Cloudflare Turnstile Protection for CheckoutWC

Introduction

Cloudflare Turnstile is a privacy-first, CAPTCHA-free solution for protecting your WooCommerce checkout and account pages from bots and spam orders. Unlike traditional CAPTCHAs that require users to solve puzzles, Turnstile runs invisible challenges that verify users are human without interrupting their experience.

CheckoutWC’s Turnstile integration provides comprehensive bot protection while maintaining a smooth checkout experience for legitimate customers.

Requirements

⚠️ Important: Cloudflare Turnstile requires a Pro or Agency plan. This feature is not available on Basic plans.

• CheckoutWC Pro or Agency plan
• Cloudflare account with Turnstile access
• Site Key and Secret Key from Cloudflare Turnstile

Getting Started with Cloudflare Turnstile

Step 1: Set Up Turnstile in Cloudflare

1. Log into your Cloudflare dashboard
2. Navigate to Turnstile in the sidebar
3. Click Add Site to create a new Turnstile application
4. Configure your site:
   • Site name: Enter a descriptive name (e.g., “Your Store Checkout”)
   • Domain: Add your website domain
   • Widget mode: Choose Managed (recommended) or Non-interactive
5. Click Create to generate your keys
6. Copy both the Site Key and Secret Key for use in CheckoutWC

Step 2: Configure CheckoutWC

1. Navigate to WP Admin → CheckoutWC → Integrations 
2. Find the Cloudflare Turnstile section
3. Follow the configuration guide below

Configuration Guide

Basic Settings

Enable Cloudflare Turnstile

• Setting: Enable/disable Turnstile protection
• Description: Master switch to activate Cloudflare Turnstile CAPTCHA protection across selected pages
• Default: Disabled

Site Key

• Setting: Your Cloudflare Turnstile site key
• Description: The public key generated in your Cloudflare Turnstile dashboard
• Required: Yes (when Turnstile is enabled)
• Format: alphanumeric string (e.g., 0x4AAAAAAABkMYinukNPQa7J)

Secret Key

• Setting: Your Cloudflare Turnstile secret key
• Description: The private key generated in your Cloudflare Turnstile dashboard
• Required: Yes (when Turnstile is enabled)
• Security: This field is password-protected and will be hidden from view
• Format: alphanumeric string (e.g., 0x4AAAAAAABkMYioUEkRD4b_invalid_key)

Location Settings

Control where Turnstile protection appears on your site:

Enable on Checkout

• Description: Show Turnstile widget on the checkout page
• Recommended: ✅ Yes – Primary protection for order completion
• Default: Enabled when Turnstile is active

Enable on Order Pay

• Description: Show Turnstile widget on the order pay page (for pending orders)
• Use case: Protects payment completion for orders created through other means
• Default: Enabled when Turnstile is active

Enable on Login

• Description: Show Turnstile widget on the My Account login form
• Use case: Prevents brute force login attempts
• Default: Enabled when Turnstile is active

Enable on Registration

• Description: Show Turnstile widget on the My Account registration form
• Use case: Prevents spam account creation
• Default: Enabled when Turnstile is active

Display Settings

Position on Checkout

Controls where the Turnstile widget appears on the checkout page:

• Before Place Order Button (default)

  • Places widget immediately before the “Place Order” button
  • Recommended: ✅ Best for conversion – users complete verification just before placing order

• Before Payment Methods

  • Places widget before payment method selection
  • Use case: Early verification, but may increase abandonment

• After Payment Methods

  • Places widget after payment method selection
  • Use case: Compromise between early verification and user experience

Theme

Visual appearance of the Turnstile widget:

• Light: Light theme with white background
• Dark: Dark theme with dark background
• Auto (recommended): Automatically matches user’s system preference (light/dark mode)

Size

Physical size of the Turnstile widget:

• Normal: Standard size widget (300x65px)
• Compact: Smaller widget size (150x140px) – good for mobile or tight layouts

Guest Users Only

• Description: Only show Turnstile for guest (non-logged-in) users
• Use case: Reduces friction for trusted logged-in customers while still protecting against anonymous bots
• Recommendation: ✅ Enable to improve UX for returning customers

Best Practices

Recommended Configuration

For most stores, we recommend:

Enable Cloudflare Turnstile: On
Enable on Checkout: On
Enable on Order Pay: On Enable on Login: On
Enable on Registration: On
Position: Before Place Order Button Theme: Auto
Size: Normal
Guest Users Only: On

Performance Tips

• Guest Users Only: Enable this setting to reduce verification requests for logged-in users
• Position: “Before Place Order Button” provides the best balance of security and user experience
• Theme: Use “Auto” to respect user preferences automatically

Troubleshooting

Common Issues

Turnstile Not Appearing

1. Verify your plan level (Pro or Agency required)
2. Check that Turnstile is enabled in CheckoutWC settings
3. Ensure Site Key and Secret Key are correctly entered
4. Clear any caching plugins

Conflict Warnings

If you see a conflict warning, it means another plugin is already providing CAPTCHA functionality:

• Review the conflict notice displayed
• Disable conflicting CAPTCHA plugins
• Or configure them to work together by excluding overlapping pages

Failed Verifications

• Verify Secret Key is correct and matches the Site Key
• Check Cloudflare Turnstile dashboard for error logs
• Ensure your domain is properly configured in Cloudflare

Mobile Display Issues

• Try switching to “Compact” size for mobile-optimized layouts
• Consider using “Auto” theme for better mobile experience

Privacy & Compliance

Cloudflare Turnstile is designed with privacy in mind:

• No personal data collection required for verification
• GDPR compliant
• No user tracking across sites
• Invisible to users in most cases

This makes it an excellent choice for stores in privacy-conscious regions or industries.