• Resolved datawest

    (@datawest)


    I am trying to whitelist user IP addresses so they are not required to verify by email every time they log in. I have added the IP address to the Wordfence whitelist section to bypass rules but it makes no difference.

    I have tried for example:
    185.71.18.247
    185.71.[0-255].[0-255]
    185.71.18.247/24

    Can someone suggest where the problem is for me?
    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @datawest,

    Are you referring to Wordfence > Login Security > Settings > Allowlisted IP addresses that bypass 2FA or “Allowlisted IP addresses that bypass all rules” found in the Wordfence > All Options > Advanced Firewall Options section? We would never recommend the latter option for your site users/visitors as it allows them to bypass all Wordfence security protection on your site.

    Verification emails are usually triggered by reCAPTCHA, rather than Wordfence. Google has been known to give some people a low score, requiring extra verification via email to prove they aren’t a bot. We aren’t in a position to be informed as to why Google’s algorithm comes to this conclusion.

    Are the users experiencing trouble receiving these emails and not carrying out the verification step to gain access? We have been successful at usually disabling verification emails when setting the threshold to be 1.0 (Definitely a human). Let me know whether that stops the issue, or if it’s still insisting on confirming a verification email for you and/or other users.

    Thanks,

    Peter.
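An added example (not part of the thread and not Wordfence's code): because an entry under "bypass all rules" exempts every address it matches, this sketch counts how many addresses each of the three entries from the first post would cover and flags the wide ones. The bracket-range grammar, the function names and the 256-address review threshold are assumptions made for illustration.

```python
import ipaddress
import math
import re

# Assumed grammar: each octet is a literal or a bracketed [lo-hi] range,
# as in the thread's "185.71.[0-255].[0-255]"; CIDR is parsed with ipaddress.
OCTET = re.compile(r"^(?:(\d{1,3})|\[(\d{1,3})-(\d{1,3})\])$")

def octet_bounds(entry):
    """Return [(lo, hi), ...] for the four octets of one IPv4 entry."""
    entry = entry.strip()
    if "/" in entry:
        # strict=False tolerates host bits: 185.71.18.247/24 -> 185.71.18.0/24
        net = ipaddress.IPv4Network(entry, strict=False)
        return list(zip(net.network_address.packed, net.broadcast_address.packed))
    parts = entry.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {entry!r}")
    bounds = []
    for part in parts:
        m = OCTET.match(part)
        if m is None:
            raise ValueError(f"bad octet {part!r} in {entry!r}")
        lo, hi = (m.group(1),) * 2 if m.group(1) is not None else m.group(2, 3)
        lo, hi = int(lo), int(hi)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range in {entry!r}")
        bounds.append((lo, hi))
    return bounds

def coverage(entry):
    """Number of addresses the entry exempts."""
    return math.prod(hi - lo + 1 for lo, hi in octet_bounds(entry))

def covers(entry, client_ip):
    """True if client_ip falls inside the entry."""
    octets = ipaddress.IPv4Address(client_ip).packed
    return all(lo <= o <= hi for o, (lo, hi) in zip(octets, octet_bounds(entry)))

def too_broad(entries, max_addresses=256):
    """Entries wider than max_addresses (hypothetical review threshold)."""
    return [e for e in entries if coverage(e) > max_addresses]

# The three entries from the first post
TRIED = ["185.71.18.247", "185.71.[0-255].[0-255]", "185.71.18.247/24"]
if __name__ == "__main__":
    for e in TRIED:
        print(f"{e:26} {coverage(e):>6} addresses")
    print("flag for review:", too_broad(TRIED))
```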

    Thread Starter datawest

    (@datawest)

    I have a number of elderly users and they are confused by the idea of logging in and then having to check email to log in again and they give up easily and don’t visit my site as often as they would like to and I think even folks my age find it annoying and they are used to using FB which is automatically logged in for them. I understand the reason for the security but if a user is a regularly trusted user…it would be nice to make it easier for them.
    I am referring to using the Allowlisted IP addresses that bypass all rules. When I check the IP of that user that tried to login I use that address as their identification unless they are issued a new IP from their provider which happens.

    Everyone is getting the verification E-Mail – it’s just that they don’t really understand they are getting it and what to do – the people I am referring to mostly are elderly.

    If I change my reCAPTCHA threshold score from 0.5 to 1.0 – this would make it easier for some of the users?
    Thanks

    Plugin Support wfpeter

    (@wfpeter)

    Hi @datawest,

    It is unusual to hear of everybody receiving the email unless there is a JavaScript error on your site causing problems authenticating the reCAPTCHA input, or you’re using a non-default login page for WordPress/WooCommerce. Inspecting your Browser Console for red JavaScript errors, which you could screen grab and upload to a service like Snipboard and share here would let us take a closer look.

    Wordfence’s 2FA and reCAPTCHA are not currently compatible with pages other than register/login for WordPress and WooCommerce. If you’re using these, I would expect to see a result of 1.0 removing the need for the vast majority of your customers having to go through additional email login steps.

    Thanks,

    Peter.

    Thread Starter datawest

    (@datawest)

    I should mention that I am using BuddyxPro theme from wbcomdesigns
    I did try setting Wordfence reCaptcha to 1.0 threshold but it didn’t seem to make a difference on my personal account testing and then I ran reCaptcha in test mode and it certainly stops the emails and still seems to block unwanted visitors.

    Now I am trying reCaptcha at 0.9 threshold and I think it has improved and I have reCaptcha test mode disabled now.
    Will see how this goes…pretty sure I tried this but perhaps the software learned that it was me? I am not sure..
    Dale

    Plugin Support wfpeter

    (@wfpeter)

    Hi @datawest, thanks for the extra information.

    If the threshold at a certain level seems to help, certainly spend some time with the site like that to see if issues subside for most of your customers/visitors also.

    I don’t see any prior conflict issues with your theme in our archives but it is possible that themes can contain custom login pages which aren’t supported by our reCAPTCHA and 2FA features. If the theme just utilizes the default login/register pages created by WordPress though I don’t see this as a problem. If you start to see the emails coming through again, it might be worth testing the site for a short period of time with a default theme like Twenty Twenty-Two and plugins disabled except for Wordfence. If the issues subside on a “vanilla” site with no other outside influences, you can reenable everything one-by-one to see when the reCAPTCHA starts triggering confirmation emails again. This could point to the login flow being disrupted by the theme or another plugin.

    Thanks,

    Peter.

  • The topic ‘Whitelist user IP’s’ is closed to new replies.