pixelopen / magento-cloudflare-turnstile
pixelopen/magento-cloudflare-turnstile
Protect your store from spam messages and spam user accounts with Cloudflare Turnstile
Magento Cloudflare Turnstile
Presentation
Turnstile is Cloudflare's smart CAPTCHA alternative. The module allows Turnstile to protect your Magento OpenSource or Adobe Commerce forms.
[image: Cloudflare Turnstile]
Frontend Forms
- Contact
- Login
- Register
- Reset password
- Review
- Send product to friend
- Newsletter
Admin Forms
- Login
- Reset password
Requirements
- Magento >= 2.4.4
- PHP >= 8.0
Installation
composer require pixelopen/magento-cloudflare-turnstile
Configuration
Disable all Magento Captcha
Stores > Configuration > Customers > Customer Configuration > CAPTCHA
- Enable CAPTCHA on Storefront: no
Stores > Configuration > Security > Google reCAPTCHA Storefront > Storefront
- Enable for Customer Login: no
- Enable for Forgot Password: no
- Enable for Create New Customer Account: no
- Enable for Contact Us: no
- Enable for Product Review: no
Stores > Configuration > Security > Google reCAPTCHA Admin Panel > Admin Panel
- Enable for Login: no
- Enable for Forgot Password: no
Enable Cloudflare Turnstile
Stores > Configuration > Services > Cloudflare Turnstile
Settings
- Sitekey: the sitekey given for the site in your Cloudflare dashboard
- Secret key: the secret key given for the site in your Cloudflare dashboard
Storefront
- Enabled: enable Cloudflare Turnstile
- Theme: the Turnstile theme (auto, light or dark)
- Size: the widget size (compact, normal, or flexible)
- Forms to validate: the frontend forms where a Turnstile validation is required
Admin Panel
- Enabled: enable Cloudflare Turnstile
- Theme: the Turnstile theme (auto, light or dark)
- Size: the widget size (compact, normal, or flexible)
- Forms to validate: the admin forms where a Turnstile validation is required
Override default config
You can specifically change theme and size values for a form in the layout:
<?xml version="1.0"?>
<!-- layout/customer_account_login.xml -->
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
<body>
<referenceContainer name="form.additional.info">
<block name="pixel.open.cloudflare.turnstile.login">
<action method="setSize">
<argument name="size" xsi:type="string">compact</argument>
</action>
<action method="setTheme">
<argument name="theme" xsi:type="string">dark</argument>
</action>
</block>
</referenceContainer>
</body>
</page>
Command line configuration
Settings
bin/magento config:set pixel_open_cloudflare_turnstile/settings/secret_key {secret_key}
bin/magento config:set pixel_open_cloudflare_turnstile/settings/sitekey {sitekey}
Frontend
bin/magento config:set pixel_open_cloudflare_turnstile/frontend/enabled {1|0}
bin/magento config:set pixel_open_cloudflare_turnstile/frontend/theme {auto|light|dark}
bin/magento config:set pixel_open_cloudflare_turnstile/frontend/size {normal|compact|flexible}
bin/magento config:set pixel_open_cloudflare_turnstile/frontend/forms contact,register,login,login-ajax,password
Admin
bin/magento config:set pixel_open_cloudflare_turnstile/adminhtml/enabled {1|0}
bin/magento config:set pixel_open_cloudflare_turnstile/adminhtml/theme {auto|light|dark}
bin/magento config:set pixel_open_cloudflare_turnstile/adminhtml/size {normal|compact|flexible}
bin/magento config:set pixel_open_cloudflare_turnstile/adminhtml/forms login,password
Testing
Use the following sitekeys and secret keys for testing purposes:
Sitekey
| Sitekey | Description |
|---|---|
| 1x00000000000000000000AA | Always passes |
| 2x00000000000000000000AB | Always blocks |
| 3x00000000000000000000FF | Forces an interactive challenge |
Secret key
| Secret key | Description |
|---|---|
| 1x0000000000000000000000000000000AA | Always passes |
| 2x0000000000000000000000000000000AA | Always fails |
| 3x0000000000000000000000000000000AA | Yields a "token already spent" error |
Definitely remove re-captcha
To remove all native re-captcha modules, add all modules in the "replace" node of the composer.json.
{
"replace": {
"magento/module-re-captcha-admin-ui": "*",
"magento/module-re-captcha-checkout": "*",
"magento/module-re-captcha-checkout-sales-rule": "*",
"magento/module-re-captcha-contact": "*",
"magento/module-re-captcha-customer": "*",
"magento/module-re-captcha-frontend-ui": "*",
"magento/module-re-captcha-gift-card": "*",
"magento/module-re-captcha-invitation": "*",
"magento/module-re-captcha-migration": "*",
"magento/module-re-captcha-multiple-wishlist": "*",
"magento/module-re-captcha-newsletter": "*",
"magento/module-re-captcha-paypal": "*",
"magento/module-re-captcha-review": "*",
"magento/module-re-captcha-send-friend": "*",
"magento/module-re-captcha-store-pickup": "*",
"magento/module-re-captcha-ui": "*",
"magento/module-re-captcha-user": "*",
"magento/module-re-captcha-validation": "*",
"magento/module-re-captcha-validation-api": "*",
"magento/module-re-captcha-version-2-checkbox": "*",
"magento/module-re-captcha-version-2-invisible": "*",
"magento/module-re-captcha-version-3-invisible": "*",
"magento/module-re-captcha-webapi-api": "*",
"magento/module-re-captcha-webapi-graph-ql": "*",
"magento/module-re-captcha-webapi-rest": "*",
"magento/module-re-captcha-webapi-ui": "*"
}
}
100.3.0
- Allow adding a captcha to the native newsletter subscription block (2)
100.2.8
- Fix multiple widget renderer on ajax login
- Fix ajax login event when cart is not subscribed
100.2.7
- Added "flexible" size option (@MikeWilkie)
100.2.6
- Widget added during checkout login when email exists (14)
100.2.5
- Fix redirect URI error when no referer
100.2.4
- Fix configuration scope (@Igmar95)
100.2.3
- Avoid PHP error when module action class does not exist
100.2.2
- Invalid response message updated
- Send product to friend form protection
100.2.1
- Fix review form persistence
- Simpler way to add an action to validate
- New data persistor interface
100.2.0
- Admin "login" and "reset password" forms validation
- Validation added on guest checkout login form
- Widget size configuration
- French translation
- Fix API request on each page with authentication popup
- Fix widget resetting on ajax call
100.1.2
- Config path updated
- CSP Whitelist added
- Fix form validator when Turnstile is disabled
100.1.1
- Fix review data persistor
- Do not use deprecated inheritance in controllers
- Module dependencies updated
100.1.0
- First stable release
| Version | Stability | QA Status | Compatibility | Released |
|---|---|---|---|---|
| 100.3.0 | stable | Fail | Magento 2.4.7-2.4.9 Details | 2025-10-03 13:29:46 |
| 100.2.8 | stable | Not tested | Not yet tested Details | 2025-07-18 12:56:58 |
| 100.2.7 | stable | Not tested | Not yet tested Details | 2025-04-10 14:32:08 |
| 100.2.6 | stable | Not tested | Not yet tested Details | 2024-06-27 08:38:15 |
| 100.2.5 | stable | Not tested | Not yet tested Details | 2024-03-26 14:00:47 |
| 100.2.4 | stable | Not tested | Not yet tested Details | 2024-02-20 20:49:47 |
| 100.2.3 | stable | Not tested | Not yet tested Details | 2023-12-22 13:57:57 |
| 100.2.2 | stable | Not tested | Not yet tested Details | 2023-12-21 09:05:10 |
| 100.2.1 | stable | Not tested | Not yet tested Details | 2023-12-15 09:57:04 |
| 100.2.0 | stable | Not tested | Not yet tested Details | 2023-12-12 10:41:59 |
| 100.1.2 | stable | Not tested | Not yet tested Details | 2023-04-13 09:20:35 |
| 100.1.1 | stable | Not tested | Not yet tested Details | 2022-11-04 21:41:44 |
| 100.1.0 | stable | Not tested | Not yet tested Details | 2022-11-04 13:42:56 |
Requires 3
| Package | Constraint |
|---|---|
| php | ^8 |
| magento/module-config | * |
| magento/framework | * |
Compatibility
Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.
Code Quality
Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge — a phpcs finding can't make a module incompatible.
Static analysis
Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.
PHPStan
Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases. Cell → details modal.
Tests
Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.
Unit tests
| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | ||
| 2.4.8 | N/A | N/A | ||
| 2.4.9 | N/A | N/A |
Integration tests
| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | ||
| 2.4.8 | N/A | N/A | ||
| 2.4.9 | N/A | N/A |
Security
Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.
Turn an existing module into recurring revenue.
If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.