• Resolved Generosus

    (@generosus)


    Good Day,

    Unfortunately, your latest plugin revision, V7.11.5, did not fix the condition where we frequently get the message “Login Verification Required” when reCAPTCHA is enabled AND Cloudflare WARP is installed on desktops, tablets, and mobile devices.

    The above also occurs when the reCAPTCHA threshold score is set between .1 and .5. Disabling reCAPTCHA is not an option for us.

    Kindly share this with your developers to confirm the above and provide a fix. Best to disconnect the email verification logic when reCAPTCHA is enabled.

    The change you made in V7.11.4 really messed things up. Let Google reCAPTCHA do its job (standalone) without adding an email verification procedure. “If it ain’t broke, don’t fix it.”

    The above issue may also occur when using other VPN client services.

    Please share this with your developers and consider reversing the change you made in V7.11.4.

    Thank you.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Thanks for this @generosus, I escalated your thoughts since the update, and experience with WARP to the development/QA teams to look into as something appears to have changed for you. We will likely try to reproduce what you’re seeing so that we can get a better understanding of the situation.

    The verification emails have been a part of the reCAPTCHA process since day 1 as far as I know as a fallback, so it seems that you weren’t really experiencing these at all before whereas now they’ve very much caught your attention.

    Many thanks,
    Peter.

    Hello, may I suggest you try Cloudflare Turnstile instead of Google reCAPTCHA? IMHO it works faster and better.
    I agree with you that Wordfence should not add another verification though.

    Thread Starter Generosus

    (@generosus)

    Hi @wfpeter,

    Thanks for the clarification (i.e., “verification emails have been a part of the reCAPTCHA process since day 1”). With WF 7.11.4 and Cloudflare WARP installed, something triggered this issue.

    In any case, it appears we can now sign in using reCaptcha without getting the pesky email verification request, so something must have changed for the better in the backend (we haven’t touched anything).

    We’ll continue to monitor this topic and report back if the issue surfaces again.

    Hi @webby1973,

    Thanks for your input. Yes, we’re aware of Cloudflare Turnstile. It’s still buggy for some sites (like ours), so we’re waiting for it to mature and/or Wordfence to offer that option in the plugin’s built-in settings section.

    Thanks, y’all!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @generosus, we have a bit of information that may be of assistance.

    In summary, the verification emails have always been in the Wordfence plugin since the captcha was implemented. Google reCAPTCHA v3 only provides a score and nothing else. reCAPTCHA v3 doesn’t fall back to picking bicycles/traffic lights/etc., it only gives a score for the user so any fallback is left to the implementer.

    Wordfence 7.11.4 made a necessary change to captcha handling. As a side-effect of requesting captcha scores twice, some users got lower scores. Scores may become lower further if you log in and out excessively. Google may consider you to be more like a bot when logging in repeatedly.

    In 7.11.5, we revised the reCAPTCHA verification to avoid sending verification requests too frequently, which was artificially lowering scores and causing more “Verification Required” emails than usual to be sent out. They now use Google’s token expiration time before sending another score request. This should be the same process as 7.11.3.

    We have seen some behavior where Google may see an increasing number of bots on certain hosts, or services like Cloudflare Warp, which could contribute to lower scores for real users using it. VPNs that we test with often cause lower scores than using our own ISPs, likely for the same reason. Google does not share any details of how scores are calculated, so this is an observation from doing hundreds of logins on various sites.

    A possible solution if you’re stuck with low scores: You can go to https://www.google.com/recaptcha/admin and generate a new set of reCAPTCHA v3 keys and replace the existing keys in Wordfence’s settings. This resets any history the site had accumulated that could result in constantly low scores, but does not reset the score history chart in the Wordfence plugin.

    I hope that helps you out!
    Peter.
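
The behaviour described in the reply above (a score-only captcha, an implementer-defined fallback, and one score request per token lifetime) can be sketched as follows. This is an added example, not Wordfence's code and not part of the original post; `ScoreGate`, `fake_siteverify` and the sample responses are hypothetical and constructed for illustration, and treating a failed verification the same as a low score is an assumption.

```python
import time

TOKEN_TTL = 120  # seconds; reCAPTCHA tokens are documented as valid for two minutes

# Constructed siteverify-style responses (not real traffic).
SAMPLE = {
    "tok-isp":  {"success": True, "score": 0.9, "action": "login"},
    "tok-warp": {"success": True, "score": 0.3, "action": "login"},
    "tok-old":  {"success": False, "error-codes": ["timeout-or-duplicate"]},
}

def fake_siteverify(token):
    """Offline stand-in for the HTTPS call to the siteverify endpoint."""
    return SAMPLE.get(token, {"success": False,
                              "error-codes": ["invalid-input-response"]})

class ScoreGate:
    """Hypothetical login gate: cache each token's score until the token expires."""

    def __init__(self, verify, threshold=0.5, ttl=TOKEN_TTL, clock=time.monotonic):
        self.verify, self.threshold = verify, threshold
        self.ttl, self.clock = ttl, clock
        self._cache = {}    # token -> (expires_at, score or None)
        self.requests = 0   # score requests actually sent

    def score_for(self, token):
        now = self.clock()
        # Drop entries whose token lifetime has passed.
        self._cache = {t: v for t, v in self._cache.items() if v[0] > now}
        if token in self._cache:
            return self._cache[token][1]   # reuse; no second score request
        self.requests += 1
        resp = self.verify(token)
        ok = resp.get("success") and "score" in resp
        score = float(resp["score"]) if ok else None
        self._cache[token] = (now + self.ttl, score)
        return score

    def decide(self, token):
        score = self.score_for(token)
        # v3 has no image challenge: a low or missing score goes to the
        # implementer's fallback (email verification here), never to "allow".
        if score is not None and score >= self.threshold:
            return "allow"
        return "email_verification"
```

Counting `requests` makes the side effect from the reply visible: asking twice for the same token within its lifetime sends only one score request.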

    Thread Starter Generosus

    (@generosus)

    Thank you, Peter. Again, excellent reply.

    As stated before, we no longer get the email verification request as frequently as we used to. Perhaps because Google has been “trained” at our end, Cloudflare updated their code, and/or your code changes kicked in after we “flushed” our DNS cache, etc.

    Your information is extremely valuable, so kindly consider amending your documentation to reflect it by adding a “Troubleshooting” section to it.

    Again, thank you!

  • The topic ‘Plugin Not Compatible with Cloudflare WARP’ is closed to new replies.