Spam Protection with Turnstile
Why Turnstile?
Cloudflare Turnstile is a privacy-friendly, non-intrusive alternative to traditional CAPTCHAs. Visitors never have to solve puzzles or click images. Turnstile runs a lightweight challenge in the background and verifies the user is human automatically.
Getting Your API Keys
- Log in to the Cloudflare dashboard.
- Go to Turnstile in the left sidebar.
- Click Add Site.
- Enter your domain name and choose the widget mode:
- Managed — Cloudflare decides when to show a visible challenge (recommended).
- Non-interactive — Always invisible; best user experience but slightly less robust.
- Invisible — Completely hidden; runs in the background.
- Click Create and copy the Site Key and Secret Key.
Configuring in Xtreme Forms
- In WordPress, go to Xtreme Forms > Settings > Spam Protection.
- Select Cloudflare Turnstile as the spam protection method.
- Paste your Site Key and Secret Key into the corresponding fields.
- Choose the widget theme: Auto (matches user's system preference), Light, or Dark.
- Click Save Settings.
Enabling on Individual Forms
Open any form in the builder and drag the Turnstile field onto the canvas — typically at the bottom, just above the submit button. That is all you need to do. The Turnstile widget will render automatically when the form loads.
Testing
Submit a test entry on the front end. You should see a brief Turnstile challenge (or nothing at all if using invisible mode), followed by a successful submission. In the Cloudflare dashboard, check Turnstile > Analytics to confirm challenges are being served and solved.
Troubleshooting
- Widget not appearing — Confirm the Site Key is correct and your domain is added in Cloudflare.
- "Verification failed" errors — Double-check the Secret Key. Also ensure your server can reach
https://challenges.cloudflare.com(some aggressive firewalls block it). - Conflicts with caching — If you use a page cache plugin, exclude the form page from caching or ensure the Turnstile script is not being cached as static HTML.