server level captcha protection

We’re excited to announce that the Captcha WAF module is now officially available in cPFence.

No more hours spent manually adding CAPTCHA plugins or scripts to every login page — with cPFence, you get one-click, server-level protection that applies instantly across all your sites. This feature brings silent, offsite protection to your login pages, blocking bots before they ever reach your server — all with zero user interaction required.

Why Captcha WAF?

Most CMS-based websites, especially WordPress, are constantly hit by automated POST requests to login pages like /wp-login.php. These attacks are often slow and distributed, using different IPs and user agents to bypass traditional brute-force protections.

That’s where Captcha WAF comes in:

  • Intercepts bots offsite, before they reach your web server
  • No user interaction – real visitors pass through silently
  • Blocks automated brute-force, dictionary, and credential-stuffing bots
  • Reduces server load by handling logic offsite
  • Supports all popular CMS and custom login URLs
  • User-defined protection – apply it to any path you want
  • Working with WordPress, Joomla, Laravel, and any custom CMS or login system
  •  Powered by cPFence’s load-balanced backend for accurate, high-speed validation

It’s a smarter way to handle login protection—low impact, high effectiveness.


How It Works

  1. A visitor tries to access a protected login page
  2. The request is redirected to cPFence’s offsite Captcha WAF
  3. It’s silently analyzed in real-time
  4. Real users are passed through instantly, bots are blocked

Visual example:

Analyzing behavior in real time
No user interaction – real visitors pass through silently
Block bad bots & scripts


Built for Privacy and Performance

Captcha WAF is fully GDPR compliant, keeping user privacy intact while protecting your login pages.


Fully Integrated in the WebUI

Managing Captcha WAF is easy via:

WebUI → WAF Management

You’ll see:

  • Captcha WAF (Global) to enable or disable the module server-wide
  • Captcha WAF for Domain to enable or disable it for individual domains
WAF Management Overview
WAF Management Overview

Per-Domain Control


Prefer the CLI?

If you prefer working on the command line, these commands are available:

cpfence --enable-captcha-waf-domain DOMAIN
    Re-enable CAPTCHA WAF protection for a specific domain
    (e.g., cpfence --enable-captcha-waf-domain a.com)

cpfence --disable-captcha-waf-domain DOMAIN
    Disable CAPTCHA WAF protection for a specific domain
    (e.g., cpfence --disable-captcha-waf-domain a.com)

cpfence --enable-captcha-waf-global
    Re-enable CAPTCHA WAF Module globally for all domains on the server

cpfence --disable-captcha-waf-global
    Disable CAPTCHA WAF Module globally for all domains on the server

Easily Customize Protected URLs

You can now manage exactly which login pages are protected by Captcha WAF using a simple interface in the WebUI. Go to:

WebUI → Edit Configuration Files → “Edit Captcha Protected URLs”

From there, you can add or remove any login path you want to protect — whether it’s a WordPress login, a custom admin panel, or a third-party app.

This gives you full flexibility to define protection at any entry point without editing files manually on the server. Or simply edit the file :

/opt/cpfence/app/cpfwaf/userdata_login_pages

LiteSpeed Cache Compatibility – Handled Automatically

To ensure proper interception of login requests, WP-AutoShield now automatically disables LiteSpeed cache on WordPress login pages when Captcha WAF is active.

This behavior is enabled by default, but you can control it via config or CLI:

Config option:
autoshield_disable_ls_cache_login_page

CLI commands:

cpfence --bulk-disable-ls-cache-login-page
    Disable login page caching in LiteSpeed Cache server-wide (recommended for Captcha WAF)

cpfence --bulk-enable-ls-cache-login-page
    Re-enable login page caching in LiteSpeed Cache server-wide (if not using Captcha WAF)

This ensures Captcha WAF works smoothly even with aggressive caching setups, with no extra configuration needed.


Ready to enable it on your servers? Update to the latest version of cPFence and let’s stop bots before they knock.

No comment

Leave a Reply

Your email address will not be published. Required fields are marked *