Session log — A “you are human” check on the register page

InternalView platform →
← All session logs

Session log — A “you are human” check on the register page

2 May 2026 · Hasmukh with Claude · Hasmukh wanted a button on the s2l.online register page that confirms the visitor is a human, to stop bot sign-ups. Two options were weighed (Google reCAPTCHA versus Cloudflare Turnstile), Hasmukh chose Turnstile for the lighter, more privacy-friendly experience, and the tickbox plus matching server-side check went live on /register the same day.

What happened, in order

  1. The brief
  2. reCAPTCHA or Turnstile
  3. Install, on the live page
  4. Verifying it took
  5. Going forward
Brief

1. The brief

HasmukhCan we add a button to the register page that confirms the person is a human, so we get fewer bot sign-ups?

Bot sign-ups had been creeping up. They are not catastrophic but they pollute the user table and inflate the newsletter list. A friction-free human check on the register form was the obvious lever.

Step 1

2. reCAPTCHA or Turnstile

Two options on the table. Google reCAPTCHA is the familiar tickbox, free, very effective, but it sends some visitor data to Google. Cloudflare Turnstile is the quieter alternative, usually verifies visitors silently, and is more privacy-friendly.

Hasmukh first leaned toward reCAPTCHA on familiarity, then changed his mind: Turnstile’s lighter footprint and weaker data trail fit the s2l audience better. Decision: Turnstile. He created the keys at Cloudflare and shared them.

One small but durable choice: the keys go inside the EP Membership settings rather than being baked into the plugin file. They can be rotated at any time without touching code.

Step 2

3. Install, on the live page

Backed up the EP Membership plugin file before any change, with the original kept as plugin.php.bak.20260502-turnstile next to the live one. Saved both Turnstile keys (site key and secret key) into the EP Membership settings. Added the Turnstile widget to the register page, sitting just below the newsletter opt-in and just above the Register button. Added the matching server-side check, so any registration submitted without a passed Turnstile token is rejected with a friendly message rather than a stack trace.

Step 3

4. Verifying it took

Loaded the live /register page after the change and confirmed the Turnstile script and widget are present, with the correct site key. Checked the server error log: no new PHP errors after the change. Closed out cleanly.

OutcomeThe register form now requires a passed Turnstile token before a sign-up is accepted. Bots get rejected before they ever reach the user table.
Going forward

5. Going forward

Hasmukh to do a real sign-up on the live page from a phone and a desktop to confirm it feels right on both. If we ever need to roll back, the original plugin file is preserved as a timestamped backup in the EP Membership folder.