Beginner's Guide for WordPress / Start your WordPress Blog in minutes

How to Add Cloudflare Turnstile CAPTCHA in WordPress

Do you want to add Cloudflare Turnstile CAPTCHA in WordPress?

CAPTCHA and reCAPTCHA can stop spambots, but they’re also unpopular with visitors. By using a non-intrusive technology like Turnstile, you can protect your website from spambots and automated scripts without annoying your visitors.

In this guide, we will show you how to add Cloudflare Turnstile to a WordPress website.

How to add Cloudflare Turnstile CAPTCHA in WordPress

Why Add Cloudflare Turnstile CAPTCHA in WordPress?

Spam is a big problem for all websites. Spambots can use non-secure forms to send you spammy links, which will make it more difficult for you to do lead generation.

They can also try to break into your site’s login form by using brute force attacks or flooding your site with spam comments that will damage the visitor experience.

If you run an online store, then automated scripts may even place fraudulent orders.

Many website owners use CAPTCHA and reCAPTCHA to block scripts and bots. However, a lot of people complain that these technologies deliver a poor user experience, and some even worry about CAPTCHAs stealing their data.

With those concerns in mind, Cloudflare has introduced Turnstile CAPTCHA. This alternative technology uses a selection of non-intrusive challenges that often run invisibly in the browser. This allows you to protect your website without asking visitors to complete complex puzzles.

To help keep visitor information private, Cloudflare uses Apple’s Private Access Tokens to test whether the visitor is a real person without collecting extra data.

If you’re using form builders or WooCommerce, then Turnstile also integrates with these third-party plugins. This allows you to add invisible CAPTCHAs across many different areas of your WordPress website.

With that said, let’s see how you can add Cloudflare Turnstile CAPTCHA in WordPress. Simply use the quick links below to jump straight to the method you prefer.

Method 1. Add Cloudflare CAPTCHA to Your WordPress Forms

The easiest way to add Cloudflare’s CAPTCHA to your forms is by using the free WPForms plugin.

WPForms is the best drag & drop WordPress form builder plugin used by over 5 million websites. You can use it to create all kinds of forms, including contact forms, booking forms, and much more.

The free WPForms plugin has a ready-made Cloudflare Turnstile field that you can drag and drop onto any form.

How to Add Turnstile CAPTCHA to WPForms

First, you’ll need to install and activate the WPForms plugin. If you need help, then please see our guide on how to install a WordPress plugin.

Upon activation, go to WPForms » Settings and then click on the CAPTCHA tab.

Adding Cloudflare Turnstile to a WordPress form using WPForms

On this page, select ‘Turnstile.’

You’ll now see some new settings where you can enter the Site Key and Site Secret.

Adding Cloudflare Turnstile CAPTCHA to a WordPress website

To get this information, open a new browser tab and head over to the Cloudflare login page. You’ll need to create a Cloudflare account using your email address, if you haven’t already.

Once you’re logged into the Cloudflare dashboard, find ‘Turnstile’ in the left-hand menu and give it a click.

The Cloudflare dashboard

This will take you to a screen with some basic information about Cloudflare Turnstile.

If you’re happy to go ahead, then click on the ‘Add site’ button.

Adding a site to the Cloudflare dashboard

On this screen, start by typing in a ‘Site Name.’

This is just for your reference so you can use anything you want.

Adding a WordPress website to the Cloudflare dashboard

Next, type your website’s domain name into the ‘Domain’ field.

The next step is choosing which CAPTCHA widget you want to create. The first choice is ‘Managed,’ which is the method recommended by Cloudflare. This is where Cloudflare analyzes the browser’s request and then decides what kind of challenge it should run.

While this is happening, the visitor will see a loading animation.

Adding a Cloudflare Turnstile CAPTCHA to WordPress

Wherever possible, Cloudflare will try to run a non-interactive challenge in the background, so the visitor doesn’t have to do anything. In this case, the user will simply see a ‘Success’ message when their browser passes the test.

Sometimes, Cloudflare may decide that it’s safer to show an interactive challenge instead. However, the visitor will simply need to check a box rather than complete a puzzle, so it’s still easier than the traditional puzzle-based CAPTCHAs.

Unless you have a specific reason not to, it’s smart to use managed CAPTCHAs as this gives you a good level of security with minimum impact on the visitor experience.

How to create a managed CAPTCHA for WordPress

Don’t want to use interactive challenges on your WordPress website? Then you can choose ‘Non-interactive’ or ‘Invisible’ instead.

Non-interactive challenges run in the browser so the visitor doesn’t have to take any action. Just like the managed CAPTCHA, visitors will see the loading animation and a ‘Success’ message when the challenge is complete.

If you choose ‘Invisible’ instead, then the visitor won’t see the animation or success message. This setting allows you to completely hide the CAPTCHA from your visitors, which can avoid confusion and won’t add any clutter to your WordPress theme.

After making your decision, click on the ‘Create’ button. As soon as you’ve done that, Cloudflare will show your site key and secret key.

Creating a site key and secret key for your WordPress website

How to Configure Cloudflare Turnstile CAPTCHA For WordPress

Now, switch back to your WordPress blog or website and add the ‘Site Key’ and ‘Site Secret.’

By default, WPForms will show the following message every time a visitor fails the CAPTCHA: ‘Cloudflare Turnstile verification failed, please try again later.’

You can replace this with your own custom messaging by typing into the ‘Fail Message’ field.

Customizing the failed CAPTCHA message

After that, you may want to customize how the CAPTCHA looks on your website by opening the ‘Type’ dropdown and choosing from light, dark, or auto.

The following image shows an example of how the ‘Dark’ theme looks on a custom user registration form.

An example of the Cloudflare dark theme, on a WordPress blog or website

After making this decision, scroll to the bottom of the screen and click on ‘Save Settings.’

With that done, you’re ready to add Turnstile CAPTCHA protection to any form.

Saving the Cloudflare Turnstile settings in WPForms

How to Add Cloudflare Turnstile CAPTCHA to a WordPress Form

Adding Cloudflare Turnstile to WordPress using WPForms is simple and easy.

To create a new form using WPForms, simply go to WPForms » Add New.

Adding a new form to your WordPress website

To start, give the form a name by typing into the ‘Name Your Form Field.’ This is just for your reference so you can use anything you want.

WPForms comes with ready-made templates so you can quickly get started and build all kinds of forms. When you find a design that you want to use, click on the orange ‘Use Template’ button.

Creating a new form using ready-made templates

Note: The free WPForms plugin has temples for creating an email newsletter signup form, a contact form, and more. If you want more, then you can unlock over 600 templates by upgrading to the premium version of WPForms.

After choosing a template, you’ll see the WPForms editor.

To customize a field, simply click to select it in the form editor. The sidebar will then update to display all the settings for the selected field.

Adding fields to a WordPress form

You also change the order these fields appear by using drag and drop. 

To add Cloudflare Turnstile to the form, simply click on the ‘Add Fields’ tab in the left-hand menu.

Here, find the built-in ‘Turnstile’ field and click to add it to your form.

Adding Cloudflare Turnstile CAPTCHA to a WordPress form

WPForms will now show a ‘Turnstile Enabled’ icon in the top right corner.

This lets you know the form is protected with Cloudflare Turnstile.

An example of a Cloudflare Turnstile CAPTCHA, on a WordPress form

Another option is to enable Cloudflare in the form’s settings. Simply select Settings in the left-hand menu and then click ‘Spam Protection and Security.’

You now click on the ‘Enable Cloudflare Turnstile’ switch to turn it from deactivated (grey) to activated (blue).

Protecting your WordPress website or blog using Turnstile CAPTCHA

When you’re happy with how the form is set up, click on the ‘Save’ button.

You can now go to the page or post where you want to show the form, and click on the ‘+’ icon. In the popup that appears, start typing in ‘WPForms.’

Adding the WPForms block to your website

When the right block appears, give it a click to add it to the page or post.

In your new WPForms block, click on the dropdown and select the form you just created.

Creating a form with Cloudflare Turnstile

You can now update or publish your page. Now, if you visit this page or post, you’ll see the form live.

Method 2. How to Add Turnstile CAPTCHA to Comments, WooCommerce, and More

If you want to protect your forms with Cloudflare Turnstile, then WPForms lets you add CAPTCHA protection with just a few clicks.

However, you may want to add Turnstile to other areas of your website. For example, you might use it to combat comment spam in WordPress.

A Cloudflare Turnstile CAPTCHA with a dark theme

You might also want to use Turnstile on your WooCommerce store.

For example, you can protect all your eCommerce pages including the WooCommerce login, signup, and checkout pages. This can help prevent fraud and fake orders in WooCommerce.

The Cloudflare Turnstile CAPTCHA on the WooCommerce checkout page

The easiest way to add Cloudflare’s CAPTCHA to other areas of WordPress is by using Simple Cloudflare Turnstile. This free plugin integrates with many popular WordPress plugins and form builders including Formidable Forms, WPForms, and others.

First, you’ll need to install and activate the plugin. If you need help, then please see our guide on how to install a WordPress plugin.

Upon activation, go to Settings » Cloudflare Turnstile.

Adding a site key and secret key to a WordPress website

The plugin will now ask for a site key and site secret. To get this information, simply follow the same process described above when setting up a Turnstile account.

With that done, add the ‘Site Key’ and ‘Site Secret’ to your WordPress dashboard.

Adding the Cloudflare secret key and site secret to WordPress

After that, you may want to customize how the CAPTCHA looks on your website, and how it acts. To start, you can open the ‘Theme’ dropdown and choose from light, dark, or auto.

By default, Cloudflare Turnstile shows a ‘Please verify that you are human’ message to visitors. To add your own wording, simply type into the ‘Custom Error Message’ field.

Creating a custom error message for a WordPress CAPTCHA

After that, you can select the areas where you want to use the Cloudflare Turnstile CAPTCHA.

You can use Turnstile with all the built-in WordPress forms including the login page, user registration form, and password reset page.

Enabling Cloudflare Turnstile CAPTCHA for the WordPress forms

Depending on the plugins you’ve installed, you may see some extra options.

For example, if you’ve created an online marketplace or store using WooCommerce, then you’ll see a WooCommerce Forms section.

Adding CAPTCHAs to your WooCommerce forms

If you click to expand this section, then you’ll see all the WooCommerce pages where you can add a Cloudflare CAPTCHA.

Simply check the box next to every page you want to protect.

Protecting your WooCommerce store with a CAPTCHA

When you’re happy with the information you’ve entered, scroll to the bottom of the screen and click on ‘Save Changes.’

Now, if you visit your website you’ll see the Turnstile CAPTCHA in action.

We hope this article helped you learn how to add Cloudflare Turnstile CAPTCHA in WordPress. You can also go through our ultimate WordPress security guide and the best WordPress membership plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

2 CommentsLeave a Reply

  1. Hi, thanks for the post. A quick question, do I think disabling submit button until the user answers CF Turnstile is required?

    • It is not required but it can help reduce user confusion if you disable the submit button until it is checked.


Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.