# By MountDev: Cloudflare Turnstile **Protect your WordPress site from spam and bots with Cloudflare Turnstile - a modern, privacy-friendly CAPTCHA alternative that respects your users.** [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0) [![WordPress](https://img.shields.io/badge/WordPress-5.0%2B-blue)](https://wordpress.org/) [![PHP](https://img.shields.io/badge/PHP-7.4%2B-purple)](https://php.net/) ## Overview Tired of annoying CAPTCHAs that frustrate your visitors? Say goodbye to distorted text puzzles and hello to **Cloudflare Turnstile** - the next-generation CAPTCHA solution that protects your WordPress site without compromising user experience. **By MountDev: Cloudflare Turnstile** brings enterprise-grade bot protection to your WordPress site with zero hassle. Powered by Cloudflare's cutting-edge Turnstile technology, this plugin seamlessly integrates with your existing forms to stop spam, prevent automated attacks, and protect your site - all while keeping your legitimate users happy. ## Why Choose Cloudflare Turnstile? ### Better User Experience Unlike traditional CAPTCHAs that force users to decipher distorted text or identify traffic lights, Cloudflare Turnstile works invisibly in the background. Most legitimate users won't even notice it's there - they'll just submit their forms and move on. No more frustrated visitors abandoning your registration or checkout process. ### Privacy-First Approach Cloudflare Turnstile is built with privacy in mind. It doesn't track users across sites or collect unnecessary personal data. Your visitors' privacy is respected, and you stay compliant with modern privacy regulations. ### Lightweight & Fast This plugin is optimized for performance. It won't slow down your site or add bloat to your WordPress installation. The Turnstile widget loads efficiently, and you have full control over script loading behavior to optimize for your specific needs. ### Enterprise Security, Free to Use Leverage the same powerful bot detection technology that protects millions of websites worldwide. Cloudflare's advanced algorithms analyze visitor behavior to distinguish between humans and bots - and it's completely free for most use cases. ## Perfect for Every WordPress Site Whether you're running a simple blog, a membership site, an online store, or a complex multi-site network, this plugin has you covered. It integrates seamlessly with WordPress core forms and extends support to popular plugins like WooCommerce, Contact Form 7, Elementor Pro, and Fluent Forms. ### E-commerce Protection Protect your WooCommerce store from fake registrations, fraudulent checkouts, and spam orders. Enable Turnstile on login, registration, password reset, checkout, and pay-for-order forms. You can even configure it to only appear for guest checkouts, keeping the experience smooth for your registered customers. ### Form Builder Integration Using Contact Form 7, Elementor Pro Forms, or Fluent Forms? No problem. Enable Turnstile across all your forms with a single click, or selectively protect specific forms. You have complete control over where and how protection is applied. ### Multisite Ready Managing a WordPress Multisite network? This plugin is fully compatible and can be configured independently for each site in your network. ## Supported Forms ### WordPress Core - Login Form - Registration Form - Password Reset Form - Comment Form ### WooCommerce - Login Form - Registration Form - Password Reset Form - Checkout Form - Pay for Order Form ### Third-Party Form Plugins - **Contact Form 7** - All forms or specific forms via shortcode - **Elementor Pro Forms** - All forms with customizable positioning - **Fluent Forms** - All forms with option to exclude specific form IDs ### Additional Features - Fully compatible with WordPress Multisite environments - Customizable widget positioning for different form types - Guest checkout only option for WooCommerce ## Key Features - **Visual Customization** - Choose between light, dark, and auto themes to perfectly match your site's design aesthetic - **Global Language Support** - Set the preferred display language for the Turnstile widget to match your audience - **Flexible Appearance Modes** - Configure the widget to always be visible, or use managed/non-interactive modes - **Form Submission Control** - Enable submit button locking to prevent users from submitting forms until validation is complete - **Branded Error Messages** - Customize the error message displayed when validation fails - **Precise Widget Positioning** - Control exactly where the Turnstile widget appears on different form types - **Built-in Credential Testing** - Verify your Cloudflare API keys are working correctly with one click - **Performance Optimization** - Enable script deferral to optimize page load times - **Granular Form Control** - Enable protection globally or selectively protect individual forms - **Guest Checkout Options** - For WooCommerce stores, optionally show Turnstile only for guest checkouts - **Developer Friendly** - Clean, well-documented code that follows WordPress coding standards ## Installation You can have Cloudflare Turnstile protecting your WordPress forms in less than 5 minutes. ### Quick Install 1. Upload the plugin folder `mountdev-cloudflare-turnstile` to the `/wp-content/plugins/` directory 2. Activate the plugin from the Plugins menu in your WordPress dashboard 3. Navigate to **Settings > By MountDev: Cloudflare Turnstile** in the WordPress admin panel 4. Enter your Site Key and Secret Key from Cloudflare 5. Select the forms where you want Turnstile enabled 6. Save your changes 7. Run the integration test using **TEST CREDENTIALS** to confirm everything is functioning ### Detailed Setup Guide **Step 1: Get Your Cloudflare Turnstile Keys** Head over to your [Cloudflare dashboard](https://dash.cloudflare.com/) and create a free Turnstile site. You'll receive a Site Key and Secret Key - these are like your plugin's credentials to communicate with Cloudflare's verification service. Don't worry, it's completely free for most websites. **Step 2: Install and Activate** Install this plugin just like any other WordPress plugin. You can upload it manually or install it directly from the WordPress plugin directory. Activate it, and you'll be automatically redirected to the settings page. **Step 3: Enter Your Keys** Paste your Site Key and Secret Key into the API Configuration tab. This connects your WordPress site to Cloudflare's Turnstile service. **Step 4: Choose Your Forms** Navigate to the Integrations tab and select which forms you want to protect. You can enable Turnstile on WordPress login forms, WooCommerce checkout, Contact Form 7 submissions, and more. Enable as many or as few as you need. **Step 5: Customize (Optional)** Visit the General Settings tab to customize the widget's appearance, language, and behavior. Want a dark theme? Done. Need it in Spanish? No problem. Prefer the widget to only appear when necessary? You got it. **Step 6: Test It** Click the TEST CREDENTIALS button to verify everything is configured correctly. You'll get instant feedback confirming your setup is working. **Step 7: You're Protected!** That's it! Your forms are now protected by enterprise-grade bot detection. Sit back and watch as spam submissions drop to zero while your legitimate users breeze through without frustration. ## Configuration The plugin provides an intuitive settings interface organized into several tabs: ### API Configuration - **Site Key** - Your Cloudflare Turnstile site key - **Secret Key** - Your Cloudflare Turnstile secret key - **Test Credentials** - One-click testing to verify your API keys are working ### Integrations Select which forms to protect: - **WordPress Core Forms** - Login, registration, password reset, comments - **WooCommerce Forms** - Login, registration, password reset, checkout, pay for order - **Contact Form 7** - Enable globally or use shortcode for specific forms - **Elementor Pro Forms** - Enable globally with customizable positioning - **Fluent Forms** - Enable globally with option to exclude specific form IDs ### General Settings - **Theme** - Choose between light, dark, or auto themes - **Language** - Set the widget display language - **Appearance Mode** - Always visible, managed, or non-interactive - **Widget Size** - Normal, compact, or flexible sizing ### Advanced Settings - **Submit Button Locking** - Prevent form submission until validation completes - **Custom Error Messages** - Personalize validation failure messages - **Script Deferral** - Optimize page load performance - **Widget Positioning** - Control where the widget appears on different form types ## Frequently Asked Questions ### What is Cloudflare Turnstile? Cloudflare Turnstile is a smart, privacy-friendly CAPTCHA alternative developed by Cloudflare - one of the world's largest internet security companies. Unlike traditional CAPTCHAs that make users solve puzzles or identify objects in images, Turnstile works invisibly in the background using advanced algorithms to detect bots. ### Do I need a Cloudflare account? Yes, you'll need a free Cloudflare account to generate the Site Key and Secret Key that this plugin requires. Creating an account takes just a few minutes, and Cloudflare Turnstile is free for most websites. You don't need to move your DNS to Cloudflare or use any of their other services. ### Will this slow down my website? Not at all! This plugin is built with performance in mind. The Turnstile script is lightweight and loads asynchronously, so it won't block your page rendering. You can also enable script deferral for even better performance. ### Is Cloudflare Turnstile really free? Yes! Cloudflare Turnstile is free for most websites. Cloudflare offers generous free tier limits that cover the vast majority of WordPress sites. The free tier includes millions of verifications per month - more than enough for most businesses. ### Does this work with WordPress Multisite? Yes! This plugin is fully compatible with WordPress Multisite installations. Each site in your network can have its own independent Turnstile configuration, or you can network-activate it and manage settings centrally. ### Can I use this on client websites? Yes! There are no licensing restrictions. You can install this plugin on as many websites as you like - your own sites, client sites, or commercial projects. Each site will need its own Cloudflare Turnstile keys (which are free to generate). ## Support Policy ### What support is provided? Complimentary support is limited to issues with this plugin's installation, settings, documented features, and plugin-related errors. If a problem is caused by Cloudflare, other plugins, themes, custom code, or hosting, we may help identify the source but will not troubleshoot it. ### What is NOT covered by support? - Cloudflare account creation, configuration, or troubleshooting - Turnstile site/secret keys, DNS, or any Cloudflare settings - WordPress site troubleshooting or styling - Turnstile badge styling, form styling, layout, or CSS - Theme or plugin conflicts - Site-wide adjustments or custom code For support inquiries, visit [Cascadia Web Services](https://cascadiaweb.services/contact). ## Development ### Building CSS The plugin uses Tailwind CSS for styling. To build the CSS: ```bash npm install npm run build:css ``` ### File Structure ``` mountdev-cloudflare-turnstile/ ├── src/ │ ├── css/ # Tailwind CSS source │ ├── js/ # JavaScript files │ │ ├── button.js # Submit button control │ │ └── integrations/ # Integration-specific JS │ └── wp/ # WordPress PHP files │ ├── admin/ # Admin interface │ ├── settings/ # Settings pages │ ├── integrations/ # Third-party integrations │ │ ├── ecommerce/ │ │ ├── forms/ │ │ └── builder/ │ ├── turnstile.php # Core Turnstile functionality │ └── wordpress.php # WordPress core integration ├── dist/ # Compiled assets ├── mountdev-cloudflare-turnstile.php # Main plugin file ├── README.md └── readme.txt # WordPress.org readme ``` ### Hooks and Filters The plugin provides several hooks for developers: - `mountdev_cfturnstile-settings-section` - Add custom settings sections - `mountdev_turnstile-settings-not-installed` - Modify the not-installed plugins list - Various WordPress standard hooks for form integration ## External Services This plugin connects to Cloudflare Turnstile, a third-party captcha service, to provide spam protection and bot detection for your WordPress forms. ### What data is sent - When a user interacts with a protected form, the plugin sends the Turnstile response token to Cloudflare's verification endpoint - The plugin loads Cloudflare's Turnstile JavaScript API to render the captcha widget - Data sent includes: the response token, your site's secret key, and the user's IP address - This occurs every time a user submits a form that has Turnstile protection enabled ### Service provider information - **Service**: Cloudflare Turnstile - **Provider**: Cloudflare, Inc. - **Terms of Service**: https://www.cloudflare.com/terms/ - **Privacy Policy**: https://www.cloudflare.com/privacypolicy/ - **Documentation**: https://developers.cloudflare.com/turnstile/ ## License This plugin is licensed under the GPLv3 or later. ``` By MountDev: Cloudflare Turnstile Copyright (C) 2025 Cascadia Web Services This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. ``` ## Changelog ### 1.0.0 - 2025 **Initial Release - Welcome to Cloudflare Turnstile for WordPress!** We're excited to bring enterprise-grade bot protection to WordPress with this first release. **Core WordPress Integration** - Full support for WordPress login forms - protect your admin area from brute force attacks - Registration form protection - stop fake account creation and spam registrations - Password reset form security - prevent automated password reset abuse - Comment form spam prevention - say goodbye to comment spam forever **WooCommerce E-commerce Protection** - WooCommerce login and registration forms - protect your customer accounts - Password reset security for WooCommerce accounts - Checkout form protection - stop fraudulent orders and fake transactions - Pay for Order page security - protect payment processing pages - Guest checkout options - show Turnstile only for guests, not logged-in customers - Flexible widget positioning for checkout pages **Third-Party Form Plugins** - Contact Form 7 - Enable globally or use shortcode for specific forms - Elementor Pro Forms - Full integration with customizable positioning - Fluent Forms - Protect all forms with option to exclude specific form IDs **Customization & Control** - Three visual themes (light, dark, auto) to match any design - Multi-language support for global audiences - Flexible appearance modes (always visible, managed, non-interactive) - Customizable widget positioning for each form type - Custom error messages to maintain your brand voice - Submit button locking for enhanced security **Performance & Testing** - Lightweight, optimized code that won't slow down your site - Script deferral options for improved page load times - Built-in credential testing - verify your setup with one click - Clean, well-documented code following WordPress standards **Enterprise Features** - WordPress Multisite compatibility - Developer-friendly with hooks and filters - Granular control over which forms to protect - Automatic redirect to settings on activation ## Credits Developed by [Cascadia Web Services](https://cascadiaweb.services) ## Contributing Contributions are welcome! Please feel free to submit issues or pull requests. --- **Protect your WordPress forms from spam and bots with this modern, privacy-friendly CAPTCHA alternative. Install now and stop spam in less than 5 minutes!**