Kitgenix CAPTCHA for Cloudflare Turnstile
Spam is expensive. It wastes time, fills your inbox, creates fake accounts, and on WooCommerce sites it can even lead to abandoned checkout noise and fraudulent activity.
At the same time, traditional CAPTCHA systems can hurt conversions. If real customers have to click traffic lights and buses just to place an order, you’ll feel it in your revenue.
Cloudflare Turnstile is designed to solve that: it’s a modern, privacy-first CAPTCHA alternative that reduces friction for real people while still blocking bots.
Kitgenix CAPTCHA for Cloudflare Turnstile is a production-ready Turnstile integration for WordPress that focuses on three things:
It works across the places spam actually happens, it validates properly on the server, and it stays fast.
This plugin adds Cloudflare Turnstile to WordPress core forms, WooCommerce checkout and account forms (including WooCommerce Blocks / Store API checkout), Elementor (forms and popups), Easy Digital Downloads, BuddyPress and bbPress, plus a range of popular form plugins like Contact Form 7, WPForms, Gravity Forms, Forminator, Fluent Forms, Formidable and more.
It also includes security features you’d expect from a serious implementation: replay protection, proxy-aware client IP handling, flexible whitelisting, and a developer mode that lets you log failures without blocking users.
Cloudflare Turnstile for WordPress, WooCommerce and forms (without the usual headaches)
Many Turnstile plugins work “in simple cases”, then break when you: enable caching, switch to WooCommerce Blocks checkout, use an Elementor popup, or run behind Cloudflare / a reverse proxy.
Kitgenix Turnstile is built to handle those real-world setups. It uses conditional script loading, renders widgets carefully to avoid duplicates, and verifies tokens server-side using Cloudflare’s official endpoint.
If you’re looking for:
- a Cloudflare Turnstile plugin for WooCommerce checkout,
- a Turnstile integration for Elementor forms and popups,
- a privacy-first reCAPTCHA alternative for Contact Form 7 / WPForms / Gravity Forms,
- or simply a reliable anti-spam plugin for WordPress login and registration,
this plugin is made for you.
Where Turnstile is added (supported integrations)
You can enable or disable each integration from the settings, so you only protect what you need.
WordPress Core: Login, registration, lost password, reset password, comments. This includes special handling for WooCommerce product reviews where needed so the widget appears in the right place.
WooCommerce (Classic): Checkout, My Account login, My Account registration, lost password.
WooCommerce Blocks (Store API): Blocks checkout UI rendering plus server-side validation of Store API checkout requests. This matters for modern WooCommerce sites that use the block-based checkout.
Elementor (Page Builder): Elementor forms and dynamic content. Designed to behave correctly with popups, delayed popups, AJAX submission and multiple forms on one page.
Easy Digital Downloads: Adds Turnstile protection to key EDD flows to reduce automated purchases and abuse.
Forms: Contact Form 7, WPForms, Gravity Forms, Forminator, Fluent Forms, Formidable, Jetpack Forms, Kadence Forms.
Forums / community: bbPress topic and reply forms, plus BuddyPress flows where spam signups and automated posting are common.
Why Kitgenix Turnstile is different
It validates on the server (properly).
A CAPTCHA is only as good as its verification. This plugin verifies tokens server-side against Cloudflare’s official siteverify endpoint for supported forms. Missing, expired and invalid tokens are handled consistently.
Replay protection is enabled by default. Bots love replaying tokens. Kitgenix caches recent tokens (hashed) and rejects re-use. TTL is filterable.
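The replay check described above, as an added example that is not the plugin's own code: a cache of hashed tokens with a TTL, consulted before the verification call. `ReplayGuard`, `check_submission`, the `$siteverify` stub, the 300-second TTL and the token strings are all hypothetical; the in-memory array stands in for a shared cache.

```php
<?php
// Added example (PHP 8+). In-memory stand-in for a shared cache such as WordPress transients.

final class ReplayGuard {
    /** @var array<string,int> sha256(token) => expiry (unix time) */
    private array $seen = [];

    public function __construct(private int $ttl = 300) {} // TTL value is an assumption

    /** Returns true the first time a token is seen within the TTL, false on re-use. */
    public function claim(string $token, int $now): bool {
        // Drop expired entries so the cache only holds one TTL's worth of tokens.
        $this->seen = array_filter($this->seen, fn (int $exp) => $exp > $now);
        $key = hash('sha256', $token);         // never store the raw token
        if (isset($this->seen[$key])) {
            return false;
        }
        $this->seen[$key] = $now + $this->ttl;
        return true;
    }
}

/**
 * $siteverify is a hypothetical callable standing in for the HTTPS call to
 * Cloudflare; it receives the token and returns true when Cloudflare accepts it.
 */
function check_submission(string $token, ReplayGuard $guard, callable $siteverify, int $now): string {
    if ($token === '') return 'missing';
    // Claim first, so a replay is rejected without a round trip to Cloudflare.
    if (!$guard->claim($token, $now)) return 'replayed';
    return $siteverify($token) ? 'ok' : 'invalid';
}

// Constructed sample: one good submission, the same token replayed, then an empty token.
$guard = new ReplayGuard(ttl: 300);
$calls = 0;
$stub  = function (string $t) use (&$calls): bool { $calls++; return $t === 'constructed-good-token'; };
$t0    = 1_700_000_000;
$tries = [[$t0, 'constructed-good-token'], [$t0 + 5, 'constructed-good-token'], [$t0 + 6, '']];
foreach ($tries as [$now, $tok]) {
    echo check_submission($tok, $guard, $stub, $now), "\n";
}
echo "remote calls: $calls\n";
```

On a multi-process site the claim step has to be an atomic add against the shared cache, otherwise two parallel requests carrying the same token can both pass it.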
It’s proxy-aware, without trusting spoofed headers.
If your site sits behind Cloudflare or another proxy, IP headers like CF-Connecting-IP and X-Forwarded-For are only trustworthy if the request is actually coming from your proxy.
This plugin lets you configure trusted proxies so headers are honoured safely.
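One way to implement the trusted-proxy rule above, as an added example that is not the plugin's own code: forwarding headers are read only when the connecting peer falls inside a configured proxy range. The function names, the `$trusted` list and every address are constructed for illustration.

```php
<?php
// Added example (PHP 8+). All addresses are constructed documentation ranges.
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $len] = array_pad(explode('/', $cidr, 2), 2, null);
    $a = @inet_pton($ip);
    $b = @inet_pton($net);
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false;                          // unparsable, or IPv4 vs IPv6
    }
    $max = strlen($a) * 8;
    if ($len !== null && (!ctype_digit($len) || (int) $len > $max)) {
        return false;                          // "/abc" must not silently become /0
    }
    $bits = $len === null ? $max : (int) $len; // bare address = exact match
    $full = intdiv($bits, 8);
    if (substr($a, 0, $full) !== substr($b, 0, $full)) return false;
    if ($bits % 8 === 0) return true;
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF;  // partial trailing byte
    return (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask);
}

function is_trusted_proxy(string $ip, array $trusted): bool {
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

function resolve_client_ip(array $server, array $trusted): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($peer, $trusted)) {
        return $peer;                          // direct hit: IP headers are attacker-supplied
    }
    $cf = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    if (filter_var($cf, FILTER_VALIDATE_IP)) return $cf; // assumes the proxy overwrites it
    // X-Forwarded-For: walk right to left, skipping hops that are our own proxies.
    $xff = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($xff) as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) break;
        if (!is_trusted_proxy($hop, $trusted)) return $hop;
    }
    return $peer;
}

$trusted = ['198.51.100.0/24'];
$spoofed = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_CF_CONNECTING_IP' => '192.0.2.1'];
$proxied = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 192.0.2.44, 198.51.100.8'];
echo resolve_client_ip($spoofed, $trusted), "\n"; // header ignored, peer address used
echo resolve_client_ip($proxied, $trusted), "\n"; // rightmost untrusted hop used
```

The leftmost `X-Forwarded-For` entry is whatever the client chose to send, which is why the walk starts from the right and stops at the first hop outside the trusted ranges.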
It stays fast. Turnstile scripts are conditionally loaded only where needed. The plugin uses modern WordPress script loading and keeps public CSS scoped and lightweight.
It’s built for dynamic forms. Elementor popups, AJAX forms, multi-step flows and dynamically injected forms are common sources of “widget didn’t render” issues. This plugin listens for the events those systems use and triggers safe re-renders when appropriate.
It includes a staging-friendly mode. Developer mode (warn-only) logs failures but doesn’t block submissions. That’s ideal when you want to test keys, caching behaviour or proxy settings without risking customer friction.
Manual placement (shortcode)
If you have a custom theme form or a plugin we don’t support yet, you can manually render the widget using:
[kitgenix_turnstile]
Many integrations also support “shortcode only” behaviour to give you full control over placement.
Quick Start (recommended setup)
- Install and activate the plugin.
- Open the Turnstile settings under the Kitgenix hub in wp-admin.
- Add your Cloudflare Turnstile Site Key and Secret Key.
- Enable the integrations you want (WordPress, WooCommerce, forms, etc).
- Save changes, then test the forms that matter most: login, checkout, registration and your main contact form.
Tip: Use Developer mode (warn-only) first on staging or during initial rollout. Once you’re happy, disable warn-only to enforce strict blocking.
Performance and caching notes (important for WooCommerce sites)
Turnstile is lightweight, but aggressive optimisation can break it if the loader is delayed too heavily.
If you use caching or optimisation plugins:
- Allowlist https://challenges.cloudflare.com
- Avoid full-page caching for login/account/checkout pages
- Avoid combining or inlining the Turnstile loader
- Avoid heavily delaying Elementor/form plugin scripts
- If your host blocks outbound HTTP requests, ensure your site can reach Cloudflare for verification
Developers
Shortcode: [kitgenix_turnstile]
Common filters:
- kitgenix_captcha_for_cloudflare_turnstile_script_url( $url, $settings )
- kitgenix_turnstile_freshness_ms
- kitgenix_turnstile_replay_ttl
- kitgenix_turnstile_is_whitelisted( $is_whitelisted, $context )
Server-side verification: Uses Cloudflare Turnstile siteverify endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify
External Services
This plugin uses Cloudflare Turnstile to verify requests and prevent spam and abuse.
When verification is enabled, the plugin sends to Cloudflare:
- Your Turnstile site key
- The Turnstile response token
- The visitor IP address and user agent (used by Cloudflare for verification)
The plugin does not add tracking cookies itself and does not sell or share personal data.
Cloudflare Turnstile Terms: https://developers.cloudflare.com/turnstile/
Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
Trademark Notice
“Cloudflare” and the Cloudflare logo are trademarks of Cloudflare, Inc. This plugin is not affiliated with or endorsed by Cloudflare, Inc.
Support Development
If this plugin helps keep spam away without slowing your site down, you can support ongoing development here: https://buymeacoffee.com/kitgenix
Credits
Built with ❤︎ by @kitgenix — https://kitgenix.com
