Hi @nasherx, thanks for getting in touch.
Thanks for the screenshots to explain the issue. Are you receiving any Javascript console errors when the “Captcha is invalid” message displays? If so, it’d be great to see a shot of that too.
This could either be a conflict, or could be that a script is being blocked.
Firstly, in order to rule Wordfence in/out as the sole culprit for the conflict, you can install a maintenance mode plugin and disable all plugins except Wordfence and hCaptcha. Does the issue still persist? If not, re-enable all plugins one-by-one to see when the issue reoccurs.
Learning Mode could help and you should give this a try next, if disabling plugins didn’t rule Wordfence out. From the Wordfence Dashboard click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. This will help Wordfence learn that any actions during this time are normal and it will allow them in the future. Try logging in on the page with hCAPTCHA again during this time. Afterwards, switch the WAF from Learning Mode back to Enabled and Protecting.
If that hasn’t done the job, we can try installing the Enable jQuery Migrate Helper plugin below to see if the issue is resolved. Wordfence is fully compatible with WordPress 5.6, but some plugins may not be: https://ww.wp.xz.cn/plugins/enable-jquery-migrate-helper/
Please let me know how you get on!
Thanks,
Peter.
Hi @wfpeter
No unfortunately there isn’t any output to the console at all. I’ve done some testing and confirmed wordfence is the culprit, however I also found it only fails when 2FA is configured on the user account. Is there anything that can be done in the configs to get it working or is it a change in the plugin code? Or incorporate hCaptcha as an alternative to Google’s captcha maybe?
Hi @nasherx, sorry for the slightly delayed response but we wanted to run some tests around the configuration you have described in case hCaptcha needed to be added to our list of incompatible plugins with Wordfence 2FA.
Without any configuration tweaks at all, I have:
– Enabled Wordfence 2FA
– Disabled my previous reCAPTCHA solution
– Registered for hCaptcha and downloaded the WordPress plugin
– Enabled hCaptcha for the login form in the plugin settings
I am able to successfully complete the username/password/hCaptcha combination and am presented with the 2FA code page, which signs me in after completion.
I would strongly suggest disabling all plugins other than hCaptcha and Wordfence, and switching to a default theme such as Twenty Twenty to see if you can find that one of your other plugins or theme scripts are causing the conflict that breaks the hCaptcha checks. You may wish to use a maintenance mode plugin during this time which will prevent site visitors from seeing the theme change or breaking of plugin functionality.
Thanks again,
Peter.
Hi @wfpeter, I’ve done some more testing with plugins disabled and the theme as the default 2020 one.
If the 2FA code is ticked to be remembered or the IP is entered in the allowlisted bypass section the error is thrown, but without these the login is successful.
For now, I’ve removed all IPs from the bypass section and disabled the remembering 2FA for now.
I’ll see if i can record a video of it one night this week
Thanks
Danny
Hi @wfpeter,
I’ve uploaded a video if it helps:
https://youtu.be/9voEAOaqvU0
I sped parts up and censored my IP address where needed
Thanks
Danny
Hi @nasherx,
Thanks for your detailed responses, that’s great information. We don’t recommend adding IPs to the bypass section under most circumstances as Wordfence is bypassed in its entirety, so could certainly be the source of a problem when the site relies on Wordfence 2FA to proceed.
I am able to remember user during my tests also, but I will forward your comments to the developers in case they can find a use-case to replicate the results you have been seeing.
Thanks,
Peter.
