A lightweight plugin that protects core WordPress forms and selected third‑party plugins from spam and bot attacks using Cloudflare Turnstile CAPTCHA.
You can get Cloudflare Turnstile API keys for free by creating an account at Cloudflare.com.
Description
The Bot Protection with Turnstile plugin lets you drop in Cloudflare’s privacy-focused, no-CAPTCHA challenge on the most common attack surfaces of a WordPress site:
- Core forms – login, registration, password reset, and comments
- Accept Stripe Payments – protect checkout and payment pop-ups
- Simple Download Monitor – secure download buttons and squeeze forms
Just add your Turnstile Site Key and Secret Key, choose the forms you want to protect, and you’re done. No more subjecting your users to image puzzles or accessibility headaches.
Turnstile can generate multiple types of non-intrusive challenges to verify users are human, all without showing visitors a puzzle.
Highlights
- Zero-friction, user-friendly bot protection
- A free reCAPTCHA alternative for WordPress
- Works even when visitors are behind ad-blockers or privacy extensions
- Granular toggles to enable/disable on individual forms
- Debug logging feature
- Fully translatable and developer-friendly with action/filter hooks
- Road-map for upcoming integrations with other popular plugins
Download the Plugin
You can download the plugin from the WordPress.org website.
Installation
- Upload the plugin ZIP via Plugins → Add New → Upload Plugin, or install it directly from the WordPress.org repository.
- Activate Bot Protection with Turnstile via the Plugins menu.
- Navigate to Settings → Turnstile.
- Enter your Site Key and Secret Key from the Cloudflare Turnstile Dashboard.
- Check the boxes for the forms and integrations you wish to protect.
- Save changes and test a form to confirm the Turnstile widget appears.
Obtaining Turnstile API Keys
Step 1) Go to the Cloudflare Turnstile Dashboard
Go to the Cloudflare Turnstile Dashboard and click the ‘Add Widget’ button.

Step 2) Configure the Widget Details
Enter a name for the widget, add your domain name, and then click the ‘Create’ button at the bottom of the page. You can add multiple domain names if you plan to use the same key on multiple sites.

Step 3) Copy the API Keys
After the widget is created, copy the Site and Secret keys, then paste them into the corresponding fields in the plugin’s settings menu.
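The Secret Key from Step 3 is what a server sends, together with the visitor's token, to Cloudflare's siteverify endpoint. When one key covers several domains (Step 2), the reply's `hostname` field shows which site the challenge was solved on. The sketch below is an added example, not the plugin's own code: it evaluates a decoded siteverify reply and fails closed. The function name, host allowlist and 300-second age limit are assumptions, and the sample replies are constructed.

```php
<?php
// Added illustration; not code from the Bot Protection with Turnstile plugin.
// Function name, host allowlist and age limit are assumptions for this example.

/**
 * Decide whether a decoded Turnstile siteverify reply should be accepted.
 * Returns [bool accepted, string reason]; anything unexpected fails closed.
 */
function evaluate_turnstile_result($result, array $allowed_hosts, int $max_age = 300, ?int $now = null): array
{
    $now = $now ?? time();
    if (!is_array($result)) {
        return [false, 'malformed-response']; // non-JSON or empty body
    }
    if (($result['success'] ?? false) !== true) {
        $codes = implode(',', (array) ($result['error-codes'] ?? []));
        return [false, 'rejected:' . $codes];
    }
    // A key shared by several sites: confirm the challenge was solved on ours.
    $host = strtolower((string) ($result['hostname'] ?? ''));
    if (!in_array($host, array_map('strtolower', $allowed_hosts), true)) {
        return [false, 'unexpected-hostname:' . $host];
    }
    // Reject replies whose challenge timestamp is missing or too old.
    $solved = strtotime((string) ($result['challenge_ts'] ?? ''));
    if ($solved === false || $now - $solved > $max_age) {
        return [false, 'stale-challenge'];
    }
    return [true, 'ok'];
}

// Constructed sample replies (not captured traffic).
$now = strtotime('2024-01-01T12:01:00Z');
$samples = [
    'valid'      => '{"success":true,"challenge_ts":"2024-01-01T12:00:30Z","hostname":"shop.example.com","error-codes":[]}',
    'other-site' => '{"success":true,"challenge_ts":"2024-01-01T12:00:30Z","hostname":"blog.example.net","error-codes":[]}',
    'replayed'   => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
    'old'        => '{"success":true,"challenge_ts":"2024-01-01T11:00:00Z","hostname":"shop.example.com","error-codes":[]}',
    'garbage'    => '<html>502 Bad Gateway</html>',
];
foreach ($samples as $label => $json) {
    [$ok, $reason] = evaluate_turnstile_result(json_decode($json, true), ['shop.example.com'], 300, $now);
    printf("%-11s %s (%s)\n", $label, $ok ? 'accept' : 'reject', $reason);
}
```

Because the Secret Key authorises these verification calls, it belongs only in server-side configuration; the Site Key is the one that appears in page markup.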
Plugin Integrations
Currently supported plugin integrations are listed below. Additional integrations will be added in the future.
Frequently Asked Questions
Where do I get a Site Key and Secret Key?
Sign in to your Cloudflare account, add a Turnstile widget, and copy the credentials provided.
Does this slow down my site?
No. The Turnstile script is tiny and loaded from Cloudflare’s global edge network. It adds a negligible footprint.
Can I style or reposition the widget?
Yes – choose a theme and widget size in the settings menu.
I only need it on comments – is that possible?
Absolutely. Toggle off any forms you don’t wish to protect.