see daily logins for the past two months, if that is not you logging in and making the changes, then this is probably the answer:
The moderators and community have tried to figure out what’s wrong, you have been in denial since your first message. Your thread wasn’t closed, it was marked as solved because there has been no progress despite multiple members stepping in to try and see what’s wrong.
On your first message, you claimed that Turnstile was broken and that you had never used it. After some messages were exchanged, the blame shifted from Turnstile to managed challenges.
VPNs and “aggressive privacy filters” typically end up spoofing and making your traffic seem odd, different from what normal visitors usually do. It is reasonable to expect any security solution to act accordingly and deliver challenges to verify whether the visitor is a bot or not.
You are most likely not a bot; however, your fingerprint might say otherwise and thus, the system has to double check with challenges.
If you want help, you will need to provide us with the following:
HARs of sessions that were mislabeled, entered in loops or had unsolvable challenges.
If you don’t want to provide these, that’s fine but we won’t be able to raise any internal ticket nor guess what might be wrong.
FWIW, Turnstile is rarely used on managed challenges; instead, hCaptcha is used, but since we have no relevant information from your side, it is impossible to tell what’s wrong. “Security doesn’t work” “Security degraded” “Service getting worse”
Since you marked my topic “solved” do you actually think it’s solved?
Do you think someone who says they care about privacy and use a VPN and has very aggressive blockers might also not want to share their domain publicly?
Do you have even the slightest understanding of the concept of privacy, because it doesn’t seem like you do.
My question is how do I turn off the security challenges on my website?
Or are you telling me that Cloudflare has decided what’s best for me, and I have no choice over the security setting on my own website, and if I ever want to log in to my website again I have to stop using a VPN, allow anyone to set whatever cookies they want, and should just shut up and be thankful for Cloudflare “helping me”?
Alternatively, you might stop using the service if it goes against your ethics. Cloudflare (and most competitors) have a similar approach to website security.
Cookies are needed to verify who solved a challenge, and VPNs are prone to having bad IP reputation because the IPs are shared with thousands of customers, some of which use the service in nefarious ways.
You seem to be taking this personally while it’s not; if the service isn’t good, simply stop using it.
The whole account being hacked was an option because you mistakenly pointed the blame to a service that requires custom implementation and can’t be easily toggled on and off.
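Added example, not part of any post in this thread: a way to read a HAR capture locally and see whether a challenge loop matches the cookie explanation above, before deciding what to share. It assumes challenge pages carry a `cf-mitigated: challenge` response header and that clearance is stored in the `cf_clearance` cookie; the host `site.example` and all sample entries are constructed.

```python
import json
from urllib.parse import urlsplit

CLEARANCE = "cf_clearance"  # assumed name of the challenge-clearance cookie

def _names(items):
    return {i.get("name", "").lower() for i in items or []}

def _challenged(resp):
    # Assumption: challenge pages carry a "cf-mitigated: challenge" response header.
    return any(h.get("name", "").lower() == "cf-mitigated"
               and h.get("value", "").lower() == "challenge"
               for h in resp.get("headers") or [])

def diagnose(har_text, min_repeats=3):
    """Map each host challenged >= min_repeats times to a verdict string."""
    hosts = {}
    for e in json.loads(har_text)["log"]["entries"]:
        req, resp = e["request"], e["response"]
        s = hosts.setdefault(urlsplit(req["url"]).hostname,
                             {"n": 0, "issued": False, "dropped": False, "rejected": False})
        if _challenged(resp):
            s["n"] += 1
            if CLEARANCE in _names(req.get("cookies")):
                s["rejected"] = True   # cookie was sent, challenge came back anyway
            elif s["issued"]:
                s["dropped"] = True    # cookie was issued earlier but not sent back
        if CLEARANCE in _names(resp.get("cookies")):
            s["issued"] = True
    out = {}
    for host, s in hosts.items():
        if s["n"] >= min_repeats:
            out[host] = ("cookie_not_returned" if s["dropped"] else
                         "cookie_rejected" if s["rejected"] else
                         "never_cleared" if not s["issued"] else "cleared")
    return out

def entry(url, sent=(), challenged=False, set_cookie=()):
    # Builds one constructed HAR entry; cookie values are placeholders.
    ck = lambda names: [{"name": n, "value": "x"} for n in names]
    return {"request": {"url": url, "cookies": ck(sent)},
            "response": {"status": 403 if challenged else 200, "cookies": ck(set_cookie),
                         "headers": [{"name": "cf-mitigated", "value": "challenge"}] if challenged else []}}

U = "https://site.example/login"  # constructed URL, not from the thread
SAMPLE_HAR = json.dumps({"log": {"entries": [
    entry(U, challenged=True), entry(U, set_cookie=[CLEARANCE]),
    entry(U, challenged=True), entry(U, set_cookie=[CLEARANCE]),
    entry(U, challenged=True)]}})

if __name__ == "__main__":
    print(diagnose(SAMPLE_HAR))
```

A `cookie_not_returned` verdict points at the browser or an extension discarding the clearance cookie; `never_cleared` means no clearance cookie was ever issued in the capture.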
Accepting cookies from hcaptcha was not a requirement when I signed up.
Additionally, if you don’t accept hcaptcha cookies large parts of the web are now inaccessible to you, so you have to agree to be tracked everywhere you go with an hcaptcha cookie or Cloudflare won’t serve you content.
If you block cookies from google analytics you can still visit any site using it.
If you block cookies from hcaptcha Cloudflare completely prohibits you from viewing anything on the site.
I never thought I’d say this but Cloudflare is worse than Google when it comes to respecting your privacy on the internet.