Support » Plugin: Wordfence Security - Firewall & Malware Scan » Recaptcha fails to load and exposes key

  • Resolved LilGames

    (@lilgames)


    I just updated Wordfence and happily turned on the Recaptcha feature + whitelisted my IP.

    A. It fails to load the recaptcha js. (Verified by Inspect mode of the Chrome Browser)

    B. You are calling https://www.google.com/recaptcha/api.js?render= and appending my key after that. Like, publicly exposed! That doesn’t seem right… ?? Other implementations of recaptcha only call: https://www.google.com/recaptcha/api.js

    C. Then the system also flags me as needing email verification. I go through all that and it doesn’t work. Still won’t let me in (presumably because the recaptcha part fails).

    I’m now locked out of my own site.

    In case it matters, my site uses the free tier of Cloudflare CDN.

    (Not posting my site link publicly due to the key exposure)

    • This topic was modified 8 months, 1 week ago by LilGames.
Viewing 6 replies - 1 through 6 (of 6 total)
  • I just want to jump in here, the key is exposed on the frontend one way or another and is correct according to the developer docs.

    https://developers.google.com/recaptcha/docs/v3

    However, the key being exposed should not matter as you need to verify the domain in the admin console for recaptcha. Now, unless you turned off domain verification for some reason or another the key being exposed does not matter.

    See -> https://developers.google.com/recaptcha/docs/domain_validation
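
Added example, not part of the thread and not Wordfence's code: the site key in `api.js?render=` is public by design, and the decision that matters is made server-side on the JSON that `https://www.google.com/recaptcha/api/siteverify` returns for the secret key plus the client token. The hostnames, action name and score threshold below are assumed values, and the sample responses are constructed.

```javascript
// Evaluate a reCAPTCHA v3 siteverify response on the server.
// Field names (success, score, action, hostname, error-codes) are those of
// the siteverify JSON; the policy values below are assumptions for this sketch.
const EXPECTED_HOSTS = new Set(["example.com", "www.example.com"]); // assumed
const EXPECTED_ACTION = "login";                                     // assumed
const MIN_SCORE = 0.5;                                               // assumed

function evaluateVerification(resp) {
  if (!resp || resp.success !== true) {
    const codes = (resp && resp["error-codes"]) || [];
    return { ok: false, reason: "rejected by siteverify: " + codes.join(",") };
  }
  // Needed if domain validation is switched off in the admin console:
  // a token obtained with the public site key on another host is refused here.
  if (!EXPECTED_HOSTS.has(resp.hostname)) {
    return { ok: false, reason: "hostname mismatch: " + resp.hostname };
  }
  // A token issued for a different action must not be accepted for login.
  if (resp.action !== EXPECTED_ACTION) {
    return { ok: false, reason: "action mismatch: " + resp.action };
  }
  if (typeof resp.score !== "number" || resp.score < MIN_SCORE) {
    return { ok: false, reason: "score below threshold: " + resp.score };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  good: { success: true, score: 0.9, action: "login",
          challenge_ts: "2019-05-20T10:00:00Z", hostname: "example.com" },
  foreignHost: { success: true, score: 0.9, action: "login",
                 challenge_ts: "2019-05-20T10:00:00Z", hostname: "other.example.net" },
  wrongAction: { success: true, score: 0.9, action: "contact",
                 challenge_ts: "2019-05-20T10:00:00Z", hostname: "example.com" },
  lowScore: { success: true, score: 0.1, action: "login",
              challenge_ts: "2019-05-20T10:00:00Z", hostname: "example.com" },
  badToken: { success: false, "error-codes": ["invalid-input-response"] },
};

for (const [name, resp] of Object.entries(SAMPLES)) {
  const verdict = evaluateVerification(resp);
  console.log(name.padEnd(12), verdict.ok ? "ALLOW" : "DENY ", verdict.reason);
}
```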

    That’s fine and I was kinda expecting that that was the case.

    However, the fact that the attempt to load the api js fails, is of greater concern to me than the exposed key. For one, I can no longer log in to my admin. And I DO have domain validation enabled, etc. My key is working fine with the recaptcha on my Contact Page. (It’s v2 reCaptcha… does WF only work with v3?)

    These are the JS errors reported by the browser’s console:

    Failed to load resource: the server responded with a status of 400 ()
    https://www.google.com/recaptcha/api.js?render=MY_KEY_NORMALLY_IS_HERE_BUT_REMOVED_IN_THIS_POST
    login.1557854560.js:5 Uncaught ReferenceError: grecaptcha is not defined
    at wfls_init_captcha (login.1557854560.js:5)
    at login.1557854560.js:237
    at login.1557854560.js:239
    tag_assistant_compiled.js:117 GET https://www.google.com/recaptcha/api.js?render=MY_KEY_NORMALLY_IS_HERE_BUT_REMOVED_IN_THIS_POST 400

    I’ve followed instructions on how to get back in to a site when locked out, and then I disabled the reCaptcha option. I am hoping official support can follow up on this anyways. I’d like to use the feature.

    • This reply was modified 8 months, 1 week ago by LilGames.
    LilGames

    (@lilgames)

    Hello? @WordFence Support….

    Aaaannnnd still no response regarding Recaptcha failing to load.

    Plugin Support wfscott

    (@wfscott)

    @lilgames

    Sorry for the delay.

    Could you please send over your diagnostics via Wordfence > Tools > Diagnostics > Send Report by Email to wftest at wordfence dot com with your forum username here in that second field.

    Please respond here when those are sent.

    I also have the same problem, but I can't log in to change the Wordfence setting because recaptcha v3 is failing!
    Do you have any suggestions?
