Continuing the discussion from URL of website:
We get a lot of bot registration spam to greenfins.net, so we have a Firewall rule to protect our WordPress registration with JS Challenge.
(http.request.uri contains "/wp-login.php?action=register") or (http.request.uri.path contains "/xmlrpc.php")
This has worked well, but recently the JS Challenge has been falling back to hCaptcha more frequently – when this happens the data from the form is lost and the user receives a cryptic error from WordPress complaining about the lack of data. (see screenshots below)
Has anyone else come across this issue? @mdemoura mentioned that this was fixed back in Dec 19 so wondering if this is an issue with my rule rather than something wider?
Also if anyone can explain to me why we are now seeing more hCaptcha than before that would really help! JS Challenge worked so well before!
May I ask, have you configured a Firewall Rule for the action JS Challenge strictly on the uri.path) to protect your WordPress admin area, or?
As far as it could have query parameters for lost password, reset password, registration, etc.
Furthermore, there is also an
You can also change the registration URL to a different one, even with a custom redirect page if needed.
'/wp-login.php?action=register&redirect_to=' . get_permalink()
Maybe using some WordPress Forms like:
I assume multiple factors could be included here like:
- Are you using a VPS connection or a Tor network?
- Are you running Firefox/Chrome Web browser in Privacy mode?
- Have you got Privacy Pass option enabled at Cloudflare Firewall → Settings?
- Any custom Page Rules set on Cloudflare?
- Could be IP reputation?
- Anti-virus program like BitDefender?
- Challenge Passage set to low?
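The reply above asks whether the rule matches on the full URI (which includes the query string) or strictly on the path, and points out that /wp-login.php also carries query parameters for lost password, reset password and registration. The following is an added example, not code from the original post or from Cloudflare: it emulates in Python how the two request fields used in the rule are derived and evaluates the poster's expression, a path-only variant, and an order-independent variant against a constructed set of WordPress URLs (the example.org host and the sample paths are assumptions). It shows what each variant would challenge and what it would let through.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request URLs (not real traffic). They cover the WordPress
# endpoints the thread mentions: registration (with and without a redirect,
# and with the parameters in a different order), lost password, plain login,
# XML-RPC, and an unrelated public page.
SAMPLE_REQUESTS = [
    "https://example.org/wp-login.php?action=register",
    "https://example.org/wp-login.php?action=register&redirect_to=/courses/",
    "https://example.org/wp-login.php?redirect_to=/courses/&action=register",
    "https://example.org/wp-login.php?action=lostpassword",
    "https://example.org/wp-login.php",
    "https://example.org/xmlrpc.php",
    "https://example.org/courses/coral-reefs/",
]


def cloudflare_fields(url):
    """Emulate the two request fields used in the thread's rule:
    http.request.uri keeps the query string, http.request.uri.path does not."""
    parts = urlsplit(url)
    path = parts.path
    uri = path + ("?" + parts.query if parts.query else "")
    return {"http.request.uri": uri, "http.request.uri.path": path}


def original_rule(fields):
    """The expression from the original post, evaluated literally as substring
    matches. Note it only matches when action=register is the first parameter."""
    return ("/wp-login.php?action=register" in fields["http.request.uri"]
            or "/xmlrpc.php" in fields["http.request.uri.path"])


def path_only_rule(fields):
    """The alternative raised in the reply: challenge strictly on the path.
    This also catches lost-password and ordinary login requests."""
    path = fields["http.request.uri.path"]
    return "/wp-login.php" in path or "/xmlrpc.php" in path


def query_aware_rule(fields):
    """Order-independent variant: parse the query string and check the parsed
    'action' parameter, so registration is matched whatever the parameter order.
    (Python emulation only; how to express this in a Cloudflare rule is not
    covered by the thread.)"""
    uri = fields["http.request.uri"]
    path, _, query = uri.partition("?")
    args = parse_qs(query)
    is_register = path.endswith("/wp-login.php") and "register" in args.get("action", [])
    return is_register or path.endswith("/xmlrpc.php")


def challenged_by(rule):
    """Return the sample URLs that the given rule would send to the challenge."""
    return [url for url in SAMPLE_REQUESTS if rule(cloudflare_fields(url))]


if __name__ == "__main__":
    for name, rule in (("original", original_rule),
                       ("path-only", path_only_rule),
                       ("query-aware", query_aware_rule)):
        print(f"{name}:")
        for url in SAMPLE_REQUESTS:
            mark = "CHALLENGE" if rule(cloudflare_fields(url)) else "allow"
            print(f"  {mark:9} {url}")
```

Running it shows the trade-off behind the question in the reply: the literal substring rule lets a registration request through when the parameters are reordered, while the path-only rule challenges every visitor who reaches wp-login.php, including those resetting a password.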
Our registration form posts to https://greenfins.net/wp-login.php?action=register and this isn’t something that can be changed.
I included the complete firewall rule in the original post - have edited to make this clearer.
Are there any Cloudflare engineers here that can explain why the post data is stripped by the Captcha process when a standard JS Challenge is able to pass on the post data successfully?
Out of curiosity, I see mention of Registration confirmation email. Does that mean if a user doesn’t confirm, then their account won’t be activated? What does that look like in wp-admin for their user data?
I know you said that you can’t change the registration URL, but that’s one of the reasons I don’t have a login widget/popup on a regular page, as awesome and convenient as it is. I like to protect wp-login.php right off the bat.
If you want a Cloudflare engineering response, you’re really going to have to open a ticket.
I think the double-challenge is the reason the POST data is lost. As much of a hassle as it is, you could try changing your Firewall Rule to be CAPTCHA so it doesn’t double-challenge people. And see if POST data is retained. This should be easy to test right away.
@sdayman To ease the user experience, login is allowed immediately but we do send a simple confirmation by email (so that if the address has been used fraudulently, the inbox owner is notified and can contact us).
The user is allowed to login immediately:
Our online courses are for the general public – we have a real mix of user technical literacy and any barriers to access potentially will cause people to miss out on the marine conservation knowledge that we are trying to pass on. We tread a fine line between security and ease of access, which is why we prefer the JS Challenge rather than forcing users to solve a puzzle.
This makes a lot of sense – I followed your advice and switched the rule to ‘Challenge (Captcha)’ and now the post data is retained. Thank you for this suggestion!
My preference would be to move back to JS Challenge as soon as possible. I don’t seem to be able to open a ticket with Cloudflare to see if they are working on preserving post data when the JS Challenge falls back to hCaptcha. I guess this is because we are on a free account. I’m still hoping that @mdemoura sees this thread…!
Now that I understand the issue better, it looks like this is the same as POST body lost when JS challenge falls back to CAPTCHA?
@jmorahan did you make any progress with this?
Nope. I ended up just disabling the JS challenge entirely. I’m also on a free account and can’t open a ticket either, sorry.
Indeed, there appears to be an issue on this very specific scenario, thanks for the detailed report. We’re currently tracking this and will push out a fix.
@mdemoura Glad to hear you can reproduce this and a fix is planned. Many thanks!
p.s. How will we know when a fix is pushed out? Is there a way to receive updates from the firewall team after this thread closes (scheduled for three days from now!).
@it1255 This has been fixed, thanks again!