Frequently Asked Questions
Quick answers to common questions. For deeper issues, see Troubleshooting.
General
Does this plugin require a Cloudflare account?
Yes. Cloudflare Turnstile is a Cloudflare-hosted service. You need a free Cloudflare account to generate Site Key and Secret Key. No card required, no paid plan needed. See Get Turnstile Keys.
Do I need to move my DNS to Cloudflare?
No. Turnstile works regardless of where your DNS is hosted. You just need the account to create the widget.
Is Turnstile itself free?
Yes. Unlimited usage on every Cloudflare plan, including the Free plan.
What is this plugin's price?
One-time license fee at store.webkul.com. No recurring fees, lifetime updates.
Is this plugin GPL-licensed?
Yes — GPL v2 or later.
Privacy & Compliance
Is this plugin GDPR-compliant?
Yes. Cloudflare Turnstile does not set tracking cookies and does not share user data with third parties. The plugin itself stores only hashed user-agents and IP addresses (for rate-limiting) with 90-day retention by default.
Do I need a cookie banner for this plugin?
No. Turnstile does not set cookies. The plugin does not set cookies. You do not need consent to use it.
What data is sent to Cloudflare?
- The visitor's token when validating (token itself — no PII)
- Your Secret Key (on the server-side verify call)
- Source IP (set by your server when making the verify request)
Cloudflare privacy policy: cloudflare.com/privacypolicy.
Does it track users across sites?
No. Turnstile does not use cross-site tracking cookies.
Compatibility
Does it work with WooCommerce Checkout Blocks?
Yes. Full React integration. Classic shortcode checkout also supported. See Checkout Blocks.
Does it work with HPOS (custom order tables)?
Yes — declared compatible. The plugin's order-side interactions are HPOS-safe.
Does it work with WooCommerce Subscriptions?
Yes — separate toggle on the WooCommerce Forms tab enables protection on subscription renewal payment pages.
Does it work with Multisite?
Yes. Each site on the network has its own settings and log table. Keys can differ per site.
Does it slow down my site?
Minimal. Cloudflare ships a ~50kb JS and the verify API averages ~50ms. Set Load Mode to lazy on General tab to shift the load off the critical render path. See General Settings.
Does it work with caching plugins (WP Rocket, LiteSpeed, W3TC, Autoptimize)?
Yes — with exclusions. The Cloudflare API script must not be concatenated/minified, and checkout/login pages should be excluded from full-page cache. See Troubleshooting → Caching Plugin Conflicts.
Is it compatible with Cloudflare's Super Bot Fight Mode?
Yes. SBFM is server-side; Turnstile is form-side. They complement each other — SBFM stops traffic, Turnstile stops form submissions.
Can I use it alongside reCAPTCHA or hCaptcha?
Technically yes — they do not conflict. But stacking CAPTCHAs on one form is pointless. See vs reCAPTCHA / vs hCaptcha to pick one.
Functionality
Does it protect against ALL bots?
No CAPTCHA catches 100% of bots. Turnstile catches the vast majority — simple bots, script kiddies, low-sophistication attackers. Sophisticated bots with real browser automation can pass any CAPTCHA. For those, pair with rate-limiting, IP blacklist, and Cloudflare's WAF.
Can I see how many bots have been blocked?
Yes — built-in Analytics dashboard shows 30-day pass/fail trends, top forms, top blocked IPs, error breakdown, and CSV export.
Can I skip CAPTCHA for certain users?
Yes. The Conditional Rules engine lets you skip CAPTCHA for:
- Logged-in users
- Known customers (with completed orders)
- Specific IPs (with CIDR support)
- Specific countries (ISO codes)
- Only after N failed attempts
Can different forms have different styling?
Yes. Per-Form Config tab lets you override theme, size, language, error message, and label text per form.
Does it work on the mobile site?
Yes. The widget is responsive. Set Size to flexible on Design Studio for the best mobile fit.
Can I use it on a form not listed in the supported forms?
Yes — use the shortcode [wkcft-turnstile]. For server-side validation you need to call WKCFT_Validator::wkcft_check($token, $context) in your custom form handler.
What happens during a Cloudflare outage?
During the rare Cloudflare outage, the Turnstile API becomes unreachable. Options:
- Plugin returns
request_failederror — all form submissions fail - OR: Turn on warn-only mode temporarily to let submissions through without validation
- Use the Recovery URL to bypass rate-limits yourself
Security
Is my Secret Key secure?
It is stored in the wp_options table under wkcft_secret_key. Only users with manage_options / manage_woocommerce capability can read it in the admin UI. If your WordPress DB is compromised, so is the Secret Key — rotate immediately in that case.
What if my Secret Key leaks?
Rotate it: Cloudflare dashboard → Turnstile → your widget → Rotate secret key. Paste the new one in the plugin. See API Settings.
Can bots crack the Secret Key by brute force?
No — keys are long random strings. Brute-forcing is infeasible. Most key leaks come from developers accidentally committing to git, not from cryptographic attack.
Is the Recovery URL safe?
Yes — comparison is timing-safe (hash_equals()). Pick a 32+ char random token. Rotate every 90 days. See Recovery URL.
Settings
How do I change the error message?
General Settings tab → Error Message field. Per-form override on Per-Form Config.
How do I disable on a specific form?
Untick it on the relevant settings tab (WooCommerce / WordPress / WooCommerce Forms).
How do I disable for admin users only?
Conditional Rules → Skip logged-in users. All logged-in users (including admins) skip.
For "admin role only", use the filter:
add_filter('wkcft_conditions_should_skip', function($skip) {
if (current_user_can('manage_options')) {
return true;
}
return $skip;
}, 10, 2);
Can I set different keys per environment (staging / production)?
Yes — it is just a WordPress option. Use your existing env-based config setup:
// wp-config.php or mu-plugin
if (WP_ENV === 'staging') {
add_filter('pre_option_wkcft_site_key', fn() => 'STAGING_SITE_KEY');
add_filter('pre_option_wkcft_secret_key', fn() => 'STAGING_SECRET_KEY');
}
Troubleshooting
The widget does not appear
See Troubleshooting → Widget Does Not Appear.
Validation always fails
See Troubleshooting → Validation Always Fails.
I am locked out of wp-admin
See Troubleshooting → Locked Out of wp-admin.
Email digest never arrives
Usually WP-Cron not running on low-traffic sites. See Troubleshooting → WP-Cron Not Running.
Development
Is there a REST API?
Yes — under /wkcft/v1. See REST API.
What filters can I use?
Full list: Filters & Hooks.
Can I translate the plugin?
Yes. Ships with .pot template and 4 locales (de_DE, es_ES, fr_FR, pt_BR). Use Poedit or Loco Translate for others.
Can I white-label the plugin?
License does not permit white-labeling. You can use it as-is for any client site.
Support
Where do I get support?
Webkul UVdesk — file a ticket with your order ID.
How do I report a bug?
Same support portal. Include: WP version, WC version, PHP version, plugin version, steps to reproduce, any error from logs.
Related Pages
- Troubleshooting — Fixes for specific symptoms
- Glossary — Plain-English definitions