Cloudflare recently announced a privacy-focused alternative to CAPTCHA that is non-intrusive and free to use and the WordPress plugin community slowly begins adding support for the new solution.
But not all plugin developers are racing to add support for Turnstile, offering reasons that may cause others to think twice.
Turnstile is a privacy-focused solution for blocking spammers from any kind of form that a user might fill out, such as a contact form, a user registration form or a login form.
Aside from the fact that it doesn’t collect user information, what also makes it useful is that it is virtually invisible, enabling it to provide a friction-free user experience for site visitors.
Someone who added Turnstile to their site reported that out of 127 site visitors only one site visitor was challenged by Turnstile.
out of 120 visits, only 1 needed to click a checkbox to verify being human pic.twitter.com/6dKvIK1G8q
— chris sev (@chris__sev) September 29, 2022
Turnstile is a privacy-focused solution because it does not collect or store user information at all.
According to Cloudflare:
“In June, we announced an effort with Apple to use Private Access Tokens.
Visitors using operating systems that support these tokens, including the upcoming versions of macOS or iOS, can now prove they’re human without completing a CAPTCHA or giving up personal data.
By collaborating with third parties like device manufacturers, who already have the data that would help us validate a device, we are able to abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves. Rather than interrogating a device directly, we ask the device vendor to do it for us.
Private Access Tokens are built directly into Turnstile.
While Turnstile has to look at some session data (like headers, user agent, and browser characteristics) to validate users without challenging them, Private Access Tokens allow us to minimize data collection by asking Apple to validate the device for us.
Integration With WordPress
While Cloudflare’s announcement of Turnstile didn’t mention a WordPress plugin for integrating it into WordPress sites, TechCrunch quoted a Cloudflare representative as saying a WordPress plugin is in the works.
“Cloudflare says it’s working on plugins for major platforms like WordPress to make Turnstile easier to deploy…”
That said some WordPress plugins are already integrating Turnstile into their software to make it easy for users to choose it.
The publishers of the WS Form WordPress plugin added Turnstile support into their plugin on October 4, 2022, making WS Form another choice for those wanting to use it.
A few days later, the publishers of the Fluent Forms WordPress plugin added support for Turnstile on October 07, 2022 and published a helpful tutorial on how to use it.
The Site Reviews plugin, currently used by over 40,000 WordPress publishers added support for Turnstile on October 11, 2022.
Contact Form 7, used by over 5 million WordPress publishers has not added support for Turnstile.
A publisher asking for Contact 7 support in adding Turnstile noted that official support is needed to integrate Turnstile into Contact Form 7:
“…The migration instruction provided by Cloudflare is more likely for a static page/website.
You have to migrate differently with WordPress and CF7, which will involve …modifying the CF7 reCaptcha module files and even the contact template.
So I guess it is will easier to check CF7’s source code and build a new module.”
There is a request for integration into Contact Form 7 posted in GitHub but the publisher of the contact form responded and said they will not be adding support for it at this time.
They explained their position on Turnstile:
“For now, I’m not interested in natively supporting Turnstile.
Cloudflare has not yet provided sufficient ground that supports Turnstile is greater than reCAPTCHA in privacy terms.
Also it’s still in the open beta stage.”
Someone in the Contact Form 7 GitHub feature request responded to the publisher’s statement that Cloudflare had not provided “sufficient ground” for migrating away from reCAPTCHA for reasons of privacy:
“I think the fact that Google’s business is advertising (which benefits from analytics about the users who are their product that they sell to advertisers) and Cloudflare’s business is selling services to people and companies who pay them is a good basis for the difference in their motivations and their different approach to protecting privacy.
An example of this is how Mozilla has partnered with Cloudflare because of this commitment to privacy that they have and their lack of a conflict of interests between user privacy and their business (which differs from Google). (Disclosure, I work at Mozilla)”
The publisher followed up:
“Maybe I would reject the PRs. Turnstile is not that attractive to me. I would suggest creating it as an independent plugin.”
Turnstile is in Beta
The reason given by the publisher of Contact Form 7 to not integrate Turnstile at this time is valid.
When a product is in beta that means that is ready to be used by could contain some problems and needs testing.
So anyone who installs Turnstile is essentially testing it for Cloudflare.
That said, many people are enthusiastic about using Turnstile because Cloudflare is a trusted brand that is known for privacy, security and high quality solutions that help publishers speed up their websites.
Turnstyle is another free alternative to Recaptcha https://t.co/ZL7E7TYMr8 #WordPress
— Adam J. Humphreys (@Making8) October 11, 2022
Integration with more WordPress plugins may continue to grow, offering another option for blocking spammers from WordPress websites.
Read Cloudflare’s announcement of Turnstile, including directions on how to sign up for free:
Announcing Turnstile, a user-friendly, privacy-preserving alternative to CAPTCHA
Featured image by Shutterstock/goodluz