Hi I installed turnstile but it’s having zero effect on stopping spam. Are there some settings I’ve missed and should be looking for? Any help would be greatly helpful. We’re a small mental health agency and can use all the help we can get.
bump still hoping for help
I think a bit more information would be useful. Can you post a link to the page where Turnstile is implemented? Is the issue that the Turnstile browser challenges never fail? How have you determined this?
Hey thanks for replying. Here’s the page:
[type or paste code here](https://alphafamilycounseling.net/contact-7/)
I honestly don’t know what the problem is as I’m not very knowledgeable about what could be causing failures. But it seems that no spammer is halted by this implementation. We’re getting the same amount of spam now as before installing the widget.
Any ideas on what we could look into would be greatly appreciated.
Your problem is you aren’t verifying the challenge pass at all (sorry for the few spam submissions to test that, lol).
You need to actually verify the response server-side: Server-side validation · Cloudflare Turnstile docs
As it stands right now, you don’t even need to pass or finish the challenge to Submit the form, and you can do so entirely automated. When the client passes the challenge, it needs to send the token to the backend (as part of the form submission), and the backend needs to verify it.
If you don’t know how to do that/it’s too involved/etc, you could try adding a Managed Challenge or a Interactive Challenge via Custom Rules on that path (
/contact-7/, forcing them to solve it first before they can use the form. Those will use Turnstile if needed (Managed Challenges will pick what challenge to serve: Cloudflare challenges · Cloudflare Fundamentals docs)
thanks for this guidance. I’m looking into it.
We did actually use the Simple Cloudflare Turnstile plugin to install the solution on our site.
The Turnstile settings are currently set to Managed Challenge as seen here:
Shouldn’t it be presenting some kind of challenge to spammers with this setting?
The most obvious problem in the Turnstile settings that you shared is that you have not enabled it on any of your forms! Look for the section labeled Enable Turnstile on your forms. Check the box next to each form that you want to protect.
I would also leverage the option to Disable Submit Button up in the General Settings. Checking that box will prevent the submit button from appearing until the Turnstile challenge has been completed.
Thanks for looking over my post. Actually I’m pretty sure it is enabled because it’s in a codeblock in this layout builder:
And you can see the widget appearing on the page:
I have selected that Disable Submit Button option earlier this morning.
Any other ideas?
I pulled up up the settings in one of my sites that uses Turnstile and I do not have any of the Default WordPress Forms, but I do have a subsequent section for my Gravity Forms that is enabled.
I don’t use Contact Form 7, so I cannot confirm whether it should have a section added to the settings, but the text in the Other Integrations strongly suggests it should.