That seems more like a misconfiguration on the site owner's part; if something is designed to be read by bots/programs, they shouldn't put a challenge on it.
Is it covered in the onboarding docs for that feature (a disable for routes used by bots (rss feeds, api endpoints etc) )? Or is it just happy path "Do these 3 steps to make your Wordpress cake blog safe from botnets"