silentCAPTCHA: What is the High Reputation Bypass option and how does it work?

Every IP address accessing your site gets its own unique visitor score - the higher the score, the better the visitor i.e. the more likely it's human.

Visitors that have accumulated a high IP reputation and silentCAPTCHA Bot Minimum Score should ideally never be blocked. But, this can happen sometimes. To prevent this, we added a new option: High Reputation Bypass.

This option is a part of the silentCAPTCHA AntiBot system. It prevents visitors with a high reputation scores from being blocked by Shield.

The IP address will still accumulate offenses and will still be subject to Shield’s rules, but, if the number of offenses would normally lead to an IP address being blocked, but the IP reputation is good enough, the block will not be put in-place.

You can think of it like: Shield will see everything your IP does, and it’ll mark offenses against it. Once the IP has accumulated enough offenses and it’s about to block your IP address, it’ll lookup your Bot Reputation Score and if it’s high enough, you wont be blocked.

How does the High Reputation Bypass work?

To answer this questions, best is to use examples...

Example 1: High reputation - not blocked by Shield

Configuration:

silentCAPTCHA complexity: Low
Bot minimum score: 20
High Reputation Bypass: 60

The Offense Limit is set to 3.

Visitor has failed to login, triggering the offense. Normally, when they reach the offense limit 3, they'll get blocked by Shield. But, if over that time their IP reputation is good enough, Shield won't block them.

So, if you set the reputation bypass to 60, visitor that gets reputation score higher than 60, will not get blocked. Shield will not consider this visitor being a bot.

Total reputation score for a particular IP can be seen with the IP Analysis dialog. In this example, visitor's total reputation is 215, which is higher than 60 (set):

This is why they'll never be blocked, even if reaching the offense limit set (3).

WP Activity Log

Bots & IP Rules section will list this IP and you'll see that an IP is on the blocklist because it reached the offense limit 3 but IP is not actually blocked due to high reputation bypass.

Example

Site admins will also see a notice that an IP is blocked. They can ignore this notice because, similar to the visitor mentioned above, the IP is marked as 'blocked' due to reaching the offense limit, but it isn't actually blocked.

It's important to note here that Shield doesn't "whitelist" your IP if your reputation is high, but it's like being whitelisted since you'll never be blocked. But you're really not whitelisted... you're just never blocked. if you've demonstrated you're a good person (high reputation), Shield pretends it can't see you've made too many offenses.

Important: If site admin changes a minimum score for that setting, then as soon as their IP reputation is lower than that reputation score and they have caused enough offenses, they'll be blocked.

In this example, if it's about site admin's IP, they reached the offense limit (3), and their reputation was 215, if they are still logged in and try to change setting by putting higher reputation then 215 (i.e. 200), they'll immediately get blocked. Why? Because of offenses.

Too many offenses > you're blocked.

Nothing has changed in the way Shield blocks you. if you don't want to get blocked, you'll need to remove your offenses first.

Example 2: Low reputation - blocked by Shield

Settings:

silentCAPTCHA complexity: Medium
Bot minimum score: 95
High Reputation Bypass: 250
Offense Limit: 3

In this example, visitor triggered the Shield offenses x3 times and gets auto-blocked.

The reason why this happens is because their reputation score was 200, which is lower than 250 (set):

WP Activity Log

You can see the all details in your activity log: