First-Time Setup

This is the longer, manual version of the setup. If you prefer the auto-guided experience, run the Onboarding Wizard instead.

Step 0 — Get Your Keys

If you have not yet created a Cloudflare account and a Turnstile widget, do that first. Full walkthrough: Get Turnstile Keys.

By the end you should have two strings:

• Site Key — starts with 0x4AAA..., safe to share, goes on your frontend
• Secret Key — starts with 0x4AAA..., never share, goes on your server only

Step 1 — Paste Keys on the API Tab

1. Go to WooCommerce → Turnstile Settings
2. Click the API Settings tab (selected by default)
3. Paste the Site Key
4. Paste the Secret Key (use the show/hide eye icon to double-check)
5. Click Save Changes
6. Click Test Connection — you should see "API keys are valid"

If the test fails, see Troubleshooting.

Full tab reference: API Settings.

Step 2 — Enable Forms

Native WooCommerce Forms

1. Click the WooCommerce tab

2. Tick the forms you want to protect. Recommended minimum:

   • [x] Login
   • [x] Registration
   • [x] Lost Password
   • [x] Checkout (enables both classic and Blocks checkout)
   • [x] Pay for Order

3. Optional — Pick a checkout widget position (before pay button / after / before submit / near billing)

4. Optional — Tick Logged-in only or Guest only for the checkout widget

5. Click Save Changes

Native WordPress Forms

1. Click the WordPress tab

2. Tick as needed:

   • [ ] WP Login (recommended for every site)
   • [ ] WP Registration (recommended if you allow registration)
   • [ ] WP Lost Password
   • [ ] WP Comments (if you allow comments)

3. Click Save Changes

Third-Party Form Plugins

1. Click the WooCommerce Forms tab (this tab covers every non-core form plugin, despite the name)

2. Each form plugin shows a status badge:

   • Active — Ready to toggle on
   • Installed — Click "Activate" first
   • Not installed — Click "Install" first

3. Tick the plugins you want Turnstile on (CF7, WPForms, Gravity, Elementor, Formidable, Forminator, bbPress, BuddyPress, EDD)

4. Click Save Changes

Full form reference: Supported Forms.

Step 3 — Pick a Theme and Load Mode

1. Click the General tab
2. Set Theme — light, dark, or auto (auto follows the visitor's system preference)
3. Set Load Mode — instant (load widget with page) or lazy (load when visitor interacts — lighter page, slight delay)
4. Set Lazy Delay in ms if using lazy (default 2000)
5. Optional — Tick Disable submit button until CAPTCHA is completed
6. Click Save Changes

Full tab reference: General Settings.

Step 4 — Customize the Look (Optional)

If you want the widget to match your theme's colors and spacing:

1. Click the Design Studio tab
2. You get a live preview widget on the right
3. Adjust on the left:
   • Size (normal / compact / flexible)
   • Wrapper alignment (left / center / right)
   • Background color, border color, border width, border radius
   • Shadow preset (none / subtle / medium / strong)
   • Optional label text above the widget
   • Optional helper text below the widget
4. Click Save Changes — settings apply everywhere instantly

Full tab reference: Design Studio.

Step 5 — Set Conditional Rules (Optional)

If you want to skip CAPTCHA for yourself or specific visitors:

1. Click the Conditional Rules tab
2. Common picks:
   • [x] Skip for logged-in users — Real customers never see CAPTCHA
   • [ ] Skip for known customers — Only users with a completed order skip
   • IP Whitelist — Paste your office IP or CIDR range (one per line)
   • After N failures — Set to 3 to challenge only after 3 failed attempts
3. Click Save Changes

Full tab reference: Conditional Rules.

Step 6 — Set Rate-Limit + Recovery (Optional)

Still on the Conditional Rules tab:

1. Scroll to Abuse Protection
2. Max retries — Failed attempts before lockout (default 10)
3. Lockout time (minutes) — How long the IP stays blocked (default 5)
4. Blocked usernames — Comma or newline list of usernames to always block on login
5. Recovery token — Paste a secret string (or leave blank to auto-generate) — this becomes part of your Recovery URL
6. Click Save Changes

Full tab reference: Rate Limiting · Recovery URL.

Step 7 — Turn On Notifications (Optional)

1. Click the Notifications tab

Email Digest

• Enabled — Tick
• Frequency — Daily / Weekly / Monthly
• Recipient email — Where the digest goes
• Click Send test digest to verify delivery

Webhooks

• Enabled — Tick
• Webhook URL — Any https:// endpoint (or Slack webhook URL)
• Threshold per hour — Min blocks/hour that fire an alert (default 50)
• Throttle (minutes) — Min minutes between alerts (default 30)
• Click Send test webhook to verify

Full tab reference: Notifications.

Step 8 — Test Every Enabled Form

Open each enabled form in an incognito window.

If a widget is missing: clear your caching plugin, then hard-refresh the page (Ctrl+Shift+R / Cmd+Shift+R).

Step 9 — Open Analytics

After a few test submits, open WooCommerce → Webkul Addons → Analytics.

You should see:

• A handful of "pass" events for your tests
• KPI cards updating
• Trend chart showing today's point

Keep the plugin running for 24 hours on a live site. Bot hits will start showing up.

Full page reference: Analytics.

What to Tune After a Week

After a week of data, revisit these:

Related Pages

• Quick Start — 5-minute version
• Onboarding Wizard — Guided version
• Settings Overview — Tour of all 9 tabs
• Troubleshooting — Fixes for common issues