Bot Protection with Turnstile Plugin

A lightweight plugin that protects core WordPress forms and selected third‑party plugins from spam and bot attacks using Cloudflare Turnstile CAPTCHA.

You can get Cloudflare Turnstile API keys for free by creating an account at Cloudflare.com.

Description

Bot Protection with Turnstile plugin lets you drop-in Cloudflare’s privacy-focused, no-CAPTCHA challenge on the most common attack surfaces of a WordPress site:

• Core forms – login, registration, password reset, and comments
• Accept Stripe Payments – protect checkout and payment pop-ups
• Simple Download Monitor – secure download buttons and squeeze forms

Just add your Turnstile Site Key and Secret Key, choose the forms you want to protect, and you’re done. No more subjecting your users to image puzzles or accessibility headaches.

Turnstile can generate multiple types of non-intrusive challenges to verify users are human, all without showing visitors a puzzle.

Highlights

• Zero-friction, user-friendly bot protection
• A free reCAPTCHA alternative for WordPress
• Works even when visitors are behind ad-blockers or privacy extensions
• Granular toggles to enable/disable on individual forms
• Debug logging feature
• Fully translatable and developer-friendly with action/filter hooks
• Road-map for upcoming integrations with other popular plugins

Download the Plugin

You can download the plugin from the WordPress.org website.

Installation

1. Upload the plugin ZIP via Plugins → Add New → Upload Plugin, or install it directly from the WordPress.org repository.
2. Activate Bot Protection with Turnstile via the Plugins menu.
3. Navigate to Settings → Turnstile.
4. Enter your Site Key and Secret Key from the Cloudflare Turnstile Dashboard.
5. Check the boxes for the forms and integrations you wish to protect.
6. Save changes and test a form to confirm the Turnstile widget appears.

Obtaining Turnstile API Keys

You can get Cloudflare Turnstile API keys for free by creating an account at Cloudflare.com.

Step 1) Go to the Cloudflare Turnstile Dashboard

Go to Cloudflare Turnstile Dashboard and click the ‘Add Widget‘ button. See the screenshot below for reference.

Step 2) Configure the Widget Details

Enter a name for the widget, add your domain name, and then click the ‘Create’ button at the bottom of the page. You can add multiple domain names if you plan to use the same key on multiple sites.

Step 3) Copy and API Keys

After the widget is created, copy the Site and Secret keys, then paste them into the corresponding fields in the plugin’s settings menu.

Plugin Integrations

Currently supported plugin integrations are listed below. Additional integrations will be added in the future.

• Accept Stripe Payments
• Simple Download Monitor
• Contact Form 7
• Simple Shopping Cart
• WP Express Checkout

Contact Form 7 Individual Forms

To integrate Turnstile protection with a specific Contact Form 7 form, add the following form tag to your desired location within the form editor on the Contact Form 7 edit page.

[bot_protection_turnstile bpcft]

See the example screenshot below for reference.

The screenshot below shows an example of how the Turnstile CAPTCHA appears on the contact form.

Frequently Asked Questions

Where do I get a Site Key and Secret Key?

Sign in to your Cloudflare account, add a Turnstile widget, and copy the credentials provided.

Does this slow down my site?

No. The Turnstile script is tiny and loaded from Cloudflare’s global edge network. It adds a negligible footprint.

Can I style or reposition the widget?

Yes – choose a theme and widget size in the settings menu.

I only need it on comments – is that possible?

Absolutely. Toggle off any forms you don’t wish to protect.