Working on Cloudflare’s Captcha Hell

Posted on by

Dear patient readers,

It appears that in the last two weeks some readers are getting captchas with much greater frequency when they try to comment, and worse, for some, the captcha refuses to accept correct responses. The really bad cases seem to be happening to readers using older OS and browsers, but we aren’t sure it is limited to them.

We are pretty confident this problem comes from Cloudflare. We already tried contacting Cloudflare to tell the about this new bad behavior and also opened up a trouble ticket, but all we have gotten so far is bureaucratic handwaves (and yes, we pay a reasonable amount of hard dollars to Cloudflare, so the poor customer service attitude does not speak well of them).

Our webhost is concerned that if we turn off the captcha function altogether, we will be inundated with spam. In theory Akismet (a spam service that works with WordPress) ought to catch that, but theory and practice are often different things. We could have the moderator swamped with spam in the mod queue, or worse, lots of spam showing up in published comments before we can nuke them.

So our webhost Keith will debug this by changing single Cloudflare settings, with the plan being to test one a day, to see if the change doesn’t wreck havoc with site operations and whether it significantly reduced the captcha problem. This is painstaking, so please bear with us.

So if you get a captcha, please e-mail me at yves-at-nakedcapitalism-dot-com with “Captcha” in the headline and tell us:

1. The time when you got the captcha

2. If this is new or if it happened before

3. If it happened before, whether the frequency seems higher, lower, the same, or you aren’t sure

4. If it happened before, if the severity is the same or worse (as in if you are a “captcha hell” victim who got multiple challenges on the same comment, are you still getting multiple challenges or has it at least dropped down to a single challenge?)

5. Your OS and browser (including versions).


Print Friendly, PDF & Email


    1. Yves Smith Post author

      Thanks but we get 3,000-4,000 spam comments a day, so what works for most sites may not work for us. It doesn’t hurt to try, but we are in what a top developer called “the 2% WordPress”. We run WP so hard with the size of our comments and post databases and the frequency of our updates that coding practices that are just fine for most sites may not work for us.

      1. Jack

        Wow that’s a lot of comments. My business WordPress site was getting several hundred spam comments and captcha spam forms a day. Invasion of the bots. I switched to using the CleanTalk plugin and it solved my problem. It’s a premium plugin but cheap. It might work for you because it blocks the spam before it reaches your system. Cloud based.

  1. Carolinian

    I’ve had them in the past and it may be related to NC cookies and in particular, perhaps, one called “viewcount.” Had never had a captcha before a couple of months ago.

  2. Arizona Slim

    Never encountered a captcha, but I’ve had comments that go to moderation purgatory.

  3. Will S.

    Thank you Yves, once again I have to appreciate how much work you, Lambert, Jerri, et al put in to this little refuge of ours, especially as you’re still mourning your beloved feline companion. I get married in 12 days but once that has passed, I will try to remember to send some concrete material benefits to NC proper as well as the 2PMWC.

  4. dcrane

    Never saw this before about a month ago, and now it has happened several times. Twice the comment was seemingly accepted by Cloudflare but never actually appeared on the site. In two cases, I have been allowed to submit brief comments without Cloudflare challenge after getting the query on a longer one (maybe a hint for me to keep it brief!). Switching from Firefox to Chrome didn’t help the one time I tried this.

    Will send the details from now on when I am challenged.

  5. shtove

    I haven’t had captcha NK problems from the UK side, but in the same time frame have had ’em with sicsempertyrannis on disqus, and yet nothing with disqus on Richard North’s site. Cheers, you cheeky Americans! (Please, no more pictures of traffic lights and store-fronts. Ugh!)

  6. Grebo

    I just got my first one ten minutes ago. Didn’t work too well as I have strict controls on javascript. I removed the link from my comment and it didn’t trouble me again.

    Vivaldi 2.4.1488.40 with uMatrix 1.3.16 on Debian Buster.

  7. ewmayer

    I’m one of the older-browser (FF 22.0 on macos 10.6.8 – that version of FF is the last before Mozilla ‘helpfully’ removed image-display from the Preferences pane … I supplement with PaleMoon 27.7.2, which retains said option but is slower, so I use only for pages where https needs TLS above level 1.0) who got hit by the sudden onslaught of captcha hell and the correct-solution-leads-to-blank-page issue. A fellow user suggested removing my accumulated NC cookies a few days ago, that seemed to help, no more captchas until just now, when tried to post a ~900-byte comment to 2pmwc. Deleted NC cookies, tried to repost same … no joy. But cutting ~100 chars from the message allowed it to go through. So fellow sufferers, you may have to try multiple things, but hopefully having at least the above 2 tricks will work most of the time.

  8. PressGaneyMustDe

    I comment occasionally with my JavaScript turned off on my iPhone. Never see a captcha.

  9. oaf

    …no Captchas;(yet!) but recently , a comment which was allowed one day; was nowhere to be seen the next!
    Must have been offensive enough!!! ; )

  10. JCC

    I’ve had a few over the last 3 weeks or so, maybe 4 or 5. I’m running the latest Fedora (29) and the latest FF (66.0.4) supplied by this distro.

    I often clear out a lot of cookies, but never NC and I don’t think I’ve touched Cloudfare cookies either, but no guarantees on the latter.

    If I see a change, I’ll be sure to let you all know.

    They wouldn’t be so bad if you only had to go through one series, but seeing the same pages of fire hydrants, bicycles, buses, traffic signals, crosswalks, etc., over and over again can be a little aggravating :) It’s pretty obvious this is a Cloudflare thing and not NC.

    Good luck, but don’t hurt yourselves over this. Many years ago I had a publicly available site with comments for awhile and didn’t check them for a few weeks since only friends – I thought – ever looked at the site. It took me multiple hours over a few days to clean them all up and eventually I said the heck with it and just shut off the site altogether.

    You all have been wonderfully good about this, so whatever works best for you is acceptable for all, I’m sure.

  11. rjs

    i’m using an ancient version of IE and a Chrome that can’t be updated under Vista and have not experienced this yet.

  12. flora

    …the plan being to test one a day, to see if the change doesn’t wreck havoc with site operations and whether it significantly reduced the captcha problem. This is painstaking, so please bear with us.

    Very good plan, imo. Nothing worse than trying to sort a problem with multiple, non-discrete variables in play. imo


  13. Ryan (Cloudflare)

    Hi Yves,

    Sorry for the frustrating support experience. I was able to find the ticket for your case and it appears that what felt like a handwave may have occurred because the person who contacted support on your behalf is in no way linked to your Cloudflare account. Because of this the ticket did not get correctly tied to your account, routed to the right team for handling, and closed because we can’t discuss account details with someone not on the account.

    If you can submit a new ticket from the email address on your account, and CC your associate, that will make sure the ticket gets routed to the right people and be enough to authorize our agents to work with him.


    1. Ruby Furigana

      Thank you Ryan. If you search the Cloudflare ticketing system now for tickets titled “Captcha Hell” you should find our efforts to open a ticket. Anything you could do to facilitate that process would be greatly appreciated.

      1. Ryan (Cloudflare)

        Hi Ruby,

        I was able to find the tickets, but the problem is that none are coming from the actual email address that is on the Cloudflare account. For security reasons we can’t work with someone not listed on the account.

        There are two options. The easiest would be to email support AT cloudflare FROM the address on the account, and cc everyone who is authorized to help in the matter. Our support engineers can then work the issue with anyone already on the ticket. The other option would be to login to the dashboard and open a ticket from the Support link. The only problem here is that communication will go to and from the address on the account, so any of you that don’t have access to that account won’t be able to help without logging into the Help Center from the dashboard.

        1. Ryan (Cloudflare)

          Also, once this is resolved I strongly recommend setting up Shared Account Access. Everyone has their own Cloudflare account, and the domain owner can invite people to have access. All of the linked accounts can then contact support.

          1. Ruby Furigana

            Ryan, Cloudflare support gave us a configuration change to make which seems to have resolved the issue.

            Thank you.

Comments are closed.