◦ Comprehensive security
◦ 24/7 support
WordPress Guide → Security → Add Cloudflare Captcha
How to add Cloudflare CAPTCHA on WordPress
Tired of spam on your WordPress forms, logins, or comments? Cloudflare Turnstile gives you a free, privacy-first CAPTCHA that doesn’t make users solve puzzles or check boxes. It’s a smooth, invisible way to stop bots—and it takes just minutes to set up.
Let’s walk through how to add Cloudflare Turnstile to your WordPress site using a plugin or form builder.
What is Cloudflare Turnstile and why use it?
Cloudflare Turnstile is a CAPTCHA alternative that protects your site from bots and spam without frustrating your visitors. It doesn’t show challenges like “select all crosswalks” or “click the fire hydrants.” Instead, it checks behind the scenes whether the user is real, using browser signals and invisible logic.
It’s 100% free, works with or without a Cloudflare proxy, and respects user privacy. No personal data gets sent to Google or other third parties.
Step 1: Create a Cloudflare account
Before you can use Turnstile, you’ll need a free Cloudflare account.
- Go to https://dash.cloudflare.com/sign-up.
- Enter your email and create a password.
- Verify your email address when prompted.
Once you’re in, you’ll be able to manage your sites and services from the Cloudflare dashboard.
Step 2: Add your WordPress site to Cloudflare (optional but helpful)
You don’t need to proxy your domain through Cloudflare to use Turnstile, but if you want extra security, performance, and protection, it’s worth doing.
- In your Cloudflare dashboard, click Add a Site.
- Enter your domain name and choose the free plan.
- Cloudflare will scan your DNS records.
- You’ll be asked to change your nameservers at your domain registrar.
- Wait for the update to finish (usually within a few hours).
If you skip this step, Turnstile will still work—just choose “I’m not proxying traffic” when setting up your site.
Step 3: Get your Turnstile site key and secret key
These keys let WordPress connect to Cloudflare Turnstile.
- In the Cloudflare dashboard, go to Turnstile (find it in the left menu).
- Click Add Site.
- Fill in:
- A name for your site (for your reference).
- The domain name (or leave it open for all domains).
- Widget type: choose Managed for the easiest setup.
- Click Create.
- Copy the Site Key and Secret Key—you’ll use these in WordPress.
Step 4: Add Turnstile to WordPress using a plugin
The easiest way to add Turnstile to login pages, comments, or WooCommerce is with a plugin.
- From your WordPress dashboard, go to Plugins > Add New.
- Search for “Simple Cloudflare Turnstile.”
- Click Install Now, then Activate.
- Go to Settings > Cloudflare Turnstile.
- Paste in your Site Key and Secret Key from Cloudflare.
- Choose where to show Turnstile:
- Login form
- Registration form
- Comments
- WooCommerce login/checkout (if you use WooCommerce)
- Login form
- Save your changes.
That’s it! Turnstile will now show up where you selected, and visitors won’t see any annoying puzzles.
Step 5: Add Turnstile to forms using a form builder
If you use a form plugin like WPForms, Formidable Forms, or Gravity Forms, you can add Turnstile directly to your forms.
WPForms
- Go to WPForms > Settings > CAPTCHA.
- Select Cloudflare Turnstile as your CAPTCHA type.
- Enter your Site Key and Secret Key.
- Choose which forms should use CAPTCHA. and Secret Key—you’ll use these in WordPress.
Note: Turnstile is only available in the WPForms Pro version.
Formidable Forms
- Go to Formidable > Global Settings > CAPTCHA.
- Choose Cloudflare Turnstile.
- Enter your keys and enable it for individual forms.
Other form plugins may support Turnstile with an add-on or shortcode. Always check the plugin’s documentation for details.
Step 6: Configure Turnstile widget behavior
Cloudflare gives you three widget modes. You can pick the best one for your site during setup or change it later in the Turnstile dashboard.
- Managed: Automatically chooses the best experience (recommended).
- Non-interactive: Shows a small checkmark, but no puzzles.
- Invisible: Users won’t see anything at all—runs silently in the background.
Most WordPress users should stick with Managed unless you want more control over the appearance.
Step 7: Test and troubleshoot your CAPTCHA setup
After adding Turnstile, test your forms and logins to make sure everything works.
- Try submitting a form as a logged-out user
- Check the login and registration forms
- Test in incognito mode or a different browser
- Open the browser console (right-click > Inspect > Console) to check for JavaScript errors
Common Cloudflare CAPTCHA issues
- CAPTCHA not showing: Make sure your keys are valid and saved.
- Forms not submitting: Try switching widget types or disabling other CAPTCHA plugins.
- Site errors: Disable and re-enable the plugin, or check for plugin conflicts.
If all else fails, try temporarily switching to a default theme like Twenty Twenty-Four and disabling other security plugins to narrow down the issue.
Add Turnstile to WooCommerce or custom forms
The Simple Cloudflare Turnstile plugin includes built-in support for WooCommerce. You can enable CAPTCHA for:
- Checkout
- Login
- Registration
- Password reset
If you’re building a custom form and need to manually insert the CAPTCHA, use the plugin’s shortcode:
[cloudflare-turnstile]
Place this inside your form HTML or page editor, and Turnstile will show up.
Next steps for adding Cloudflare CAPTCHA on WordPress
Cloudflare Turnstile is one of the simplest and most privacy-friendly ways to stop spam in WordPress. It works quietly behind the scenes, speeds up your site, and keeps bots away—without annoying your visitors.
Your next step is to get your Turnstile keys from Cloudflare, then install a plugin or form builder integration to put them to use.
Ready to upgrade your WordPress experience? Professional hosting improves speeds, security, and reliability for a website and a brand that people find engaging and trustworthy.
Don’t want to deal with server management and maintenance? Our fully managed hosting for WordPress is the best in the industry. Our team are not only server IT experts, but WordPress hosting experts as well. Your server couldn’t be in better hands.
Click through below to explore all of our hosting for WordPress options, or chat with a WordPress expert right now to get answers and advice.
Additional resources
Comprehensive guide to securing WordPress with ModSecurity
→
This guide provides a comprehensive overview of how to use ModSecurity to enhance the security of your WordPress site.
How to prevent content sniffing in WordPress →
Protect your WordPress site from MIME-type attacks by preventing content sniffing in browsers.
Why security matters for WordPress enterprise hosting
→
Use the blog as your guide to attacks to watch out for, security best practices, and steps to improve the WordPress protection you already have.