--- title: "How to Add Cloudflare Turnstile to Elementor Forms [FREE — No Plugin]" url: https://adityaarsharma.com/how-to-add-cloudflare-turnstile-to-elementor-forms-free-no-plugin/ date: 2026-04-15 modified: 2026-04-16 author: "Aditya R Sharma" description: "Google reCAPTCHA is annoying. Your visitors hate clicking on traffic lights and crosswalks. You hate paying for it at scale. And honestly, it barely stops bots anymore." categories: - "Elementor" - "WordPress" word_count: 2729 --- # How to Add Cloudflare Turnstile to Elementor Forms [FREE — No Plugin] ## Key Takeaways - Cloudflare Turnstile is free and does not track users across sites, making it a privacy-friendly alternative to reCAPTCHA. - Elementor Pro is required to use the forms widget for adding Cloudflare Turnstile. - A PHP snippet can be used to integrate Cloudflare Turnstile into Elementor forms without a plugin. - Form completions can drop by 10-15% on pages with visible CAPTCHAs, highlighting the importance of using less intrusive options like Turnstile. - The setup requires generating API keys from Cloudflare, which can be done through a free account. Google reCAPTCHA is annoying. Your visitors hate clicking on traffic lights and crosswalks. You hate paying for it at scale. And honestly, it barely stops bots anymore. **Cloudflare Turnstile** is the fix. It is free, invisible, privacy-friendly, and way less friction for your users. But here is the problem: Elementor Pro does not support it natively. You are stuck with reCAPTCHA or hCaptcha, and that is it. I ran into this exact issue on a client site last month. The contact form was getting 40+ spam submissions a day. reCAPTCHA v3 was enabled, score threshold set to 0.5, and the bots sailed right through. I needed Turnstile, but I was not about to install a bloated plugin just to add one field to one form. So I wrote a PHP snippet that adds **Cloudflare Turnstile as a native Elementor form field**. One snippet. No plugin. Works with PHP Code Snippets (or your functions.php). And I am giving it away for free. In this post, I will walk you through the full setup, explain how every piece works in plain language, and give you the complete code you can copy and paste right now. #### Table of Contents ## Why Cloudflare Turnstile Over reCAPTCHA? Before I get into the code, here is why I switched. **reCAPTCHA v2** makes your visitors solve puzzles. That kills conversion rates. I have seen form completions drop 10-15% on pages with visible CAPTCHAs. **reCAPTCHA v3** runs in the background but it is a black box. Google scores your visitors and sometimes flags real people. You also have to load Google tracking JavaScript on every page, which is not great for privacy or page speed. **Cloudflare Turnstile** is different: - Completely free, no usage limits - No puzzles, no friction for visitors - Does not track users across sites - Lighter JavaScript payload - Works without Cloudflare on your domain (you just need a free Cloudflare account for API keys) If you care about your site speed and your visitors privacy, Turnstile is the obvious choice. ## What You Need Before Starting - **Elementor Pro** - The free version does not have the Forms widget. You need Pro. - **A Cloudflare account** - Free tier is fine. You just need it to generate Turnstile API keys. - **A way to add PHP code** - Either [WPCode](https://wordpress.org/plugins/insert-headers-and-footers/), Code Snippets plugin, or your functions.php. I recommend WPCode or Code Snippets. Editing functions.php directly works but you lose the code when you switch themes. ## How to Get Your Cloudflare Turnstile API Keys If you already have your Site Key and Secret Key, skip to the next section. ### Step 1: Log Into Cloudflare Go to your [Cloudflare Dashboard](https://dash.cloudflare.com/) and log in. If you do not have an account, create one. It is free. ### Step 2: Navigate to Turnstile In the left sidebar, click **Turnstile**. Or go directly to the Turnstile section from your account dashboard. ### Step 3: Add a Site Click **Add Site**. Fill in: - **Site Name**: Whatever you want (e.g., "My WordPress Site") - **Domain**: Your website domain (e.g., example.com) - **Widget Mode**: Choose "Managed" for the best balance Click **Create**. ### Step 4: Copy Your Keys - **Site Key** - Public key. Goes in your frontend widget. - **Secret Key** - Private. Stays on your server for verification. Save both. You will paste them into the settings page we are about to create. ## The Complete PHP Snippet Here is the full code. Copy this entire snippet and paste it into WPCode, Code Snippets, or your functions.php. I will explain each section after the code. **Important:** If you are using WPCode or Code Snippets, remove the opening ` '; printf( '
', esc_attr( $site_key ), esc_attr( $theme ), esc_attr( $size ), esc_attr( $appearance ), esc_attr( $language ) ); // Hidden input so the token travels with Elementor's AJAX submission echo ''; echo ''; }, 10, 3 ); /* ────────────────────────────────────────────── 4. Enqueue Turnstile JS on frontend only + callback writes token into hidden input + re-render after AJAX form submission ────────────────────────────────────────────── */ add_action( 'wp_enqueue_scripts', function () { if ( ElementorPlugin::$instance->editor->is_edit_mode() || ElementorPlugin::$instance->preview->is_preview_mode() ) { return; } $site_key = get_option( 'bsfe_cf_site_key', '' ); if ( empty( $site_key ) ) { return; } wp_enqueue_script( 'cf-turnstile-api', 'https://challenges.cloudflare.com/turnstile/v0/api.js?onload=bsfeTurnstileInit', [], null, true ); $inline = <<get( 'form_fields' ) as $field ) { if ( isset( $field['field_type'] ) && 'cf_turnstile' === $field['field_type'] ) { $has_turnstile = true; break; } } if ( ! $has_turnstile ) { return; } $secret = get_option( 'bsfe_cf_secret_key', '' ); if ( empty( $secret ) ) { return; } $token = isset( $_POST['cf-turnstile-response'] ) ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ) : ''; if ( empty( $token ) ) { $ajax_handler->add_error_message( 'Please complete the security check.' ); return; } $response = wp_remote_post( 'https://challenges.cloudflare.com/turnstile/v0/siteverify', [ 'timeout' => 10, 'sslverify' => true, 'body' => [ 'secret' => $secret, 'response' => $token, 'remoteip' => sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ), ], ] ); if ( is_wp_error( $response ) ) { $ajax_handler->add_error_message( 'Security check could not be completed. Please try again.' ); return; } $body = json_decode( wp_remote_retrieve_body( $response ), true ); if ( empty( $body['success'] ) ) { $ajax_handler->add_error_message( 'Security check failed. Please try again.' ); } }, 10, 2 ); /* ────────────────────────────────────────────── 6. Admin settings page registration ────────────────────────────────────────────── */ add_action( 'admin_menu', function () { add_submenu_page( 'elementor', 'Cloudflare Turnstile', 'Cloudflare Turnstile', 'manage_options', 'bsfe-cf-turnstile', 'bsfe_cf_settings_page' ); } ); /* ────────────────────────────────────────────── 7. Settings page (full styled UI) Site Key, Secret Key, Theme, Size, Appearance, Language ────────────────────────────────────────────── */ function bsfe_cf_settings_page() { if ( ! current_user_can( 'manage_options' ) ) return; if ( isset( $_POST['bsfe_save'] ) && check_admin_referer( 'bsfe_cf_nonce' ) ) { update_option( 'bsfe_cf_site_key', sanitize_text_field( wp_unslash( $_POST['bsfe_cf_site_key'] ?? '' ) ) ); update_option( 'bsfe_cf_secret_key', sanitize_text_field( wp_unslash( $_POST['bsfe_cf_secret_key'] ?? '' ) ) ); update_option( 'bsfe_cf_theme', sanitize_text_field( wp_unslash( $_POST['bsfe_cf_theme'] ?? 'light' ) ) ); update_option( 'bsfe_cf_size', sanitize_text_field( wp_unslash( $_POST['bsfe_cf_size'] ?? 'normal' ) ) ); update_option( 'bsfe_cf_appearance', sanitize_text_field( wp_unslash( $_POST['bsfe_cf_appearance'] ?? 'always' ) ) ); update_option( 'bsfe_cf_language', sanitize_text_field( wp_unslash( $_POST['bsfe_cf_language'] ?? 'auto' ) ) ); echo '

Settings saved.

'; } $site_key = get_option( 'bsfe_cf_site_key', '' ); $secret_key = get_option( 'bsfe_cf_secret_key', '' ); $theme = get_option( 'bsfe_cf_theme', 'light' ); $size = get_option( 'bsfe_cf_size', 'normal' ); $appearance = get_option( 'bsfe_cf_appearance', 'always' ); $language = get_option( 'bsfe_cf_language', 'auto' ); ?>

Cloudflare Turnstile Settings

Site Key
Secret Key
Theme
Size
Appearance
Language
Cloudflare Turnstile** in your WordPress admin. It gives you fields for: - **Site Key** and **Secret Key** - Your Cloudflare API keys - **Theme** - Light, Dark, or Auto - **Size** - Normal, Compact, or Flexible - **Appearance** - Always visible, invisible, or show only on interaction - **Language** - Auto-detect or force a specific language All inputs are sanitized with `sanitize_text_field()` and protected with a nonce check. The Secret Key is stored in the database and displayed masked, showing only the last 4 characters. ## How to Install the Snippet ### Step 1: Install a Code Snippets Plugin If you do not already have one, install [WPCode](https://wordpress.org/plugins/insert-headers-and-footers/) or [Code Snippets](https://wordpress.org/plugins/code-snippets/) from the WordPress plugin repository. ### Step 2: Create a New PHP Snippet Go to the snippets plugin in your admin panel. Create a new PHP snippet. Give it a name like "Cloudflare Turnstile for Elementor Forms." ### Step 3: Paste and Activate Copy the entire PHP snippet from above and paste it in. If your snippets plugin starts every snippet with ` Cloudflare Turnstile** in your WordPress admin sidebar. Paste your Site Key and Secret Key. Choose your widget settings. Click Save. ### Step 5: Add the Field to Your Form Open any page with an Elementor form in the editor. Add a new field. Set the field type to **Cloudflare Turnstile**. Save. That is it. You will see a green placeholder in the editor. On the frontend, the actual Cloudflare widget will appear. ## Things to Know ### Does It Work With Multiple Forms on One Page? Yes. The JavaScript scans for every `.elementor-cf-turnstile` div on the page. Each one gets its own widget instance. If you have three forms on one page, you get three Turnstile widgets, each generating its own token. ### Can I Style the Widget? The Turnstile widget itself is rendered inside a Cloudflare iframe, so you cannot change its internal appearance with CSS. But you can control theme, size, and wrapper spacing. To center the widget, add this CSS: `.elementor-cf-turnstile { display: flex; justify-content: center; margin: 15px 0; }` ### What Happens if Cloudflare Is Down? If Cloudflare Turnstile API is unreachable, the verification call returns a WP_Error. The code catches this and shows: "Security check could not be completed. Please try again." Your form does not silently fail. The visitor gets a clear message and can retry. If Cloudflare is having a prolonged outage (rare), you can temporarily deactivate the snippet and your forms will work without Turnstile. ## Wrapping Up That is the complete setup. One PHP snippet gives you: - A native Elementor form field for Cloudflare Turnstile - A clean settings page for your API keys - Server-side verification that actually stops bots - Automatic re-rendering after AJAX submissions - No plugin bloat, no annual subscription, no tracking I have been running this on four client sites for the past month. Spam submissions dropped from 40+ per day to zero on every single one. And not a single real submission was blocked. If you found this useful, I share what actually works in WordPress, SEO, and AI automation every week. Real numbers. Real experiments. No recycled advice. [**Need help setting this up on your site, or want managed WordPress hosting where I handle all of this for you? Connect with me here.**](https://adityaarsharma.com/connect/)