Welcome to Turnstile CAPTCHA For WooCommerce
Stop bots at every form on your WooCommerce store — checkout, login, register, pay-for-order, comments, and every major form plugin — using Cloudflare Turnstile. No puzzles for real shoppers, no Google tracking.
Fake orders, brute-force login attempts, and spam registrations waste your time and hurt your hosting bill. Turnstile blocks bots silently in the background while real customers just click and go. Privacy-friendly. Lightweight. Free forever on the Cloudflare side.
What makes it different:
- Zero puzzles — No traffic lights, no bicycles, no "are you human?" riddles
- ~50ms latency — 3x faster than Google reCAPTCHA
- GDPR-friendly — No tracking cookies, no Google account required
- Built-in analytics — 30-day pass/fail trends, top forms, top blocked IPs
- Conditional rules — Skip CAPTCHA for logged-in users, trusted IPs, specific countries
- Per-form config — Different theme, size, and message on each form
- Design Studio — Live widget preview, full color/border/shadow control
- 16+ forms supported — WooCommerce, WordPress, Contact Form 7, WPForms, Gravity Forms, Elementor, and more
- Rate limiting + recovery — Auto-lockout after N failures, one-time recovery URL for support
- Email digest + webhooks — Weekly report to your inbox, Slack alerts on bot spikes
- HPOS + Checkout Blocks — Fully compatible with modern WooCommerce
- One-time price — Pay once, use forever. No subscriptions
You do not need to know any code. Everything lives in your WordPress admin.
Who Is This Plugin For?
| You are... | This plugin helps you... |
|---|---|
| Store Owner | Stop fake orders and card-testing bots hitting your checkout |
| Shop Manager | Cut spam registrations so your customer list stays clean |
| Agency / Developer | Deploy one CAPTCHA plugin across every client site, every form type |
| Membership Site | Block bot signups on WooCommerce, bbPress, BuddyPress, EDD, and Subscriptions |
| Course / Digital Seller | Protect the Easy Digital Downloads checkout and login from automated attacks |
| Forum / Community | Cut forum spam on bbPress and BuddyPress signup and reply forms |
| GDPR-Conscious Store | Drop Google reCAPTCHA without losing protection |
| Site on Cloudflare Already | Use the same vendor you already trust for DNS and CDN |
What Can This Plugin Do?
| Job | How It Helps |
|---|---|
| Block checkout bots | Card-testing and fake-order scripts can't pass the Turnstile challenge |
| Stop brute-force logins | Guessing scripts get rate-limited, locked out, and logged |
| Kill registration spam | Bot-generated accounts that fill your database simply can't sign up |
| Clean comment spam | WordPress comment form gets the same protection |
| Protect 3rd-party forms | CF7, WPForms, Gravity, Elementor, Formidable, Forminator, bbPress, BuddyPress, EDD |
| Skip CAPTCHA for VIPs | IP allow-list, country list, logged-in toggle, after-N-failures mode |
| Measure the impact | Analytics dashboard shows exactly how many bots you blocked this month |
| Alert on attack spikes | Webhook fires when blocks-per-hour crosses your threshold |
How It Works
The plugin sits between every form on your site and the Cloudflare Turnstile service.
Visitor → Your Form → Cloudflare Turnstile → Your WordPress Server
(CAPTCHA token in background — real users never notice)
- Render widget — Plugin injects the Turnstile widget at the right hook on every enabled form
- Get token — Cloudflare silently checks the visitor's browser and returns a token
- Submit form — Token goes along with the form post
- Validate — Plugin calls Cloudflare's verify API to confirm the token is real and fresh
- Pass or block — Valid token = form processes normally. Invalid = error message shown
- Log — Every check is recorded in the
wp_wkcft_logtable for analytics
Where Everything Lives in Your Admin
After activation, look under WooCommerce → Turnstile Settings. You will see the main settings page with 9 tabs. Analytics lives as a separate page under WooCommerce → Webkul Addons → Analytics.
| Page | What It Does |
|---|---|
| Turnstile Settings | 9-tab control panel for every option |
| Analytics | 30-day pass/fail trends, top forms, top blocked IPs |
| Onboarding Wizard | 3-step setup after activation (one-time) |
The 6 Things That Make This Plugin Different
| # | Feature | Why It Matters |
|---|---|---|
| 1 | Cloudflare Turnstile | Real shoppers never see a puzzle. The CAPTCHA is invisible to them |
| 2 | Built-in Analytics | Most CAPTCHA plugins give you zero data. This one shows 30 days of pass/fail trends, top forms, top IPs |
| 3 | Conditional Rules | Skip CAPTCHA for logged-in users, your office IP, specific countries, or only after N failed attempts |
| 4 | Per-Form Config | Different theme, size, language, and error message on each form |
| 5 | Design Studio | Change colors, borders, shadows, labels — with a live widget preview |
| 6 | Recovery URL | If an IP gets wrongly locked out, one secret URL clears it. No database surgery |
Quick Navigation
Getting Started
| Step | Page | What You Do |
|---|---|---|
| 1 | Quick Start | 5-minute overview of the full setup |
| 2 | Installation | Upload the ZIP, activate, run the wizard |
| 3 | Get Turnstile Keys | Create a free Cloudflare account and grab your Site Key + Secret Key |
| 4 | First-Time Setup | Paste keys, pick forms, save |
| 5 | Onboarding Wizard | The built-in 3-step guided setup |
Configure Every Detail
- Settings Overview — Tour all 9 tabs
- API Settings — Site Key + Secret Key
- General — Theme, load mode, lazy delay, warn-only
- Design Studio — Colors, borders, labels with live preview
- Conditional Rules — IP/country lists, skip logged-in, after-N-failures
- Per-Form Config — Different look and message on every form
- Notifications — Email digest + webhooks
Supported Forms
- All Supported Forms — One-page reference
- WooCommerce Forms — Checkout, login, register, pay, track, review
- WordPress Forms — Login, register, lost password, comments
- Third-Party Form Plugins — CF7, WPForms, Gravity, Elementor, and more
- Checkout Blocks — Modern block-based checkout
- Shortcode —
[wkcft-turnstile]on any page
Protection & Monitoring
- Analytics Dashboard — 30-day trends, top IPs, CSV export
- Rate Limiting — Auto-lockout after N failures
- Recovery URL — Clear a stuck IP without DB surgery
- Email Digest — Weekly activity report to your inbox
- Webhooks — Slack alerts on attack spikes
For Developers
- REST API —
/wkcft/v1/verify,/stats,/conditions,/design-studio - Filters & Hooks — Full list of filter names, defaults, context
- Site Health — WordPress Site Health integration
When You Get Stuck
- Troubleshooting — Fixes for common errors
- FAQ — Quick answers
- Glossary — Plain-English terms
Never used Cloudflare before?
Start with Get Turnstile Keys. You will create a free Cloudflare account, add a Turnstile widget, and copy two keys. Takes 3 minutes.
Already using reCAPTCHA or hCaptcha?
Turnstile is a drop-in replacement. See vs reCAPTCHA and vs hCaptcha for side-by-side comparison.