
WordPress Login protected by Cloudflare Turnstile (success state).
Stop spam without punishing real users. Kitgenix CAPTCHA for Cloudflare Turnstile integrates Cloudflare’s modern, low-friction, reCAPTCHA-free challenge with WordPress so you can block bots and keep conversions high.
Protect WordPress login/registration/password/comments, WooCommerce checkout & account (Classic + Blocks / Store API), and popular form builders using server-side verification, replay protection, and proxy-aware IP detection. Built for performance (async/conditional loading) and privacy (no cookies or tracking added by the plugin; GDPR-friendly).
Why Kitgenix
– Ultra-lightweight & fast — Modern WP Script API (6.3+) with strategy=async; loads only where needed.
– Privacy-first — No cookies/tracking added by the plugin; Turnstile minimizes data collection.
– Rock-solid server-side validation — Official siteverify endpoint.
– Replay protection — Rejects reused tokens by default (TTL filterable).
– Proxy-aware client IP — Honors CF/Proxy headers only from trusted proxies.
– Seamless integrations — WordPress Core, WooCommerce (Classic & Blocks), Elementor Pro, and major form plugins.
– Smart UX — Optional “disable submit until verified”, token freshness timers, inline error hints.
– Production-ready admin — Onboarding, Site Health test, JSON import/export, accessible UI.
– Multisite aware — Clean uninstall removes settings site-wide (and network-wide on Multisite).
Supported Forms & Integrations (with descriptions)
WordPress Core
- Login, Registration, Lost/Reset Password, Comments
Adds a Turnstile widget to core auth and discussion forms. Validates tokens on submit (POST-only) and blocks invalid/expired/reused tokens with a clear message.
WooCommerce (Classic)
- Checkout, Login, Registration, Lost Password
Renders near the Place order area and account/auth forms. Server-side verification runs during checkout validation and account actions. Designed to work with fragment reloads; avoids double-submit and duplicate renders.
WooCommerce (Blocks / Store API)
- Checkout (Blocks)
Injects the widget in Blocks checkout UIs and validates Store API requests on the server. The token can be forwarded via header (e.g., X-Turnstile-Token) and is handled automatically by the plugin/extension.
Elementor Pro (Forms & Popups)
- Elementor Pro Forms (including Popups and dynamically rendered forms)
Injects before/after the submit area. Listens to Elementor events to re-render on popups, AJAX submissions, and validation errors. Ensures a fresh token on each attempt.
Contact Form 7
- All CF7 forms
Auto-injects the widget; resets and re-renders after AJAX errors. No special shortcode needed. Prevents send on failed verification.
Fluent Forms
- All Fluent Forms
Auto-injects and validates server-side via the plugin’s hooks. Handles AJAX and multi-step flows with automatic re-render.
Formidable Forms
- All Formidable forms
Auto-injects the widget; validates on submit; re-renders after client or server validation errors.
Forminator Forms
- All Forminator forms
Works with regular and AJAX-loaded forms, including multi-step. Automatically resets token on failed submissions.
Gravity Forms
- All Gravity Forms
Widget placement before/after submit; validates server-side on the form’s native hooks. Handles AJAX and multi-page with safe re-render.
Jetpack Forms
- Jetpack Contact Forms
Adds Turnstile to Jetpack forms and validates on submit. Respects Jetpack’s AJAX behaviors.
Kadence Forms (Kadence Blocks)
- Kadence Forms
Auto-injects on Kadence form blocks; validates server-side; re-renders on client errors.
WPForms
- All WPForms (Lite/Pro)
Injects before/after the submit area; prevents send until verification passes (optional disable-until-verified UX); resets on AJAX errors.
Forums: bbPress
- Create Topic & Reply forms (bbPress)
Adds Turnstile to bbPress posting forms to reduce automated spam topics/replies. Validates before content is saved.
Enable/disable each integration and location in Settings → Cloudflare Turnstile.
How It Works (Technical)
- Loads https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit with async strategy (WP ≥ 6.3).
- Injects a widget into enabled forms; re-renders for dynamic loads (AJAX, multi-step, popups).
- Validates server-side via /v0/siteverify with your secret key and request IP (when appropriate).
- On failure (invalid/expired/reused token) submission is blocked with clear, customizable messaging.
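The server-side check and the rejection of reused tokens can be sketched as follows. This is an added example, not code from the plugin: the function name, the in-memory cache, the 600-second TTL and the stub transport are assumptions chosen so the logic runs offline; only the siteverify URL and its secret/response/remoteip fields come from Cloudflare's API.

```php
<?php
// Added illustration, not the plugin's code; function and variable names are hypothetical.
const SITEVERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

/**
 * Verify a Turnstile token at most once. $post is callable(string $url, array $fields)
 * returning the decoded JSON array or null on transport failure (injected so the logic
 * runs offline). $seen is the replay cache: sha256(token) => expiry timestamp.
 */
function verify_turnstile_once(string $token, string $secret, string $ip,
                               callable $post, array &$seen, int $ttl = 600): array
{
    $now = time();
    // Drop expired entries so the cache stays bounded by the TTL window.
    $seen = array_filter($seen, function ($expiry) use ($now) { return $expiry > $now; });
    if ($token === '' || strlen($token) > 2048) {   // Turnstile tokens are at most 2048 chars
        return [false, 'missing-or-oversized-token'];
    }
    $key = hash('sha256', $token);                  // never store the raw token
    if (isset($seen[$key])) {
        return [false, 'replayed-token'];           // rejected locally, no network call
    }
    $fields = ['secret' => $secret, 'response' => $token];
    if ($ip !== '') {
        $fields['remoteip'] = $ip;                  // optional siteverify parameter
    }
    $res = $post(SITEVERIFY_URL, $fields);
    if (!is_array($res)) {
        return [false, 'siteverify-unreachable'];   // fail closed; token is not marked spent
    }
    $seen[$key] = $now + $ttl;                      // definitive answer: token is now spent
    if (empty($res['success'])) {
        return [false, implode(',', (array) ($res['error-codes'] ?? ['unknown']))];
    }
    return [true, 'ok'];
}

// Constructed stub transport: only the made-up token "good-token" verifies.
$stub = function ($url, array $f) {
    return $f['response'] === 'good-token'
        ? ['success' => true]
        : ['success' => false, 'error-codes' => ['invalid-input-response']];
};
$seen = [];
foreach (['good-token', 'good-token', 'forged', ''] as $t) {   // second entry is a replay
    list($ok, $why) = verify_turnstile_once($t, 'example-secret', '203.0.113.7', $stub, $seen);
    printf("%-14s %s (%s)\n", var_export($t, true), $ok ? 'accept' : 'reject', $why);
}
```

In a WordPress context the array cache would be replaced by a shared store with expiry (transients or an object cache) so that every PHP worker sees the same spent tokens.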
Quick Start
- Install & Activate: Plugins → Add New → search “Kitgenix Turnstile”.
- Add Keys: Settings → Cloudflare Turnstile → paste Site Key & Secret Key from your Cloudflare dashboard.
- Choose Integrations: toggle WordPress/WooCommerce/Form plugins and specific locations.
- Save & Test: try login/register/comments/checkout + your form pages.
- Optional Hardening: enable Disable Submit Until Verified and review Tools → Site Health hints.
Performance Playbook
- Async by default with WP Script API (6.3+).
- Conditional loading — scripts only where protection is active.
- Optimization plugins:
  - Allowlist https://challenges.cloudflare.com.
  - Do not inline or block the Turnstile script.
  - Exclude login, account, and checkout pages from full-page caching.
- Resource hints — preconnect/dns-prefetch for faster first paint.
Security Tips
- Replay protection — enabled by default; tune TTL via kitgenix_turnstile_replay_ttl.
- Trusted proxies — configure Trusted Proxies for accurate client IPs behind Cloudflare/NGINX/etc.
- Developer Mode (warn-only) — on staging, log failures without blocking.
- Whitelisting — logged-in/IP/UA; use sparingly.
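Why the trusted-proxy list matters: a forwarding header is only meaningful when the TCP peer is one of your own proxies, otherwise any client can set it. The following added example (not the plugin's code) shows that rule; the function names, the choice of CF-Connecting-IP and X-Forwarded-For as the headers, and the documentation-range addresses are assumptions.

```php
<?php
// Added illustration, not the plugin's code; names and sample addresses are constructed.

/** True if $ip lies inside $cidr (IPv4 or IPv6), e.g. "198.51.100.0/24". */
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                      // malformed input or mixed address families
    }
    $max = strlen($ipBin) * 8;
    $bits = $parts[1] ?? (string) $max;
    if (!ctype_digit($bits) || (int) $bits > $max) return false;
    $bytes = intdiv((int) $bits, 8);
    $rem = (int) $bits % 8;
    $mask = (0xFF << (8 - $rem)) & 0xFF;   // mask for the partial byte, if any
    return strncmp($ipBin, $netBin, $bytes) === 0
        && ($rem === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask));
}

/** Resolve the client IP; forwarding headers count only when the TCP peer is trusted. */
function client_ip(array $server, array $trusted): string
{
    $isTrusted = function (string $ip) use ($trusted): bool {
        foreach ($trusted as $cidr) {
            if (ip_in_cidr($ip, $cidr)) return true;
        }
        return false;
    };
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!$isTrusted($peer)) return $peer;  // direct client: its headers are untrusted input
    $cf = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    if (filter_var($cf, FILTER_VALIDATE_IP)) return $cf;
    // X-Forwarded-For: walk right to left, skipping our own proxies.
    foreach (array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')) as $hop) {
        $hop = trim($hop);
        if (!filter_var($hop, FILTER_VALIDATE_IP)) break;
        if (!$isTrusted($hop)) return $hop;
    }
    return $peer;
}

// Constructed requests; 198.51.100.0/24 stands in for the trusted proxy range.
$trusted = ['198.51.100.0/24'];
$viaProxy = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
$spoofed  = ['REMOTE_ADDR' => '192.0.2.50', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
echo client_ip($viaProxy, $trusted), "\n", client_ip($spoofed, $trusted), "\n";
```

The second request carries the same header but arrives from an address outside the trusted range, so the header is ignored and the peer address is used for siteverify and any IP-based whitelisting.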
Troubleshooting
Widget not showing: Check keys + enabled location; confirm you’re not whitelisted; clear caches; allowlist challenges.cloudflare.com; check console for blockers.
“Please verify you are human”: Token expired/invalid; reduce page-cache TTL on form pages; don’t cache auth/checkout; ensure the server can reach Cloudflare.
Elementor popups/AJAX: Don’t over-defer Elementor/form plugin JS; the plugin listens for those events.
WooCommerce checkout: Don’t cache fragments; confirm widget renders before Place order; ensure token is forwarded on custom checkouts.
Developers
Filters
– kitgenix_captcha_for_cloudflare_turnstile_script_url( $url, $settings ) – Override the Turnstile script URL or add params.
– kitgenix_turnstile_freshness_ms – Control token auto-reset interval (ms).
– kitgenix_turnstile_replay_ttl – Adjust replay-protection cache duration (seconds).
– kitgenix_turnstile_is_whitelisted( $is_whitelisted, $context ) – Modify whitelist decisions programmatically.
Server-side endpoint
– Validates via https://challenges.cloudflare.com/turnstile/v0/siteverify.
Text domain
– kitgenix-captcha-for-cloudflare-turnstile (POT included).
Integration Files (for developers)
(Each integration listed above corresponds to the file(s) below.)
- WordPress Core: includes/integrations/wordpress/class-wp-core.php
- WooCommerce (Classic): includes/integrations/ecommerce/class-woocommerce.php
- WooCommerce (Blocks / Store API): includes/integrations/ecommerce/class-woocommerce-blocks.php
- Elementor Pro: includes/integrations/page-builder/class-elementor.php
- Form Plugins:
  - Contact Form 7 — includes/integrations/forms/contact-form-7.php
  - Fluent Forms — includes/integrations/forms/fluent-forms.php
  - Formidable Forms — includes/integrations/forms/formidable-forms.php
  - Forminator Forms — includes/integrations/forms/forminator-forms.php
  - Gravity Forms — includes/integrations/forms/gravity-forms.php
  - Jetpack Forms — includes/integrations/forms/jetpack-forms.php
  - Kadence Forms — includes/integrations/forms/kadence-forms.php
  - WPForms — includes/integrations/forms/wpforms.php
- Forums:
  - bbPress — includes/integrations/forums/bbpress.php
- Integration folders:
includes/integrations/
includes/integrations/ecommerce/
includes/integrations/forms/
includes/integrations/forums/
includes/integrations/page-builder/
includes/integrations/wordpress/
Minimum Requirements
- WordPress 5.0+
- PHP 7.0+
- Cloudflare Turnstile site & secret keys (free)
Roadmap
- Per-form controls and UI refinements
- More granular placement options for additional builders
- Expanded compatibility notes for optimization plugins
External Services
This plugin connects to Cloudflare Turnstile for spam prevention. It sends:
– Site key
– Response token
– User IP and user-agent (used by Cloudflare for verification)
No data is stored or processed by Kitgenix.
Cloudflare Turnstile Terms: https://developers.cloudflare.com/turnstile/
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Trademark Notice
“Cloudflare” and the Cloudflare logo are trademarks of Cloudflare, Inc. This plugin is not affiliated with or endorsed by Cloudflare, Inc.
Copyright
Kitgenix CAPTCHA for Cloudflare Turnstile is built with ❤️ by Kitgenix.
Credits
Cloudflare Turnstile — https://www.cloudflare.com/products/turnstile/
Built with ❤️ by https://kitgenix.com
Support Development
Donate link: https://buymeacoffee.com/kitgenix