FAIR

Federated and Independent Repositories

Cybernob Turnstile for Cloudflare

Plugin Banner

Cybernob Turnstile for Cloudflare

by Aneesh MK

Download
Description

Cybernob Turnstile for Cloudflare integrates Cloudflare Turnstile into your WordPress site — the privacy-friendly CAPTCHA that stops bots silently, without making real users solve puzzles.

This plugin is an independent, third-party integration and is not affiliated with or endorsed by Cloudflare, Inc.

Protected locations

  • Login form — blocks brute-force and credential-stuffing attacks
  • Registration form — prevents automated account creation
  • Comment form — stops spam comments without Akismet
  • Contact Form 7 — automatically protects every CF7 form on your site

Features

  • Live status checker — the settings page shows instantly whether your API keys are valid and reachable
  • Invisible mode — widget stays hidden; the form auto-submits once the challenge passes silently
  • Three themes — Auto (follows system preference), Light, Dark
  • Two appearance modes — Always visible, or show on interaction only
  • Clean uninstall — all plugin options are removed on deletion, including multisite support
  • Translation ready — all strings wrapped in i18n functions with the correct text domain
  • No bundled libraries — only Cloudflare’s own CDN script is used; nothing extra added to your site

Why Turnstile?

Unlike reCAPTCHA, Cloudflare Turnstile does not track users across sites or require Google accounts. It is designed to be GDPR-friendly and invisible to legitimate users by default.

Getting started

  1. Create a free Cloudflare Turnstile site widget
  2. Copy your Site Key and Secret Key
  3. Paste them into Settings Cybernob Turnstile and save
  4. The live status indicator confirms everything is working

External Services

This plugin connects to Cloudflare’s Turnstile service to display CAPTCHA challenges and verify user responses.

  • Service: Cloudflare Turnstile
  • When used: When a protected form is loaded (widget script) or submitted (token verification). Only active after the administrator has entered API keys in the plugin settings.
  • Data sent: On verification — the Turnstile response token and the visitor’s IP address are sent to Cloudflare’s API endpoint.
  • Endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify

Cloudflare Terms of Service | Cloudflare Privacy Policy

  1. Upload the cybernob-turnstile-for-cloudflare folder to the /wp-content/plugins/ directory, or install directly via Plugins Add New in your WordPress admin.
  2. Activate the plugin through the Plugins screen.
  3. Go to Settings Cybernob Turnstile.
  4. Create a free Turnstile widget at dash.cloudflare.com and copy your Site Key and Secret Key.
  5. Paste both keys into the settings page and click Save Settings.
  6. The live status indicator will confirm your CAPTCHA is configured and working correctly.
Do I need a Cloudflare account?

Yes. A free Cloudflare account is required to generate Turnstile API keys. Sign up at cloudflare.com.

Does this work with Contact Form 7?

Yes. If Contact Form 7 is installed and active, this plugin automatically injects the Turnstile widget into every CF7 form and validates the token before mail is sent. No changes to your CF7 forms are needed.

Does this work with WooCommerce?

WooCommerce integration is not included in the current version. It is planned for a future release.

Will this slow down my site?

No. The Cloudflare Turnstile API script is loaded asynchronously and deferred from Cloudflare’s global CDN. It has a negligible effect on page load time.

Is this GDPR compliant?

Cloudflare Turnstile is designed to be privacy-preserving. This plugin does not set any cookies itself and only stores your API keys in the WordPress database. Please review Cloudflare’s privacy policy for their full data handling practices.

The status checker shows “Connection Failed”. How do I fix it?

Your server cannot reach challenges.cloudflare.com. This is typically a firewall or outbound network restriction on your hosting server. Contact your hosting provider and ask them to allow outbound HTTPS connections to Cloudflare’s IP ranges.

The status checker shows “Invalid Secret Key”. What does that mean?

The Secret Key you entered was rejected by Cloudflare. Double-check that you have copied the full key correctly from your Turnstile dashboard and that it belongs to the correct site widget.

Can I use invisible mode?

Yes. Enable Invisible Mode in the Widget Options section. The widget will be hidden from users and the form will auto-submit once the challenge has passed silently in the background.

1.2.0

  • Added: Live CAPTCHA status checker on the settings page
  • Added: Inline error notice for failed comment CAPTCHA (replaces wp_die)
  • Added: Full multisite support in uninstall routine
  • Added: Contact Form 7 integration with class_exists guard
  • Improved: All user-facing strings are now translation-ready with correct text domain
  • Improved: Script and style handles namespaced to avoid conflicts (cnbtsl prefix)
  • Improved: wp_localize_script used for all JS data — no PHP inside JS strings
  • Improved: REMOTE_ADDR sanitized with FILTER_VALIDATE_IP
  • Improved: Output escaping hardened (wp_kses_post, wp_strip_all_tags)
  • Removed: Test Mode option
  • Fixed: Select dropdowns not preserving saved values on reload
  • Fixed: Checkboxes not saving when unchecked
  • Fixed: Plugin renamed to Cybernob Turnstile for Cloudflare for trademark compliance
  • Fixed: All function/class/define/option names updated to 6-character cnbtsl prefix

1.1.1

  • Fixed invisible auto-submit mode
  • Fixed appearance option not saving correctly
  • Improved settings page layout

1.0.0

  • Initial release
Back to top