We’re excited to announce that the Captcha WAF module is now officially available in cPFence.
No more hours spent manually adding CAPTCHA plugins or scripts to every login page — with cPFence, you get one-click, server-level protection that applies instantly across all your sites. This feature brings silent, offsite protection to your login pages, blocking bots before they ever reach your server — all with zero user interaction required.
Why Captcha WAF?
Most CMS-based websites, especially WordPress, are constantly hit by automated POST requests to login pages like /wp-login.php
. These attacks are often slow and distributed, using different IPs and user agents to bypass traditional brute-force protections.
That’s where Captcha WAF comes in:
- Intercepts bots offsite, before they reach your web server
- No user interaction – real visitors pass through silently
- Blocks automated brute-force, dictionary, and credential-stuffing bots
- Reduces server load by handling logic offsite
- Supports all popular CMS and custom login URLs
- User-defined protection – apply it to any path you want
- Working with WordPress, Joomla, Laravel, and any custom CMS or login system
- Powered by cPFence’s load-balanced backend for accurate, high-speed validation
It’s a smarter way to handle login protection—low impact, high effectiveness.
How It Works
- A visitor tries to access a protected login page
- The request is redirected to cPFence’s offsite Captcha WAF
- It’s silently analyzed in real-time
- Real users are passed through instantly, bots are blocked
Visual example:
Built for Privacy and Performance
Captcha WAF is fully GDPR compliant, keeping user privacy intact while protecting your login pages.
Fully Integrated in the WebUI
Managing Captcha WAF is easy via:
WebUI → WAF Management
You’ll see:
- Captcha WAF (Global) to enable or disable the module server-wide
- Captcha WAF for Domain to enable or disable it for individual domains

Prefer the CLI?
If you prefer working on the command line, these commands are available:
cpfence --enable-captcha-waf-domain DOMAIN
Re-enable CAPTCHA WAF protection for a specific domain
(e.g., cpfence --enable-captcha-waf-domain a.com)
cpfence --disable-captcha-waf-domain DOMAIN
Disable CAPTCHA WAF protection for a specific domain
(e.g., cpfence --disable-captcha-waf-domain a.com)
cpfence --enable-captcha-waf-global
Re-enable CAPTCHA WAF Module globally for all domains on the server
cpfence --disable-captcha-waf-global
Disable CAPTCHA WAF Module globally for all domains on the server
Easily Customize Protected URLs
You can now manage exactly which login pages are protected by Captcha WAF using a simple interface in the WebUI. Go to:
WebUI → Edit Configuration Files → “Edit Captcha Protected URLs”
From there, you can add or remove any login path you want to protect — whether it’s a WordPress login, a custom admin panel, or a third-party app.
This gives you full flexibility to define protection at any entry point without editing files manually on the server. Or simply edit the file :
/opt/cpfence/app/cpfwaf/userdata_login_pages
LiteSpeed Cache Compatibility – Handled Automatically
To ensure proper interception of login requests, WP-AutoShield now automatically disables LiteSpeed cache on WordPress login pages when Captcha WAF is active.
This behavior is enabled by default, but you can control it via config or CLI:
Config option:
autoshield_disable_ls_cache_login_page
CLI commands:
cpfence --bulk-disable-ls-cache-login-page
Disable login page caching in LiteSpeed Cache server-wide (recommended for Captcha WAF)
cpfence --bulk-enable-ls-cache-login-page
Re-enable login page caching in LiteSpeed Cache server-wide (if not using Captcha WAF)
This ensures Captcha WAF works smoothly even with aggressive caching setups, with no extra configuration needed.
Ready to enable it on your servers? Update to the latest version of cPFence and let’s stop bots before they knock.
No comment