I agree it’s strange. I’m looking into the possibility that these automated attempts are leveraging the WordPress API Authentication features, which obviously are not / cannot be protected by a captcha.
Hi Robert,
Thanks for checking that out.
I get hit daily; there will be a flood of rapid hits, then about a 12-hour pause. Then it starts again. This has been going on for about 5 days now. They are coming from all over the world, mostly from Vietnam.
Chris
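One way to check both observations in the posts above against a web server access log, as an added example that is not part of the thread: it counts login POSTs per endpoint and groups them into bursts separated by quiet periods. It assumes combined-format logs and that the API authentication in question is reached through `/xmlrpc.php`; the sample lines, the addresses and the 30-minute gap are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (combined log format, documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:02:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:02:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:02:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:14:05:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:14:05:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
"""

# Only POSTs to the login form or the XML-RPC endpoint are of interest.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (/wp-login\.php|/xmlrpc\.php)[ ?]')

def parse_login_posts(text):
    """Return sorted (timestamp, client_ip, path) tuples for login-related POSTs."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            events.append((when, m.group(1), m.group(3)))
    return sorted(events)

def endpoint_counts(events):
    """Count attempts per endpoint; a form captcha never sees /xmlrpc.php requests."""
    return Counter(path for _, _, path in events)

def bursts(events, max_gap=timedelta(minutes=30)):
    """Group events into (start, end, count) bursts split by gaps longer than max_gap."""
    groups = []
    for when, _, _ in events:
        if groups and when - groups[-1][1] <= max_gap:
            groups[-1][1] = when
            groups[-1][2] += 1
        else:
            groups.append([when, when, 1])
    return [tuple(g) for g in groups]

if __name__ == "__main__":
    evts = parse_login_posts(SAMPLE_LOG)
    print(dict(endpoint_counts(evts)))
    for start, end, count in bursts(evts):
        print(f"{start:%d %b %H:%M:%S} -> {end:%H:%M:%S}  {count} attempts")
```

If most attempts land on `/xmlrpc.php`, the login-form captcha is not in their path at all, which matches the suspicion in the first post.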
Hi,
I tested this, and indeed WordFence intercepts invalid usernames “upstream” of the reCaptcha checking.
So, a bad actor submitting a login form without a valid reCaptcha and also with an invalid username will be intercepted by WordFence, sending back the “you are locked out” screen and generating an email alert to the (real) admin.
Of course, if WordFence were disabled, a bad actor submitting a login form without a valid reCaptcha and also with an invalid username would still be intercepted by this reCaptcha plugin and denied access. It is just that WordFence “gets there first”.
Hope this makes sense. It may be possible in a future release to put the reCaptcha checking “ahead” of WordFence, in which case the reCaptcha checking would handle this (silently) instead of WordFence generating the emails.
Best,
Robert
Hi Robert,
I thought that may be the issue; thank you for checking into it.
Chris
Hi Chris,
With the release of 1.4 I have increased the priority of the CAPTCHA checking ahead of WordFence, so hopefully now you won’t keep getting these spurious alerts.
Best,
Robert