How to Set Up Cloudflare Turnstile CAPTCHA on WordPress (Complete Guide)

Keeping a website protected from bots and spammers is crucial for any business and its online presence. That’s why site owners use CAPTCHAs to ensure their visitors are actual humans.

However, it’s also important not to annoy potential customers with difficult images, twisted alphabets, and the like.

User experience is everything, right?

Cloudflare Turnstile CAPTCHA solves this problem with its simple checkbox, or no checkbox at all (invisible CAPTCHA), if you prefer.

Let’s explore how you can set up Cloudflare CAPTCHA on your WordPress website. In this tutorial, you’ll find two methods, along with ways to test and troubleshoot Cloudflare CAPTCHA, as well as best practices.

You’ll also learn how Cloudways makes it easier to set up the entire Cloudflare enterprise, taking your security to the next level!

Cloudflare CAPTCHA Overview

CAPTCHA is an acronym for the Completely Automated Public Turing Test to Tell Computers and Humans Apart. It is a measure of security that helps in blocking bots and spammers from accessing your site.

CAPTCHA asks the user to perform certain actions that are easy for humans but pretty hard for bots – like reading distorted text, selecting images containing a particular object, or checkbox selection.

Cloudflare CAPTCHA is a part of Cloudflare’s broader security suite, designed to block malicious traffic and prevent bot attacks.

What Is Cloudflare Turnstile?

Source: Cloudflare

Cloudflare Turnstile CAPTCHA is a bit different because it is a modern and lightweight solution to traditional CAPTCHAs.

By removing image-based challenges, it ensures smooth form protection through rotating browser tests and non-interactive JavaScript.

This eliminates the need for users to complete frustrating puzzles, enhancing the form submission process.

Plus, you don’t need to be a current Cloudflare customer to use this service. WordPress site owners can sign up for free and easily integrate Cloudflare Turnstile CAPTCHA into their website forms.

Stop Worrying About Security With Cloudways Managed WordPress Hosting

Get the Cloudflare Enterprise add-on with Cloudways WordPress hosting for just $4.99, and secure your business against DDoS attacks and malicious traffic.

Free Trial

Key Features

Key features of Cloudflare CAPTCHA include:

• No user interaction is required
• Non-intrusive
• Non-interactive JavaScript challenges
• Adaptive protection
• Lightweight and fast
• Free for integration

Turnstile Widgets

Turnstile widget types include:

• A non-interactive challenge.
• A non-intrusive interactive challenge (such as checking a box) if the visitor is a suspected bot.

Source: Cloudflare

• An invisible challenge to the browser.

Why Set Up Cloudflare Turnstile in WordPress?

Spam and bots can really disrupt your website, whether by spamming links, attacking login forms, or flooding your lead-generation forms with junk.

These issues can open the door for brute-force attacks and create a frustrating experience for visitors. If you run an online store, automated scripts might even place fraudulent orders, costing you time and money.

Many website owners rely on CAPTCHA or reCAPTCHA to block these malicious bots, but let’s be honest — those tools sometimes create a poor user experience. Some people even worry about their data being harvested by these systems.

That’s where Cloudflare Turnstile comes in.

It’s a new, smarter CAPTCHA solution that runs invisible, non-intrusive challenges directly in the browser.

It protects your site without forcing users to solve frustrating puzzles. Plus, it uses Apple’s Private Access Tokens to verify users while keeping their data safe and private.

If you use form builders or WooCommerce, Turnstile integrates seamlessly with these tools, making it easy to add invisible CAPTCHA protection across your WordPress site.

How to Get Started with Cloudflare CAPTCHA?

For this tutorial, I will add Cloudflare Turnstile CAPTCHA to a contact form on my website.

This is what it looks like right now:

To get started with Cloudflare, go to their website and follow these instructions:

• Find and click the “Sign Up” button or “Start for Free” at the top right corner.

• Add your email address and password to sign up.

Once you have created your account, you will be taken to your Cloudflare dashboard.

• On the left panel, look for “Turnstile”.
• Then, Click on Turnstile Widgets to add your widget.
• Next, name your widget so you can identify it later. I have named mine “Security”.
• After that, click on “Add Hostnames” to add your website.

• Now scroll down to find and select widget mode. 
• Click on Save Changes.

• Once the widget is created, you will be provided with API keys, which you will need for the next step.

How to Add Cloudflare Turnstile to WordPress

There are two ways to add Cloudflare CAPTCHA to your WordPress website.

Method 1: Use WPForms to Add Cloudflare Turnstile CAPTCHA

The most common method is to use WPForms to add Cloudflare Turnstile.

Step 1: Setting Up Turnstile on WPForms

• First, go to Plugins > Add New Plugin.
• In the search bar, type “WPForms.”
• Then, install and activate the WP Forms plugin.

• Then, go to WPForms > Settings > CAPTCHA.
• Click on Turnstile.

Remember, Cloudflare provided you with a Site Key and a Secret Key? It is time to use them here.

• Scroll down to find the section where you can paste the site key and secret key.
• If you want, you can alter the message that will appear if the verification fails.
• Once you have added the keys, hit “Save Settings.”

Step 2: Enabling Turnstile on WordPress Forms

Now that you have added your keys, it is time to enable Turnstile for the form you want.

Take these steps:

• Go to your WordPress dashboard.
• On the left panel, go to WPForms > All Forms.
• Now, look for the form you want to enable Cloudflare CAPTCHA on.
• Right below the form, click on Edit.

💡If the Edit option does not appear, move your cursor over the form. All options will show up.

• In the Editing dashboard, look for Turnstile on the left and click on it.

When you do that, a message will appear telling you that Turnstile has been enabled:

• Hit OK and then click on Save in the top right corner.

And that’s it. You’re done.

Now, go to your website’s front end to check if the widget is appearing.

Here is what my Contact Form now looks like:

What If My Form Is Not Built On WPForms?

If your form is not built on WPForms, you can still use the plugin to integrate Cloudflare CAPTCHA. Another easier method is to use a different plugin. Refer to the next section, “Method 2.”

Method 2: Use a Free Plugin to Add Turnstile CAPTCHA

You can use the Simple Cloudflare Turnstile plugin to add turnstile to your WordPress forms.

• First, go to Plugins > Add New Plugin.
• In the search bar, type “Simple Cloudflare Turnstile”.
• Then, install and activate the Simple Cloudflare Turnstile plugin.

This will take you to the API Key Settings.

• Copy the Site Key and Secret Key here in the relevant sections.

• Scroll down now to checkmark the forms you want to turn Turnstile on.

🌩️ If you’re not using default WordPress forms, you’ll find a section below that will also include forms from other plugins. In my case, you can see it is showing the option for WPForms.

• Click Save Changes. And you’re done.

How to Test Cloudflare CAPTCHA?

To make sure everything goes smoothly, you can first test Cloudflare Turnstile CAPTCHA in a development environment.

Here are the available site keys and secret keys for testing purposes.

If you want to test locally with real keys, you’ll need to add your testing hostnames (like localhost) to your domain allowlist.

You can use dummy site keys from any domain, including localhost.

Cloudflare suggests that production site keys should not allow local domains (such as localhost or 127.0.0.1), but you can choose to add local domains to the allowed list if needed.

Sitekey	Description	Visibility
1x00000000000000000000AA	Always passes	visible
2x00000000000000000000AB	Always blocks	visible
1x00000000000000000000BB	Always passes	invisible
2x00000000000000000000BB	Always blocks	invisible
3x00000000000000000000FF	Forces an interactive challenge	visible

Keep in mind these dummy sitekeys will return an XXXX.DUMMY.TOKEN.XXXX response. Production secret keys will reject this token, so for testing, you should also use a dummy secret key.

However, if you have already added Cloudflare CAPTCHA, there are some ways you can test and troubleshoot. Let’s check them out…

Troubleshooting

Once you have created your Turnstile CAPTCHA, try the following:

Test Form Submissions

Go to your WordPress site and try submitting a form to make sure the Turnstile CAPTCHA appears and functions as it should.

Check that the challenge/verification failed message is showing up correctly and the form goes through smoothly.

If anything goes wrong, the Simple Cloudflare Turnstile plugin offers helpful troubleshooting tools, like API testing and custom error message settings.

Verify API Response

Use Cloudflare’s testing tools to confirm that the API is responding properly and validating submissions. If it’s not working, double-check your API keys and plugin configuration to make sure everything is set up correctly.

Resolve Common Issues

If the CAPTCHA isn’t showing or isn’t validating submissions, ensure your Site Key and Secret Key are entered correctly.

Also, look out for any plugin conflicts that might be interfering with the CAPTCHA’s operation.

Set Custom Error Messages

If the CAPTCHA validation fails, you can create a custom error message to help guide users on how to fix the issue and submit the form again. This is a great way to provide clearer instructions while maintaining security.

Best Practices When Adding Cloudflare CAPTCHA On WordPress

To make the best out of your efforts toward security, consider the following best practices when integrating Cloudflare CAPTCHA:

⭐Add the CAPTCHA to key forms like login, registration, and contact forms to protect against bots without annoying users.

⭐Ensure your Site Key and Secret Key are correctly configured in the plugin settings to avoid any validation issues.

⭐After setting it up, submit a few test forms to ensure everything works smoothly and the CAPTCHA challenge appears as expected.

⭐Keep an eye on your API keys and update them when necessary to ensure everything remains secure and functional.

⭐Tweak the advanced settings for even better performance, adjusting things like challenge difficulty or trigger actions to suit your needs.

⭐Don’t forget to enable CAPTCHA on comment forms to prevent spam and ensure only genuine interactions.

How Cloudways Makes It Easy to Integrate Cloudflare on WordPress?

If you have read till here, I am sure you care about the security of your website – as any business should. And security goes beyond just the Turnstile CAPTCHA by Cloudflare.

Cloudflare offers a suite of security solutions like Content Delivery Network (CDN), Web Application Firewall (WAF), SSL/TSL encryption, and much more.

With a managed WordPress hosting provider like Cloudways, you can take your site’s security and performance to the next level.

If you’re a Cloudways user, you can get the Cloudways Cloudflare Enterprise add-on for just $4.99/month per domain.

On the other hand, if you get the Pro and Business plans from Cloudflare directly, which are priced at $20/month and $200/month, respectively, you’d have to pay a substantially higher cost.

Boost Core Web Vitals with Cloudways Cloudflare Enterprise

Enhance your website’s Core Web Vitals and overall performance with Cloudways Cloudflare Enterprise for as low as $1.99/month per domain.

TRY NOW

Here are the features you get with the Enterprise plan of Cloudflare hosting:

• 100GB Enterprise CDN
• Edge Page Caching
• Argo Smart Routing
• Argo Tiered Caching
• Priority DDoS protection
• Intelligent firewall (WAF)
• Global Rate Limiting
• The Honey Pot Project
• Image optimization with Polish
• Brotli compression
• Mobile optimization with Mirage
• Wildcard SSL support
• PCI DSS compliance
• HTTP/3 support
• Reserved for Cloudways IPs & prioritized routing

Summary

By following the steps in this guide, you will be well-equipped to add Cloudflare CAPTCHAs to your WordPress site.

Setting up Turnstile is one of the easiest and most efficient methods of protecting your site from bots and spam without annoying your users.

You can shield the critical sections of your website such as login, comment and registration forms, while maintaining user experience.

If you’re a Cloudways user, you can go many steps ahead for security, and get the Cloudways Cloudflare Enterprise add-on for just $4.99/month per domain.