We get a lot of bot registration spam to greenfins.net, so we have a Firewall rule to protect our WordPress registration with a JS Challenge.
Firewall rule: (http.request.uri contains "/wp-login.php?action=register") or (http.request.uri.path contains "/xmlrpc.php")
This has worked well, but recently the JS Challenge has been falling back to hCaptcha more frequently. When this happens the data from the form is lost and the user receives a cryptic error from WordPress complaining about the lack of data (see screenshots below).
Has anyone else come across this issue? @mdemoura mentioned that this was fixed back in Dec 19, so I'm wondering if this is an issue with my rule rather than something wider.
Also, if anyone can explain to me why we are now seeing more hCaptcha than before, that would really help! The JS Challenge worked so well before!
May I ask, have you configured a Firewall Rule with the action JS Challenge strictly on wp-login.php (uri.path) to protect your WordPress admin area, or?
As it could have query parameters for lost password, reset password, registration, etc.:
/wp-login.php?action=register
Furthermore, there is also a wp-signup.php.
You can also change the registration URL to a different one, even with a custom redirect page if needed.
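Added example (written for this page; not code from either poster and not Cloudflare's own matching engine): a small Python simulation of how the Firewall rule quoted in the first post decides on request URIs, next to a variant that decides on the parsed path and query string instead. It assumes, as in Cloudflare's field reference, that `http.request.uri` is the path plus query string, `http.request.uri.path` is the path alone, and `contains` is a case-sensitive substring test. The sample URIs are constructed, not captured traffic, and the `parsed_rule_matches` variant is an alternative suggested here, not something from the thread.

```python
from urllib.parse import urlsplit, parse_qs

# Needles from the rule quoted in the thread:
#   (http.request.uri contains "/wp-login.php?action=register")
#   or (http.request.uri.path contains "/xmlrpc.php")
RULE_URI_NEEDLE = "/wp-login.php?action=register"
RULE_PATH_NEEDLE = "/xmlrpc.php"


def thread_rule_matches(uri: str) -> bool:
    """Local re-implementation of the thread's rule (assumption: `contains`
    is a plain case-sensitive substring test on the field value)."""
    path = urlsplit(uri).path
    return RULE_URI_NEEDLE in uri or RULE_PATH_NEEDLE in path


def parsed_rule_matches(uri: str) -> bool:
    """Alternative added here (not from the thread): decide on the parsed
    path and query so that parameter order and extra parameters do not
    matter, and also cover wp-signup.php, which the reply above mentions.
    endswith() keeps this working for a WordPress install in a subdirectory."""
    parts = urlsplit(uri)
    args = parse_qs(parts.query)
    if parts.path.endswith(("/xmlrpc.php", "/wp-signup.php")):
        return True
    return parts.path.endswith("/wp-login.php") and "register" in args.get("action", [])


# Constructed sample request URIs (not captured traffic).
SAMPLE_URIS = [
    "/wp-login.php?action=register",
    "/wp-login.php?redirect_to=%2F&action=register",  # action is not the first parameter
    "/wp-login.php?action=lostpassword",
    "/wp-login.php",
    "/wp-signup.php",
    "/xmlrpc.php",
    "/blog/xmlrpc.php?rsd",  # WordPress installed under /blog
]


def compare(uris=SAMPLE_URIS):
    """Return {uri: (thread_rule_result, parsed_rule_result)} for each sample."""
    return {u: (thread_rule_matches(u), parsed_rule_matches(u)) for u in uris}


if __name__ == "__main__":
    for uri, (thread_hit, parsed_hit) in compare().items():
        print(f"{uri:48} thread_rule={thread_hit!s:5} parsed_rule={parsed_hit}")
```

The second sample is the case worth noticing: a registration request whose query string carries another parameter before `action=register` slips past a substring match on the whole URI, while a match on the parsed query still catches it. In Cloudflare's expression language the equivalent is to test the path and the query string separately (for example with `http.request.uri.path` and `http.request.uri.query`) rather than the combined `http.request.uri`; check the exact operators against the current Cloudflare documentation before deploying.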
I included the complete firewall rule in the original post - have edited to make this clearer.
Are there any Cloudflare engineers here that can explain why the post data is stripped by the Captcha process when a standard JS Challenge is able to pass on the post data successfully?
Out of curiosity, I see mention of a registration confirmation email. Does that mean if a user doesn't confirm, then their account won't be activated? What does that look like in wp-admin for their user data?
I know you said that you can’t change the registration URL, but that’s one of the reasons I don’t have a login widget/popup on a regular page, as awesome and convenient as it is. I like to protect wp-login.php right off the bat.
If you want a Cloudflare engineering response, you’re really going to have to open a ticket.
I think the double-challenge is the reason the POST data is lost. As much of a hassle as it is, you could try changing your Firewall Rule to be CAPTCHA so it doesn’t double-challenge people. And see if POST data is retained. This should be easy to test right away.
@sdayman To ease the user experience, login is allowed immediately but we do send a simple confirmation by email (so that if the address has been used fraudulently, the inbox owner is notified and can contact us).
Our online courses are for the general public. We have a real mix of user technical literacy, and any barriers to access could potentially cause people to miss out on the marine conservation knowledge that we are trying to pass on. We tread a fine line between security and ease of access, which is why we prefer the JS Challenge rather than forcing users to solve a puzzle.
This makes a lot of sense. I followed your advice and switched the rule to 'Challenge (Captcha)', and now the POST data is retained. Thank you for this suggestion!
My preference would be to move back to the JS Challenge as soon as possible. I don't seem to be able to open a ticket with Cloudflare to see if they are working on preserving POST data when the JS Challenge falls back to hCaptcha. I guess this is because we are on a free account. I'm still hoping that @mdemoura sees this thread…!
Indeed, there appears to be an issue on this very specific scenario, thanks for the detailed report. We’re currently tracking this and will push out a fix.
@mdemoura Glad to hear you can reproduce this and a fix is planned. Many thanks!
p.s. How will we know when a fix is pushed out? Is there a way to receive updates from the firewall team after this thread closes (scheduled for three days from now!).