In September 2025 we had a concrete problem: 850 new account registrations per month, of which 94% were bots. Contact forms flooded with automated spam messages. Product reviews containing phishing URLs. Nothing new for any store with real traffic. What was new was how much bots had improved.
This is the exact record of what we did, with the before and after numbers.
The starting point: reCAPTCHA v2 + honeypot, and it wasn’t enough
We’d been running reCAPTCHA v2 on the contact form and a honeypot field on the registration form for two years. By late 2024 the spam volume started growing steadily. In July 2025 we documented 850 bot registrations in a single month.
We reviewed the logs. 60% of bots were solving reCAPTCHA v2 without any problem. CAPTCHA-solving services that operate with human labor farms charge €0.001 per image. At that price, an actor who wants to mass-spam a store can solve 10,000 CAPTCHAs for €10.
The honeypot was still working for the simplest bots, but the more sophisticated ones ignored it: they fill in only visible fields and detect hidden CSS fields.
We tried enabling reCAPTCHA v3 with a score threshold of 0.7. Result: 18% false positives on real customers from shared mobile carrier IPs (several customers share the same outbound IP from the carrier). Too much to leave in production.
Why we chose Turnstile
The main criterion wasn’t technical — it was legal. Our legal team had already flagged the use of reCAPTCHA as a point to address in the record of processing activities. With Schrems II and European data protection authority guidelines, continuing to use reCAPTCHA required documenting a solid legal basis for the US transfer.
Turnstile solved both problems: no declared cross-site tracking, processing on European edge nodes, and — based on prior testing across other projects — very low false positive rates even on shared carrier IPs.
The cost factor was irrelevant: the 1M monthly challenges free tier covers our scale easily.
The setup: 15 minutes of actual configuration
We created the site in the Cloudflare dashboard, obtained both keys (Site Key and Secret Key), and installed the module in the PrestaShop Back Office. Total time from scratch: 14 minutes.
Configuration chosen:
- Widget mode: Managed — Cloudflare decides whether to present a challenge based on its signals
- Action on fail: Block — reject the request if the token is invalid
- API timeout: 4 seconds — if Cloudflare’s API doesn’t respond within 4s, we let the request through (fail open) so we don’t block legitimate customers during an infrastructure issue
- Log enabled: Yes — record all attempts with IP, user-agent, and result
- Hostname restriction: enabled in the Cloudflare dashboard — the token is only valid if it comes from our domain
One thing not in the original documentation that we discovered in the logs: some bots attempt to reuse tokens obtained on other sites that also use Turnstile. The hostname-mismatch error blocks them automatically. In the first month we saw 2,847 attempts of this type.
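The server-side half of the configuration above (block on an invalid token, fail open after the API timeout, reject tokens issued for another hostname, log every attempt) as an added example in Python. This is not the Zeyvro module’s code; it assumes Cloudflare’s documented siteverify endpoint (form fields secret, response and remoteip; JSON reply with success, hostname and error-codes). The HTTP call is injectable so every decision path can be exercised offline with constructed replies, the hostname comparison is done locally as a defence-in-depth check alongside the dashboard restriction, and the secret key, hostname and IPs are placeholders.

```python
import json
import socket
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


@dataclass
class Decision:
    allow: bool
    reason: str                              # "ok", "fail-open", "hostname-mismatch" or error code(s)
    error_codes: List[str] = field(default_factory=list)


def http_post_form(url: str, data: Dict[str, str], timeout: float) -> dict:
    """Real transport: POST form fields to siteverify and decode the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode())
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def verify_turnstile(token: Optional[str], remote_ip: str, *, secret: str,
                     expected_hostname: str, timeout: float = 4.0,
                     fail_open: bool = True, user_agent: str = "",
                     post: Callable[[str, Dict[str, str], float], dict] = http_post_form,
                     log: Optional[List[dict]] = None) -> Decision:
    """Block, allow, or fail open for one form submission; append one log record."""
    def record(d: Decision) -> Decision:
        if log is not None:       # in-memory stand-in for the module's log table
            log.append({"ip": remote_ip, "ua": user_agent, "allow": d.allow, "reason": d.reason})
        return d

    if not token:
        # Bots that never fetch a widget token: block without spending an API call.
        return record(Decision(False, "missing-input-response", ["missing-input-response"]))
    try:
        result = post(SITEVERIFY_URL,
                      {"secret": secret, "response": token, "remoteip": remote_ip}, timeout)
    except (OSError, ValueError):
        # socket.timeout and URLError are OSError subclasses; ValueError covers bad JSON.
        # Fail open, as in the setup above, so an API outage does not block customers.
        return record(Decision(True, "fail-open") if fail_open
                      else Decision(False, "verification-unavailable"))
    if not result.get("success"):
        codes = list(result.get("error-codes") or ["unknown-error"])
        return record(Decision(False, ",".join(codes), codes))
    # Defence in depth alongside the dashboard restriction: a valid token that
    # was issued for another site must not be accepted here.
    if result.get("hostname") != expected_hostname:
        return record(Decision(False, "hostname-mismatch", ["hostname-mismatch"]))
    return record(Decision(True, "ok"))


def run_scenarios() -> Tuple[Dict[str, Decision], List[dict]]:
    """Drive every decision path with constructed siteverify replies (no network)."""
    def reply(payload: dict):
        return lambda url, data, timeout: payload

    def timed_out(url, data, timeout):
        raise socket.timeout("siteverify did not answer within %.1fs" % timeout)

    common = dict(secret="PLACEHOLDER_SECRET_KEY", expected_hostname="shop.example")
    log: List[dict] = []
    cases = {
        "valid": verify_turnstile("tok-1", "203.0.113.5", log=log, **common,
                                  post=reply({"success": True, "hostname": "shop.example"})),
        "token_from_other_site": verify_turnstile("tok-2", "203.0.113.6", log=log, **common,
                                  post=reply({"success": True, "hostname": "other.example"})),
        "expired_or_reused": verify_turnstile("tok-3", "203.0.113.7", log=log, **common,
                                  post=reply({"success": False, "error-codes": ["timeout-or-duplicate"]})),
        "no_token": verify_turnstile("", "203.0.113.8", log=log, **common, post=reply({})),
        "api_down_fail_open": verify_turnstile("tok-4", "203.0.113.9", log=log, **common, post=timed_out),
        "api_down_fail_closed": verify_turnstile("tok-5", "203.0.113.9", log=log, **common,
                                                post=timed_out, fail_open=False),
    }
    return cases, log


if __name__ == "__main__":
    decisions, attempts = run_scenarios()
    for name, d in decisions.items():
        print(f"{name:22s} allow={d.allow!s:5s} reason={d.reason}")
```

The fail-open branch is the one setting worth thinking about per store: it keeps customers moving during a Cloudflare outage, but while the API is unreachable every request is waved through, so a block on the outcome of fail-open in the log is the signal to watch for.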
First month results
Data for the October vs. September 2025 period:
| Metric | Sep 2025 (pre-Turnstile) | Oct 2025 (post-Turnstile) | Change |
|---|---|---|---|
| Total new registrations | 905 | 118 | -87% |
| Confirmed bot registrations | 850 | 70 | -92% |
| Real customer registrations | 55 | 48 | -13% (seasonal) |
| False positives | 0* | 1 | — |
| Contact form spam messages | 312 | 9 | -97% |
| Spam reviews | 47 | 2 | -96% |
*reCAPTCHA v3 generated ~10% false positives in our previous configuration with threshold 0.7. With v2 we didn’t measure false positives because the widget was visible and customers could try again.
The single false positive of the month was a customer with a very restrictive browsing environment (JavaScript partially blocked by privacy extensions). After reloading the page with extensions disabled, the form worked fine.
Log analysis: what types of bots we blocked
The module records Cloudflare’s error codes for each failed verification. Distribution for the first month:
- invalid-input-response (malformed token or no token): 38% of blocked attempts. Bots that don’t even try to obtain a valid token.
- hostname-mismatch (token from another domain): 31%. Token reuse across sites.
- timeout-or-duplicate (expired or already-used token): 21%. Bots that solve the challenge but wait too long before submitting, or attempt to reuse the same token multiple times.
- invalid-input-response (failed challenge): 10%. Bots that attempt to solve the challenge but don’t pass Cloudflare’s tests.
The 92% reduction in bot registrations doesn’t mean the remaining 8% is legitimate traffic getting through. It means 8% of the previous month’s bots are still finding a way past the challenge: primarily bots operating in real browsers with residential IPs, which are indistinguishable from human users for any verification system.
For that 8%, the only solution is post-registration behavior detection (anomalous usage patterns, active email verification, activity analysis in the first 24h). Turnstile isn’t the last line of defense, but it eliminates the noise that makes working at that level of detail impossible.
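How the distribution above can be produced from the verification log, as an added Python example that is not the module’s own reporting code. The log layout is constructed for this example (one line per attempt: timestamp, client IP, outcome, error code or ok/fail-open, and the length of the submitted token); the article does not show the module’s real log format. Splitting invalid-input-response into the two categories the article uses (no token versus failed challenge) is done here by token length, which is this example’s assumption.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log: timestamp, client IP, outcome, code, submitted token length.
SAMPLE_LOG = """\
2025-10-02T08:11:03Z 203.0.113.10 blocked invalid-input-response 0
2025-10-02T08:11:05Z 203.0.113.11 blocked invalid-input-response 0
2025-10-02T08:11:06Z 203.0.113.12 blocked invalid-input-response 0
2025-10-02T08:11:09Z 198.51.100.4 blocked hostname-mismatch 1020
2025-10-02T08:11:12Z 198.51.100.4 blocked hostname-mismatch 1018
2025-10-02T08:11:20Z 203.0.113.13 blocked timeout-or-duplicate 1022
2025-10-02T08:11:31Z 192.0.2.7 allowed ok 1030
2025-10-02T08:11:40Z 198.51.100.4 blocked hostname-mismatch 1021
2025-10-02T08:11:52Z 203.0.113.14 blocked invalid-input-response 0
2025-10-02T08:12:00Z 203.0.113.15 blocked invalid-input-response 1019
2025-10-02T08:12:07Z 203.0.113.13 blocked timeout-or-duplicate 1022
2025-10-02T08:12:15Z 192.0.2.8 allowed ok 1033
2025-10-02T08:12:30Z 192.0.2.9 allowed fail-open 1028
"""


def parse_line(line: str) -> Tuple[str, str, str, str, int]:
    ts, ip, outcome, code, token_len = line.split()
    return ts, ip, outcome, code, int(token_len)


def categorize(code: str, token_len: int) -> str:
    """Separate bots that never obtained a token from bots that obtained one
    and failed the challenge (assumption: distinguished by token length)."""
    if code == "invalid-input-response":
        return "no-or-malformed-token" if token_len == 0 else "challenge-failed"
    return code


def outcome_counts(log_text: str) -> Dict[str, int]:
    """How many attempts were blocked versus allowed (fail-open counts as allowed)."""
    return dict(Counter(parse_line(l)[2] for l in log_text.splitlines() if l.strip()))


def blocked_distribution(log_text: str) -> Dict[str, float]:
    """Share of each block reason among blocked attempts, in percent."""
    reasons: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, outcome, code, token_len = parse_line(line)
        if outcome == "blocked":
            reasons[categorize(code, token_len)] += 1
    total = sum(reasons.values())
    return {r: round(100.0 * n / total, 1) for r, n in reasons.most_common()} if total else {}


def repeat_mismatch_sources(log_text: str, min_hits: int = 2) -> List[Tuple[str, int]]:
    """IPs with several hostname-mismatch blocks: the cross-site token reuse pattern."""
    hits = Counter(parse_line(l)[1] for l in log_text.splitlines()
                   if l.strip() and parse_line(l)[3] == "hostname-mismatch")
    return [(ip, n) for ip, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    print(outcome_counts(SAMPLE_LOG))
    for reason, pct in blocked_distribution(SAMPLE_LOG).items():
        print(f"{reason:24s} {pct:5.1f}%")
    print("repeat token-reuse sources:", repeat_mismatch_sources(SAMPLE_LOG))
```

Running it over a month of real log lines gives the same four-line breakdown as above; the repeat-source list is the quickest way to see whether hostname-mismatch blocks come from a handful of addresses or are spread across a residential proxy pool.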
The collateral improvement we didn’t expect
When we removed the reCAPTCHA script from the head of the contact page, load time on that page dropped by 110ms at median (measured with WebPageTest from Frankfurt, simulated 4G connection). reCAPTCHA loads three scripts from different Google domains totaling ~180KB. The Turnstile script is 45KB from a Cloudflare CDN.
It’s not the main reason to choose Turnstile, but it’s a real benefit.
The configuration we recommend for most stores
After three months running the system in production, this is the setup we’d use on a new store:
- Managed mode (not invisible) — the Cloudflare badge visible in the form acts as a deterrent signal for simple bots
- Action on fail: block — except on stores with technical audiences where false positives are a real concern
- API timeout: 5 seconds — 99.9% of Cloudflare verifications respond in under 500ms; a 5s timeout covers any one-off anomaly
- Logging: always enabled — data from the first months is valuable for understanding the bot profile attacking your specific store
- Hostname restriction in Cloudflare: always — eliminates 31% of token reuse attempts at no additional cost
If you’re facing a similar situation in your PrestaShop 8 store — spam on registration, contact form as an attack vector, automated reviews — the Zeyvro Turnstile module implements everything described in this article with a Back Office configuration interface and complete logging. Open a ticket and we’ll help with the specific setup for your store.
If you’re not yet sure whether Turnstile is what you need, start with the informational article on reCAPTCHA vs Turnstile and come back here when you have the full context.