Support » Plugin: Wordfence Security - Firewall & Malware Scan » Will reCaptcha v3 generate unnecessary emails?

  • Resolved EvanGoss

    (@evangoss)


    I’m trying to determine if verification emails are automatically sent when reCaptcha v3 detects a bot on the login page. In other words, if a bot tries to login as me, will I receive a verification email?

    Here’s the relevant documentation I’ve found:

    https://www.wordfence.com/help/login-security/#captcha-options

    If any valid users get a low score from Google reCAPTCHA and are blocked while logging in, they will see a message saying “Additional verification is required for login”, and asking them to check their email. They should receive an email with a link that will allow them to log in.

    https://www.wordfence.com/blog/2019/05/announcing-3-new-login-security-features/

    As a fail-safe, any user that Google erroneously deems to be a bot (and who does not have 2FA active) may continue logging in by clicking a verification link in an email sent to the account’s email address. User registration attempts that are blocked may also send an email to the email address configured for site administration, which is rate limited to prevent abuse.

Viewing 5 replies - 1 through 5 (of 5 total)
  • WFGerroald

    (@wfgerald)

    Hey @evangoss,

    It’s possible, but it is rate-limited to avoid bombarding you with bot emails, which I haven’t seen any reports of. The idea is to verify likely humans even if their Threshold Score is low for some reason.

    Thanks,

    Gerroald

    EvanGoss

    (@evangoss)

    Okay, thanks. I didn’t want to turn it on and get a bunch of questions from users if bots attempt to login as them. Since I don’t know off-hand how to impersonate a bot, can you tell me any way to test it out? The only thing I can think of is changing the threshold score to 1.0. At the very least, I’d like to know what the email looks like so that I know what my users may see.

    WFGerroald

    (@wfgerald)

    Hey @evangoss,

    It’s a Google magic algorithm that we don’t have access to, so I can’t tell you exactly how to trigger it. But I would set it to the lowest to test; 0.0 is definitely a bot.

    Please let me know how it goes.

    Thanks,

    Gerroald

    I set the threshold to 1.0 so that any score below that is considered a bot. In my limited experience, the highest I’ve seen is 0.9, so setting the required threshold to 1.0 results in everyone being considered a bot. This was sufficient to get rejected when trying to login and trigger the verification email.

    Here is what I saw after attempting to login:

    VERIFICATION REQUIRED: Additional verification is required for login. Please check the email address associated with the account for a verification link.

    Here is the email I received:

    Subject: Login Verification Required

    Please verify a login attempt for your account on Some Blog.

    Request Time: December 13, 2019 10:01:23 AM
    IP: 123.456.789.000

    The request was flagged as suspicious, and we need verification that you attempted to log in to allow it to proceed. This verification link will be valid for 15 minutes from the time it was sent. If you did not attempt this login, please change your password immediately.

    You may bypass this verification step permanently by enabling two-factor authentication on your account.

    Verify and Log In

    I wasn’t sure if reCaptcha was running when the login page was requested or when attempting to login. I can now say that it doesn’t run until a login is attempted.

    Thanks for your help Gerroald.
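    The threshold behaviour worked out above (score below the configured threshold means "bot", so 1.0 flags every real login and 0.0 flags none), the email fallback for users without 2FA, the 15-minute link, and the rate limit Gerroald mentions can be modelled in a few lines. The following is an added illustration, not Wordfence's code: the per-account email limit (3 per hour), the account structure, the token format and the sample siteverify response are all constructed assumptions, and the "flagged when score < threshold" rule is taken from how the thread describes it.

```python
"""Model of a reCAPTCHA v3 score threshold with an email-verification fallback.

Added illustration, not Wordfence's code. Assumptions: a login is flagged when
the reCAPTCHA score is strictly below the configured threshold (as the thread
describes), flagged users without 2FA get an email link valid for 15 minutes
(from the email text), and such emails are rate-limited per account (the
window and count below are made up for the demo).
"""
import secrets
from dataclasses import dataclass, field

VERIFY_LINK_TTL = 15 * 60       # from the email: link valid 15 minutes
EMAIL_RATE_WINDOW = 60 * 60     # assumption: rate limit measured per hour
EMAIL_RATE_LIMIT = 3            # assumption: at most 3 emails per account per window


def is_flagged(score: float, threshold: float) -> bool:
    """Treat the submission as a bot when its score is below the threshold.

    Scores range 0.0..1.0 (0.9 was the highest seen in the thread), so a
    threshold of 1.0 flags everyone and a threshold of 0.0 flags no one.
    """
    return score < threshold


@dataclass
class Account:
    email: str
    has_2fa: bool = False
    email_times: list = field(default_factory=list)  # send times of verification mails
    tokens: dict = field(default_factory=dict)       # token -> expiry timestamp


def _recent(times: list, now: float) -> list:
    """Keep only send times that still fall inside the rate-limit window."""
    return [t for t in times if now - t < EMAIL_RATE_WINDOW]


def handle_login(account: Account, siteverify: dict, threshold: float, now: float) -> dict:
    """Decide a login attempt from Google's siteverify JSON ({"success", "score", ...}).

    Returns {'outcome': 'allow' | 'verify_email' | 'rate_limited' | 'blocked', ...};
    for 'verify_email' the dict also carries the token the emailed link would use.
    """
    if not siteverify.get("success"):
        return {"outcome": "blocked", "reason": "siteverify failed"}
    score = float(siteverify.get("score", 0.0))
    if not is_flagged(score, threshold):
        return {"outcome": "allow", "score": score}
    if account.has_2fa:
        # The email says 2FA users bypass this step permanently.
        return {"outcome": "allow", "score": score, "via": "2fa"}
    account.email_times = _recent(account.email_times, now)
    if len(account.email_times) >= EMAIL_RATE_LIMIT:
        # Flagged, but no further email is sent: this is the anti-bombardment limit.
        return {"outcome": "rate_limited", "score": score}
    token = secrets.token_urlsafe(16)
    account.tokens[token] = now + VERIFY_LINK_TTL
    account.email_times.append(now)
    return {"outcome": "verify_email", "score": score, "token": token}


def redeem_token(account: Account, token: str, now: float) -> bool:
    """The link in the email: usable once, and only within 15 minutes of sending."""
    expiry = account.tokens.pop(token, None)
    return expiry is not None and now <= expiry


if __name__ == "__main__":
    # Constructed sample of a siteverify response for a likely-human login.
    sample = {"success": True, "score": 0.9, "action": "login"}
    acct = Account("user@example.com")
    print(handle_login(acct, sample, 0.5, now=0.0)["outcome"])   # allow
    print(handle_login(acct, sample, 1.0, now=0.0)["outcome"])   # verify_email
```

Running the model with the thread's numbers shows why Evan's test worked and Gerroald's suggestion would not: a 0.9 score passes a 0.5 threshold, is flagged at 1.0, and can never be flagged at 0.0. The `rate_limited` outcome is the case the original question was really about; a bot hammering one account gets that account at most a handful of emails per window, not one per attempt.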

    I have exactly the same problem. In my case, in the main login.php I have the score on 1 and it’s okay for me. But in the WooCommerce login, all the attempts are at 0.0. Too bad for my clients.

    By now, I had to deactivate that function.

  • The topic ‘Will reCaptcha v3 generate unnecessary emails?’ is closed to new replies.