
Cloudflare Turnstile Protection

Overview

Cloudflare Turnstile replaces traditional CAPTCHA with a frictionless bot detection challenge. It verifies that submissions come from real humans without requiring users to solve puzzles.

Configuration

| Setting | Value |
| --- | --- |
| Site Key | 0x4AAAAAADtB5yaGTe_ZKCjW |
| Secret Key | Stored in WPCodeBox2 snippet (PHP constant) |
| Widget Mode | Managed (adaptive challenge) |
| Data Action | turnstile-spin-v1 |

Frontend Integration

The Turnstile widget is rendered inside the contact form:

<div class="cf-turnstile" data-sitekey="0x4AAAAAADtB5yaGTe_ZKCjW" data-action="turnstile-spin-v1"></div>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

Server-Side Verification

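// Send the token produced by the widget to Cloudflare for verification.
$response = wp_remote_post("https://challenges.cloudflare.com/turnstile/v0/siteverify", [
    "body" => [
        "secret" => $secret_key,
        // A missing field becomes an empty token instead of an undefined-index warning.
        "response" => $_POST["cf-turnstile-response"] ?? "",
    ],
]);
// wp_remote_retrieve_body() returns "" for a WP_Error, so a failed request decodes to null.
$body = json_decode(wp_remote_retrieve_body($response), true);
// Fail closed: only an explicit boolean true counts as a pass.
$is_valid = is_array($body) && true === ($body["success"] ?? false);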

Verification Placement

Turnstile verification runs in the form handler, between the honeypot check and field validation. Failed verification returns: "Please complete the security check."
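A fuller version of the server-side check, written as an added example and not the site's own snippet: it fails closed on transport errors and also confirms that the token was solved for the turnstile-spin-v1 action configured above. The function names and the hostname comparison against home_url() are assumptions.

```php
<?php
// Added example, not the site's own snippet. Function names and the hostname
// check are assumptions; the action value and error message come from this page.
const SPIN_TURNSTILE_ACTION = 'turnstile-spin-v1';

/** Pure check of a decoded siteverify response: no WordPress or network calls. */
function spin_turnstile_result_ok( $body, string $expected_host ): bool {
    if ( ! is_array( $body ) || true !== ( $body['success'] ?? false ) ) {
        return false; // Malformed JSON or a rejected token: fail closed.
    }
    // A token solved for a different widget action must not pass this form.
    if ( SPIN_TURNSTILE_ACTION !== ( $body['action'] ?? '' ) ) {
        return false;
    }
    // The token must have been issued on this site's hostname.
    return '' !== $expected_host && 0 === strcasecmp( (string) ( $body['hostname'] ?? '' ), $expected_host );
}

/** Verify the token posted by the form. Returns true or a WP_Error. */
function spin_verify_turnstile( string $secret_key ) {
    $fail  = new WP_Error( 'turnstile_failed', 'Please complete the security check.' );
    $token = isset( $_POST['cf-turnstile-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) )
        : '';
    if ( '' === $token ) {
        return $fail; // No token: skip the network call entirely.
    }
    $response = wp_remote_post(
        'https://challenges.cloudflare.com/turnstile/v0/siteverify',
        array(
            'timeout' => 5,
            'body'    => array(
                'secret'   => $secret_key,
                'response' => $token,
            ),
        )
    );
    // Transport errors and non-200 replies are treated as failed verification.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return $fail;
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    $host = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    return spin_turnstile_result_ok( $body, $host ) ? true : $fail;
}
```

Keeping the response check in a separate pure function lets it be unit-tested with constructed arrays, without calling Cloudflare.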

Why Not a Worker

Turnstile verification is handled directly via WordPress wp_remote_post() rather than a Cloudflare Worker. This keeps the implementation self-contained within the WPCodeBox2 snippet, avoiding additional infrastructure dependencies.