“Error: Incorrect CAPTCHA” for all WP Users

  • Resolved will071

    (@will071)


    3 months, 3 weeks ago

    Hello,

    Environment:

    WordPress: 6.8.3
    Hosting: Managed WordPress Platform Version 2.0 (GoDaddy).
    Browser: Firefox 146.0

    Issue: Receiving "Error: Incorrect CAPTCHA. Please try again." when I try to log in at the following from:

    mydomain.com/wp-login.php

    This happens with all of my users. I am not running any CAPTCHA plugins, so I don't understand why it is responding with an "Incorrect CAPTCHA" error.

    The issue started when I was having trouble logging in with one of my accounts. I forgot the password. So I did a password reset, received the email confirmation the new password was generated, tried to log in, and got received the "Incorrect CAPTCHA" error. That was on one of my WordPress user accounts. Yet, since then, no matter which WP user account I try to log in with, I receive the same error.

    I can access my Dashboard if I first log in to GoDaddy and then click on Edit My Site, which passes me through to WordPress with the original admin user that was generated when the WordPress instance was first created. But I cannot log in directly to WordPress from the WordPress Login Page with any of my WordPress accounts, including that one. All of them give the "Incorrect CAPTCHA" error.

    Things I have tried:

    Disabling my plugins (Akismet, Google Analytics/Monster Insights, WordPress Importer, WP 2FA - Two-factor authentication for WordPress, and Yoast SEO).

    Clearing cache and cookies in my browser.

    Disabling extensions in my browser.

    closing and relaunching my browser.

    Trying with a different browser.

    Calling GoDaddy support. They weren't helpful. They basically said to clear cache in my browser, disable plugins, and try another browser. When I explained I did those things before calling, they said if I needed more help, I could pay $50 for a service. 

    KI then tried these additional steps:

    Deleting all my WordPress users besides the original maintenance admin one.

    Recreating those WordPress users and setting new passwords on them.

    Flushing the DNS on my machine (ipconfig /flushdns).

    Rebooting my machine.

    Waiting over 30 minutes before attempting to log in to WordPress again.

    Flushing the cache in my hosting account.

    Resetting File permissions in my hosting account.

    Restoring a backup of my site from a few days ago.

    The odd thing is, I can't even access:

    mydomain.ocm/wp-admin

    When I try that, I get redirected to:
    https://thelooplog.com/wp-login.php?wpaas-standard-login=1

    I feel like there is something on the back-end that got misconfigured or corrupted when I was trying to reset my password the first time, maybe some config that has logged my MAC address or IP and has blacklisted it, and now, ever since, I get the CAPTCHA error on all users.

    I'm not sure what to try next. I do have access to File Manager via GoDaddy if there is something I can check in the files. Just not sure what.

    Any and all suggestions are welcomed. My site is backed up, so if something goes wrong, I can restore it.
    • This topic was modified 3 months, 3 weeks ago by will071.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator threadi

    (@threadi)

    3 months, 3 weeks ago

    When I visit your login page, I see an addition from your host GoDaddy. This is visible in the source code. Apparently, they offer an alternative login option that works through their systems. This also explains the parameter “wpaas-standard-login” that you see in the URL (I don’t see it).

    My guess is that you still have a MU plugin in your project. You should be able to see this in the backend under Plugins, where it will be labeled either as “obligatory” or “dropin.” You can only remove it via FTP in the /wp-content/mu-plugins/ directory. My gut feeling is that it probably comes from your host, which also generates the above addition.

    However, I don’t see anything about a captcha anywhere. Have you tried using a different browser?

    Thread Starter will071

    (@will071)

    3 months, 3 weeks ago

    Thank you for the recommendations. I believe I’ve found out what is going on. I was able to successfully log in using my phone when I took it off my home network. I was also able to successfully log in from my laptop when I ran it through a VPN. This led me to believe there is an issue with my public IP from my ISP. I went to MxToolbox.com and ran a blacklist search against my IP. It returned a hit: Spamhaus Policy Block List (PBL).

    Apparently it is standard for ISPs to have blocks of IP addresses on a Policy Block List for things like non-business accounts (which is what I have). The intent is to prevent non-comercial accounts from running mail servers and sending out spam. The thing is, I don’t run a mail server, nor do I send out bulk emails of any kind. But I think what has happened is, my multiple failed login attempts to my WordPress account triggered a security flag with my host provider, and since my IP is already on this PBL from my ISP, GoDaddy’s firewall and/or security environment has flagged my IP on their end, preventing me from logging in unless I am on a VPN or from another IP.

    I spoke to GoDaddy support a second time, but they keep saying they see nothing wrong on their end. They claim my IP is not being flagged, but I feel strongly that it is, since I can access WordPress from another IP.

    I will be reaching out to my ISP tomorrow during regular business hours to discuss if there is anything they can do on their end. Like change my IP or remove it from the blacklist Spamhaus is showing.

    For now, I’m caught in the middle between my host provider and my ISP. I’ll close this ticket here because I don’t think it is an issue with WordPress.

    Thanks again for your response.

    • This reply was modified 3 months, 3 weeks ago by will071.
    Moderator threadi

    (@threadi)

    3 months, 3 weeks ago

    Yes, that sounds very plausible. But I don’t think your ISP will be able to help you either. Because, as I can now see, your website uses Cloudflare. Every request to the website goes through it. And they definitely display captchas like that.

    I would therefore recommend that you check who configured Cloudflare for you. If it was you, you should have access there and be able to check the settings. You could also contact their support team. Ideally, you could disable Cloudflare – then you would no longer have any access problems.

    By the way, there are no tickets here in the forum. These are just normal topics where people can help each other.

    Thread Starter will071

    (@will071)

    3 months, 3 weeks ago

    Interesting. I didn’t realize Cloudflare was involved. They must have a relationship with GoDaddy.

    This is also the first time I went with GoDaddy’s Managed Hosting. In the past, I’ve always used Web Hosting Economy (or Deluxe) – where I had access to cPanel and did everything. The trade-off here is that, while it’s nice to have GoDaddy manage security, I now only have limited access and have to go through their support to resolve the issue, but they are pushing back, saying it is not them. Add Cloudflare into the mix, and now I’m facing potentially interacting with three entities: GoDaddy, Cloudflare and my ISP (if needed).

    I might actually look into switching my hosting account from managed hosting to one of the cPanel accounts. More to manage on my end, but I’ll have full control.

Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.