Very, very low solve rates with Turnstile

We are seeing 20% user solve rate and 3.5% API solve rate from Turnstile.

Needless to say, this is unacceptable and about 25% of the user solve rate, if not less, we get with reCAPTCHA and hCaptcha.

Is there a known issue about this already?

Sooo… I don’t think this is as much of an issue as you are making it out to be.

Consider the fact that 20% user solve rate means that 80% of your users are bots. If you’re only getting a 3.5% API solve rate, then 96.5% of users are invalid.

This doesn’t mean that the service isn’t working: on the contrary, it’s working well (and better than reCAPTCHA or hCaptcha, it sounds like).

If you have verifiable reports of users getting blocked then that’s different. But just the raw numbers won’t be able to tell you if those users are incorrectly getting blocked (which they probably aren’t, actually, and it’s just bots).

4 Likes

We have DOZENS of users complaining downloads and logins aren’t working. I tested myself, I had others on our team test. I couldn’t pass about 90% of the times I tried.

Turnstile is NOT working. Stop acting like it is. 95% of our users aren’t bots, by our own numbers and Cloudflare’s bot fight mode it’s tops of 30% (which is not unreasonable).

First. The people on this community are volunteers and only trying to help. Don’t get aggressive with us please.

Secondly. If you click 4 times on the Cloudflare logo it will give you a QR code. Can you please share that QR code with us here or open a support ticket on the Cloudflare dashboard so that we can try to see what’s going wrong?

Finally, a 3.5% API solve rate could mean that you’re not properly validating the result with the server (if it’s not properly sent server-side to /siteverify then that number won’t increase and you’ll see an error).

2 Likes
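
As an added illustration (not code posted by anyone in this thread): a server-side check against /siteverify that separates "no token submitted", integration faults and genuine rejections, which is the distinction the reply above draws. The `post` parameter, the outcome labels and the `tally` helper are assumptions made for this example; the endpoint, form fields and error codes follow Cloudflare's documented siteverify API.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
# Error codes that point at the integration rather than at the visitor.
CONFIG_ERRORS = {"missing-input-secret", "invalid-input-secret", "bad-request"}


def http_post(url, fields, timeout=5):
    """Default transport: form-encoded POST, JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)


def classify_verification(token, secret, remote_ip=None, post=http_post):
    """Return (outcome, error_codes); only outcome "ok" should pass."""
    if not token:
        # The widget never produced a token, or the field was dropped before
        # reaching the backend; there is nothing to send to siteverify.
        return "no_token", []
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        reply = post(SITEVERIFY_URL, fields)
    except (OSError, ValueError):  # network failure or non-JSON body
        return "unreachable", []
    codes = list(reply.get("error-codes", []))
    if reply.get("success") is True:
        return "ok", codes
    if CONFIG_ERRORS & set(codes):
        return "config_error", codes
    if "timeout-or-duplicate" in codes:
        # Token past its validity window or already redeemed once,
        # e.g. the backend verifies the same token twice.
        return "expired_or_reused", codes
    return "rejected", codes


def tally(submissions, secret, post=http_post):
    """Count outcomes over (token, ip) pairs as they are handled."""
    counts = {}
    for token, ip in submissions:
        outcome, _ = classify_verification(token, secret, ip, post)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts
```

A high share of `no_token`, `config_error` or `expired_or_reused` outcomes points at the integration; a high share of `rejected` points at the challenge itself.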

We use packages for both (Simple Cloudflare Turnstile for our WordPress site, romanzipp/Laravel-Turnstile for our Laravel API) so that rules out bad implementation.

Second, 1631/47950 served captchas being “solved” is not normal. Especially when ~69% of hCaptcha captchas served in the last 7 days of data (217,637/317,416) were solved.

Third, I don’t know which logo you’re talking about.

Fourth, this is having a very real impact on revenue and conversions, so you’ll pardon me if I seem a bit sharp, and I do apologize.

Sorry, I should have been more specific 🙂

If you click 4 times on the Cloudflare logo on this widget (assuming you’re using Interactive mode, not sure how to do it on Invisible mode) it will give you a QR code.

[Image: Screenshot 2022-11-02 at 20.09.30]

Can you share a HAR file?

That logo seems to be a link so I cannot do that.

I did a bad configuration on one of my sites first. But now it’s been running a couple of days in production.

And I’m sad to report I have the same problem. It does take the bots, but it also takes a lot of real users. Attaching image.

There were 5 form submissions made by humans. Of those, 3 were identified as bots and only 2 went through. You can see one of them is one person trying 3 times (two fails and then one going through).

This is a very low-traffic site I put it on, which as you can see has a big spam-problem.

Interestingly, I did find something quite interesting in this data. I stored their turnstile_token solution. And actually only the actual users seem to bother to solve the challenges at all. In other words, I could just not verify with Turnstile, or do so but only use it as a weak signal on whether to allow it through or not.

So at least for this super not-valuable mini-site, I might do that. Unless there is also another thing I can do? I’m using the visible, managed widget with a possible checkbox on this site. I’m also sending the IP-address to Turnstile (I verified they are correct). Is there anything else I could/should do/try?

I’m only using Turnstile on this site, not any other Cloudflare services if that’s relevant.

1 Like

No bueno. I will try to see if we can get the attention of the devs and diagnose what might have gone wrong.

1 Like