Empex CAPTCHA for Cloudflare Turnstile
·
Invisible bot protection for WordPress forms via Cloudflare Turnstile. Install once — protect every form.
Empex CAPTCHA for Cloudflare Turnstile adds invisible, privacy-friendly bot protection to every form on your WordPress site using Cloudflare Turnstile. No puzzles. No friction. No CAPTCHAs.
Supported Forms
- WordPress Core — Login, Registration, Password Reset, Comments
- WooCommerce — Classic Checkout, Blocks Checkout, My Account (Login, Register, Lost Password)
- Contact Form 7 — Automatic or manual widget injection
- WPForms (Lite & Pro)
- Gravity Forms
- Fluent Forms
- Elementor Pro — Inline forms and popups
- Formidable Forms
- Forminator
- Kadence Forms
- SureForms
- Jetpack Forms
- MemberPress — Registration, Login
- Ultimate Member — Register, Login, Profile
- Paid Memberships Pro — Checkout, Login
- BuddyPress — Registration
- wpDiscuz — Comments
- WP User Manager — Register, Login, Password Reset
- Easy Digital Downloads — Checkout
Key Features
- 🔒 Invisible protection — legitimate users never see a challenge
- ⚡ One-click setup — enter your Cloudflare keys, enable forms, done
- 🛡️ Token replay prevention — server-side one-time-use enforcement
- 🔄 AJAX-safe — tokens refresh automatically after failed submissions
- 📊 Logging dashboard — see blocked attempts, pass rates, form-level stats
- 🌐 Multisite compatible — network or per-site activation
- 🧩 Developer-friendly — filters, shortcode, extensible integration base
- ♿ Accessible — WCAG 2.1 AA on admin screens, ARIA labels on widgets
How It Works
- Install and activate the plugin
- Enter your Cloudflare Turnstile Site Key and Secret Key
- Toggle which forms to protect
- That’s it — bots are blocked, real users pass through invisibly
External Service
This plugin connects to the Cloudflare Turnstile service to verify form submissions:
- Cloudflare Turnstile API:
https://challenges.cloudflare.com/turnstile/v0/siteverify - Cloudflare Turnstile JavaScript:
https://challenges.cloudflare.com/turnstile/v0/api.js
When a user submits a form, their browser interaction data, IP address, and browser fingerprint are sent to Cloudflare for verification. This is required for the plugin to function.
The plugin itself does not store personal data by default. IP address logging is opt-in and must be explicitly enabled in Settings.