Under Attack

Under Attack is the captcha mode of CoreWAF. When it is on, visitors get a checkbox they have to tick before they can enter — automated bots fail to pass it. Once verified, the visitor stops seeing the captcha for as long as you configure.

Every time you change the mode, add a pattern or touch the configuration, go to Status and click Verify so the agent receives the latest version.

Status

This is where you pick when the captcha shows up. Three modes:

  • Off — the captcha never shows up.
  • By patterns — it only shows up when the visitor matches one of the patterns from the Patterns tab. Useful to protect a specific path (/wp-login.php, for example) or a type of visitor (a suspicious User-Agent).
  • Under attack — it shows up for every visitor without a verified cookie. Meant only for active attacks: turn it off once the attack is over.

Patterns

Lists of "when to show the captcha" used when the mode is By patterns. The structure is the same as in Rules, with six sections: IP, Range, Brand, Catalog, User Agent and URL. The difference is that here there is no blacklist or whitelist — every match simply triggers the captcha for that request.

Configuration

Three blocks.

Challenge behaviour

  • Minimum time before validating — milliseconds the visitor has to wait before they can tick the checkbox. Automated bots fire in under 100 ms.
  • Require previous movement — requires the visitor to have moved the mouse or touched the screen at least once before ticking.
  • Validate event.isTrusted — rejects script-generated clicks (real browsers mark events as trusted).
  • Skip challenge on AJAX — on by default: no captcha is served on AJAX/fetch requests (without a page reload). Turn it off if an attack uses AJAX requests and you want those to pass the captcha too.
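As an added example (not CoreWAF's own code), the snippet below shows how a client-side checkbox challenge can apply the three behaviour settings above: the minimum time before validating, the previous-movement requirement and the event.isTrusted check. The config keys, function names and the `/__challenge/verify` endpoint are assumptions made for illustration. The decision logic is kept in pure functions so it runs outside a browser; the DOM wiring at the bottom only executes when a document exists.

```javascript
// Added example (not CoreWAF's own code): client-side checkbox challenge that
// applies the three "Challenge behaviour" settings. Config keys, function
// names and the verify endpoint are assumptions for illustration.
const DEFAULT_CONFIG = {
  minTimeMs: 500,          // "Minimum time before validating" (bots fire in < 100 ms)
  requireMovement: true,   // "Require previous movement"
  validateIsTrusted: true, // "Validate event.isTrusted"
};

// State for one served challenge; `servedAt` is when the widget was rendered (ms).
function createChallengeState(servedAt, config = {}) {
  return { servedAt, moved: false, config: { ...DEFAULT_CONFIG, ...config } };
}

// Called on the first mousemove / touchstart: records that the visitor interacted.
function recordMovement(state) {
  state.moved = true;
  return state;
}

// Decide whether a tick on the checkbox is accepted. `evt` is the click event
// (or an object shaped like one) and `now` is the click timestamp in ms.
// Returns { ok, reason } so the caller can log why a tick was rejected.
function validateTick(state, evt, now) {
  const { minTimeMs, requireMovement, validateIsTrusted } = state.config;
  const elapsed = now - state.servedAt;
  if (elapsed < minTimeMs) {
    return { ok: false, reason: `too_fast:${elapsed}ms` };
  }
  if (requireMovement && !state.moved) {
    return { ok: false, reason: 'no_previous_movement' };
  }
  if (validateIsTrusted && evt.isTrusted !== true) {
    return { ok: false, reason: 'untrusted_event' };
  }
  return { ok: true, reason: 'passed' };
}

// Browser wiring. These checks only raise the bar for scripted clicks; the
// verified cookie must still be minted and enforced server-side.
function attachChallenge(checkbox, config) {
  const state = createChallengeState(Date.now(), config);
  document.addEventListener('mousemove', () => recordMovement(state), { once: true });
  document.addEventListener('touchstart', () => recordMovement(state), { once: true });
  checkbox.addEventListener('click', (evt) => {
    const result = validateTick(state, evt, Date.now());
    if (!result.ok) {
      evt.preventDefault(); // keeps the box unticked
      console.warn('challenge rejected:', result.reason);
      return;
    }
    // Hypothetical endpoint: the server verifies and sets the cookie.
    fetch('/__challenge/verify', { method: 'POST', credentials: 'same-origin' });
  });
  return state;
}

// Only runs in a real page; skipped under Node.
if (typeof document !== 'undefined') {
  const box = document.querySelector('#challenge-checkbox');
  if (box) attachChallenge(box);
}
```

Each rejection carries a reason string; logging those reasons alongside the IP is what lets you tell a legitimate visitor on a slow device (rejected for timing) from scripted clicks (rejected for an untrusted event) when tuning the minimum time.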

Recidivism → blacklist

  • Fails to ban — between 3 and 100. If an IP fails the captcha that many times within 24 hours, it gets blocked permanently. Neither the 24-hour window nor the permanence of the ban is configurable.
  • Days the cookie lasts — how long the visitor stops seeing the captcha after passing it. The cookie is tied to the visitor IP: if their IP changes, they see the captcha again.
  • Exclude whitelist — IPs and User-Agents on your whitelist never see the captcha.
  • Test mode — only logs the decision (with status would_challenge) and does not serve the captcha. Useful to tune patterns without affecting real visitors.
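As an added example (not CoreWAF's own code), the class below models the server-side decision that the Status, Patterns and Configuration tabs above describe: the three modes, pattern matching on IP / User-Agent / URL, the whitelist exclusion, the AJAX skip, a verified cookie bound to the visitor IP, the 24-hour failure window with a permanent ban, and test mode logging would_challenge instead of challenging. The class name, option names, request shape and the sample patterns are assumptions for illustration.

```javascript
// Added example (not CoreWAF's own code): server-side "Under Attack" decision.
// Names, option keys and request/cookie shapes are assumptions for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;

class ChallengeGate {
  constructor(opts) {
    this.mode = opts.mode;                        // 'off' | 'by_patterns' | 'under_attack'
    this.patterns = opts.patterns || {};          // { ip, userAgent, url }: arrays of RegExp
    this.whitelist = opts.whitelist || {};        // { ip, userAgent }: arrays of RegExp
    this.failsToBan = opts.failsToBan ?? 5;       // 3..100
    this.excludeWhitelist = opts.excludeWhitelist ?? true;
    this.skipAjax = opts.skipAjax ?? true;        // "Skip challenge on AJAX"
    this.testMode = opts.testMode ?? false;
    this.fails = new Map();    // ip -> timestamps of failures (pruned to 24 h)
    this.banned = new Set();   // permanently blocked IPs
    this.log = [];             // decision log; test mode writes would_challenge here
  }

  matchesAny(list, value) {
    return (list || []).some((re) => re.test(value ?? ''));
  }

  isWhitelisted(req) {
    return this.matchesAny(this.whitelist.ip, req.ip) ||
           this.matchesAny(this.whitelist.userAgent, req.userAgent);
  }

  matchesPattern(req) {
    return this.matchesAny(this.patterns.ip, req.ip) ||
           this.matchesAny(this.patterns.userAgent, req.userAgent) ||
           this.matchesAny(this.patterns.url, req.url);
  }

  // The verified cookie is only honoured for the IP it was issued to.
  hasValidCookie(req, now) {
    const c = req.cookie;
    return !!c && c.ip === req.ip && c.expires > now;
  }

  // Returns 'blocked', 'pass', 'challenge' or 'would_challenge'.
  decide(req, now = Date.now()) {
    if (this.banned.has(req.ip)) return this.record(req, 'blocked');
    if (this.mode === 'off') return this.record(req, 'pass');
    if (this.excludeWhitelist && this.isWhitelisted(req)) return this.record(req, 'pass');
    if (this.hasValidCookie(req, now)) return this.record(req, 'pass');
    if (this.skipAjax && req.isAjax) return this.record(req, 'pass');
    const needsChallenge = this.mode === 'under_attack' ||
      (this.mode === 'by_patterns' && this.matchesPattern(req));
    if (!needsChallenge) return this.record(req, 'pass');
    return this.record(req, this.testMode ? 'would_challenge' : 'challenge');
  }

  record(req, status) {
    this.log.push({ ip: req.ip, url: req.url, status });
    return status;
  }

  // Called when a visitor fails the captcha. Failures older than 24 h are
  // dropped; reaching the threshold bans the IP permanently. Returns true on ban.
  recordFailure(ip, now = Date.now()) {
    const recent = (this.fails.get(ip) || []).filter((t) => now - t < DAY_MS);
    recent.push(now);
    this.fails.set(ip, recent);
    if (recent.length >= this.failsToBan) {
      this.banned.add(ip);
      this.fails.delete(ip);
      return true;
    }
    return false;
  }

  // Called when the visitor passes: issue a cookie tied to their IP for N days.
  issueCookie(ip, cookieDays, now = Date.now()) {
    return { ip, expires: now + cookieDays * DAY_MS };
  }
}
```

Run in test mode first and read the would_challenge entries in `log`: any entry for a path or User-Agent you did not intend to challenge means the pattern is too broad and should be tightened before switching the mode to live.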