Cloudflare’s Turnstile: Combating Spam and Bots on WordPress & Drupal Platforms

Turnstile is Cloudflare’s CAPTCHA alternative, and it can be incorporated into any website. It aims to be less intrusive and works without routing traffic through Cloudflare or displaying a CAPTCHA to visitors.


[Figure: Turnstile overview]

Unlike traditional CAPTCHAs, Turnstile runs various non-interactive JavaScript challenges to gather information about the visitor’s browser environment, adapting the difficulty to the specific request. It also uses machine learning models to detect attributes of visitors who have passed a challenge previously.

Customers can choose from different widget types to incorporate Turnstile into their websites, either as visible or completely invisible widgets.

Widget Types

Turnstile provides multiple widget types:

  • Non-interactive challenges.
  • Non-intrusive interactive challenges (e.g., clicking a button) if the visitor is suspected to be a bot.
  • Invisible challenges to the browser.


Turnstile is currently in an open beta stage and is available as a free tool for all customers. During the beta, customers are limited to 1 million calls per month to the siteverify verification endpoint per site. Customers needing more requests can upgrade to Enterprise Bot Management.
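Any Turnstile integration has to validate the widget's token server-side against the siteverify endpoint mentioned above, and the reply needs more scrutiny than the success flag alone. The sketch below is an added example, not code from Cloudflare or from the plugin or module described on this page; the function names, the example.com hostname, the "login" action and the sample replies are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
MAX_TOKEN_AGE_SECONDS = 300  # a Turnstile token is valid for 300 seconds

# Constructed siteverify replies (not captured traffic) for offline use.
SAMPLE_OK = {"success": True, "challenge_ts": "2024-01-01T12:00:00.000Z",
             "hostname": "example.com", "action": "login", "error-codes": []}
SAMPLE_REPLAY = {"success": False, "error-codes": ["timeout-or-duplicate"]}


def call_siteverify(secret, token, remote_ip=None, timeout=5):
    """POST the secret key and widget token; return the decoded JSON reply."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def evaluate(result, expected_hostname, expected_action=None, now=None):
    """Return (accepted, reason); anything unexpected is a rejection."""
    if not isinstance(result, dict) or result.get("success") is not True:
        codes = result.get("error-codes") if isinstance(result, dict) else None
        return False, "rejected: " + (",".join(map(str, codes or [])) or "no success flag")
    # Defense in depth: the token must have been issued for this hostname/form.
    if result.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    if expected_action is not None and result.get("action") != expected_action:
        return False, "action mismatch"
    now = now or datetime.now(timezone.utc)
    try:
        ts = str(result["challenge_ts"]).replace("Z", "+00:00")
        age = (now - datetime.fromisoformat(ts)).total_seconds()
    except (KeyError, ValueError, TypeError):
        return False, "missing or malformed challenge_ts"
    if age > MAX_TOKEN_AGE_SECONDS:
        return False, "stale token"
    return True, "ok"


if __name__ == "__main__":
    fixed_now = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)
    print(evaluate(SAMPLE_OK, "example.com", "login", fixed_now))
    print(evaluate(SAMPLE_REPLAY, "example.com", "login", fixed_now))
```

In a real form handler, the token comes from the submitted cf-turnstile-response field and the secret key stays on the server; each call to call_siteverify counts against the monthly siteverify limit.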

WordPress and Drupal Integrations

WordPress has a plugin and Drupal has a module that allow for easy integration of Cloudflare’s Turnstile.

To help you better understand the integration process, the steps below cover configuring the plugin and the module on each platform.

Configuring Cloudflare’s Turnstile on WordPress

  1. Upload the simple-cloudflare-turnstile folder to the /wp-content/plugins/ directory of your WordPress installation, or install it from /wp-admin/plugin-install.php.
  2. Activate the Simple Cloudflare Turnstile plugin through the ‘Plugins’ menu in your WordPress admin area.
  3. Go to the plugin settings in the WordPress admin menu at “Settings > Cloudflare Turnstile”.
  4. If you haven’t already, generate a “Site Key” and “Site Secret” in your Cloudflare account. Enter these keys in the settings page of the plugin.
  5. Choose which forms you want to enable Turnstile on and click the “Save Changes” button.
  6. Complete a quick test of the widget by clicking “TEST API RESPONSE” to ensure it is working correctly.

[Figure: Turnstile in the default login form]

Configuring Cloudflare’s Turnstile on Drupal

  1. Download and install the Turnstile module from the project page.
  2. Navigate to the Turnstile CAPTCHA administration page in your Drupal admin area: admin/config/people/captcha/turnstile
  3. Register for an account on Cloudflare, if you don’t already have one.
  4. Input the site and secret keys obtained from Cloudflare into the Turnstile module settings on the CAPTCHA administration page.
  5. Visit the main CAPTCHA administration page to determine where you want the Turnstile form to be presented: admin/config/people/captcha

Comparing Turnstile and reCAPTCHA


Turnstile

  • Developed by Cloudflare.
  • Focuses on a less intrusive and user-friendly experience.
  • Employs non-interactive JavaScript challenges and machine learning to assess the traffic.
  • Adapts challenges based on individual visitor/browser and avoids displaying visual puzzles.
  • Integrates with WordPress and Drupal through plugins and modules.


reCAPTCHA

  • Developed by Google.
  • Performs spam and bot detection through interactive challenges.
  • Includes the “I am not a robot” checkbox and image selection puzzles for users.
  • Well-known and widely adopted across different platforms.
  • May occasionally require users to solve more complicated puzzles.

While both solutions provide robust protection against spam and bots, their approach and user experience differ. Turnstile aims for a seamless experience by minimizing or avoiding user interactions, whereas reCAPTCHA relies on interactive challenges for verification.


