How to Add Cloudflare Turnstile CAPTCHA in WordPress

Do you want to add Cloudflare Turnstile CAPTCHA in WordPress?

CAPTCHA and reCAPTCHA can stop spambots, but they’re also unpopular with visitors. By using a non-intrusive technology like Turnstile, you can protect your website from spambots and automated scripts without annoying your visitors.

In this article, we will show you how to add Cloudflare Turnstile to your WordPress website.

Why Add Cloudflare Turnstile CAPTCHA in WordPress?

Spam is a big problem for all websites including WordPress. Spambots can use non-secure forms to send you spammy links, which will make it more difficult for you to do lead generation.

They can also try to break into your site’s login form using brute force attacks, or flood your site with spam comments that’ll damage the visitor experience and your WordPress SEO.

If you run an online store, then automated scripts may even place fraudulent orders.

Many website owners use CAPTCHA and reCAPTCHA to block scripts and bots. However, a lot of people complain that these technologies deliver a poor user experience, and some even worry about CAPTCHAs stealing their data.

With that being said, Cloudflare has introduced Turnstile CAPTCHA. This alternative technology uses a selection of non-intrusive challenges that often run invisibly in the browser. This allows you to protect your website without asking visitors to complete complex puzzles.

To help keep visitor information private, Cloudflare uses Apple’s Private Access Tokens to test whether the visitor is a real person without collecting extra data.

If you’re using form builders or WooCommerce, then Turnstile also integrates with these third-party plugins. This allows you to add invisible CAPTCHAs across many different areas of your WordPress website.

With that in mind, let’s see how you can add Cloudflare Turnstile CAPTCHA in WordPress.

Install a WordPress Cloudflare CAPTCHA Plugin

The easiest way to add Cloudflare’s CAPTCHA to WordPress is by using Simple Cloudflare Turnstile. This free plugin allows you to connect your website to the Turnstile service, and then check that it’s responding to your requests correctly.

First, you’ll need to install and activate the plugin. If you need help, then please see our guide on how to install a WordPress plugin.

Upon activation, go to Settings » Cloudflare Turnstile.

Adding a site key and secret key to a WordPress website

The plugin will now ask you to provide a site key and site secret.

You can get these for free by clicking on the link next to ‘You can get your site key and secret from here.’

Get a Cloudflare Turnstile Site Secret and Site Key

The link will take you to the Cloudflare login page where you can register your domain and create a site key and site secret. This is free, but you will need to create a Cloudflare account using your email address, if you haven’t already.

Once you’re logged into the Cloudflare dashboard, find ‘Turnstile’ in the left-hand menu and give it a click.

The Cloudflare dashboard

This will take you to a screen with some basic information about Cloudflare Turnstile.

If you’re happy to go ahead, then click on the ‘Add site’ button.

Adding a site to the Cloudflare dashboard

On this screen, start by typing in a ‘Site Name.’

This is just for your reference so you can use anything you want.

Adding a WordPress website to the Cloudflare dashboard

Next, type your website’s domain name into the ‘Domain’ field.

The next step is choosing which CAPTCHA widget you want to create. The first choice is ‘Managed,’ which is the method recommended by Cloudflare. This is where Cloudflare analyzes the browser’s request and then decides what kind of challenge it should run.

While this is happening, the visitor will see a loading animation.

Adding a Cloudflare Turnstile CAPTCHA to WordPress

Wherever possible, Cloudflare will try to run a non-interactive challenge in the background, so the visitor doesn’t have to do anything.

In this case, the user will simply see a ‘Success’ message when their browser passes the test.

Creating a managed Cloudflare Turnstile CAPTCHA

Sometimes, Cloudflare may decide that it’s safer to show an interactive challenge instead. However, the visitor will simply need to check a box rather than complete a puzzle, so it’s still easier than the traditional puzzle-based CAPTCHAs.

Unless you have a specific reason not to, it’s smart to use managed CAPTCHAs as this gives you a good level of security with minimum impact on the visitor experience.

How to create a managed CAPTCHA for WordPress

Don’t want to use interactive challenges on your WordPress website? Then you can choose ‘Non-interactive’ or ‘Invisible’ instead.

Non-interactive challenges run in the browser so the visitor doesn’t have to take any action. Just like the managed CAPTCHA, visitors will see the loading animation and a ‘Success’ message when the challenge is complete.

If you choose ‘Invisible’ instead, then the visitor won’t see the animation or success message. This setting allows you to completely hide the CAPTCHA from your visitors, which can avoid confusion and won’t add any clutter to your WordPress theme.

After making your decision, click on the ‘Create’ button.

As soon as you’ve done that, Cloudflare will show your site key and secret key.

Creating a site key and secret key for your WordPress website

You can now add this information to the plugin’s settings on your website.
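What happens to these two keys on the server, as an added example (not code from Simple Cloudflare Turnstile or from this tutorial): the site key is public and ships in the page, while the secret key stays on the server and is sent with the visitor's token to Cloudflare's siteverify endpoint. The function names, the injectable `$post` transport, the `example.com` hostname and the sample replies are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const TURNSTILE_VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

/** Real transport: form-encoded POST; returns the body, or null on any failure. */
function http_post_form(string $url, array $fields): ?string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

/**
 * Verify the token the widget posts in the cf-turnstile-response form field.
 * Fails closed: a transport error, a malformed reply or a token issued for
 * another hostname all count as "not verified".
 * $post is an injectable transport (an assumption of this example).
 */
function turnstile_verify(string $secret, string $token, string $expectedHost,
                          callable $post, ?string $remoteIp = null): array
{
    if ($token === '') {
        return ['ok' => false, 'reason' => 'missing-token'];
    }
    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }
    $body = $post(TURNSTILE_VERIFY_URL, $fields);
    $data = is_string($body) ? json_decode($body, true) : null;
    if (!is_array($data)) {
        return ['ok' => false, 'reason' => 'verification-unavailable'];
    }
    if (($data['success'] ?? false) !== true) {
        $codes = implode(',', (array) ($data['error-codes'] ?? []));
        return ['ok' => false, 'reason' => $codes !== '' ? $codes : 'rejected'];
    }
    $host = $data['hostname'] ?? null;
    if (!is_string($host) || strcasecmp($host, $expectedHost) !== 0) {
        return ['ok' => false, 'reason' => 'hostname-mismatch'];
    }
    return ['ok' => true, 'reason' => 'verified'];
}

// Constructed replies standing in for Cloudflare so the example runs offline.
// In production, pass 'http_post_form' as the transport instead of the stub.
$replies = [
    'valid'  => '{"success":true,"hostname":"example.com"}',
    'reused' => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
    'wrong'  => '{"success":true,"hostname":"other-site.example"}',
    'outage' => null,
];
foreach ($replies as $label => $reply) {
    $stub = fn (string $url, array $fields): ?string => $reply;
    $r = turnstile_verify('SECRET_KEY_PLACEHOLDER', 'constructed-token', 'example.com', $stub);
    printf("%-7s %-6s %s\n", $label, $r['ok'] ? 'accept' : 'reject', $r['reason']);
}
```

Only the first sample is accepted. A widget that renders in the page proves nothing on its own; the form handler has to make this server-side call before acting on the submission.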

Add Cloudflare Turnstile CAPTCHA to Your WordPress Website

In your WordPress dashboard, head back to Settings » Cloudflare Turnstile. You can now go ahead and add the ‘Site Key’ and ‘Site Secret’ to your WordPress dashboard.

Adding the Cloudflare secret key and site secret to WordPress

After that, you may want to customize how the CAPTCHA looks on your website, and how it acts. To start, you can open the ‘Theme’ dropdown and choose from light, dark, or auto.

The following image shows an example of how the ‘Dark’ theme looks in the WordPress comment section.

A Cloudflare Turnstile CAPTCHA with a dark theme

By default, Cloudflare Turnstile shows a ‘Please verify that you are human’ message to visitors. You may want to change this. For example, you might briefly explain why the CAPTCHA is so important, or that it will only take a few seconds to complete.

To add your own wording, simply type into the ‘Custom Error Message’ field.

Creating a custom error message for a WordPress CAPTCHA

After that, you can select the forms where you’ll use the Cloudflare Turnstile CAPTCHA.

The options you see may vary depending on the plugins you’ve installed, but by default, you can use Turnstile with all the built-in WordPress forms. This includes the login page, user registration form, and password reset page.

Enabling Cloudflare Turnstile CAPTCHA for the WordPress forms

When you’re happy with the information you’ve entered, scroll to the bottom of the screen and click on ‘Save Changes.’

Now, if you visit your website you’ll see the Turnstile CAPTCHA in action.

Bonus: Add Turnstile CAPTCHA to Your WordPress Forms

WordPress comes with different built-in forms, but you’ll often want to create custom forms. For example, you might replace the default forms with professionally-designed alternatives that better suit your website.

You can also add forms that are missing from the core WordPress software, such as contact forms and online order forms.

Simple Cloudflare Turnstile integrates with the best contact form plugins for WordPress including WPForms and Formidable Forms. This allows you to add the same advanced CAPTCHAs to all your forms, no matter how you created them.

How to add a CAPTCHA to a WordPress contact form

To add a CAPTCHA to any WPForms or Formidable Forms page, simply go to Settings » Cloudflare Turnstile in your WordPress dashboard.

At the bottom of the page, you should see a section for either WPForms or Formidable Forms, depending on which plugin you’re using.

Integrating Cloudflare with WPForms and Formidable Forms

Simply click on either of these sections to expand.

To add the CAPTCHA to all your forms, just check the ‘Enable on all…’ box.

Enabling CAPTCHA for WPForms

If you’re using a ‘Managed’ or ‘Non-interactive’ CAPTCHA, then you can change whether the loading and success animation appears before or after the form’s ‘Submit’ button.

In the following image, we’re using the ‘After button’ option.

Changing where the CAPTCHA appears in WPForms

To make this change, simply open the ‘Widget Location’ dropdown.

Then, choose either ‘Before Button’ or ‘After Button.’

Changing the location of the CAPTCHA widget

Some forms may not need a CAPTCHA. For example, you might disable the CAPTCHA for forms that aren’t getting many conversions, to see whether this improves your conversion rates. For more information, see our guide on WordPress conversion tracking made simple.

To remove the CAPTCHA, you’ll need to type the form’s ID into the ‘Disable Form IDs’ field.

Removing the CAPTCHA from WPForms

If you’re using WPForms, then you can get this ID by going to WPForms » All Forms.

The ‘Shortcode’ column shows each form’s ID. For example, in the following image the form ID is 62.

How to disable CAPTCHAs on your WordPress website

If you’re a Formidable Forms user, then head over to Formidable » Forms instead.

On this screen, find the form that you want to exclude and make a note of the number in the ‘ID’ column.

Forms, created using the Formidable Forms WordPress plugin

You can now add these IDs to the ‘Disable Form IDs’ field.

To remove the CAPTCHA from multiple forms, simply separate each ID with a comma.

Disabling the Cloudflare CAPTCHA for multiple forms

When you’re happy with how you’ve set up the integration, don’t forget to click on ‘Save Changes’ to store your settings.

Now if you visit any form created using Formidable Forms or WPForms, you’ll see the Cloudflare Turnstile CAPTCHA in action.

Bonus: Add Cloudflare Turnstile CAPTCHA to WooCommerce

Scripts and bots aren’t just bad news for WordPress blogs and websites. If you run an online store, then spambots and automated scripts might try to register with your store and place fake orders.

Every transaction comes with processing fees, so fake orders can cost you a lot of money and make it difficult to grow your business.

The good news is that Cloudflare Turnstile also integrates with WooCommerce. This allows you to protect all your eCommerce pages including the WooCommerce login, signup, and checkout pages.

The Cloudflare Turnstile CAPTCHA on the WooCommerce checkout page

To add Cloudflare Turnstile to your WooCommerce pages, simply go to Settings » Cloudflare Turnstile.

Then, scroll to the ‘WooCommerce Forms’ section.

Adding CAPTCHAs to your WooCommerce forms

If it isn’t already expanded, then click on this section.

You’ll now see all the WooCommerce pages where you can add a Cloudflare CAPTCHA. Simply check the box next to each page that you want to protect.

Protecting your WooCommerce store with a CAPTCHA

After that, don’t forget to click on ‘Save Changes’ to store your settings. Now, if you visit any of your WooCommerce pages, you’ll see the Cloudflare Turnstile CAPTCHA.

We hope this article helped you learn how to add Cloudflare Turnstile CAPTCHA in WordPress. You can also go through our ultimate WordPress security guide and the best WordPress membership plugins.

The post How to Add Cloudflare Turnstile CAPTCHA in WordPress first appeared on WPBeginner.

How To Add Google reCAPTCHA v3 In PHP Contact Form

Google has introduced a newer, upgraded form of reCAPTCHA called Google reCAPTCHA v3. It gives greater protection from spam bots and abuse of your web forms. The reCAPTCHA v3 API works on the basis of a spam score: it returns a score for each action the user performs.

Benefits of Google reCAPTCHA v3

reCAPTCHA v3 is much simpler to use than Google reCAPTCHA v2 because the user doesn't have to click the checkbox that reCAPTCHA v2 shows. It simply calculates the spam score based on the submitted information and the user's activity, and decides whether the action is spam or not.
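How a PHP contact form can act on that score, as an added example that is not part of the original article: Google's siteverify reply carries a `score` from 0.0 (very likely a bot) to 1.0 (very likely a person), plus the `action` and `hostname` the token was issued for. The function name, the two thresholds, the "review" tier, the `contact_form` action and the sample replies are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Map a decoded reCAPTCHA v3 siteverify reply to accept / review / reject.
 * The thresholds and the "review" tier are assumptions of this example;
 * tune them against the scores your own traffic produces.
 */
function recaptcha_v3_decision(array $reply, string $expectedAction, string $expectedHost,
                               float $acceptAt = 0.5, float $rejectBelow = 0.3): string
{
    if (($reply['success'] ?? false) !== true) {
        return 'reject';                 // invalid, expired or reused token
    }
    // The token must have been issued for this form's action on this site.
    if (($reply['action'] ?? null) !== $expectedAction) {
        return 'reject';
    }
    $host = $reply['hostname'] ?? null;
    if (!is_string($host) || strcasecmp($host, $expectedHost) !== 0) {
        return 'reject';
    }
    $score = $reply['score'] ?? null;
    if ((!is_float($score) && !is_int($score)) || $score < 0 || $score > 1) {
        return 'reject';                 // malformed reply: fail closed
    }
    if ($score >= $acceptAt) {
        return 'accept';
    }
    if ($score < $rejectBelow) {
        return 'reject';
    }
    return 'review';                     // hold for moderation or a second check
}

// Constructed sample replies (not captured from a real site).
$samples = [
    'typical visitor' => '{"success":true,"score":0.9,"action":"contact_form","hostname":"example.com"}',
    'borderline'      => '{"success":true,"score":0.4,"action":"contact_form","hostname":"example.com"}',
    'low score'       => '{"success":true,"score":0.1,"action":"contact_form","hostname":"example.com"}',
    'wrong action'    => '{"success":true,"score":0.9,"action":"login","hostname":"example.com"}',
    'expired token'   => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];
foreach ($samples as $label => $json) {
    $reply = json_decode($json, true);
    $decision = recaptcha_v3_decision(is_array($reply) ? $reply : [], 'contact_form', 'example.com');
    printf("%-16s %s\n", $label, $decision);
}
```

The samples resolve to accept, review, reject, reject and reject. Checking `action` and `hostname` matters because a high score earned on another form or another site should not be accepted for this one.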

How to Create a Secure Contact Form in WordPress

Do you want to create a secure form in WordPress?

Forms allow users to submit information on your website. However, they can also be used by hackers to steal information, attack websites, and install malicious code.

In this article, we will show you how to create a secure contact form in WordPress. We’ll explain how to ensure secure WordPress form submissions on your site.

Creating a secure contact form in WordPress

What Do You Need to Secure WordPress Forms?

To make your WordPress contact form secure, you need two things.

  • A secure WordPress contact form plugin
  • A secure WordPress hosting environment

Let’s start with the form plugin.

1. Choosing a Secure Contact Form Plugin

A secure contact form plugin allows you to save form entries securely on your website. It also allows you to use secure email methods to deliver your form notifications.

We recommend using WPForms, which is the best WordPress contact form plugin on the market.

It comes with tons of powerful features to secure WordPress forms and protect your website from spam, hacking, and data theft.

There is also a free version available called WPForms Lite. It is equally secure but has limited features.

2. Choosing a Secure Hosting Platform

Choosing the right WordPress hosting is crucial for the security of your website and your contact forms.

We recommend using Bluehost. They are one of the largest hosting companies in the world and an officially recommended WordPress hosting provider.

More importantly, they are offering WPBeginner users a free domain and SSL certificate (you’ll need it for better WordPress form security).

You can also use other popular WordPress hosting companies like SiteGround, WP Engine, HostGator, etc., because they all offer free SSL.

What is SSL? And why do you need it to secure WordPress forms?

SSL stands for Secure Sockets Layer. It switches your WordPress site from HTTP to HTTPS (secure HTTP). You’ll notice a padlock icon next to your website address, indicating that it is using the SSL protocol to transfer data.

Padlock icon indicating a website using SSL HTTPS protocol

SSL protects your information by encrypting the data transfer between a user’s browser and the website. This adds WordPress form encryption support which makes it harder for hackers to steal data.

For more details, see our article on how to get a free SSL certificate for your website.

That being said, now let’s take a look at how to create a secure contact form in WordPress.

Creating a Secure Contact Form in WordPress

Creating a secure WordPress contact form is easy if you already checked the above-mentioned requirements. See our tutorial on how to quickly add a contact form in WordPress if you haven’t already done so.

The next step is to add more security layers to your WordPress contact form. This helps you keep form data safe and also helps you reduce spam and improve your website performance.

Securing contact form emails

The following are some of the most common ways someone can steal information or abuse your WordPress forms.

First, they can sniff the information as it is submitted by a form. You can address this by using a secure WordPress hosting platform and enabling SSL encryption on your website.

The next part is when your WordPress form sends notification emails. Business email services are not part of WordPress, and if you are not properly sending those emails, then they can be insecure.

Lastly, your WordPress forms can be abused to send spam messages and launch DDoS attacks. If you are using a custom WordPress login form, then hackers can use brute force attacks to log in to your WordPress site.

Now let’s address each one of them to make your WordPress forms more secure.

Securing WordPress Contact Form Email Notifications

As we mentioned earlier, insecure emails can be spied upon and are unsafe. There are two ways you can handle form notification emails.

1. Don’t send form data via email notifications

The first thing you would want to consider is not sending form data via emails.

For instance, when someone submits your contact form, you only get an email alert that someone has submitted a form, not the form data itself.

WPForms comes with a built-in entry management system that stores your form data in your WordPress database. You can simply go to WPForms » Entries page to view all form submissions.

Form entries

Note: You’ll need to upgrade to the paid version of WPForms for entry management features.

2. Send secure WordPress form notification emails

For some users, sending form notification emails is necessary for their business.

For instance, if you have an online order form, a donations form, or a payment form, then you may need to send email notifications to your users.

For this, you need to set up a proper SMTP service to securely send emails.

SMTP stands for Simple Mail Transfer Protocol. It is the industry standard to securely send emails on the internet.

We recommend using G Suite which allows you to create a professional business email address. Powered by Google, it allows you to use the familiar Gmail interface to send and receive emails.

However, if you’ll be sending a lot of emails, then we recommend using Sendinblue, Amazon SES, or any of the reliable SMTP service providers.

Next, you need to connect your email service to WordPress so that all your WordPress form notifications are sent using your secure email connection.

To do that, you need to install and activate the WP Mail SMTP plugin. It works with any SMTP email service and allows you to easily send WordPress emails securely.

WP Mail SMTP

For detailed instructions, see our guide on how to set up WP Mail SMTP in WordPress.

Securing WordPress Forms Against Spam and DDoS Attacks

Your website forms are publicly accessible. This means anyone can access and fill them. We’ll cover restricting form access to specific users in the next step, but for this step we will address public forms.

When your form is accessible by anyone on the internet, it can become a target for spammers and hackers. While spammers try to use your form for fraudulent activities, hackers may try to use it to gain access to your website or even bring it down.

Luckily, WPForms comes with several spam-prevention features. It also automatically enables the honeypot anti-spam technique on all forms.

Honeypot anti-spam technique enabled by default

Honeypot basically obscures form fields from automated spambots. However, it is not the most effective way to protect online forms.
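A common way to implement a honeypot check in a PHP form handler, as an added example (not WPForms' own code): the form carries a decoy input that people never see, and a submission that fills it is treated as automated. This sketch goes one step beyond the decoy by also signing the render time so that instant submissions can be flagged; the field names, the demo key and the time limits are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const DECOY_FIELD      = 'website_url'; // hypothetical decoy name; hidden from people with CSS
const MIN_FILL_SECONDS = 3;             // assumed: nobody completes the form faster than this
const MAX_FORM_AGE     = 3600;          // assumed: rendered forms expire after an hour

/** Hidden inputs to render with the form: an empty decoy and a signed render time. */
function honeypot_fields(string $key, int $now): array
{
    return [
        DECOY_FIELD    => '',
        'rendered_at'  => (string) $now,
        'rendered_sig' => hash_hmac('sha256', (string) $now, $key),
    ];
}

/** Returns null when the submission passes, otherwise the reason it was flagged. */
function honeypot_check(array $post, string $key, int $now): ?string
{
    $decoy = $post[DECOY_FIELD] ?? null;
    if (!is_string($decoy)) {
        return 'decoy-missing';          // field stripped or sent as an array
    }
    if (trim($decoy) !== '') {
        return 'decoy-filled';           // a person never sees this input
    }
    $ts  = $post['rendered_at'] ?? '';
    $sig = $post['rendered_sig'] ?? '';
    if (!is_string($ts) || !is_string($sig) || preg_match('/^\d{1,11}$/', $ts) !== 1
        || !hash_equals(hash_hmac('sha256', $ts, $key), $sig)) {
        return 'timestamp-invalid';      // missing, malformed or forged
    }
    $age = $now - (int) $ts;
    if ($age < MIN_FILL_SECONDS) {
        return 'too-fast';
    }
    return $age > MAX_FORM_AGE ? 'form-expired' : null;
}

// Constructed submissions against a form rendered at t = 1700000000.
$key  = 'constructed-demo-key';
$form = honeypot_fields($key, 1700000000);
$submissions = [
    'visitor after 40 s' => [$form + ['message' => 'Hello'], 1700000040],
    'decoy filled in'    => [array_merge($form, [DECOY_FIELD => 'http://spam.example']), 1700000040],
    'sent after 1 s'     => [$form, 1700000001],
    'edited timestamp'   => [array_merge($form, ['rendered_at' => '1699990000']), 1700000040],
];
foreach ($submissions as $label => [$post, $now]) {
    printf("%-20s %s\n", $label, honeypot_check($post, $key, $now) ?? 'pass');
}
```

Only the first submission passes; the others are flagged as decoy-filled, too-fast and timestamp-invalid.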

If you suspect that your forms are abused or under attack, then you can deploy the following spam protection tools.

1. Enable Google reCAPTCHA in Your Forms

WPForms comes with Google reCAPTCHA support. Simply go to WPForms » Settings page and click on the reCAPTCHA tab.

Adding reCAPTCHA to your contact form

Google offers three types of reCAPTCHA tools. We recommend using checkbox reCAPTCHA v2 because it is more user-friendly.

You’ll need a site key and secret key to enable reCAPTCHA on your site. Simply go to the reCAPTCHA website and click on the ‘Admin Console’ button at the top.

reCAPTCHA admin console

Next, you can go ahead and enter your website details. Provide a label for your site and then choose reCAPTCHA v2 with the ‘I am not a robot’ checkbox.

reCAPTCHA settings

Click on the Submit button to continue and you’ll see the API keys.

API keys

Go ahead and copy these keys and paste them into the WPForms settings page. Don’t forget to click on the ‘Save Settings’ button to store your changes.

You can now edit your form and add the reCAPTCHA field to your form.

Adding recaptcha field to your form

You’ll see a notification that reCAPTCHA is now enabled for your form. You can go ahead and save your form.

If you haven’t already added the form to your website, then you can simply edit the post or page where you want to display the form and add the WPForms block to the content area.

Adding a WPForms block to your page

Simply select your form in the drop down menu and WPForms will load a preview of your form. You can now save your post or page and visit it in a new browser tab to see your form with the reCAPTCHA field in action.

Contact form preview

2. Enable Custom Captcha for Your WordPress Forms

If you don’t want to use Google reCAPTCHA, then you can use your own math quiz or questions with WPForms Custom Captcha addon.

Note: You’ll need the Pro version of the plugin to access the Custom Captcha addon.

Simply head over to WPForms » Addons page to install and activate the Custom Captcha addon.

Install custom captcha addon

After that, you can edit your contact form and add the Captcha field to your form.

Custom captcha field

By default, it adds a random math question. You can change that to add your own custom captcha by changing the captcha type to text.

Captcha type

You can now save your form and add it to a post or page using the WPForms block.

Adding a WPForms block to your page

You can now visit your post or page to see the custom captcha in action.

Restricting WordPress Forms Access to Certain Users

Another way to protect your WordPress forms is to restrict access to logged-in members, or through a unique form password.

WPForms comes with a Form Locker addon that lets you enable various form permissions and access control rules.

With form locker you can:

  • Password Protect Forms – this requires users to enter a password to submit the form. This added protection helps decrease the number of unwanted form submissions.
  • Close Form Submissions After Specific Date / Time – this is great for any kind of application forms or other time-sensitive forms.
  • Limit the number of total submissions – this is great for contests or giveaways. Once the maximum number of entries is in, WPForms will automatically close the form.
  • Limit one entry per person – if you want to avoid duplicate submissions, then you will love this option. This is very useful for scholarship applications, giveaways, etc.
  • Restrict Forms to Members Only – you can restrict your forms to logged-in users of your WordPress site. This is great for membership sites or businesses who want to restrict support to paid customers only.

You can access the Form Locker settings inside the Form Builder Settings panel:

Enabling password protecting using Form Locker

Keeping Your WordPress Site Secure

The security of your WordPress forms depends on the security of your entire WordPress website. With some simple steps, you can strengthen your WordPress website security.

We recommend using Sucuri, the best WordPress security plugin on the market. It comes with a website firewall that blocks any suspicious activity even before it reaches your website.

For more practical tips, see our complete WordPress security guide for beginners.

We hope this article helped you create a secure contact form in WordPress. You may also want to see our guide on how to create an email newsletter and our list of must-have WordPress plugins.

The post How to Create a Secure Contact Form in WordPress appeared first on WPBeginner.