Cloudflare has just recently unveiled a privacy-focused, non-intrusive, and free-to-use replacement to CAPTCHA, and the WordPress plugin community is gradually adding support for the new alternative.
However, not all plugin developers are rushing to add Turnstile functionality, and some have given reasons that could make other developers hesitant.
What Is The Cloudflare Turnstile?
Turnstile is a privacy-centric method of preventing spam submissions to any form a user might fill out, including but not limited to those for contacting the site’s administrators, registering for an account, or logging in.
In addition to the fact that it does not track users, another plus is that it blends in seamlessly with the background, making for a smooth and hassle-free experience for site visitors.
After implementing Turnstile, one website owner found that only one visitor out of 127 was actually challenged by it.
Turnstile is a privacy-conscious option because no user data is collected or stored.
“In June, we announced an effort with Apple to use Private Access Tokens.
Visitors using operating systems that support these tokens, including the upcoming versions of macOS or iOS, can now prove they’re human without completing a CAPTCHA or giving up personal data.
By collaborating with third parties like device manufacturers, who already have the data that would help us validate a device, we are able to abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves. Rather than interrogating a device directly, we ask the device vendor to do it for us.
Private Access Tokens are built directly into Turnstile.
While Turnstile has to look at some session data (like headers, user agent, and browser characteristics) to validate users without challenging them, Private Access Tokens allow us to minimize data collection by asking Apple to validate the device for us.
Does Integration With WordPress Exist?
Although a plugin for integrating Turnstile into WordPress sites was not mentioned in Cloudflare’s launch of Turnstile, a Cloudflare representative was quoted by TechCrunch as claiming that one is in the works:
“Cloudflare says it’s working on plugins for major platforms like WordPress to make Turnstile easier to deploy…”
Some WordPress plugins have already begun incorporating Turnstile into their software to make it a simple option for users.
- On October 4, 2022, the developers of the WS Form WordPress plugin integrated support for Turnstile into their product, giving users who were interested in trying out the service a second option.
- On October 7, 2022, the developers of the Fluent Forms WordPress plugin released an informative guide on how to integrate Turnstile into the plugin’s already robust feature set.
- On October 11, 2022, support for Turnstile was introduced to the Site Reviews plugin, which is used by more than 40,000 WordPress authors at now.
Over 5 million WordPress sites utilize Contact Form 7, yet the developer of the popular form has not yet implemented Turnstile support.
In order to incorporate Turnstile into Contact Form 7, a publisher who requested assistance with the plugin highlighted that official support is required:
“…The migration instruction provided by Cloudflare is more likely for a static page/website.
You have to migrate differently with WordPress and CF7, which will involve …modifying the CF7 reCaptcha module files and even the contact template.
So I guess it is will easier to check CF7’s source code and build a new module.”
There is a request for integration with Contact Form 7 made in GitHub but the publisher of the contact form answered and indicated they would not be adding support for it at this time:
“For now, I’m not interested in natively supporting Turnstile.
Cloudflare has not yet provided sufficient ground that supports Turnstile is greater than reCAPTCHA in privacy terms.
Also it’s still in the open beta stage.”
The publisher claimed that Cloudflare had not given “adequate foundation” for moving away from reCAPTCHA for privacy reasons. Someone in the Contact Form 7 GitHub feature request replied:
“I think the fact that Google’s business is advertising (which benefits from analytics about the users who are their product that they sell to advertisers) and Cloudflare’s business is selling services to people and companies who pay them is a good basis for the difference in their motivations and their different approach to protecting privacy.
An example of this is how Mozilla has partnered with Cloudflare because of this commitment to privacy that they have and their lack of a conflict of interests between user privacy and their business (which differs from Google). (Disclosure, I work at Mozilla)”
The publisher replied by:
“Maybe I would reject the PRs. Turnstile is not that attractive to me. I would suggest creating it as an independent plugin.”
Turnstile Is In Beta Testing
The publisher of Contact Form 7 has a good reason for not allowing Turnstile integration right now.
When a product is in beta, it has reached the point of being ready for use but still has to be tested because it may have bugs.
Thus, everyone who deploys Turnstile serves as an unofficial beta tester for Cloudflare.
People are excited about Turnstile because Cloudflare is a well-known, reliable brand that is known for providing privacy, security, and high-quality solutions that help publishers speed up their websites.
— Adam J. Humphreys (@Making8) October 11, 2022
It’s possible that the number of plugins that can be integrated with WordPress will increase, giving administrators of WordPress sites more tools to keep spammers away.