[WordPress] Plugin Share: Kitgenix CAPTCHA for Cloudflare Turnstile

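Introduction

  • The WordPress plugin "Kitgenix CAPTCHA for Cloudflare Turnstile" was published on 2025-08-10.
  • It currently has 200 active installations.
  • It was last updated on 2026-02-19, 6 days ago.
  • The plugin requires WordPress 6.0 or later to install.
  • The plugin requires the site host to run PHP 8.1 or later.
  • 5 people have rated it.
  • The support forum currently has 2 questions, with a 100% resolution rate, which is high; the developer team clearly puts effort into resolving issues!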

Plugin contributors

kitgenix |

Plugin tags

captcha | anti-spam | turnstile | cloudflare | woocommerce |

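Summary

Summary: Kitgenix CAPTCHA for Cloudflare Turnstile integrates Cloudflare Turnstile into WordPress, protecting your login, registration, lost-password and comment features, as well as WooCommerce checkout/verification forms and common form builders. It uses server-side verification, whitelisting and smart script loading, and is fast, privacy-preserving and robust.

1. How does this WordPress plugin protect users from spam?
- How does Kitgenix CAPTCHA for Cloudflare Turnstile integrate Cloudflare Turnstile and provide protection?
- What features does this plugin support? Which forms and core functions are included?

2. Describe several of this plugin's highlight features.
- What are the plugin's key features, and how do they help users?

3. How does this plugin integrate with different form builders?
- Which form builders can be integrated with this plugin?
- How do you enable or disable each integration and each form location in the settings?

4. What is the plugin's workflow when a user submits a form?
- How does the plugin arrange loading of the Cloudflare Turnstile script?
- How does the plugin operate when forms are loaded dynamically?

Original plugin description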

Spam is expensive: it wastes time, clogs inboxes, creates fake accounts, and on stores it can lead to abandoned checkout noise and fraudulent activity. Traditional CAPTCHA solutions can also hurt conversions by adding friction.
Cloudflare Turnstile is a modern, privacy-first CAPTCHA alternative designed to reduce friction for real people while still blocking bots.
Kitgenix CAPTCHA for Cloudflare Turnstile is a production-ready Turnstile integration for WordPress that focuses on reliability in real-world setups:
– Server-side token verification (using Cloudflare’s official endpoint)
– Fast, conditional loading (only where needed)
– Support for dynamic/AJAX forms and modern WooCommerce Blocks / Store API checkout
– Security features: replay protection, proxy-aware IP handling, whitelisting, and developer mode (warn-only)
You can enable/disable each integration (and many per-form toggles), choose auto-injection vs shortcode-only placement, customise display and messaging, and use built-in diagnostics and Site Health checks to troubleshoot.
Supported integrations (where Turnstile can be added)
All integrations can be enabled from settings. Many also support Mode: Auto vs Shortcode.
WordPress Core
– Login
– Registration
– Lost password
– Reset password
– Comments (including safe handling for comment failures/redirects)
WooCommerce (Classic)
– Checkout
– My Account login
– My Account registration
– Lost password
WooCommerce Blocks (Store API / Block Checkout)
– UI rendering inside block-based checkout
– Adds token to Store API requests (header and/or extensions payload when available)
– Server-side validation of Store API checkout requests
– Supports “shortcode-only mode” behaviour so you can control placement
Easy Digital Downloads (EDD)
– Checkout
– Login
– Register
– Profile editor
Form plugins
– Contact Form 7 (CF7)
– WPForms
– Fluent Forms
– Formidable Forms
– Forminator
– Gravity Forms
– JetFormBuilder
– Jetpack Forms
– Kadence Forms
– Elementor Forms (including popups and AJAX submissions)
Community / forums
– bbPress (topic/reply flows where applicable)
– BuddyPress (flows where applicable)
Core features (site-wide)
Turnstile widget rendering
– Uses Cloudflare’s official Turnstile API script
– Widget options:
  – Theme: auto / light / dark
  – Size: small / medium / large / normal / flexible
  – Appearance: stored as Turnstile “appearance” option (defaults to always)
  – Language: auto or explicit locale (passed via hl=...)
Settings & admin experience
– Settings page under the shared Kitgenix WP admin menu
– Live “test widget” preview on the settings screen (renders when a Site Key is present)
– Site Key + Secret Key storage (secret not printed in HTML by default)
– “Reveal secret key” (admins only, nonce-protected AJAX action)
Messaging & UX
– Custom error message (admin-configurable, used across integrations)
– Extra message text (optional text displayed alongside/under the widget)
– “Disable submit until completed” option (frontend behaviour via plugin JS)
Replay protection (enabled by default)
– Detects re-used tokens (hash stored in transients) and blocks replays
– TTL is filterable
– Stores hashed token markers under the transient prefix kitgenix_captcha_for_cloudflare_turnstile_ts_
– Sets a short-lived cookie (kitgenix_captcha_for_cloudflare_turnstile_ts_replay, ~120s) when replay is detected (for frontend behaviour/messages)
– Dedicated replay message (filterable)
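
The replay check described above, sketched in Python as an added example (not the plugin's PHP code). SHA-256 as the hash, the in-memory dict standing in for WordPress transients, the 300-second TTL and the `verify` callable are all assumptions made for illustration.

```python
import hashlib
import time

class ReplayGuard:
    """Remembers hashed markers of tokens already seen, each for ttl seconds.
    The dict stands in for WordPress transients (assumption)."""

    def __init__(self, ttl=300, clock=time.time):
        self.ttl, self.clock, self._seen = ttl, clock, {}

    @staticmethod
    def marker(token):
        # Only a digest is stored, so the store never holds a usable token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def first_use(self, token):
        """Record the token and return True, or return False on a replay."""
        now = self.clock()
        # Drop expired markers so the store does not grow without bound.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        key = self.marker(token)
        if key in self._seen:
            return False
        self._seen[key] = now + self.ttl
        return True

def handle_submission(guard, token, verify):
    """verify is a hypothetical callable standing in for the siteverify call."""
    if not token:
        return "missing"
    # Marked on first sight, before the remote call, so a resubmitted token
    # never reaches the verifier a second time.
    if not guard.first_use(token):
        return "replay"
    return "ok" if verify(token) else "failed"

if __name__ == "__main__":
    guard = ReplayGuard(ttl=300)
    always_valid = lambda t: True      # constructed stand-in verifier
    print(handle_submission(guard, "constructed-token-A", always_valid))
    print(handle_submission(guard, "constructed-token-A", always_valid))
```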
Developer mode (warn-only)
– Verification failures do not block submissions
– Failures are logged (and emitted via a developer log action)
– Optional inline warning annotation for admins (frontend config)
Whitelisting (skip Turnstile + skip loading API script)
– Whitelist logged-in users
– Whitelist by IP (exact, wildcards, CIDR — including IPv6)
– Whitelist by User-Agent (substring or wildcard matching)
– Filter hook to override whitelist decision
Proxy / real-IP handling
– Optional trust of proxy headers (Cloudflare / X-Forwarded-For style)
– Trusted proxy IP list / trust controls
– Forwarded headers are only honoured when the request originates from a trusted proxy
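
The trusted-proxy rule above, sketched in Python as an added example (not the plugin's PHP code). The header precedence, the right-to-left walk of X-Forwarded-For and the sample address ranges are assumptions about one reasonable implementation.

```python
import ipaddress

# Constructed sample configuration (documentation address ranges, not real proxies).
TRUSTED_PROXIES = ["198.51.100.0/24", "2001:db8:1::/48"]

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _in_any(ip, networks):
    """True if ip lies inside any of the networks (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def resolve_client_ip(remote_addr, headers, trusted_proxies, trust_headers=True):
    """Pick the client IP, honouring forwarding headers only when the TCP
    peer (remote_addr) is itself a configured trusted proxy."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_proxies]
    if not trust_headers or not _in_any(remote_addr, nets):
        # Direct connection: any forwarding header was written by the client.
        return remote_addr
    cf_ip = headers.get("CF-Connecting-IP", "").strip()
    if _is_ip(cf_ip):
        return cf_ip
    # X-Forwarded-For grows left to right, so walk it from the right: skip
    # hops that are trusted proxies, stop at the first address that is not.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if not _is_ip(hop):
            break                      # malformed entry: stop trusting the chain
        if not _in_any(hop, nets):
            return hop
    return remote_addr

if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "10.0.0.1"}
    print(resolve_client_ip("203.0.113.99", spoof, TRUSTED_PROXIES))   # header ignored
    chain = {"X-Forwarded-For": "10.9.9.9, 203.0.113.7, 198.51.100.10"}
    print(resolve_client_ip("2001:db8:1::5", chain, TRUSTED_PROXIES))  # 203.0.113.7
```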
Performance & resilience
– Conditional script loading only where needed
– Async/strategy-based script loading (depending on WP version)
– Adds resource hints (preconnect / dns-prefetch) for Turnstile domain
– Detects duplicate Turnstile API loaders (if another plugin/theme enqueues api.js):
  – Stores detection in the transient kitgenix_turnstile_duplicate_scripts
  – Shows admin notice on settings and Plugins screen
  – Includes dismiss link (nonce-protected, uses kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss_dupe=1)
Site Health + diagnostics
– Adds a Site Health test: “Cloudflare Turnstile readiness”
– Checks:
  – Keys present
  – Duplicate API loader transient (kitgenix_turnstile_duplicate_scripts)
  – Last verification success/failure snapshot
  – Heuristic warning if common optimisation/caching plugins are active
– Stores the last verify outcome (success, time, error codes) for Site Health display
– Tracks privacy-safe counters in kitgenix_captcha_for_cloudflare_turnstile_metrics (checks total/passed/failed)
Manual placement (shortcode)
If you have a custom form or an unsupported plugin, you can manually render the widget:
[kitgenix_turnstile]
Shortcode output includes:
– a nonce field
– a hidden cf-turnstile-response input
– the widget container (with data-sitekey)
– support for passing arbitrary attributes via shortcode attributes
Many supported integrations also offer Shortcode-only mode (you place the shortcode where you want; the plugin validates server-side without auto-injection).
Quick Start

1. Install and activate the plugin.
2. Open the Turnstile settings under the Kitgenix hub in wp-admin.
3. Add your Cloudflare Turnstile Site Key and Secret Key.
4. Configure widget options (theme/size/appearance/language) and messaging if needed.
5. Enable the integrations (and per-form toggles) you want.
6. Save, then test the key user journeys: login, registration, checkout, and your main contact form.

Tip: Start with Developer mode (warn-only) on staging or during rollout. Once you’re satisfied, disable warn-only to enforce blocking.
Performance and caching notes (important for stores)
Turnstile is lightweight, but aggressive optimisation can break rendering or token freshness.
If you use caching/optimisation plugins:
– Allowlist https://challenges.cloudflare.com
– Avoid full-page caching on login/account/checkout pages
– Avoid combining/inlining the Turnstile loader
– Avoid heavily delaying Elementor/form plugin scripts
– Ensure outbound HTTP requests to Cloudflare are not blocked (needed for server-side verification)
Settings Overview
Main settings:
– Site Key
– Secret Key (with “secret present” state, clear/reveal)
– Theme (auto/light/dark)
– Size (small/medium/large/normal/flexible)
– Appearance (Turnstile appearance option)
– Language (auto or specific locale)
– Disable submit until completed
– Custom error message
– Extra message text
Security & advanced:
– Replay protection (on/off)
– Developer mode (warn-only)
– Whitelist logged-in users
– Whitelist IPs (wildcards/CIDR, including IPv6)
– Whitelist user agents
– Proxy trust (enable/disable)
– Trusted proxy IPs / trust controls
Integrations (enable + per-form toggles where available):
– WordPress Core (login/register/lost password/reset password/comments)
– WooCommerce (checkout/login/register/lost password)
– WooCommerce Blocks mode (auto vs shortcode-only)
– Easy Digital Downloads (checkout/login/register/profile)
– Contact Form 7
– WPForms
– Fluent Forms
– Formidable Forms
– Forminator
– Gravity Forms
– Jetpack Forms
– Kadence Forms
– Elementor Forms
– bbPress
– BuddyPress
Developers
Shortcode:
[kitgenix_turnstile]
Server-side verification endpoint:
https://challenges.cloudflare.com/turnstile/v0/siteverify
Filters (script/loading):
– kitgenix_captcha_for_cloudflare_turnstile_script_url( $url, $settings )
– kitgenix_turnstile_freshness_ms
– kitgenix_turnstile_inline_style
Filters (verification / request handling):
– kitgenix_turnstile_siteverify_url
– kitgenix_turnstile_siteverify_timeout
– kitgenix_turnstile_siteverify_sslverify
– kitgenix_turnstile_siteverify_http_args
– kitgenix_turnstile_send_remoteip
– kitgenix_turnstile_remote_ip
– kitgenix_turnstile_token_from_request
– kitgenix_turnstile_error_codes
– kitgenix_turnstile_error_message
– kitgenix_turnstile_replay_message
– kitgenix_captcha_for_cloudflare_turnstile_{context}_turnstile_error_message
Filters (replay protection):
– kitgenix_turnstile_replay_ttl
Filters (whitelist / proxy trust):
– kitgenix_turnstile_is_whitelisted( $is_whitelisted, $details )
– kitgenix_turnstile_trust_headers
– kitgenix_turnstile_trusted_proxies
Internal identifiers (options / transients / cookies / meta):
– Option: kitgenix_captcha_for_cloudflare_turnstile_settings
– Settings group (Settings API): kitgenix_captcha_for_cloudflare_turnstile_settings_group
– Option: kitgenix_captcha_for_cloudflare_turnstile_metrics
– Option: kitgenix_turnstile_last_verify
– Transient: kitgenix_captcha_for_cloudflare_turnstile_do_activation_redirect
– Transient: kitgenix_turnstile_duplicate_scripts
– Transient prefix (replay protection): kitgenix_captcha_for_cloudflare_turnstile_ts_
– Cookie (replay notice): kitgenix_captcha_for_cloudflare_turnstile_ts_replay
– WooCommerce order meta (Blocks/Store API verification): _kitgenix_turnstile_verified
Internal nonces / actions:
– Shortcode/form nonce field name: kitgenix_captcha_for_cloudflare_turnstile_nonce
– Shortcode/form nonce action: kitgenix_captcha_for_cloudflare_turnstile_action
– Settings save nonce field name: kitgenix_captcha_for_cloudflare_turnstile_settings_nonce
– Settings save nonce action: kitgenix_captcha_for_cloudflare_turnstile_settings_save
– Admin AJAX action (reveal saved secret): kitgenix_turnstile_get_secret (WordPress hook: wp_ajax_kitgenix_turnstile_get_secret)
– Admin AJAX nonce action (reveal saved secret): kitgenix_turnstile_reveal_secret
– Duplicate-loader notice dismiss query arg: kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss_dupe
– Duplicate-loader notice dismiss nonce action: kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss
Actions (developer logging):
– kitgenix_turnstile_dev_log
External Services
This plugin uses Cloudflare Turnstile to verify requests and prevent spam and abuse.
The plugin may:
– Load the Turnstile script:
https://challenges.cloudflare.com/turnstile/v0/api.js
– Submit verification requests server-side to:
https://challenges.cloudflare.com/turnstile/v0/siteverify
When verification is enabled, the plugin sends to Cloudflare:
– Your Turnstile secret key
– The Turnstile response token
– The visitor IP address (as the optional remoteip parameter, when enabled)
The plugin does not send the visitor’s browser user agent to Cloudflare as part of the verification payload (the HTTP request itself is made server-side by WordPress).
If proxy trust is enabled, the plugin may read forwarding headers (e.g. CF-Connecting-IP, X-Forwarded-For) to determine the client IP, but only when requests originate from configured trusted proxies.
The plugin does not add tracking cookies itself and does not sell or share personal data.
Cloudflare Turnstile Terms: https://developers.cloudflare.com/turnstile/
Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
This plugin also includes a shared “Kitgenix hub” component in wp-admin which may fetch publicly available plugin metadata from WordPress.org using the WordPress core plugins_api() function (WordPress.org Plugins API).

– When it runs: only in wp-admin (Kitgenix plugin admin pages)
– Data sent: plugin slug(s) (no personal data)
– Data received: publicly available plugin information (e.g. active installs, ratings)
– Caching: responses are cached locally using transients for ~1 day:
  – kitgenix_hub_wporg_active_installs_v1
  – kitgenix_hub_wporg_ratings_v1

Trademark Notice
“Cloudflare” and the Cloudflare logo are trademarks of Cloudflare, Inc. This plugin is not affiliated with or endorsed by Cloudflare, Inc.
Support Development
If this plugin helps keep spam away without slowing your site down, you can support ongoing development here:
https://buymeacoffee.com/kitgenix
Credits
Built with ❤︎ by @kitgenix – https://kitgenix.com

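Download links for each version

  • Method 1: Click a version number link below to download the ZIP file, log in to the site admin, go to "Plugins" > "Add New" in the left menu, choose "Upload Plugin" at the top, then upload the downloaded ZIP package to install and activate it.
  • Method 2: Use the search box on the right of the "Add New" plugin screen and search for the plugin name "Kitgenix CAPTCHA for Cloudflare Turnstile" to install it.

(Method 2 is recommended, to ensure the installed version matches the WordPress environment currently running.)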


1.0.0 | 1.0.1 | 1.0.2 | 1.0.3 | 1.0.4 | 1.0.5 | 1.0.6 | 1.0.7 | 1.0.8 | 1.0.9 | trunk | 1.0.10 | 1.0.11 | 1.0.12 | 1.0.13 | 1.0.14 | 1.0.15 | 1.0.16 | 1.0.17 | 1.0.12.1 |

Related plugins (you may also want to know about)

  • Simple CAPTCHA Alternative with Cloudflare Turnstile 》Easily add Cloudflare Turnstile to all the forms on your WordPress site to protect them from spam! A user-friendly, privacy-preserving reCAPTCHA alternative...
  • Easy Spam Filter – Privacy-Friendly CAPTCHA Alternative with Turnstile for Contact Form 7, WPForms, BuddyPress, Elementor 》Cloudflare Turnstile for WordPress, WooCommerce, Contact Form 7, BuddyPress, WPForms and other plugins is the best reCAPTCHA alternative on WordPress. “Research...
  • Cartpauj Register Captcha 》Cartpauj Register Captcha's function is very simple but very effective. It prevents spam registrations through WordPress's default registration form. No configuration or setup is needed; just activate the plugin and it can...
  • Integrator for Turnstile and reCAPTCHA. 》★★★★★ The reCAPTCHA For All Plugin uses invisible reCaptcha V3 (Google) to protect all pages of your site from bots (spam, hackers, fake users and other types of automated abuse)...
  • Enable Turnstile (Cloudflare) for Gravity Forms 》- Cloudflare Turnstile plugin is a secure solution to protect Gravity Forms from spam and malicious attacks. - It is the latest CAPTCHA advancement ...
  • Hizzle CAPTCHA – Protect your forms from spam 》This is a lightweight Google reCAPTCHA plugin for WordPress and WooCommerce. ★★★★★ It lets you protect the following forms: WordPress/WooCommerce login forms. WordPre...
  • Give – Cloudflare Turnstile
  • Bot Protection with Turnstile 》Summary: Bot Protection with Turnstile lets you use Cloudflare's privacy-preserving, CAPTCHA-free challenge on the common attack surfaces of a WordPress site. 1. This plugin can, on WordPre...
  • By MountDev: Cloudflare Turnstile 》The following is a summary of the article: - Cloudflare Turnstile is a next-generation CAPTCHA solution that protects your WordPress site without affecting the user experience. Next is a set of questions and answers: 1...
  • BWG CF Turnstile 》Summary: BWG CF Turnstile integrates Cloudflare's Turnstile service with Gravity Forms, providing an effective and user-friendly way to block spam and bot submissions. Turnstile is Cloudf...
  • VisualWP Cloudflare Turnstile – Easy Anti-Spam alternative to CAPTCHA 》Increase security and protect your site from bots, spam and hackers. Cloudflare Turnstile is a friendly, free CAPTCHA alternative that gives site visitors a frustration-free experience. Using...
  • BotShield CAPTCHA for Contact Form 7 》Summary: BotShield CAPTCHA is a powerful yet simple CAPTCHA protection plugin that can protect your Contact Form 7 forms without needing third-party API keys or services, keeping...
  • Turnstile Pro – Cloudflare CAPTCHA Protection 》Summary: Turnstile Pro adds Cloudflare's free Turnstile CAPTCHA protection to your WordPress site, without using Google reCAPTCHA. Questions and answers:...
  • SecureGate Captcha Lite
  • Automatic Language Mapper for Simple Cloudflare Turnstile 》Summary: This plugin forces Cloudflare Turnstile to use the current site language rather than the saved plugin setting. It is especially suited to multilingual sites using WPML, but also works on single-language sites relying on WordPres...
