Cloudflare Turnstile for Magento 2

Turnstile is Cloudflare's smart CAPTCHA alternative. The module allows Turnstile to protect your Magento or Adobe Commerce forms: contact, login, register, reset password, reset password and review

Last updated: 2023-12-22

Cloudflare Turnstile for Magento 2




>= 2.4.4


>= 8.0.0



What is Cloudflare Turnstile?

Cloudflare Turnstile is a new real alternative to Google Re-Captcha. Actually, approximately 97% of the most visited websites use Google Captcha systems.

However, Re-Captcha is known to complicate UX and have poor privacy. John Graham-Cumming, the CTO of Cloudflare said:

"The biggest issue with CAPTCHA is that user experience is terrible. As computers have gotten better at solving them, the user experience has only gotten worse."

With Turnstile, Cloudflare tries to simplify the form validation with a study of the browser environments to detect a real user versus spambots, without visual tests that a user with visual disabilities can't solve.

At pixel open we have been successfully testing Turnstile for several weeks.

Turnstile on Magento

We no longer use official reCaptcha modules on Magento (26 modules on Adobe Commerce). The most painful thing with reCaptcha is always throwing exceptions during failures, polluting error tracking applications like Sentry or New Relic.

The Turnstile module is simple to use and understand. It is now fully compatible with Luma, but not yet with Hyvä (we work on it!). The module actually protects:

  • Login on admin and frontend forms (with authentication popup and login in guest checkout)
  • Reset password on admin and frontend forms
  • Register form
  • Contact form
  • Product review form
  • Send product to friend

We try to achieve the integration with less code as possible without too mush abstraction to simplify understanding.


composer require pixelopen/magento-cloudflare-turnstile

Get the module documentation on the module repository: Magento Cloudflare Turnstile



  • Avoid PHP error when module action class does not exist


  • Invalid response message updated

  • Send product to friend form protection


  • Fix review form persistence

  • Simpler way to add an action to validate

  • New data persistor interface


  • Admin "login" and "reset password" forms validation

  • Validation added on guest checkout login form

  • Widget size configuration

  • French translation

  • Fix API request on each page with authentication popup

  • Fix widget resetting on ajax call


  • Config path updated

  • CSP Whitelist added

  • Fix form validator when Turnstile is disabled


  • Fix review data persistor

  • Do not use deprecated inheritance in controllers

  • Module dependencies updated


  • First stable release