I’m trying to set up a managed challenge to replace a CAPTCHA for a contact form on my website.
I’ve set up a WAF Rule as follows:
URI path contains “/contact” and
Threat Score greater than or Equal to “0”
This works for both my contact form at https://example.com/contact, but it seems some bots already have stores the form submit URL of https://example.com/wp-json/contact… and sending new POST requests to that address to submit the form.
Do WAF Rules/managed challenges work for POST pages? If not, what would be the best option for protecting: