CWeb Form Protection with Turnstile for Elementor Forms
| 开发者 | alexandreminem |
|---|---|
| 更新时间 | 2026年6月20日 20:17 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
- Per-form Turnstile field for Elementor Pro Forms — drag it into the forms you choose.
- Optional "all Elementor Pro forms" switch — protect every Elementor Pro form at once, without adding the field to each one (off by default).
- Optional protection for the built-in WordPress forms:
- Login
- Registration
- Lost password
- Comments
- Optional protection for WooCommerce forms (one toggle each):
- Checkout (classic shortcode checkout)
- Login (My account, and the checkout "returning customer" login)
- Registration (My account)
- Account details
- One-click import of keys and settings from the "Simple Cloudflare Turnstile" plugin (no need to recreate your Cloudflare keys).
- Global widget appearance settings (theme, size, visibility, language).
- Strict server-side token verification (single-use tokens, 5-minute validity).
- Secure-by-default behaviour: missing/invalid tokens are always blocked; the behaviour when Cloudflare itself is unreachable is configurable.
- Write-only secret key (never displayed or sent to the browser).
- Lightweight: in the default per-form mode, the Cloudflare script loads only on pages that actually show a widget. (The optional "all forms" mode loads it across the front end so late-loaded forms are covered.)
- The Elementor field requires Elementor Pro (the Forms widget is a Pro feature). Without Elementor Pro, the WordPress form integrations still work.
- A free Cloudflare Turnstile site key and secret key.
- When a protected form is displayed, the visitor's browser loads
https://challenges.cloudflare.com/turnstile/v0/api.jsfrom Cloudflare. - When a protected form is submitted, your server sends a request to
https://challenges.cloudflare.com/turnstile/v0/siteverifycontaining: the Turnstile token from the widget (cf-turnstile-response), your secret key, and — unless disabled with thecwebts_remoteipfilter — the visitor's IP address (REMOTE_ADDR). The secret key is never sent to the browser. - Cloudflare Turnstile: https://www.cloudflare.com/products/turnstile/
- Terms of Service: https://www.cloudflare.com/website-terms/
- Privacy Policy: https://www.cloudflare.com/privacypolicy/
安装:
- Upload the plugin to
/wp-content/plugins/or install it from the Plugins screen. - Activate it.
- Go to Settings → CWeb Form Protection and enter your Cloudflare site key and secret key.
- (Elementor) Edit a form, add the Cloudflare Turnstile field where you want the widget, then save.
- (WordPress forms) Enable the toggles for login, registration, lost password and/or comments.
- (WooCommerce) Enable the toggles under WooCommerce forms for the checkout, login, registration and/or account-details forms.
屏幕截图:
常见问题:
Does it protect every Elementor form automatically?
By default, no — and that is the point. You add the Turnstile field only to the forms you want to protect, and forms without the field are left untouched. If you prefer, turn on Settings → CWeb Form Protection → Elementor Pro forms → "All Elementor Pro forms" to protect every Elementor Pro form automatically, without adding the field to each one.
Does it work without Elementor Pro?
The Elementor field needs Elementor Pro (Forms is a Pro module). The WordPress login, registration, lost password and comment integrations work on any WordPress site.
Which WooCommerce forms are protected?
Under Settings → CWeb Form Protection → WooCommerce forms you can protect the classic checkout, the login form (My account and the checkout "returning customer" login), the registration form and the account-details form — each with its own toggle. The lost-password form uses the existing "Lost password form" toggle, and product reviews use the "Comment form" toggle. This version protects the classic (shortcode) checkout. The newer WooCommerce Checkout Block (the Gutenberg block) is not covered yet, and the Pay for order and Add payment method forms are out of scope. Account creation during checkout is protected by the Checkout toggle (not the Registration toggle).
Is the secret key safe?
Yes. The secret key is stored server-side, is never printed in the page, and is never sent to the browser. The settings screen never displays it back.
I already use "Simple Cloudflare Turnstile". Do I have to recreate my keys?
No. If that plugin's settings are present, the Settings → CWeb Form Protection page shows an "Import keys & settings" button that copies your site key, secret key, appearance options and form toggles over. Your existing Cloudflare keys keep working — nothing is regenerated, and the other plugin is left untouched.
What happens if Cloudflare can't be reached?
Missing or invalid tokens are always rejected. If Cloudflare's verification endpoint is unreachable (network error or timeout), the "If Cloudflare is unreachable" setting decides whether to block (default, more secure) or allow (more available) the submission.
更新日志:
- New: protect WooCommerce forms, with one opt-in toggle each (all off by default) under a new "WooCommerce forms" section — Checkout (classic shortcode checkout), Login (My account and the checkout "returning customer" login), Registration (My account), and Account details.
- The checkout widget sits right before the "Place order" button. WooCommerce reloads that area via AJAX when the customer changes shipping or payment, so the widget is re-rendered immediately afterwards to keep a valid token at submit time.
- Registration is validated on the scoped
woocommerce_process_registration_errorshook; account creation during checkout is covered by the Checkout toggle instead, so enabling Registration alone never blocks a checkout. - Scope: the classic (shortcode) checkout only. The WooCommerce Checkout Block (Gutenberg) is not protected in this version; the lost-password form keeps its existing toggle and product reviews keep the comment toggle.
- Fix: replying to a comment from the WordPress admin (the
replyto-commentAJAX action) was blocked when "Protect comments" was enabled. WordPress builds those replies server-side with no Turnstile widget, so no token is ever sent. Moderators now skip the check in the admin AJAX context; the public comment form stays protected. - Fix: a widget hitting a persistent render error (for example a site key restricted to another domain) retried forever, flooding Cloudflare with failed requests and flickering. It now retries a couple of times to recover from a transient network glitch, then stops; a successful challenge clears the counter. No change to server-side verification.
- New: optional "Protect all Elementor Pro forms" setting (off by default). When enabled, the Turnstile widget is added to every Elementor Pro form automatically — including forms loaded in popups or via AJAX — without adding the per-form field. The per-form field remains the default.
- Fix: the Cloudflare Turnstile widget now renders on the WooCommerce "Lost password" form (/my-account/lost-password/). Previously the widget did not appear and every password reset was rejected.
- Initial release: per-form Turnstile field for Elementor Pro; WordPress login, registration, lost password and comment integrations; global appearance settings; strict server-side verification.