CWeb Form Protection with Turnstile for Elementor Forms

Description

This plugin adds Cloudflare Turnstile — a free, privacy-friendly CAPTCHA alternative — to your WordPress site.

Its key difference from other Turnstile plugins is per-form control for Elementor Pro: instead of toggling Turnstile globally for every Elementor form, you add a “Cloudflare Turnstile” field to the specific forms you want to protect, exactly like Elementor’s built-in reCAPTCHA field. Forms without the field are left untouched. If you prefer the all-at-once approach, an optional setting protects every Elementor Pro form automatically.

Features

• Per-form Turnstile field for Elementor Pro Forms — drag it into the forms you choose.
• Optional “all Elementor Pro forms” switch — protect every Elementor Pro form at once, without adding the field to each one (off by default).
• Optional protection for the built-in WordPress forms:
  • Login
  • Registration
  • Lost password
  • Comments
• One-click import of keys and settings from the “Simple Cloudflare Turnstile” plugin (no need to recreate your Cloudflare keys).
• Global widget appearance settings (theme, size, visibility, language).
• Strict server-side token verification (single-use tokens, 5-minute validity).
• Secure-by-default behaviour: missing/invalid tokens are always blocked; the
  behaviour when Cloudflare itself is unreachable is configurable.
• Write-only secret key (never displayed or sent to the browser).
• Lightweight: in the default per-form mode, the Cloudflare script loads only on pages that actually show a widget. (The optional “all forms” mode loads it across the front end so late-loaded forms are covered.)

Requirements

• The Elementor field requires Elementor Pro (the Forms widget is a Pro feature). Without Elementor Pro, the WordPress form integrations still work.
• A free Cloudflare Turnstile site key and secret key.

Third-party service

This plugin renders the official Cloudflare Turnstile widget and verifies tokens with Cloudflare.

• When a protected form is displayed, the visitor’s browser loads https://challenges.cloudflare.com/turnstile/v0/api.js from Cloudflare.

• When a protected form is submitted, your server sends a request to https://challenges.cloudflare.com/turnstile/v0/siteverify containing: the Turnstile token from the widget (cf-turnstile-response), your secret key, and — unless disabled with the cwebts_remoteip filter — the visitor’s IP address (REMOTE_ADDR). The secret key is never sent to the browser.

• Cloudflare Turnstile: https://www.cloudflare.com/products/turnstile/

• Terms of Service: https://www.cloudflare.com/website-terms/
• Privacy Policy: https://www.cloudflare.com/privacypolicy/

About the name

The distinctive part of the name is CWeb Form Protection, after Collectif WEB, the agency that maintains this plugin. The trailing “with Turnstile for Elementor Forms” only describes what the plugin integrates with: “Turnstile” is the Cloudflare service it uses, and “for Elementor Forms” signals compatibility with Elementor’s Forms widget. This plugin is not affiliated with, sponsored by, or endorsed by Cloudflare, Inc. or Elementor Ltd.

Trademarks

Not affiliated with Cloudflare, Inc. or Elementor Ltd. “Cloudflare” and “Turnstile” are trademarks of Cloudflare, Inc. “Elementor” is a trademark of Elementor Ltd. These names are used only to describe compatibility.