ActiveLayer Anti-Spam
Anti-Spam Protection Without CAPTCHAs ActiveLayer is an intelligent anti-spam solution that stops contact form spam, comment spam, and registration spam without CAPTCHAs, puzzles, or extra steps for your visitors. Your forms stay fast and frictionless while unwanted messages get caught automatically. Your time and attention are expensive — stop spending them on spam. ActiveLayer protects popular form builders like WPForms, Contact Form 7, Gravity Forms, Elementor Forms, Fluent Forms, WS Form, and FunnelKit Funnel Builder, plus native WordPress comments, WooCommerce (product reviews and customer registration), Easy Digital Downloads (store reviews and customer registration), AffiliateWP, MemberPress, and BuddyPress / BuddyBoss signup forms, all from a single plugin. With 18 integrations, you manage all your spam protection from one settings page. Create a free account and get started Zero Friction Spam Filtering Most anti-spam tools either show visitors a CAPTCHA or make every form wait while the check runs. ActiveLayer takes a different approach. Async integrations complete immediately while background checks run through Action Scheduler; registration and inline-blocking integrations can run a synchronous check when spam must be stopped before an account, entry, or affiliate record is created. This keeps normal form workflows fast while still allowing high-risk signup flows to block spam inline. If a submission is clean, notifications are sent as normal. If it is flagged, notifications are suppressed or the signup is blocked depending on the integration. Intelligent Spam Detection ActiveLayer analyzes submission patterns, content reputation, behavioral signals, and environment data to catch both automated bots and human bad actors with high accuracy. Unlike simple honeypot or keyword-blocklist approaches, ActiveLayer uses multiple signals to make smarter decisions about every submission. Optional behavioral tracking monitors how users interact with your forms — keystrokes, mouse movements, touch events, and scroll patterns. Environment detection identifies headless browsers and automated tools. These client-side signals are sent alongside form data for deeper analysis. Per-Form Control and Sync Mode You decide exactly which forms to protect. ActiveLayer protects all supported forms and WooCommerce surfaces by default after your API key is connected — you can disable protection per form if needed. This gives you granular control over every contact form, registration form, or comment section on your site. Sync Mode lets supported integrations wait for the API verdict before the submission completes, so spam can be blocked inline. By default, ActiveLayer runs checks asynchronously for maximum speed. Turn Sync Mode on when you prefer inline blocking and can tolerate a small added latency on submissions. Fail-Safe by Design If the ActiveLayer API is temporarily unavailable, your forms keep working. ActiveLayer is designed to fail open — it restores provider defaults, preserves every submission, and retries background checks automatically when connectivity returns. No lost submissions, no blocked emails, no broken forms. Automatic retries handle transient failures. A built-in watchdog checks queue health every 15 minutes and shows admin notices when pending items build up or Action Scheduler is unavailable. You always know the status of your protection. Full Visibility Dashboard See exactly what is happening with your form protection at a glance. The ActiveLayer dashboard shows submission totals, spam caught, accuracy rates, queue health, and integration status — all in one place. Filter submissions by status or provider, and use bulk actions to recheck, mark as clean or junk, or trash items you no longer need. Every submission is logged in a custom database table. You can review verdicts, recheck past submissions with a fresh API call, and override any decision. Debug logging (opt-in, PII-redacted) gives you even deeper insight when troubleshooting. Who Is ActiveLayer For? Small Business Websites Protect your contact forms and inquiry forms without adding friction for potential customers. Async form submissions from real visitors go through instantly while junk gets caught behind the scenes. Bloggers and Publishers Stop comment spam on your posts without requiring readers to solve CAPTCHAs or prove they are human. ActiveLayer checks comments in the background and can auto-approve clean ones or auto-mark detected spam. Agencies Managing Multiple Sites One plugin covers WPForms, Contact Form 7, Gravity Forms, Elementor Forms, Fluent Forms, Formidable Forms, WooCommerce, and more — every integration managed from one settings page. No need to configure separate anti-spam tools for each form builder or WooCommerce surface your clients use. E-commerce and Service Businesses Keep inquiry and support forms clean while maintaining a fast, professional user experience. Async checks keep contact forms moving quickly, while registration gates can block spam accounts inline. WooCommerce stores get dedicated protection for product reviews and My Account customer registration — and the checkout itself is never gated, so spam protection can’t get in the way of a sale. Membership Sites and Online Communities Running a community on BuddyPress or BuddyBoss Platform? ActiveLayer hooks the public signup form and blocks spam registrations before they create fake accounts — no extra CAPTCHA in front of your real members, no manual moderation queue to babysit. The integration covers both free BuddyPress and BuddyBoss Platform with a dedicated admin toggle for each. Full ActiveLayer Feature List Async processing – Background queue via Action Scheduler for supported async integrations No CAPTCHA required – Invisible protection with zero friction for visitors WPForms integration – Per-form enable, async checks with email replay, optional sync-save strategy Contact Form 7 integration – Synchronous checks, field mapping via activelayer:* tags, per-form control Gravity Forms integration – Entry-based spam detection with per-form control and notification management Elementor Forms integration – Protect Elementor Pro form widgets with per-form spam filtering Fluent Forms integration – Per-form spam detection with email notification handling Formidable Forms integration – Notification interception and replay, sync fallback option Forminator integration – Form submission interception with per-form toggles and notification management Ninja Forms integration – Email action capture, clean verdict replay, spam suppression SureForms integration – Spam protection for SureForms with per-form control WS Form integration – Synchronous spam blocking before WS Form saves entries or runs actions, with per-form control WordPress Comments protection – Auto-approve clean comments, auto-spam detected ones, fail-open restore WooCommerce Reviews protection – Score every product review on submission, with optional verified-owner bypass, logged-in-user bypass, and high-confidence auto-delete WooCommerce Registration protection – Block bot signups on the My Account registration form before the account is created (the checkout flow is never gated, so it can’t block a purchase) BuddyPress signup protection – Block spam registrations on the public /register/ page; sync check fires after BuddyPress’s own validation and writes the block message next to the username field BuddyBoss Platform signup protection – Same sync gate against the BuddyBoss Platform signup form, with automatic xprofile-name fallback because BuddyBoss auto-generates the username from the email AffiliateWP registration protection – Block bot affiliate signups before the affiliate and WordPress user are created; sync check fires after AffiliateWP’s own validation MemberPress registration protection – Block bot membership signups before the account is created; free, free-trial, and fully-discounted signups are gated by default, while paid checkouts are never blocked (opt in to gate those too) FunnelKit Funnel Builder integration – Synchronous spam blocking for opt-in forms before FunnelKit runs email, CRM contact, and webhook actions, with per-form control Easy Digital Downloads integration – Spam protection for product reviews and the standalone customer registration form; the EDD checkout is never gated, so it can’t block a purchase Silent discard for high-confidence spam – Optional hard-delete of comments and WooCommerce reviews that exceed a configurable spam score threshold (default 95), skipping spam-folder storage entirely Per-form toggles – Protection enabled by default per form; disable on individual forms as needed Sync Mode – Optional synchronous spam checks for inline blocking on supported integrations Dashboard analytics – Submission totals, spam caught, accuracy rates, queue health at a glance Submissions management – Filter by status and provider, bulk recheck, mark clean or spam, trash Fail-open architecture – Forms keep working if the API is temporarily unavailable Automatic retries – Failed submissions are re-queued and retried automatically Queue watchdog – 15-minute health checks with admin notices for stalled queues Behavioral signal collection – Keystroke, mouse, touch, and scroll tracking for deeper analysis Environment detection – Identifies headless browsers and automated submission tools Debug logging – Opt-in ring buffer (last 200 entries), PII-redacted, view and clear in admin Bulk recheck – Re-queue past submissions for fresh API verdicts anytime Default protection – Forms protected by default after API connection; disable per form if needed. Sanitized logging, masked secrets, hashed emails Integrations WPForms (Lite and Pro) Contact Form 7 Gravity Forms Elementor Forms (Pro) Fluent Forms Formidable Forms Forminator Ninja Forms SureForms WS Form WordPress Comments (built-in) WooCommerce (product reviews and customer registration) BuddyPress (public signup form) BuddyBoss Platform (public signup form) AffiliateWP (affiliate registration form) MemberPress (membership registration form) FunnelKit Funnel Builder (opt-in forms) Easy Digital Downloads (product reviews and customer registration) External services This plugin connects to the ActiveLayer API to analyze form submissions and comments for spam. It is the core service that powers all spam detection — without it, the plugin cannot classify submissions. ActiveLayer API What it does: Provides spam detection verdicts (clean or spam) for form submissions and comments. When data is sent: Each time a protected form submission, comment, review, or registration is checked, the submission data is sent to the API for analysis. Depending on the integration, this can happen through the background queue or during a synchronous inline-blocking check. What data is sent: * Submission content (name, email, message, URL if provided) * IP address and user agent of the submitter * Form metadata (form ID, form name, provider name) * Site URL and WordPress locale * Behavioral and environment signals (if enabled in settings) Service provider: ActiveLayer (activelayer.com) * Terms of Service * Privacy Policy
Top keywords
- form37×2.37%
- spam34×2.18%
- forms33×2.11%
- activelayer19×1.22%
- protection19×1.22%
- integration17×1.09%
- registration17×1.09%
- submission14×0.90%
- per-form11×0.70%
- submissions11×0.70%
- api10×0.64%
- checks10×0.64%
Kitgenix CAPTCHA for Cloudflare Turnstile
Spam is expensive: it wastes time, clogs inboxes, creates fake accounts, and on stores it can lead to abandoned checkout noise and fraudulent activity. Traditional CAPTCHA solutions can also hurt conversions by adding friction. Cloudflare Turnstile is a modern, privacy-first CAPTCHA alternative designed to reduce friction for real people while still blocking bots. Kitgenix CAPTCHA for Cloudflare Turnstile is a production-ready Turnstile integration for WordPress that focuses on reliability in real-world setups: – Server-side token verification (using Cloudflare’s official endpoint) – Fast, conditional loading (only where needed) – Support for dynamic/AJAX forms and modern WooCommerce Blocks / Store API checkout – Security features: replay protection, proxy-aware IP handling, whitelisting, and developer mode (warn-only) You can enable/disable each integration (and many per-form toggles), choose auto-injection vs shortcode-only placement, customise display and messaging, and use built-in diagnostics and Site Health checks to troubleshoot. The plugin also includes a real setup-verification gate for sensitive flows, a Portability tab for JSON export/import, a Support tab with active protection alerts, per-integration analytics, CSV exports, privacy-safe metrics, and recent verification events, and support for defining keys through wp-config.php constants or environment variables. Supported integrations (where Turnstile can be added) All integrations are enable-able from settings. Many also support Mode: Auto vs Shortcode. WordPress Core – Login – Custom login screens rendered with wp_login_form() – Registration – Lost password – Reset password – Comments (standard WordPress comment forms, including safe handling for comment failures/redirects) WooCommerce (Classic) – Checkout – Product reviews – My Account login – My Account registration – Lost password WooCommerce Blocks (Store API / Block Checkout) – UI rendering inside block-based checkout – Adds token to Store API requests (header and/or extensions payload when available) – Server-side validation of Store API checkout requests – Supports “shortcode-only mode” behaviour so you can control placement Easy Digital Downloads (EDD) – Checkout – Login – Register – Profile editor Form plugins – Contact Form 7 (CF7) – WPForms – Fluent Forms – Formidable Forms – Forminator – Gravity Forms – JetFormBuilder – Jetpack Forms – Kadence Forms – Elementor Forms (including popups and AJAX submissions) Membership / community / newsletters – Ultimate Member (login, registration, password reset) – MemberPress (signup / checkout) – Paid Memberships Pro (checkout / registration) – MailPoet forms – wpDiscuz comment forms Community / forums – bbPress (topic/reply flows where applicable) – BuddyPress (flows where applicable) Core features (site-wide) Turnstile widget rendering – Uses Cloudflare’s official Turnstile API script – Widget options: – Theme: auto / light / dark – Size: normal / compact / flexible – Appearance: stored as Turnstile “appearance” option (defaults to always) – Language: auto or explicit locale (passed via hl=...) Settings & admin experience – Settings page under the shared Kitgenix WP admin menu – Live “test widget” preview on the settings screen (renders when a Site Key is present) – Setup verification gate helps confirm the widget works before auth-sensitive integrations are relied on – Site Key + Secret Key storage (secret not printed in HTML by default) – “Reveal secret key” (admins only, nonce-protected AJAX action) Messaging & UX – Custom error message (admin-configurable, used across integrations) – Extra message text (optional text displayed alongside/under the widget) – “Disable submit until completed” option (frontend behaviour via plugin JS) Replay protection (enabled by default) – Detects re-used tokens (hash stored in transients) and blocks replays – TTL is filterable – Stores hashed token markers under the transient prefix kitgenix_captcha_for_cloudflare_turnstile_ts_ – Sets a short-lived cookie (kitgenix_captcha_for_cloudflare_turnstile_ts_replay, ~120s) when replay is detected (for frontend behaviour/messages) – Dedicated replay message (filterable) Developer mode (warn-only) – Verification failures do not block submissions – Failures are logged (and emitted via a developer log action) – Optional inline warning annotation for admins (frontend config) Whitelisting (skip Turnstile + skip loading API script) – Whitelist logged-in users – Whitelist by IP (exact, wildcards, CIDR — including IPv6) – Whitelist by User-Agent (substring or wildcard matching) – Filter hook to override whitelist decision Proxy / real-IP handling – Optional trust of proxy headers (Cloudflare / X-Forwarded-For style) – Trusted proxy IP list / trust controls – Forwarded headers are only honoured when the request originates from a trusted proxy Performance & resilience – Conditional script loading only where needed – Async/strategy-based script loading (depending on WP version) – Adds resource hints (preconnect / dns-prefetch) for Turnstile domain – Detects duplicate Turnstile API loaders (if another plugin/theme enqueues api.js): – Stores detection in the transient kitgenix_turnstile_duplicate_scripts – Shows admin notice on settings and Plugins screen – Includes dismiss link (nonce-protected, uses kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss_dupe=1) Site Health + diagnostics – Adds a Site Health test: “Cloudflare Turnstile readiness” – Checks: – Keys present – Duplicate API loader transient (kitgenix_turnstile_duplicate_scripts) – Last verification success/failure snapshot – Heuristic warning if common optimisation/caching plugins are active – Stores the last verify outcome (success, time, error codes) for Site Health display – Tracks privacy-safe counters in kitgenix_captcha_for_cloudflare_turnstile_metrics (checks total/passed/failed/retries plus per-integration breakdowns) – Raises automatic admin and Site Health alerts when recent verification failures spike or Cloudflare siteverify requests start failing at the HTTP layer – Shows per-integration analytics in the Support tab so admins can compare passes, failures, retries, and friction by protected flow – Shows active protection alerts in the Support tab for verification spikes, blocked API requests, and duplicate loader conflicts – Exports per-integration analytics and the recent diagnostic log as CSV from the Support tab – Shows a recent diagnostic log in the Support tab so admins can review the last verification events without storing raw IPs or URLs Portability and rollout Export settings to JSON and import them into another site from the Portability tab. Choose whether exported settings include your Turnstile keys. Import settings in a controlled way for repeatable deployments. Define KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SITE_KEY and KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SECRET_KEY in wp-config.php or your environment when you want keys managed outside the database. Manual placement (shortcode) If you have a custom form or an unsupported plugin, you can manually render the widget: [kitgenix_turnstile] Shortcode output includes: – a nonce field – a hidden cf-turnstile-response input – the widget container (with data-sitekey) – support for passing arbitrary attributes via shortcode attributes Many supported integrations also offer Shortcode-only mode (you place the shortcode where you want; the plugin validates server-side without auto-injection). Quick Start Install and activate the plugin. Open the Turnstile settings under the Kitgenix hub in wp-admin. Add your Cloudflare Turnstile Site Key and Secret Key. Configure widget options (theme/size/appearance/language) and messaging if needed. Enable the integrations (and per-form toggles) you want. Save, then test the key user journeys: login, registration, checkout, and your main contact form. Tip: Start with Developer mode (warn-only) on staging or during rollout. Once you’re satisfied, disable warn-only to enforce blocking. Performance and caching notes (important for stores) Turnstile is lightweight, but aggressive optimisation can break rendering or token freshness. If you use caching/optimisation plugins: – Allowlist https://challenges.cloudflare.com – Avoid full-page caching on login/account/checkout pages – Avoid combining/inlining the Turnstile loader – Avoid heavily delaying Elementor/form plugin scripts – Ensure outbound HTTP requests to Cloudflare are not blocked (needed for server-side verification) Settings Overview Main settings: – Site Key – Secret Key (with “secret present” state, clear/reveal) – Theme (auto/light/dark) – Size (normal/compact/flexible) – Appearance (Turnstile appearance option) – Language (auto or specific locale) – Disable submit until completed – Custom error message – Extra message text Security & advanced: – Replay protection (on/off) – Developer mode (warn-only) – Whitelist logged-in users – Whitelist IPs (wildcards/CIDR, including IPv6) – Whitelist user agents – Proxy trust (enable/disable) – Trusted proxy IPs / trust controls – Setup verification before sensitive rollouts Portability & operations: – Export settings to JSON – Import settings from JSON – Optionally include or exclude site keys during transfer – Support KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SITE_KEY and KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SECRET_KEY as constants or environment-variable overrides for keys Integrations (enable + per-form toggles where available): – WordPress Core (login/register/lost password/reset password/standard comments) – WooCommerce (checkout/product reviews/login/register/lost password) – WooCommerce Blocks mode (auto vs shortcode-only) – Easy Digital Downloads (checkout/login/register/profile) – Contact Form 7 – WPForms – Fluent Forms – Formidable Forms – Forminator – Gravity Forms – Jetpack Forms – Kadence Forms – Elementor Forms – bbPress – BuddyPress Developers Shortcode: [kitgenix_turnstile] Server-side verification endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify Filters (script/loading): – kitgenix_captcha_for_cloudflare_turnstile_script_url( $url, $settings ) – kitgenix_turnstile_freshness_ms – kitgenix_turnstile_inline_style Filters (verification / request handling): – kitgenix_turnstile_siteverify_url – kitgenix_turnstile_siteverify_timeout – kitgenix_turnstile_siteverify_sslverify – kitgenix_turnstile_siteverify_http_args – kitgenix_turnstile_send_remoteip – kitgenix_turnstile_remote_ip – kitgenix_turnstile_token_from_request – kitgenix_turnstile_handle_comment_form – kitgenix_turnstile_error_codes – kitgenix_turnstile_error_message – kitgenix_turnstile_replay_message – kitgenix_captcha_for_cloudflare_turnstile_{context}_turnstile_error_message Filters (replay protection): – kitgenix_turnstile_replay_ttl Filters (operational alerts): – kitgenix_turnstile_alert_window_seconds – kitgenix_turnstile_alert_failure_spike_min_failures – kitgenix_turnstile_alert_failure_spike_failure_rate – kitgenix_turnstile_alert_http_error_min_failures Filters (whitelist / proxy trust): – kitgenix_turnstile_is_whitelisted( $is_whitelisted, $details ) – kitgenix_turnstile_trust_headers – kitgenix_turnstile_trusted_proxies Internal identifiers (options / transients / cookies / meta): – Option: kitgenix_captcha_for_cloudflare_turnstile_settings – Settings group (Settings API): kitgenix_captcha_for_cloudflare_turnstile_settings_group – Option: kitgenix_captcha_for_cloudflare_turnstile_metrics – Option: kitgenix_turnstile_recent_event_log – Option: kitgenix_turnstile_last_verify – Transient: kitgenix_captcha_for_cloudflare_turnstile_do_activation_redirect – Transient: kitgenix_turnstile_duplicate_scripts – Transient prefix (replay protection): kitgenix_captcha_for_cloudflare_turnstile_ts_ – Cookie (replay notice): kitgenix_captcha_for_cloudflare_turnstile_ts_replay – WooCommerce order meta (Blocks/Store API verification): _kitgenix_turnstile_verified Internal nonces / actions: – Shortcode/form nonce field name: kitgenix_captcha_for_cloudflare_turnstile_nonce – Shortcode/form nonce action: kitgenix_captcha_for_cloudflare_turnstile_action – Settings save nonce field name: kitgenix_captcha_for_cloudflare_turnstile_settings_nonce – Settings save nonce action: kitgenix_captcha_for_cloudflare_turnstile_settings_save – Admin AJAX action (reveal saved secret): kitgenix_turnstile_get_secret (WordPress hook: wp_ajax_kitgenix_turnstile_get_secret) – Admin AJAX nonce action (reveal saved secret): kitgenix_turnstile_reveal_secret – Admin-post action (analytics exports): kitgenix_turnstile_export_analytics – Admin-post nonce action (analytics exports): kitgenix_turnstile_export_analytics – Duplicate-loader notice dismiss query arg: kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss_dupe – Duplicate-loader notice dismiss nonce action: kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss Actions (developer logging): – kitgenix_turnstile_dev_log External Services This plugin uses Cloudflare Turnstile to verify requests and prevent spam and abuse. The plugin may: – Load the Turnstile script: https://challenges.cloudflare.com/turnstile/v0/api.js – Submit verification requests server-side to: https://challenges.cloudflare.com/turnstile/v0/siteverify When verification is enabled, the plugin sends to Cloudflare: – Your Turnstile secret key – The Turnstile response token – The visitor IP address (as the optional remoteip parameter, when enabled) The plugin does not send the visitor’s browser user agent to Cloudflare as part of the verification payload (the HTTP request itself is made server-side by WordPress). If proxy trust is enabled, the plugin may read forwarding headers (e.g. CF-Connecting-IP, X-Forwarded-For) to determine the client IP, but only when requests originate from configured trusted proxies. The plugin does not add tracking cookies itself and does not sell or share personal data. Cloudflare Turnstile Terms: https://developers.cloudflare.com/turnstile/ Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/ This plugin also includes a shared “Kitgenix hub” component in wp-admin which may fetch publicly available plugin metadata from WordPress.org using the WordPress core plugins_api() function (WordPress.org Plugins API). When it runs: only in wp-admin (Kitgenix plugin admin pages) Data sent: plugin slug(s) (no personal data) Data received: publicly available plugin information (e.g. active installs, ratings) Caching: responses are cached locally using transients for ~1 day: kitgenix_hub_wporg_active_installs_v1 kitgenix_hub_wporg_ratings_v1 Trademark Notice “Cloudflare” and the Cloudflare logo are trademarks of Cloudflare, Inc. This plugin is not affiliated with or endorsed by Cloudflare, Inc. Support Development If this plugin helps keep spam away without slowing your site down, you can support ongoing development here: https://buymeacoffee.com/kitgenix Credits Built with ❤︎ by @kitgenix – https://kitgenix.com