Bot Protection with Turnstile Security & Risk Analysis

wordpress.org/plugins/bot-protection-turnstile

A lightweight plugin that protects core WordPress forms and selected third‑party plugins from spam and bot attacks using Cloudflare Turnstile CAPTCHA.

70 active installs · v1.1.1 · PHP 7.4+ · WP 6.5+ · Updated Nov 29, 2025
Tags: captcha, cloudflare, security, spam-protection, turnstile
Score: 100 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Bot Protection with Turnstile Safe to Use in 2026?

Generally Safe

Score 100/100

Bot Protection with Turnstile has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4mo ago
Risk Assessment

The "bot-protection-turnstile" plugin, version 1.1.1, demonstrates a generally strong security posture based on the provided static analysis and vulnerability history. The absence of any known CVEs, unpatched vulnerabilities, or critical/high severity taint flows is highly encouraging. The code adheres to several good security practices, including the complete use of prepared statements for SQL queries and a significant majority of output being properly escaped. The plugin also incorporates nonce and capability checks, which are vital for preventing common attack vectors.

However, a few areas warrant attention. The external HTTP request is not inherently a vulnerability, but it is an attack surface that could be exploited if the external service is compromised or if the request is not handled securely. The static analysis reports no critical taint flows, but the percentage of escaped outputs, though high, is not perfect, and the remaining unescaped outputs could lead to cross-site scripting (XSS) vulnerabilities if the unescaped data is user-controlled or sensitive. The lack of a large attack surface is a positive sign, but the external HTTP request introduces a dependency that could indirectly impact security.

In conclusion, this plugin appears to be well-developed with a focus on security. The excellent track record of no known vulnerabilities and the good coding practices observed are significant strengths. The main points of caution revolve around the external HTTP request and the remaining percentage of unescaped output, which, while not posing an immediate critical threat based on the data, are areas where further hardening could be beneficial.

Key Concerns

  • External HTTP request present
  • 18% of outputs not properly escaped
Vulnerabilities
None known

Bot Protection with Turnstile Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Bot Protection with Turnstile Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 29 (134 escaped)
Nonce Checks: 12
Capability Checks: 1
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

82% escaped · 163 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
cft_api_settings_postbox_content (admin\menu-pages\class-bpcft-settings-menu.php:66)
Attack Surface

Bot Protection with Turnstile Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 67
action admin_print_scripts (admin\class-bpcft-admin-init.php:15)
action admin_print_styles (admin\class-bpcft-admin-init.php:16)
action admin_menu (admin\class-bpcft-admin-init.php:17)
action plugins_loaded (bp-turnstile-core.php:23)
action init (bp-turnstile-core.php:25)
action login_enqueue_scripts (bp-turnstile-core.php:30)
action wp_enqueue_scripts (bp-turnstile-core.php:31)
filter plugin_action_links (bp-turnstile.php:39)
filter asp_ng_pp_data_ready (classes\integrations\class-bpcft-integration-asp.php:16)
action asp_ng_pp_output_add_styles (classes\integrations\class-bpcft-integration-asp.php:17)
action asp_ng_pp_output_add_scripts (classes\integrations\class-bpcft-integration-asp.php:18)
filter asp_ng_pp_output_before_buttons (classes\integrations\class-bpcft-integration-asp.php:19)
action asp_ng_before_api_pre_submission_validation (classes\integrations\class-bpcft-integration-asp.php:20)
filter asp_hide_captcha_disabled_warning_notice_in_admin (classes\integrations\class-bpcft-integration-asp.php:23)
filter bbp_get_wp_login_action (classes\integrations\class-bpcft-integration-bbpress.php:15)
action login_form (classes\integrations\class-bpcft-integration-bbpress.php:19)
action authenticate (classes\integrations\class-bpcft-integration-bbpress.php:20)
action register_form (classes\integrations\class-bpcft-integration-bbpress.php:25)
action registration_errors (classes\integrations\class-bpcft-integration-bbpress.php:26)
action login_form (classes\integrations\class-bpcft-integration-bbpress.php:31)
action lostpassword_post (classes\integrations\class-bpcft-integration-bbpress.php:32)
action bbp_theme_before_topic_form_submit_wrapper (classes\integrations\class-bpcft-integration-bbpress.php:37)
action bbp_new_topic_pre_extras (classes\integrations\class-bpcft-integration-bbpress.php:38)
action bbp_theme_before_reply_form_submit_wrapper (classes\integrations\class-bpcft-integration-bbpress.php:43)
action bbp_new_reply_pre_extras (classes\integrations\class-bpcft-integration-bbpress.php:44)
action wpcf7_init (classes\integrations\class-bpcft-integration-cf7.php:16)
action wpcf7_admin_init (classes\integrations\class-bpcft-integration-cf7.php:17)
filter wpcf7_form_elements (classes\integrations\class-bpcft-integration-cf7.php:22)
filter wpcf7_validate (classes\integrations\class-bpcft-integration-cf7.php:23)
filter wpcf7_display_message (classes\integrations\class-bpcft-integration-cf7.php:85)
filter emember_captcha (classes\integrations\class-bpcft-integration-emember.php:15)
filter emember_captcha_varify (classes\integrations\class-bpcft-integration-emember.php:16)
filter emember_captcha_login (classes\integrations\class-bpcft-integration-emember.php:21)
filter emember_captcha_varify_login (classes\integrations\class-bpcft-integration-emember.php:22)
filter emember_captcha_pass_reset (classes\integrations\class-bpcft-integration-emember.php:27)
filter emember_captcha_varify_pass_reset (classes\integrations\class-bpcft-integration-emember.php:28)
filter sdm_before_download_button (classes\integrations\class-bpcft-integration-sdm.php:16)
action sdm_download_via_direct_post (classes\integrations\class-bpcft-integration-sdm.php:17)
action sdm_hd_process_download_request (classes\integrations\class-bpcft-integration-sdm.php:20)
filter sdm_sf_before_download_button (classes\integrations\class-bpcft-integration-sdm.php:25)
action sdm_sf_download_form_submitted (classes\integrations\class-bpcft-integration-sdm.php:26)
action woocommerce_login_form (classes\integrations\class-bpcft-integration-woocommerce.php:16)
action authenticate (classes\integrations\class-bpcft-integration-woocommerce.php:17)
action woocommerce_register_form (classes\integrations\class-bpcft-integration-woocommerce.php:22)
action woocommerce_register_post (classes\integrations\class-bpcft-integration-woocommerce.php:24)
action woocommerce_lostpassword_form (classes\integrations\class-bpcft-integration-woocommerce.php:30)
action lostpassword_post (classes\integrations\class-bpcft-integration-woocommerce.php:31)
action woocommerce_loaded (classes\integrations\class-bpcft-integration-woocommerce.php:36)
action woocommerce_review_order_before_submit (classes\integrations\class-bpcft-integration-woocommerce.php:37)
filter render_block_woocommerce/checkout-actions-block (classes\integrations\class-bpcft-integration-woocommerce.php:38)
action woocommerce_checkout_process (classes\integrations\class-bpcft-integration-woocommerce.php:39)
action woocommerce_store_api_checkout_update_order_from_request (classes\integrations\class-bpcft-integration-woocommerce.php:40)
action login_form (classes\integrations\class-bpcft-integration-wp.php:16)
action authenticate (classes\integrations\class-bpcft-integration-wp.php:17)
action register_form (classes\integrations\class-bpcft-integration-wp.php:22)
action registration_errors (classes\integrations\class-bpcft-integration-wp.php:23)
action lostpassword_form (classes\integrations\class-bpcft-integration-wp.php:28)
action lostpassword_post (classes\integrations\class-bpcft-integration-wp.php:29)
action comment_form_submit_button (classes\integrations\class-bpcft-integration-wp.php:34)
action pre_comment_on_post (classes\integrations\class-bpcft-integration-wp.php:35)
action wpec_before_full_discount_checkout_button (classes\integrations\class-bpcft-integration-wpec.php:18)
action wpec_before_manual_checkout_submit_button (classes\integrations\class-bpcft-integration-wpec.php:23)
action wpec_url_payment_box_before_head_close (classes\integrations\class-bpcft-integration-wpec.php:27)
action wpec_process_payment (classes\integrations\class-bpcft-integration-wpec.php:28)
action wpec_process_manual_checkout (classes\integrations\class-bpcft-integration-wpec.php:29)
action wpsc_before_manual_checkout_form_submit (classes\integrations\class-bpcft-integration-wpsc.php:15)
action wpsc_manual_payment_checkout (classes\integrations\class-bpcft-integration-wpsc.php:16)
Maintenance & Trust

Bot Protection with Turnstile Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 29, 2025
PHP min version: 7.4
Downloads: 824

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 70
Developer Profile

Bot Protection with Turnstile Developer Profile

mra13

15 plugins · 210K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 629 days
Detection Fingerprints

How We Detect Bot Protection with Turnstile

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bot-protection-turnstile/css/bpcft-admin-styles.css
Version Parameters
bot-protection-turnstile/css/bpcft-admin-styles.css?ver=

HTML / DOM Fingerprints

CSS Classes
bpcft-admin-css
FAQ

Frequently Asked Questions about Bot Protection with Turnstile