Cloudflare Turnstile is a privacy‑friendly alternative to reCAPTCHA.
Below is a quick and easy setup guide for my free “Simple CAPTCHA Alternative using Cloudflare Turnstile” plugin, which you can use to easily protect your WordPress login, checkout pages, and contact forms in just a few minutes.
1) Get your Cloudflare keys
First, create a Cloudflare account at: https://dash.cloudflare.com/sign-up
Visit the Cloudflare Dashboard, select “Turnstile” in the menu sidebar, and click “Add site”.
Enter a site name and domain, then select the widget type.
- Managed (Recommended): Cloudflare will use information from the visitor to decide if an interactive challenge should be used. If it does show an interaction, the user will be prompted to check a box (no images or text to decipher).
- Non-interactive: A purely non-interactive challenge. Users will see a widget with a loading bar while the browser challenge is run.
- Invisible: Challenge that does not require interaction.
Click the “Create” button.
You will then see a “Site Key” and “Secret Key“, which you will need to copy later.
2) Install the plugin
- In WordPress go to: Plugins → Add New → Search for “Simple Cloudflare Turnstile“.
- Install the plugin, and activate it.
- You’ll then be taken to the plugin’s settings page.
3) Add Your Keys
Paste your Site Key and Secret Key from Cloudflare into the settings fields.
Optionally for developers, you can store the keys in the wp‑config.php file instead of the database with the following:
define('CF_TURNSTILE_SITE_KEY', 'your-site-key');
define('CF_TURNSTILE_SECRET_KEY', 'your-secret-key');4) Basic Settings
Now you have keys setup, you can optionally customise the other settings available in the plugin such as:
- Theme:
- Light
- Dark
- Default
- Language:
- Select a specific language.
- Let it auto‑detect.
- Disable Submit Button:
- Prevents clicking Submit until Turnstile has validated (nice safety net).
5) Advanced Settings
Select the “Advanced Settings” dropdown for even more customisation options:
- Widget Size:
- Normal (300px)
- Flexible (100%)
- Compact (150px)
- Appearance Mode:
- Always: Turnstile Widget is always displayed for all visitors.
- Interaction Only: Turnstile Widget is only displayed in cases where an interaction is required. This essentially makes it “invisible” for most valid users.
- Custom Error Message:
- Shown if the form is submitted without completing the Turnstile challenge. Leave blank to use the default message (localized): “Please verify that you are human.”
- Extra Failure Message:
- This will show a message below the Turnstile widget if they receive the “Failure!” response. Useful to give instructions in the *very rare* case a valid user is being flagged as spam. Currently it is not possible to edit the actual “Failure!” message shown on the widget.
- Defer Scripts:
- When enabled, the javascript files loaded by the plugin will be deferred. You can disable this if it causes any issues with your other optimisations.
- Performance Plugin Compatibility:
- Adds better compatibility with popular performance/optimization plugins (e.g. WP Rocket, LiteSpeed Cache, Autoptimize, Perfmatters, SG Optimizer) to prevent their JS optimizations from breaking Turnstile. Disable only if this causes issues.
6) Enable Turnstile on your forms
The plugin auto‑detects what you have installed and shows simple toggleable sections for each integration that is available.
Simply enable which forms you would like Turnstile to protect in the settings.
Supported integrations include:
- WordPress core: Login, Registration, Password Reset, and Comments.
- WooCommerce: Checkout, Pay for Order, Login, Registration, Password Reset.
- Popular form builders: WPForms, Contact Form 7, Gravity Forms, Fluent Forms, Formidable, Forminator, Jetpack, Kadence Forms.
- Other: Elementor Pro Forms, Easy Digital Downloads, BuddyPress/bbPress, MemberPress, WP‑Members, WP User Frontend/Manager, Mailchimp for WP, MailPoet, wpDiscuz, and more.
7) Save Settings & Test Reponse
When you are ready, click the “Save Settings” button.
Note: When you first save your “Site Key” or “Secret Key”, or update it, you will be required to test the API response, to make sure everything is working OK.
The plugin won’t enforce Turnstile on forms until this test passes (so you don’t get locked out).
Simply complete the Turnstile challenge, and click “TEST RESPONSE”.
Helpful Extras (optional)
Whitelist:
- Skip Turnstile for logged‑in users.
- You can also whitelist IPs or User Agents (these can be spoofed).
Tools:
- Export/Import plugin settings as JSON (handy for staging/production or when enabling on multiple sites).
- Enable the Debug Log to see pass/fail entries, error codes, and URLs while you’re testing.
Troubleshooting
Widget not showing on an Elementor form?
Switch the “Integration Method” in the Elementor section or disable Elementor’s element caching for that form.
Form issues with optimisation plugins?
Toggle off “Defer Scripts” or enable “Performance Plugin Compatibility.”
Using Express payments?
Expect some flows, such as Express Payment Gateways, to skip Turnstile checks. Consider protecting your regular checkout path and consider rate‑limiting/fraud rules in your gateway.
Comments not working with Jetpack Comments?
That specific comments mode isn’t compatible; use the default WordPress comments or wpDiscuz.
401 console error, is this a problem?
You can safely ignore the error. It is requesting a “Private Access Token (PAT) Open external link” that your device or browser does not support yet. Click here for more information.
The Turnstile Challenge is not appearing, what should you do?
Firstly, make sure you have completed the setup guide correctly, and that you have completed the “TEST API RESPONSE” on the settings page.
If you are still having issues, please post a support topic on the WordPress.org forums.
How can you get support?
Please bare in mind, the Simple CAPTCHA Alternative with Cloudflare Turnstile plugin is 100% free, developed as a way to give back to the WordPress community. You can post a support thread on the WordPress.org forums to get help from the community, and we will also keep an eye on this quite frequently, providing support and answers where possible. However, we can not guarantee an answer every single support ticket.
Click here to create a support topic.
The support forums are the only place you should submit a support ticket for 100% free support from me, and the WordPress community.
