Kitgenix CAPTCHA for Cloudflare Turnstile

Cloudflare Turnstile, done properly for WordPress.

Kitgenix CAPTCHA for Cloudflare Turnstile is a lightweight, privacy-first reCAPTCHA alternative that adds Cloudflare Turnstile to your WordPress, WooCommerce and form plugins with server-side validation, replay protection and proxy-aware IP detection.

Protect:

• WordPress core forms – login, registration, lost/reset password, comments
• WooCommerce – checkout, account login/registration, lost password (Classic and Blocks / Store API)
• Form plugins – WPForms, Fluent Forms, Gravity Forms, Formidable Forms, Forminator, Contact Form 7, Jetpack Forms, Kadence Forms
• Elementor Pro Forms and Popups
• Forums – bbPress topic and reply forms

All with conditional, async loading, no extra cookies or tracking and zero unnecessary front-end bloat.

Why Kitgenix?

• Ultra-lightweight and fast

  • Uses the modern WordPress Script API (6.3+) with strategy=async
  • Scripts load only on protected pages and forms

• Privacy-first

  • The plugin itself does not add cookies or tracking
  • Cloudflare Turnstile is designed to minimise data collection

• Rock-solid server-side validation

  • Uses Cloudflare’s official siteverify endpoint
  • Validates tokens server-side for all supported forms

• Replay protection

  • Rejects reused tokens by default (TTL is filterable)

• Proxy-aware client IP

  • Correctly resolves IPs behind Cloudflare, reverse proxies and load balancers
  • Honours proxy headers only from configured trusted proxies

• Deep integrations

  • WordPress core, WooCommerce (Classic and Blocks), Elementor Pro
  • WPForms, Fluent Forms, Gravity Forms, Formidable Forms, Forminator, Contact Form 7, Jetpack Forms, Kadence Forms
  • bbPress forums

• Smart UX

  • Optional “disable submit until verified”
  • Token freshness timers and auto-resets
  • Clean inline error hints designed to match Cloudflare’s own UI

• Production-ready admin

  • Onboarding wizard and Site Health integration
  • Modern sidebar UI with overview card, collapsible sections, search/filter box, and an “Unsaved changes” bar
  • Shortcode copy button next to [kitgenix_turnstile]

• Multisite-aware

  • Per-site settings
  • Clean uninstall removes settings site-wide (and network-wide if run via Network Admin)

Supported Forms and Integrations

WordPress Core

• Login (wp-login.php)
• Registration
• Lost and Reset Password
• Comments

Turnstile is injected into each core form and validated only on POST submissions. Invalid, expired or reused tokens block the action with a clear message.

WooCommerce (Classic)

• Checkout
• Login
• Registration
• Lost Password

Turnstile appears near the Place order button and WooCommerce account forms. Validation runs during checkout and account actions. Designed to work safely with checkout fragments and avoids duplicate rendering.

WooCommerce (Blocks / Store API)

• Checkout (Blocks / Store API)

The widget renders in the Blocks checkout UI and validates Store API requests server-side. Tokens can be forwarded via X-Turnstile-Token or similar headers and are handled automatically by the plugin.

Elementor Pro (Forms and Popups)

• Elementor Pro Forms (including popups and dynamically loaded forms)

The widget injects before or after the submit area, listens for Elementor popup and AJAX events and ensures a fresh token for each attempt. Handles multiple forms, popups and delayed popups reliably.

Contact Form 7

• All CF7 forms

Auto-injects the widget and re-renders after AJAX errors. A shortcode [kitgenix_turnstile] is available for manual placement. In Shortcode-only mode, CF7 forms are passed through do_shortcode() so manual placement works reliably.

Fluent Forms

• All Fluent Forms

Auto-injects, validates server-side and handles AJAX and multi-step flows with automatic re-renders.

Formidable Forms

• All Formidable Forms

Injects near the submit area, validates on submit and re-renders after client or server validation errors.

Forminator Forms

• All Forminator forms

Works with regular and AJAX forms, including multi-step flows. Tokens are reset on failed submissions.

Gravity Forms

• All Gravity Forms

Widget placement before or after submit, with server-side validation on Gravity’s native hooks. Handles AJAX and multi-page forms with safe re-render and no overlapping buttons.

Jetpack Forms

• Jetpack Contact Forms

Adds Turnstile to Jetpack forms with proper validation and AJAX behaviour.

Kadence Forms (Kadence Blocks)

• Kadence form blocks

Auto-injects on Kadence form blocks, validates server-side and re-renders on validation errors.

WPForms

• WPForms Lite and Pro

Injects before or after the submit area. Optional “disable submit until verified” UX, auto-resets on AJAX errors and prevents overlap or layout issues.

Forums – bbPress

• Create Topic and Reply forms

Adds Turnstile to bbPress posting forms to reduce automated spam topics and replies, validating before content is saved.

You can enable or disable each integration and location under Settings → Cloudflare Turnstile.

How It Works

1. Loads the Cloudflare Turnstile API https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit using the WordPress Script API (async for WordPress 6.3+).

2. Injects a widget into enabled forms Handles AJAX, multi-step forms, popups and other dynamic DOM changes.

3. Verifies tokens server-side Uses Cloudflare’s /v0/siteverify endpoint with your secret key and request IP (when appropriate).

4. Enforces replay protection Caches recent tokens (hashed) and rejects re-use (TTL is filterable).

5. Blocks on failure Submissions with invalid, expired or reused tokens are blocked with a clear, user-friendly message.

Quick Start

1. Install and activate from Plugins → Add New by searching for “Kitgenix Turnstile”.
2. Go to Settings → Cloudflare Turnstile.
3. Enter your Site Key and Secret Key from the Cloudflare Turnstile dashboard.
4. Enable the integrations and specific forms you want to protect.
5. Save changes, then test login, registration, comments, checkout and form pages.

Performance and Security

Performance playbook

• Async by default using the WordPress Script API with strategy=async on WordPress 6.3+.
• Conditional loading so Turnstile assets load only where protection is enabled.
• Works with caching and optimisation plugins:
  • Allowlist https://challenges.cloudflare.com in defer/optimise settings.
  • Avoid inlining, combining or heavily delaying the Turnstile script.
  • Exclude login, account and checkout pages from full-page caching where possible.
• Resource hints (preconnect/dns-prefetch) for https://challenges.cloudflare.com to speed up first paint.

Security tips

• Replay protection is enabled by default; adjust duration using kitgenix_turnstile_replay_ttl.
• Configure trusted proxies when using Cloudflare/CDN/reverse-proxy so the correct client IP is used.
• Use Developer Mode (warn-only) on staging to log failures without blocking users.
• Whitelisting (logged-in users, IPs and user agents) is supported but should be used sparingly.

Troubleshooting

Widget not showing

• Confirm Site and Secret Keys are correct.
• Check that the integration and specific form location are enabled.
• Verify you are not whitelisted (user, IP or user agent).
• Clear caches (page, object, CDN).
• Allowlist challenges.cloudflare.com in optimisation plugins.
• Check the browser console for blocked or failed scripts.

Always seeing “Please verify you are human”

• Token may be expired or invalid.
• Reduce page cache TTL on form pages.
• Do not full-page cache auth or checkout pages.
• Ensure your server can reach Cloudflare (no firewall blocks).

Elementor popups or AJAX forms

• Avoid over-deferring Elementor or form plugin JavaScript.
• The plugin listens to Elementor events and re-renders containers dynamically.

WooCommerce checkout issues

• Avoid caching dynamic fragments.
• Confirm the widget renders before the Place order button.
• If using custom checkout flows, ensure the token is forwarded correctly.

Minimum Requirements

• WordPress 5.0 or higher
• PHP 7.0 or higher
• Cloudflare Turnstile Site and Secret Keys (free)

Developers

Key filters

• kitgenix_captcha_for_cloudflare_turnstile_script_url( $url, $settings ) Override the Turnstile script URL or append query arguments.

• kitgenix_turnstile_freshness_ms Control token auto-reset interval (milliseconds).

• kitgenix_turnstile_replay_ttl Adjust replay protection cache duration (seconds).

• kitgenix_turnstile_is_whitelisted( $is_whitelisted, $context ) Modify whitelist decisions programmatically.

Shortcode

• [kitgenix_turnstile] – Render the Turnstile widget manually. Integrations detect the shortcode or rendered widget container and skip auto-injection to prevent duplicates.

Server-side endpoint

• Validates via https://challenges.cloudflare.com/turnstile/v0/siteverify.

Text domain

• kitgenix-captcha-for-cloudflare-turnstile (POT file included).

Integration Files

Each integration maps to a dedicated adapter class for maintainability.

• WordPress Core:

  • includes/integrations/wordpress/class-wp-core.php

• WooCommerce (Classic):

  • includes/integrations/ecommerce/class-woocommerce.php

• WooCommerce (Blocks / Store API):

  • includes/integrations/ecommerce/class-woocommerce-blocks.php

• Elementor Pro:

  • includes/integrations/page-builder/class-elementor.php

• Form plugins:

  • Contact Form 7 — includes/integrations/forms/contact-form-7.php
  • Fluent Forms — includes/integrations/forms/fluent-forms.php
  • Formidable Forms — includes/integrations/forms/formidable-forms.php
  • Forminator Forms — includes/integrations/forms/forminator-forms.php
  • Gravity Forms — includes/integrations/forms/gravity-forms.php
  • Jetpack Forms — includes/integrations/forms/jetpack-forms.php
  • Kadence Forms — includes/integrations/forms/kadence-forms.php
  • WPForms — includes/integrations/forms/wpforms.php

• Forums:

  • bbPress — includes/integrations/forums/bbpress.php

• Integration folders:

  • includes/integrations/
  • includes/integrations/ecommerce/
  • includes/integrations/forms/
  • includes/integrations/forums/
  • includes/integrations/page-builder/
  • includes/integrations/wordpress/

  Roadmap

• Per-form controls and additional UI refinements
• More granular placement options for page builders and theme forms
• Expanded compatibility notes and presets for popular optimisation and caching plugins
• Additional developer hooks and integration examples

External Services

This plugin connects to Cloudflare Turnstile to perform spam and abuse prevention checks. It sends:

• Turnstile site key
• Turnstile response token
• User IP address and user agent (used by Cloudflare for verification)

No personal data is stored or processed by Kitgenix.

Cloudflare Turnstile Terms: https://developers.cloudflare.com/turnstile/ Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/

Trademark Notice

“Cloudflare” and the Cloudflare logo are trademarks of Cloudflare, Inc. This plugin is not affiliated with or endorsed by Cloudflare, Inc.

Copyright

Kitgenix CAPTCHA for Cloudflare Turnstile is built with ❤️ by Kitgenix.

Credits

Cloudflare Turnstile – https://www.cloudflare.com/products/turnstile/ Built with ❤️ by https://kitgenix.com

Support Development

If this plugin helps you stop spam and keep your forms fast and user-friendly, you can support ongoing development here:

https://buymeacoffee.com/kitgenix