# pixelopen/magento-cloudflare-turnstile > Protect your store from spam messages and spam user accounts with Cloudflare Turnstile `composer require pixelopen/magento-cloudflare-turnstile` Canonical URL: https://packagento.com/pixelopen/magento-cloudflare-turnstile ## At a glance - **Vendor**: pixelopen (https://packagento.com/pixelopen.md) - **Latest version**: 100.3.0 — released 2025-10-03 - **Pricing**: Free - **Package type**: Magento 2 module - **Status**: active, accepting new buyers ## Installation Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them. 1. **Sign in or create an account** at https://packagento.com/customer/account/. 2. **Add the package to your account.** Open https://packagento.com/pixelopen/magento-cloudflare-turnstile and complete the free checkout. A licence is minted automatically. 3. **Create or pick a project, then activate the licence on it.** - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/. - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project. 4. **Add the project credentials to your Magento codebase.** Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`: ```json { "http-basic": { "packagento.com": { "username": "ppk_live_...", "password": "psk_live_..." } } } ``` Add the Packagento Composer repository to `composer.json`: ```json { "repositories": [ { "type": "composer", "url": "https://packagento.com" } ] } ``` 5. **Install and apply.** ```bash composer require pixelopen/magento-cloudflare-turnstile:* bin/magento setup:upgrade bin/magento setup:di:compile bin/magento cache:flush ``` ## What it does Protect your store from spam messages and spam user accounts with Cloudflare Turnstile ## README [![Minimum PHP Version](https://img.shields.io/badge/php-%3E%3D%208.0-green)](https://php.net/) [![Minimum Magento Version](https://img.shields.io/badge/magento-%3E%3D%202.4.4-green)](https://business.adobe.com/products/magento/magento-commerce.html) [![GitHub release](https://img.shields.io/github/v/release/Pixel-Open/magento-cloudflare-turnstile)](https://github.com/Pixel-Open/magento-cloudflare-turnstile/releases) ### Presentation [Turnstile](https://developers.cloudflare.com/turnstile/) is Cloudflare's smart CAPTCHA alternative. The module allows Turnstile to protect your Magento OpenSource or Adobe Commerce forms. ![Cloudflare Turnstile](screenshot.png) #### Frontend Forms - Contact - Login - Register - Reset password - Review - Send product to friend - Newsletter #### Admin Forms - Login - Reset password ### Requirements - Magento >= 2.4.4 - PHP >= 8.0 ### Installation ``` composer require pixelopen/magento-cloudflare-turnstile ``` ### Configuration #### Disable all Magento Captcha *Stores > Configuration > Customers > Customer Configuration > CAPTCHA* - **Enable CAPTCHA on Storefront**: no *Stores > Configuration > Security > Google reCAPTCHA Storefront > Storefront* - **Enable for Customer Login**: no - **Enable for Forgot Password**: no - **Enable for Create New Customer Account**: no - **Enable for Contact Us**: no - **Enable for Product Review**: no *Stores > Configuration > Security > Google reCAPTCHA Admin Panel > Admin Panel* - **Enable for Login**: no - **Enable for Forgot Password**: no #### Enable Cloudflare Turnstile *Stores > Configuration > Services > Cloudflare Turnstile* **Settings** - **Sitekey**: the sitekey given for the site in your Cloudflare dashboard - **Secret key**: the secret key given for the site in your Cloudflare dashboard **Storefront** - **Enabled**: enable Cloudflare Turnstile - **Theme**: the Turnstile theme (auto, light or dark) - **Size**: the widget size (compact, normal, or flexible) - **Forms to validate**: the frontend forms where a Turnstile validation is required **Admin Panel** - **Enabled**: enable Cloudflare Turnstile - **Theme**: the Turnstile theme (auto, light or dark) - **Size**: the widget size (compact, normal, or flexible) - **Forms to validate**: the admin forms where a Turnstile validation is required #### Override default config You can specifically change theme and size values for a form in the layout: ```xml compact dark ``` #### Command line configuration ##### Settings ```shell bin/magento config:set pixel_open_cloudflare_turnstile/settings/secret_key {secret_key} bin/magento config:set pixel_open_cloudflare_turnstile/settings/sitekey {sitekey} ``` ##### Frontend ```shell bin/magento config:set pixel_open_cloudflare_turnstile/frontend/enabled {1|0} bin/magento config:set pixel_open_cloudflare_turnstile/frontend/theme {auto|light|dark} bin/magento config:set pixel_open_cloudflare_turnstile/frontend/size {normal|compact|flexible} bin/magento config:set pixel_open_cloudflare_turnstile/frontend/forms contact,register,login,login-ajax,password ``` ##### Admin ```shell bin/magento config:set pixel_open_cloudflare_turnstile/adminhtml/enabled {1|0} bin/magento config:set pixel_open_cloudflare_turnstile/adminhtml/theme {auto|light|dark} bin/magento config:set pixel_open_cloudflare_turnstile/adminhtml/size {normal|compact|flexible} bin/magento config:set pixel_open_cloudflare_turnstile/adminhtml/forms login,password ``` #### Testing Use the following sitekeys and secret keys for testing purposes: **Sitekey** | Sitekey | Description | |--------------------------|---------------------------------| | 1x00000000000000000000AA | Always passes | | 2x00000000000000000000AB | Always blocks | | 3x00000000000000000000FF | Forces an interactive challenge | **Secret key** | Secret key | Description | |-------------------------------------|--------------------------------------| | 1x0000000000000000000000000000000AA | Always passes | | 2x0000000000000000000000000000000AA | Always fails | | 3x0000000000000000000000000000000AA | Yields a "token already spent" error | #### Definitely remove re-captcha To remove all native re-captcha modules, add all modules in the "replace" node of the `composer.json`. _(README truncated for .md surface. Full README on https://packagento.com/pixelopen/magento-cloudflare-turnstile.)_ ## Changelog - Allow adding a captcha to the native newsletter subscription block ([2](https://github.com/Pixel-Open/magento-cloudflare-turnstile/issues/2)) ### 100.2.8 - Fix multiple widget renderer on ajax login - Fix ajax login event when cart is not subscribed ### 100.2.7 - Added "flexible" size option ([@MikeWilkie](https://github.com/MikeWilkie)) ### 100.2.6 - Widget added during checkout login when email exists ([14](https://github.com/Pixel-Open/magento-cloudflare-turnstile/issues/14)) ### 100.2.5 - Fix redirect URI error when no referer ### 100.2.4 - Fix configuration scope ([@Igmar95](https://github.com/Igmar95)) ### 100.2.3 - Avoid PHP error when module action class does not exist ### 100.2.2 - Invalid response message updated - Send product to friend form protection ### 100.2.1 - Fix review form persistence - Simpler way to add an action to validate - New data persistor interface ### 100.2.0 - Admin "login" and "reset password" forms validation - Validation added on guest checkout login form - Widget size configuration - French translation - Fix API request on each page with authentication popup - Fix widget resetting on ajax call ### 100.1.2 - Config path updated - CSP Whitelist added - Fix form validator when Turnstile is disabled ### 100.1.1 - Fix review data persistor - Do not use deprecated inheritance in controllers - Module dependencies updated ### 100.1.0 - First stable release ## Recent Versions | Version | Released | |---|---| | 100.3.0 | 2025-10-03 | | 100.2.8 | 2025-07-18 | | 100.2.7 | 2025-04-10 | | 100.2.6 | 2024-06-27 | | 100.2.5 | 2024-03-26 | | 100.2.4 | 2024-02-20 | | 100.2.3 | 2023-12-22 | | 100.2.2 | 2023-12-21 | | 100.2.1 | 2023-12-15 | | 100.2.0 | 2023-12-12 | Showing 10 of 13 versions. Full release history on https://packagento.com/pixelopen/magento-cloudflare-turnstile. ## Dependencies ### Require | Package | Constraint | |---|---| | magento/framework | * | | magento/module-config | * | | php | ^8 | ## Quality Latest release (100.3.0) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers. ### Compatibility Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | Pass | Pass | – | – | | 2.4.8 | – | Pass | Pass | – | | 2.4.9 | – | – | Pass | Pass | ### Code Quality Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible. #### Static Analysis Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module. | Tool | Status | Findings | Summary | |---|---|---|---| | PHPCS | Fail | 32 | 3 errors, 29 warnings (ruleset: Magento2) | | PHPMD | Pass | 0 | | | Cpd | Pass | 0 | | | Composer validate | Info | 4 | valid; 4 advisory notes (composer validate --strict) | #### PHPStan Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | 1 | 1 | – | – | | 2.4.8 | – | 1 | 1 | – | | 2.4.9 | – | – | 1 | 1 | ### Tests Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately. #### Unit Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | N/A | – | | 2.4.9 | – | – | N/A | N/A | #### Integration Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | N/A | – | | 2.4.9 | – | – | N/A | N/A | ### Security Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright. | Tool | Status | Findings | Summary | |---|---|---|---| | Composer audit | Pass | 0 | | | Malware scan | Pass | 0 | | ## Licence and pricing Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step. Refundable within 14 days of first purchase via https://packagento.com/account/refunds/. ## Install via Claude Code or any MCP client The Packagento MCP server can run the licence + project + Composer steps above in one tool call: ``` purchase_and_install_packages( composer_names=["pixelopen/magento-cloudflare-turnstile"], project_id="proj_xxx" ) ``` This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup. ## Vendor pixelopen is a Magento 2 vendor on Packagento. See https://packagento.com/pixelopen.md for their full catalogue.