Comparing Cloudflare Turnstile vs reCAPTHA — Why I switched for web form spam prevention

Which one should you have protecting you from spam on your webmail forms; reCAPTCHA or Turnstile?

Recently, I published Eliminate web form spam: honeypot, image captcha, math quiz or reCAPTCHA with GDPR compliance retention where Google’s reCAPTCHA was the strongest method covered. Since then, I delved more deeply into Cloudflare’s Turnstile. Even though I do not currently use any other service from Cloudflare on any of the websites I manage, I have already installed Turnstile on several websites, where in some, it replaced reCAPTHA. Ahead, I’ll compare the two solutions, regarding invasiveness, cost and the internaut’s perception (including a privacy perspective). I’ll also cover Turnstile’s integration with Solid Security, an amazing plugin I first covered in August 2023 in Passwordless logins for your website: Are you using Passkeys or Magic Links?. Finally, I’ll cover Turnstile’s language behavior compared with reCAPTCHA’s.

Avoid publishing a naked email address on your website

Even though I have published it in prior articles, I must continue to remind longtime readers (and inform new ones) that for several reasons, the best practice indicates that it is best not to publish any naked email address on your website. The only exception is in a very special case covered in this article:

Apple shocks authors/content producers with new website requirements to continue selling in Europe (illustrated above) since Apple forced us to publish a naked email address on our website (and a naked phone number too). I covered how to encode the naked email address to avoid it being harvested by spambots, despite its other disadvantages.

Invasiveness of Turnstile versus reCAPTHA

reCAPTHA as I covered in this article in January 2024 adds additional cookies and apparently even Google fonts to a website. That version of reCAPTCHA also requires the visitor to click on the box saying «I am not a robot». On the other hand, Turnstile does not add or use cookies or additional fonts. Although both Turnstile and that version of reCAPTHA require a plugin on WordPress sites to function, if the website uses the Solid Security Pro plugin for other reasons, then the Solid Security Pro plugin also handles the Cloudflare Turnstile by itself, saving the need for an additional plugin. I first covered the Solid Security Pro plugin in August 2023 in Passwordless logins for your website: Are you using Passkeys or Magic Links?. Ahead in this article, there will be more details about that.

Above, you will see an animated GIF created by Cloudflare to demonstrate how the Turnstile message would likely appear to your visitors. (The above GIF is an example in English.)

Cost

Although when I published that article on January 22, 2024, Google’s reCAPTHA was free up to a million assessments, on January 29th, I received an automated email from Google stating that starting April 1, 2024, there would be fees associated for a much lower amount of assessments, except for the newly named reCAPTHA Lite which would continue to offer no-cost service for up to 10,000 assessments per month. Google says that it will continue to provide 1 million no-cost reCAPTCHA Enterprise assessments per month to eligible nonprofits, charities, and libraries. On the other hand, Cloudflare’s Turnstile remains free.

Internaut perception (including a privacy perspective)

The version of Google reCAPTURE I covered on January 22, 2024 requires the visitor to your website to click on a box to indicate that s/he is not a robot. On the other hand, in most cases, Cloudflare’s Turnstile does not ask the user to click on anything. In most cases, Turnstile simply shows that it successfully approved the visitor. Only in rare cases — when Turnstile suspects something unusual — does it ask the internaut to click a box.

In addition, privacy-oriented visitors know that Google is an advertising company which uses our information for that purpose. Even more informed privacy-oriented visitors know that Google (as well as AOL, Apple, Microsoft, Skype, Yahoo and YouTube) officially participate in PRISM (aka SIGAD US-984XN). PRISM is a program under which the United States National Security Agency (NSA) continually collects Internet communications from various U.S. Internet companies.

On the other hand, Cloudflare is a privacy and security company. Mathew Prince — co-founder & CEO of Cloudflare, states:

«At CloudFlare, we have never been approached to participate in PRISM or any other similar program. We do, from time to time, receive subpoenas and court orders. A human being on our team reviews each of these requests manually. When we determine that a request is too broad, we push back to limit the scope of the request. Whenever possible, we disclose to all affected customers the fact that we have received a subpoena or court order and allow them an opportunity to challenge it before we respond.»

Source: here.

Integration with Solid Security

As covered in detail in my Passwordless logins for your website: Are you using Passkeys or Magic Links?, Solid Security Pro (a premium/paid plugin, available at a substantial discount from TecnoTur) together with Imunify360 (free with all hosting accounts at TecnoTur) allows for strong security together with passwordless logins via either Passkeys or Magic Links.

Now that Solid Security Pro has direct integration with Cloudflare Turnstile, Solid Security Pro can save us a plugin while being even more certain that they can work together even more seamlessly. To quote them:

«If you activate Passkeys or Magic Links and Turnstile in Solid Security Pro, you won’t just have a very secure site — you’ll never again need to enter a password or answer a CAPTCHA challenge! This is a wonderful step forward and the future for online security.»

For more information, see my WordPress security + multi-backups.

Language behavior

Since TecnoTur develops and maintains many websites that are either in Castilian-only (castellano), in English-only or bilingual websites, I have observed contrasting behavior between Turnstile and reCAPTHA:

If your visitor’s browser is set with English as the primary language, above is how s/he will likely see Turnstile.

If your visitor’s browser is set with Castilian (aka «Spanish») as the primary language, above is how s/he will likely see Turnstile.

Cloudflare’s Turnstile displays its message in whatever language is set as the primary language as set in the visitor’s browser (regardless of the language of a particular website). On the other hand, Google’s reCAPTHA displays its message in the website’s designated language (regardless of the browser setting). Neither one is a dealbreaker. It’s just interesting to note.

Conclusions

For nearly any website where spam via the contact form has become an issue, Cloudflare’s Turnstile is a powerful solution with much less «baggage» than Google’s reCAPTCHA. In addition, Turnstile can also protect your login page and when visitors comment (if your website allows for that) and its integration with Solid Security can save us a plugin.

Lee este artículo en castellano

Comparemos Turnstile con reCAPTCHA. Ambos compiten para eliminar spam procedente de tu sitio web.

FTC Disclosure

None of the companies mentioned has paid for this article. Allan Tépper is the director of TecnoTur LLC. Some of the manufacturers listed above have contracted Tépper and/or TecnoTur LLC to carry out consulting and/or translations/localizations/transcreations. Links to third parties listed in this article and/or on this web page may indirectly benefit TecnoTur LLC via affiliate programs. Allan Tépper’s opinions are his own. Allan Tépper is not liable for misuse or misunderstanding of information he shares.