Description
Empex CAPTCHA for Cloudflare Turnstile adds invisible, privacy-friendly bot protection to every form on your WordPress site using Cloudflare Turnstile. No puzzles. No friction. No CAPTCHAs.
Supported Forms
- WordPress Core — Login, Registration, Password Reset, Comments
- WooCommerce — Classic Checkout, Blocks Checkout, My Account (Login, Register, Lost Password)
- Contact Form 7 — Automatic or manual widget injection
- WPForms (Lite & Pro)
- Gravity Forms
- Fluent Forms
- Elementor Pro — Inline forms and popups
- Formidable Forms
- Forminator
- Kadence Forms
- SureForms
- Jetpack Forms
- MemberPress — Registration, Login
- Ultimate Member — Register, Login, Profile
- Paid Memberships Pro — Checkout, Login
- BuddyPress — Registration
- wpDiscuz — Comments
- WP User Manager — Register, Login, Password Reset
- Easy Digital Downloads — Checkout
Key Features
- 🔒 Invisible protection — legitimate users never see a challenge
- ⚡ One-click setup — enter your Cloudflare keys, enable forms, done
- 🛡️ Token replay prevention — server-side one-time-use enforcement
- 🔄 AJAX-safe — tokens refresh automatically after failed submissions
- 📊 Logging dashboard — see blocked attempts, pass rates, form-level stats
- 🌐 Multisite compatible — network or per-site activation
- 🧩 Developer-friendly — filters, shortcode, extensible integration base
- ♿ Accessible — WCAG 2.1 AA on admin screens, ARIA labels on widgets
How It Works
- Install and activate the plugin
- Enter your Cloudflare Turnstile Site Key and Secret Key
- Toggle which forms to protect
- That’s it — bots are blocked, real users pass through invisibly
External Service
This plugin connects to the Cloudflare Turnstile service to verify form submissions:
- Cloudflare Turnstile API:
https://challenges.cloudflare.com/turnstile/v0/siteverify - Cloudflare Turnstile JavaScript:
https://challenges.cloudflare.com/turnstile/v0/api.js
When a user submits a form, their browser interaction data, IP address, and browser fingerprint are sent to Cloudflare for verification. This is required for the plugin to function.
The plugin itself does not store personal data by default. IP address logging is opt-in and must be explicitly enabled in Settings.
Screenshots
Installation
- Upload the
empex-cloudflare-turnstilefolder to/wp-content/plugins/, or install directly from the WordPress plugin directory. - Activate the plugin through the Plugins menu in WordPress.
- Go to Settings Empex Cloudflare Turnstile.
- Enter your Cloudflare Turnstile Site Key and Secret Key (get them from the Cloudflare Dashboard).
- Click Verify & Save to confirm your keys work.
- Enable protection on the forms you want to protect.
Recommended: Define Keys in wp-config.php
For production sites, define your keys as constants in wp-config.php to prevent exposure via the database:
define( 'EMPEX_CT_SITE_KEY', 'your-site-key-here' );
define( 'EMPEX_CT_SECRET_KEY', 'your-secret-key-here' );
FAQ
-
Do I need a Cloudflare account?
-
Yes. You need a free Cloudflare account to obtain Turnstile API keys. Turnstile itself is free for unlimited use.
-
Will this slow down my site?
-
No. The Cloudflare Turnstile script is loaded asynchronously and only on pages with protected forms. The plugin adds less than 5ms to server-side processing.
-
What happens if Cloudflare is down?
-
You can configure “Soft-Fail” mode in Settings Behaviour. In soft-fail mode, form submissions are allowed through (and logged) when Cloudflare is unreachable. In block mode (default), submissions are rejected.
-
Does this work with page caching?
-
Yes. The Turnstile widget renders fresh on each page visit regardless of HTML caching. We recommend excluding
/wp-admin/admin-ajax.php?action=empex_*from your cache rules. -
What if JavaScript is disabled?
-
The widget won’t render and no token will be generated. The server treats this as a missing token and applies your configured fail mode (block or soft-fail).
-
Is this GDPR compliant?
-
The plugin itself collects no personal data by default. Cloudflare Turnstile is documented as GDPR-compliant by Cloudflare. IP address logging in the plugin is opt-in. See our privacy policy suggestion in Settings Privacy.
-
Can I use this with custom forms?
-
Yes. Use the
[empex_ct_turnstile]shortcode to add a widget to any form. Developers can verify tokens server-side using theempex_ct_verify_shortcodefilter. -
Does it support multisite?
-
Yes. The plugin supports both network-wide and per-site activation. Settings are stored per-site.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Empex CAPTCHA for Cloudflare Turnstile” is open source software. The following people have contributed to this plugin.
Contributors
Translate “Empex CAPTCHA for Cloudflare Turnstile” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.0
- Initial release
- Core WordPress form protection: Login, Registration, Password Reset, Comments
- WooCommerce integration: Classic Checkout, Blocks Checkout, Account forms
- Contact Form 7, WPForms, Gravity Forms, Fluent Forms, Elementor Pro support
- MemberPress, Ultimate Member, Paid Memberships Pro, BuddyPress, wpDiscuz support
- Easy Digital Downloads, Formidable, Forminator, Kadence, SureForms, Jetpack Forms
- Ninja Forms, Everest Forms, JetFormBuilder, weForms, Empex Form Builder support
- Admin settings with first-run onboarding wizard
- Clean widget fit on narrow login/register/lost-password forms (standard widget seated inside the login card)
- Token replay prevention with SHA-256 transients
- Rate limiting (configurable per IP) including failed attempts
- AES-256-GCM secret key encryption
- Event logging with retention and row cap
- Block and soft-fail modes
- Competing Turnstile plugin conflict detection
- Shortcode: [empex_ct_turnstile]
- WCAG 2.1 AA accessible admin UI
- Full multisite support
- Privacy policy integration
- PHPUnit test suite