Cloudflare Turnstile
This implementation should be made for you by the Globber team. If you have any questions about this, let us know.
Cloudflare Turnstile is a CAPTCHA-free bot-protection widget. When enabled, a lightweight challenge is embedded in your site's forms — it runs silently in the background and only presents a visible interaction to users flagged as suspicious.
Where to configure
In the left menu of WordPress, go to Site Settings, then open the Cloudflare Turnstile sub-page.
Getting your API keys
- Log in to the Cloudflare Dashboard.
- Navigate to Turnstile in the left sidebar.
- Click Add site, enter a name and your domain, then click Create.
- Copy the Site Key and Secret Key — you will paste these into WordPress.
Never share your Secret Key. It is used server-side only and must be kept confidential.
Settings reference
| Field | Description |
|---|---|
| Enable Turnstile | Master switch. Must be on for any protection to apply. |
| Site Key | Public key from your Cloudflare Turnstile dashboard. Shown to visitors. |
| Secret Key | Private key from your Cloudflare Turnstile dashboard. Used server-side only. |
| Widget Theme | Visual style of the widget: Auto (matches browser dark/light mode), Light, or Dark. |
| Widget Appearance | Always visible — widget always shown. Invisible — runs silently on interaction. Interaction only — widget appears only when a challenge is actually needed. |
Per-form protection toggles
| Toggle | Default | Description |
|---|---|---|
| Protect Login Form | ✅ On | Adds the widget to the login modal. |
| Protect Registration Form | ✅ On | Adds the widget to the account registration modal. |
| Protect Password Reset Form | ✅ On | Adds the widget to the forgot-password modal. |
| Protect Checkout | ❌ Off | Adds the widget above the Place Order button on the WooCommerce checkout page. |
How it works
- When a visitor loads a protected form, the Turnstile JavaScript widget renders automatically.
- On form submission, the browser sends a cf-turnstile-response token along with the form data.
- The WordPress theme verifies this token server-side by calling Cloudflare's siteverify API before processing the form.
- If verification fails, the request is blocked and the user sees an error message.
The Cloudflare API script is loaded with data-cfasync="false" to prevent interference from Cloudflare's own Rocket Loader optimisation.
Logged-in users are never shown the Turnstile widget — the script is only enqueued for guest visitors.
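The server-side check described under How it works, written as an added example in plain PHP (it is not the theme's own code). The function name, the injected $post callable, the expected hostname shop.example and the response bodies are assumptions constructed for illustration; the check fails closed when siteverify is unreachable or returns something unexpected.

```php
<?php
// Added example, not the theme's code; function and variable names are hypothetical.
const TURNSTILE_SITEVERIFY = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

/**
 * True only when Cloudflare confirms the token. Every other outcome blocks the form.
 * $post is callable(string $url, array $fields): ?string and returns the raw
 * response body, or null when the HTTP request itself failed.
 */
function turnstile_token_is_valid(array $form, string $secret, string $expectedHost,
                                  callable $post, ?string $remoteIp = null): bool
{
    $token = $form['cf-turnstile-response'] ?? '';
    if (!is_string($token) || $token === '' || strlen($token) > 2048) {
        return false; // missing or oversized token (documented maximum is 2048 chars)
    }
    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null && filter_var($remoteIp, FILTER_VALIDATE_IP) !== false) {
        $fields['remoteip'] = $remoteIp; // optional; skipped if the header value is not an IP
    }
    $body = $post(TURNSTILE_SITEVERIFY, $fields);
    if (!is_string($body)) {
        return false; // siteverify unreachable: fail closed
    }
    $result = json_decode($body, true);
    if (!is_array($result) || ($result['success'] ?? false) !== true) {
        return false; // malformed JSON or Cloudflare rejected the token
    }
    // Extra check (an assumption of this example): the challenge was solved on our hostname.
    $host = $result['hostname'] ?? null;
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Constructed siteverify bodies standing in for the HTTP call, so this runs offline.
$cases = [
    'accepted'    => '{"success":true,"hostname":"shop.example","error-codes":[]}',
    'rejected'    => '{"success":false,"error-codes":["invalid-input-response"]}',
    'wrong host'  => '{"success":true,"hostname":"other.example","error-codes":[]}',
    'bad json'    => '<html>502 Bad Gateway</html>',
    'unreachable' => null,
];
$form = ['cf-turnstile-response' => 'constructed-token'];
foreach ($cases as $name => $body) {
    $post = function (string $url, array $fields) use ($body) { return $body; };
    $ok = turnstile_token_is_valid($form, 'placeholder-secret', 'shop.example', $post, '203.0.113.7');
    printf("%-12s %s\n", $name, $ok ? 'process form' : 'block request');
}
```

Inside WordPress, one way to supply $post is a closure around wp_remote_post() that returns wp_remote_retrieve_body() on success and null when is_wp_error() reports a failure.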
Saving your settings
After entering your keys and choosing your options, click Update / Publish at the top of the page. Changes take effect immediately on the live site.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Widget never appears | Enable Turnstile toggle is off, or Site/Secret Key is blank. | Enable the master switch and save both keys. |
| Widget appears but form still submits without passing | Test keys in use (Cloudflare test keys always pass). | Replace test keys with production keys. |
| Widget appears twice on checkout | Another plugin is also injecting a Turnstile widget. | Disable the third-party plugin's Turnstile option. |
| Server-side verification always fails | Secret Key is incorrect or the site sits behind a proxy that strips IP headers. | Double-check the Secret Key; the theme reads CF-Connecting-IP first, then standard forwarded-IP headers. |