A short while back, Cloudflare announced a new tool – Turnstile. It’s an alternative to the ubiquitous CAPTCHA forms that are used on 98% of websites. This new tool achieves the same goal of protecting you from spam, but without the intrusive puzzle-solving and without sending your data to Google. Here’s how to integrate Cloudflare’s Turnstile into your site.
Step 1: Log in to Cloudflare and Generate a Domain Key
Unlike other Cloudflare services, you don’t need to integrate your site with Cloudflare to use Turnstile. Of course, you need a Cloudflare account, so log into your dashboard and select “Turnstile” on the right-hand side as shown below. This is an account-wide feature, so don’t choose any specific site:
For this test, I’m using the test NameHero domain. So under “Domain”, either choose a site you’ve already added to Cloudflare or create a new one. Under “Widget Type”, select “Non-interactive”. You can also choose to hide the Turnstile entirely if you want.
After this, Cloudflare will assign a “Site Key” and a “Secret Key” as shown here:
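Keep both of these keys in a safe location. The Site Key ends up in your page’s HTML and is public by design, but the Secret Key is what your server uses to validate tokens with Cloudflare, so it must never appear in client-side code or a public repository.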
Step 2: Download the Simple Cloudflare Turnstile Plugin
This is a “set it and forget it” plugin. Compared to other add-ons like WS Forms, the Simple Cloudflare Turnstile plugin has a basic configuration and is dead simple to use. Download and install the plugin and, in the configuration screen, enter your Site Key and Secret Key as shown here:
You can choose to disable your form’s “Submit” button until the challenge is solved and choose the theme of the Turnstile. Further down, select the WordPress forms to which you want to apply the Cloudflare Turnstile. You can start with the comment form as shown here:
All the above forms are popular targets for bots and spammers. So there’s no harm in enabling them all. Save your changes. Now the Simple Cloudflare Turnstile plugin will ask you to validate the API response like this:
Click the green “Test API Response” button, and if everything goes well, it should validate as shown here:
And you’re done.
Testing the Cloudflare Turnstile Form
Navigate to a form on which you’ve enabled the Cloudflare Turnstile widget. You should see something like this:
As shown above, the widget will evaluate your behavior to determine if you’re a human or not. And if so, it’ll show “Success,” and you can submit the form without further interaction. This is the easiest way to add Cloudflare’s Turnstile widget to WordPress.
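For readers who want to see what happens on the server when such a form is submitted, here is an added example (not code from the plugin or from this tutorial) of the token check against Cloudflare’s siteverify endpoint. The function names, the example.com hostname and the 300-second age limit are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request
from datetime import datetime

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


def call_siteverify(secret_key, token, remote_ip=None, timeout=5):
    """POST the token from the form's cf-turnstile-response field, plus the
    Secret Key, to Cloudflare and return the parsed JSON reply."""
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def accept_submission(result, expected_hostname, max_age_s=300, now=None):
    """Return (ok, reason) for a siteverify reply; fail closed on surprises."""
    if not isinstance(result, dict) or result.get("success") is not True:
        codes = result.get("error-codes") if isinstance(result, dict) else None
        return False, "rejected:" + ",".join(codes or ["no-success"])
    # A token solved on another site's widget must not unlock this form.
    if result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    try:
        ts = str(result["challenge_ts"]).replace("Z", "+00:00")
        solved = datetime.fromisoformat(ts).timestamp()
    except (KeyError, ValueError):
        return False, "bad-timestamp"
    # Assumed policy: ignore challenges solved more than max_age_s ago.
    if (time.time() if now is None else now) - solved > max_age_s:
        return False, "stale-challenge"
    return True, "ok"


# Constructed sample replies (not captured from a real site).
SAMPLE_OK = {"success": True, "hostname": "example.com",
             "challenge_ts": "2024-01-01T12:00:00.000Z", "error-codes": []}
SAMPLE_FAIL = {"success": False, "error-codes": ["invalid-input-response"]}

if __name__ == "__main__":
    now = 1704110400 + 60  # one minute after SAMPLE_OK's challenge_ts
    print(accept_submission(SAMPLE_OK, "example.com", now=now))
    print(accept_submission(SAMPLE_OK, "other.example", now=now))
    print(accept_submission(SAMPLE_FAIL, "example.com", now=now))
```

The form handler should process a submission only when accept_submission returns ok, and should treat a network error from call_siteverify as a failed check.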
How Turnstile is Better than CAPTCHA
The most obvious way that Turnstile is superior to CAPTCHA is that it doesn’t require user interaction. Unlike CAPTCHA, you don’t have to solve a puzzle or click images. It’s easier and more seamless for your users.
The other benefit, however, is that it’s a massive improvement in privacy. CAPTCHA sends your data to Google, and users with a Google cookie receive a higher value than those who don’t. Google swears up and down that they don’t use the data they collect for ad targeting. But is it believable? I don’t think so. On the other hand, Cloudflare Turnstile doesn’t send your data to Cloudflare in the first place. And because of this, it’s more privacy-friendly than Google’s CAPTCHA.
Turnstile is mature enough for production use, and I recommend everyone who uses a CAPTCHA to use Turnstile instead.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!