Turnstile Token Reuse Allows Brute Force Attempts?
Hi there,
Thanks for the plugin — it’s been really helpful on my site!
I wanted to ask about something I noticed recently. My WordPress site was hit with over 1000 login attempts in just a few minutes. It looked like someone was trying to brute-force a user account, and I have Turnstile enabled on the login form through your plugin.
That made me curious, so I tried to understand how the attack might have worked. I went to the login page, solved the Turnstile challenge manually (got verified as human), and then opened the browser console. From there, I sent repeated login attempts using fetch() and the same Turnstile token I got from that one challenge. To my surprise, WordPress kept validating the credentials each time — it didn’t seem to block or expire the token.
Is that expected behavior? I thought the token might only work once, or at least for a short period. But in this case, it seemed reusable for many requests, which might explain how the attacker got through the Turnstile check once and then reused the token for the rest.
Or is it possible that the plugin only verifies the token once per session, and then allows any number of login attempts after that?
If you’d like to test this yourself, you can try the following:
- Go to your WordPress login page and complete the Turnstile check (so you’re marked as human).
- Open Chrome DevTools and keep the “Network” tab open.
- Enter any username and a wrong password, then click the “Log In” button.
- In the “Network” tab, find the login request, right-click it, and choose Copy > Copy as fetch.
- Paste that fetch() code into the browser console and run it multiple times.
You should see that each request is still processed by WordPress, even though it uses the same Turnstile token every time.
Also, the response from WordPress confirms whether the password is correct or not, meaning the credentials are actually being validated and no extra challenge is triggered.

Just wanted to check if this is how it’s supposed to work, or if maybe I missed a configuration option.
Maybe this isn’t something that Turnstile or the plugin is meant to handle directly, and I need to look into another way to block brute force attempts.
If that’s the case, feel free to disregard this post!

Thanks again for your work on the plugin!
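A server-side check of the kind the post is asking about, written here as an added example; it is not code from the plugin and not from the original poster. It assumes the secret key is held in a constant named EXAMPLE_TURNSTILE_SECRET (a placeholder) and that the widget submits its token in Cloudflare's standard cf-turnstile-response field; the function names are hypothetical. Cloudflare's siteverify endpoint accepts a given token only once and reports a replay with the error code timeout-or-duplicate, so calling it on every login attempt, rather than once per session, is what makes a reused token fail.

```php
<?php
/**
 * Added example, not the plugin's own code: verify the Turnstile token with
 * Cloudflare's siteverify endpoint on EVERY login attempt, inside the
 * WordPress 'authenticate' filter. siteverify consumes a token the first time
 * it accepts it, so a replayed token returns success=false together with the
 * error code "timeout-or-duplicate".
 *
 * Assumptions: the secret lives in EXAMPLE_TURNSTILE_SECRET (placeholder) and
 * the widget posts its token as 'cf-turnstile-response'. Names are hypothetical.
 */

if ( ! defined( 'EXAMPLE_TURNSTILE_SECRET' ) ) {
	// Placeholder only; a real deployment reads this from a protected setting.
	define( 'EXAMPLE_TURNSTILE_SECRET', 'REPLACE_WITH_YOUR_SECRET_KEY' );
}

/**
 * Ask Cloudflare whether this exact token is valid right now.
 * Returns true only on a reported success; a reused, expired, malformed or
 * missing token, and any transport error, all return false (fail closed).
 */
function example_turnstile_token_is_valid( $token, $remote_ip ) {
	if ( ! is_string( $token ) || '' === $token ) {
		return false;
	}

	$response = wp_remote_post(
		'https://challenges.cloudflare.com/turnstile/v0/siteverify',
		array(
			'timeout' => 10,
			'body'    => array(
				'secret'   => EXAMPLE_TURNSTILE_SECRET,
				'response' => $token,
				'remoteip' => $remote_ip,
			),
		)
	);

	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return false;
	}

	$data = json_decode( wp_remote_retrieve_body( $response ), true );
	// On a replay, $data['error-codes'] contains "timeout-or-duplicate" and
	// $data['success'] is false, so the same branch rejects it.
	return is_array( $data ) && ! empty( $data['success'] );
}

/**
 * Gate for the wp-login.php form. Hooked at priority 10, i.e. before
 * WordPress's own username/password handlers at priority 20, so a request
 * without a fresh token is rejected before the password is ever compared
 * and the response cannot reveal whether the credentials were right.
 */
function example_turnstile_gate_login( $user, $username, $password ) {
	// Only act on an actual form submission (the 'log' field comes from the
	// wp-login.php form); cookie-based and programmatic auth pass through.
	if ( empty( $username ) && empty( $password ) ) {
		return $user;
	}
	if ( ! isset( $_POST['log'] ) ) {
		return $user;
	}

	$token     = isset( $_POST['cf-turnstile-response'] ) ? wp_unslash( $_POST['cf-turnstile-response'] ) : '';
	$remote_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

	if ( example_turnstile_token_is_valid( $token, $remote_ip ) ) {
		return $user; // fresh token: let the normal password check run
	}

	// Stale or replayed token: detach the built-in credential handlers for
	// this request so no password comparison happens, then return an error.
	remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
	remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

	return new WP_Error(
		'example_turnstile_failed',
		__( 'Human verification failed or was already used. Please reload the page and try again.' )
	);
}
add_filter( 'authenticate', 'example_turnstile_gate_login', 10, 3 );
```

Two things worth keeping in mind when reading this. First, a per-attempt check only stops token replay; each fresh challenge still buys one attempt, so a login lockout or rate limit per account and per source address remains necessary alongside it. Second, the example covers only the wp-login.php form; WordPress exposes other authentication entry points that need the same verification or their own throttling.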