Turnstile allowing tons of spam through

What is the name of the domain?

What is the issue you’re encountering

Turnstile allowing tons of spam through

What steps have you taken to resolve the issue?

We’re using invisible Turnstile with Gravity Forms, and spam form submissions have been flooding in over the past few days, starting about the 4th of July. We’re seeing this across dozens of sites that we manage. We were getting some spam before this, but it really ramped up over the past week. Are there any solutions? Is the Managed or Non-Interactive version better? We’d prefer not to have to ask the user to do anything, if possible, but not at the cost of all of this spam.

What are the steps to reproduce the issue?

Use the invisible version of Turnstile with Gravity Forms. Get spam.

The managed/interactive version might stop or reduce the frequency of the attack.

I would advice making a ticket and sharing your experience there, engineers might be able to look at it and analyze the situation.

1 Like

@jnperamo Does it appear that the Turnstile widget is actually loading on the front-end of the site? There are entries added to the console in the browser’s dev tools (e.g. “Request for the Private Access Token challenge.”) – you should be able to compare the experience on the front-end with that when loading the Turnstile settings page in the Gravity Forms settings.

I am seeing a similar issue using Gravity Forms, and have just submitted a ticket to their support team. The Turnstile widget loads fine through their settings page, but not on the front-end when a form containing the Turnstile field is loaded.

1 Like

Having the same issues across multiple Gravity Forms websites over the last several days, whether using Turnstile in Managed mode or otherwise. Hopefully Cloudflare can resolve this soon.

Gravity Forms support responded with the following:

This is an issue we became aware of yesterday. It appears Cloudflare has modified the Turnstile API, the endpoint the add-on uses to determine if the keys are valid when preparing the form markup now returns a 404 not found error for some sites. Our product team have an issue for this on their to-do list. We’ll let you know as soon as a fix is available.

Hopefully, they’ll have a plugin update to address the Cloudflare change very soon!


Nice. Thanks to everyone else here who reached out to Gravity Forms!

1 Like

Latest update from support:

We have released an update for the Turnstile add-on (version 1.2.0) that should resolve the issue you’re experiencing. Please apply the update at your convenience, then be sure to purge any caching plugins, CDNs, Cloudflare, etc that may be in place.

My limited testing thus far shows things working as expected once again.

1 Like