Hi Shawn,
I'm running App for Cloudflare with Turnstile enabled on the WordPress login form, alongside Wordfence's Login Security 2FA (required for admin accounts).
The issue: the first step (username + password + Turnstile) works fine, and the Wordfence 2FA prompt appears as expected. However, after entering a valid 2FA code and submitting, I get an "Invalid Turnstile challenge" error and get bounced back to a fresh login page (all fields cleared).
My understanding is that Wordfence 2FA doesn't load a new page (I'm in /wp-login.php still). It shows an overlay on top of the same login form, and submitting the 2FA code resubmits the entire login form again. Since Turnstile tokens are single-use, the token generated/consumed during the first step is no longer valid by the time the 2FA code is submitted, so the second submission fails Turnstile validation even though the credentials and 2FA code are both correct.
I'm running App for Cloudflare with Turnstile enabled on the WordPress login form, alongside Wordfence's Login Security 2FA (required for admin accounts).
The issue: the first step (username + password + Turnstile) works fine, and the Wordfence 2FA prompt appears as expected. However, after entering a valid 2FA code and submitting, I get an "Invalid Turnstile challenge" error and get bounced back to a fresh login page (all fields cleared).
My understanding is that Wordfence 2FA doesn't load a new page (I'm in /wp-login.php still). It shows an overlay on top of the same login form, and submitting the 2FA code resubmits the entire login form again. Since Turnstile tokens are single-use, the token generated/consumed during the first step is no longer valid by the time the 2FA code is submitted, so the second submission fails Turnstile validation even though the credentials and 2FA code are both correct.
