{"id":245569,"date":"2025-08-11T08:17:58","date_gmt":"2025-08-11T08:17:58","guid":{"rendered":"https:\/\/en-gb.wordpress.org\/plugins\/kitgenix-turnstile\/"},"modified":"2026-03-19T10:11:29","modified_gmt":"2026-03-19T10:11:29","slug":"kitgenix-captcha-for-cloudflare-turnstile","status":"publish","type":"plugin","link":"https:\/\/ml.wordpress.org\/plugins\/kitgenix-captcha-for-cloudflare-turnstile\/","author":23310025,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.0.18","stable_tag":"1.0.18","tested":"7.0","requires":"6.0","requires_php":"8.1","requires_plugins":null,"header_name":"Kitgenix CAPTCHA for Cloudflare Turnstile","header_author":"Kitgenix","header_description":"Seamlessly integrate Cloudflare Turnstile with WordPress, WooCommerce, and Elementor forms.","assets_banners_color":"d0cae2","last_updated":"2026-03-19 10:11:29","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/donate.stripe.com\/9B65kDgG3fTQ2Kzcmwf7i00","header_plugin_uri":"https:\/\/wordpress.org\/plugins\/kitgenix-captcha-for-cloudflare-turnstile\/","header_author_uri":"https:\/\/kitgenix.com\/","rating":5,"author_block_rating":0,"active_installs":400,"downloads":2720,"num_ratings":5,"support_threads":2,"support_threads_resolved":2,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"kitgenix","date":"2025-08-11 08:20:37"},"1.0.1":{"tag":"1.0.1","author":"kitgenix","date":"2025-08-11 12:07:42"},"1.0.10":{"tag":"1.0.10","author":"kitgenix","date":"2025-10-16 08:57:43"},"1.0.11":{"tag":"1.0.11","author":"kitgenix","date":"2025-10-19 11:50:21"},"1.0.12":{"tag":"1.0.12","author":"kitgenix","date":"2025-11-21 18:19:55"},"1.0.12.1":{"tag":"1.0.12.1","author":"kitgenix","date":"2025-11-21 21:50:49"},"1.0.13":{"tag":"1.0.13","author":"kitgenix","date":"2025-11-22 10:56:05"},"1.0.14":{"tag":"1.0.14","author":"kitgenix","date":"2025-12-09 12:52:03"},"1.0.15":{"tag":"1.0.15","author":"kitgenix","date":"2026-01-01 19:20:11"},"1.0.16":{"tag":"1.0.16","author":"kitgenix","date":"2026-01-27 19:10:13"},"1.0.17":{"tag":"1.0.17","author":"kitgenix","date":"2026-02-19 22:09:58"},"1.0.18":{"tag":"1.0.18","author":"kitgenix","date":"2026-03-19 10:11:29"},"1.0.2":{"tag":"1.0.2","author":"kitgenix","date":"2025-08-12 07:25:49"},"1.0.3":{"tag":"1.0.3","author":"kitgenix","date":"2025-08-12 20:40:05"},"1.0.4":{"tag":"1.0.4","author":"kitgenix","date":"2025-08-17 13:50:18"},"1.0.5":{"tag":"1.0.5","author":"kitgenix","date":"2025-09-09 08:32:29"},"1.0.6":{"tag":"1.0.6","author":"kitgenix","date":"2025-09-10 19:02:56"},"1.0.7":{"tag":"1.0.7","author":"kitgenix","date":"2025-10-14 20:24:47"},"1.0.8":{"tag":"1.0.8","author":"kitgenix","date":"2025-10-15 08:19:30"},"1.0.9":{"tag":"1.0.9","author":"kitgenix","date":"2025-10-15 12:54:38"}},"upgrade_notice":{"1.0.18":"

Maintenance and compatibility update. Recommended for all sites.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":5},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3465407,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3465407,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3465407,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3465407,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.12.1","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3430715,"resolution":"1","location":"assets","locale":""},"screenshot-10.png":{"filename":"screenshot-10.png","revision":3430715,"resolution":"10","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3430715,"resolution":"2","location":"assets","locale":""},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3430715,"resolution":"3","location":"assets","locale":""},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3430715,"resolution":"4","location":"assets","locale":""},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3430715,"resolution":"5","location":"assets","locale":""},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3430715,"resolution":"6","location":"assets","locale":""},"screenshot-7.png":{"filename":"screenshot-7.png","revision":3430715,"resolution":"7","location":"assets","locale":""},"screenshot-8.png":{"filename":"screenshot-8.png","revision":3430715,"resolution":"8","location":"assets","locale":""},"screenshot-9.png":{"filename":"screenshot-9.png","revision":3430715,"resolution":"9","location":"assets","locale":""}},"screenshots":{"1":"WordPress login form protected by Cloudflare Turnstile.","2":"WordPress registration form protected.","3":"WooCommerce Classic checkout protected near the Place order area.","4":"WooCommerce Blocks \/ Store API checkout protected inside the block-based checkout UI.","5":"WooCommerce My Account login\/register protected.","6":"Contact Form 7 form protected.","7":"WPForms form protected (AJAX and standard submissions).","8":"Elementor form protected (including popup\/AJAX behaviour).","9":"Settings overview: keys, widget options, integration toggles and security features.","10":"Security\/advanced settings: replay protection, proxy trust configuration and whitelisting rules.","11":"Site Health \u201cCloudflare Turnstile readiness\u201d test view (keys, last verify snapshot, duplicate loader notice)."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[2656,362,3882,214603,286],"plugin_category":[44,45],"plugin_contributors":[246171],"plugin_business_model":[],"class_list":["post-245569","plugin","type-plugin","status-publish","hentry","plugin_tags-anti-spam","plugin_tags-captcha","plugin_tags-cloudflare","plugin_tags-turnstile","plugin_tags-woocommerce","plugin_category-discussion-and-community","plugin_category-ecommerce","plugin_contributors-kitgenix","plugin_committers-kitgenix","plugin_support_reps-carlfromkitgenix"],"banners":{"banner":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/banner-772x250.png?rev=3465407","banner_2x":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/banner-1544x500.png?rev=3465407","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/icon-128x128.png?rev=3465407","icon_2x":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/icon-256x256.png?rev=3465407","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-1.png?rev=3430715","caption":"WordPress login form protected by Cloudflare Turnstile."},{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-2.png?rev=3430715","caption":"WordPress registration form protected."},{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-3.png?rev=3430715","caption":"WooCommerce Classic checkout protected near the Place order area."},{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-4.png?rev=3430715","caption":"WooCommerce Blocks \/ Store API checkout protected inside the block-based checkout UI."},{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-5.png?rev=3430715","caption":"WooCommerce My Account login\/register protected."},{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-6.png?rev=3430715","caption":"Contact Form 7 form protected."},{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-7.png?rev=3430715","caption":"WPForms form protected (AJAX and standard submissions)."},{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-8.png?rev=3430715","caption":"Elementor form protected (including popup\/AJAX behaviour)."},{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-9.png?rev=3430715","caption":"Settings overview: keys, widget options, integration toggles and security features."},{"src":"https:\/\/ps.w.org\/kitgenix-captcha-for-cloudflare-turnstile\/assets\/screenshot-10.png?rev=3430715","caption":"Security\/advanced settings: replay protection, proxy trust configuration and whitelisting rules."}],"raw_content":"\n

Spam is expensive: it wastes time, clogs inboxes, creates fake accounts, and on stores it can lead to abandoned checkout noise and fraudulent activity. Traditional CAPTCHA solutions can also hurt conversions by adding friction.<\/p>\n\n

Cloudflare Turnstile<\/strong> is a modern, privacy-first CAPTCHA alternative designed to reduce friction for real people while still blocking bots.<\/p>\n\n

Kitgenix CAPTCHA for Cloudflare Turnstile<\/strong> is a production-ready Turnstile integration for WordPress that focuses on reliability in real-world setups:\n- Server-side token verification (using Cloudflare\u2019s official endpoint)\n- Fast, conditional loading (only where needed)\n- Support for dynamic\/AJAX forms and modern WooCommerce Blocks \/ Store API checkout\n- Security features: replay protection, proxy-aware IP handling, whitelisting, and developer mode (warn-only)<\/p>\n\n

You can enable\/disable each integration (and many per-form toggles), choose auto-injection vs shortcode-only placement, customise display and messaging, and use built-in diagnostics and Site Health checks to troubleshoot.<\/p>\n\n

Supported integrations (where Turnstile can be added)<\/h4>\n\n

All integrations are enable-able from settings. Many also support Mode: Auto vs Shortcode<\/strong>.<\/p>\n\n

WordPress Core<\/strong>\n- Login\n- Registration\n- Lost password\n- Reset password\n- Comments (standard WordPress comment forms, including safe handling for comment failures\/redirects)<\/p>\n\n

WooCommerce (Classic)<\/strong>\n- Checkout\n- Product reviews\n- My Account login\n- My Account registration\n- Lost password<\/p>\n\n

WooCommerce Blocks (Store API \/ Block Checkout)<\/strong>\n- UI rendering inside block-based checkout\n- Adds token to Store API requests (header and\/or extensions payload when available)\n- Server-side validation of Store API checkout requests\n- Supports \u201cshortcode-only mode\u201d behaviour so you can control placement<\/p>\n\n

Easy Digital Downloads (EDD)<\/strong>\n- Checkout\n- Login\n- Register\n- Profile editor<\/p>\n\n

Form plugins<\/strong>\n- Contact Form 7 (CF7)\n- WPForms\n- Fluent Forms\n- Formidable Forms\n- Forminator\n- Gravity Forms\n- JetFormBuilder\n- Jetpack Forms\n- Kadence Forms\n- Elementor Forms (including popups and AJAX submissions)<\/p>\n\n

Community \/ forums<\/strong>\n- bbPress (topic\/reply flows where applicable)\n- BuddyPress (flows where applicable)<\/p>\n\n

Core features (site-wide)<\/h4>\n\n

Turnstile widget rendering<\/strong>\n- Uses Cloudflare\u2019s official Turnstile API script\n- Widget options:\n - Theme: auto \/ light \/ dark\n - Size: small \/ medium \/ large \/ normal \/ flexible\n - Appearance: stored as Turnstile \u201cappearance\u201d option (defaults to always)\n - Language: auto or explicit locale (passed via hl=...<\/code>)<\/p>\n\n

Settings & admin experience<\/strong>\n- Settings page under the shared Kitgenix WP admin menu\n- Live \u201ctest widget\u201d preview on the settings screen (renders when a Site Key is present)\n- Site Key + Secret Key storage (secret not printed in HTML by default)\n- \u201cReveal secret key\u201d (admins only, nonce-protected AJAX action)<\/p>\n\n

Messaging & UX<\/strong>\n- Custom error message (admin-configurable, used across integrations)\n- Extra message text (optional text displayed alongside\/under the widget)\n- \u201cDisable submit until completed\u201d option (frontend behaviour via plugin JS)<\/p>\n\n

Replay protection (enabled by default)<\/strong>\n- Detects re-used tokens (hash stored in transients) and blocks replays\n- TTL is filterable\n- Stores hashed token markers under the transient prefix kitgenix_captcha_for_cloudflare_turnstile_ts_<\/code>\n- Sets a short-lived cookie (kitgenix_captcha_for_cloudflare_turnstile_ts_replay<\/code>, ~120s) when replay is detected (for frontend behaviour\/messages)\n- Dedicated replay message (filterable)<\/p>\n\n

Developer mode (warn-only)<\/strong>\n- Verification failures do not<\/strong> block submissions\n- Failures are logged (and emitted via a developer log action)\n- Optional inline warning annotation for admins (frontend config)<\/p>\n\n

Whitelisting (skip Turnstile + skip loading API script)<\/strong>\n- Whitelist logged-in users\n- Whitelist by IP (exact, wildcards, CIDR \u2014 including IPv6)\n- Whitelist by User-Agent (substring or wildcard matching)\n- Filter hook to override whitelist decision<\/p>\n\n

Proxy \/ real-IP handling<\/strong>\n- Optional trust of proxy headers (Cloudflare \/ X-Forwarded-For style)\n- Trusted proxy IP list \/ trust controls\n- Forwarded headers are only honoured when the request originates from a trusted proxy<\/p>\n\n

Performance & resilience<\/strong>\n- Conditional script loading only where needed\n- Async\/strategy-based script loading (depending on WP version)\n- Adds resource hints (preconnect \/ dns-prefetch) for Turnstile domain\n- Detects duplicate Turnstile API loaders (if another plugin\/theme enqueues api.js<\/code>):\n - Stores detection in the transient kitgenix_turnstile_duplicate_scripts<\/code>\n - Shows admin notice on settings and Plugins screen\n - Includes dismiss link (nonce-protected, uses kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss_dupe=1<\/code>)<\/p>\n\n

Site Health + diagnostics<\/strong>\n- Adds a Site Health test: \u201cCloudflare Turnstile readiness\u201d\n- Checks:\n - Keys present\n - Duplicate API loader transient (kitgenix_turnstile_duplicate_scripts<\/code>)\n - Last verification success\/failure snapshot\n - Heuristic warning if common optimisation\/caching plugins are active\n- Stores the last verify outcome (success, time, error codes) for Site Health display\n- Tracks privacy-safe counters in kitgenix_captcha_for_cloudflare_turnstile_metrics<\/code> (checks total\/passed\/failed)<\/p>\n\n

Manual placement (shortcode)<\/h4>\n\n

If you have a custom form or an unsupported plugin, you can manually render the widget:<\/p>\n\n

[kitgenix_turnstile]<\/p>\n\n

Shortcode output includes:\n- a nonce field\n- a hidden cf-turnstile-response<\/code> input\n- the widget container (with data-sitekey<\/code>)\n- support for passing arbitrary attributes via shortcode attributes<\/p>\n\n

Many supported integrations also offer Shortcode-only<\/strong> mode (you place the shortcode where you want; the plugin validates server-side without auto-injection).<\/p>\n\n

Quick Start<\/h4>\n\n
    \n
  1. Install and activate the plugin.<\/li>\n
  2. Open the Turnstile settings under the Kitgenix hub in wp-admin.<\/li>\n
  3. Add your Cloudflare Turnstile Site Key and Secret Key.<\/li>\n
  4. Configure widget options (theme\/size\/appearance\/language) and messaging if needed.<\/li>\n
  5. Enable the integrations (and per-form toggles) you want.<\/li>\n
  6. Save, then test the key user journeys: login, registration, checkout, and your main contact form.<\/li>\n<\/ol>\n\n

    Tip: Start with Developer mode (warn-only)<\/strong> on staging or during rollout. Once you\u2019re satisfied, disable warn-only to enforce blocking.<\/p>\n\n

    Performance and caching notes (important for stores)<\/h4>\n\n

    Turnstile is lightweight, but aggressive optimisation can break rendering or token freshness.<\/p>\n\n

    If you use caching\/optimisation plugins:\n- Allowlist https:\/\/challenges.cloudflare.com\n- Avoid full-page caching on login\/account\/checkout pages\n- Avoid combining\/inlining the Turnstile loader\n- Avoid heavily delaying Elementor\/form plugin scripts\n- Ensure outbound HTTP requests to Cloudflare are not blocked (needed for server-side verification)<\/p>\n\n

    Settings Overview<\/h3>\n\n

    Main settings:\n- Site Key\n- Secret Key (with \u201csecret present\u201d state, clear\/reveal)\n- Theme (auto\/light\/dark)\n- Size (small\/medium\/large\/normal\/flexible)\n- Appearance (Turnstile appearance option)\n- Language (auto or specific locale)\n- Disable submit until completed\n- Custom error message\n- Extra message text<\/p>\n\n

    Security & advanced:\n- Replay protection (on\/off)\n- Developer mode (warn-only)\n- Whitelist logged-in users\n- Whitelist IPs (wildcards\/CIDR, including IPv6)\n- Whitelist user agents\n- Proxy trust (enable\/disable)\n- Trusted proxy IPs \/ trust controls<\/p>\n\n

    Integrations (enable + per-form toggles where available):\n- WordPress Core (login\/register\/lost password\/reset password\/standard comments)\n- WooCommerce (checkout\/product reviews\/login\/register\/lost password)\n- WooCommerce Blocks mode (auto vs shortcode-only)\n- Easy Digital Downloads (checkout\/login\/register\/profile)\n- Contact Form 7\n- WPForms\n- Fluent Forms\n- Formidable Forms\n- Forminator\n- Gravity Forms\n- Jetpack Forms\n- Kadence Forms\n- Elementor Forms\n- bbPress\n- BuddyPress<\/p>\n\n

    Developers<\/h3>\n\n

    Shortcode:\n[kitgenix_turnstile]<\/p>\n\n

    Server-side verification endpoint:\nhttps:\/\/challenges.cloudflare.com\/turnstile\/v0\/siteverify<\/p>\n\n

    Filters (script\/loading):\n- kitgenix_captcha_for_cloudflare_turnstile_script_url( $url, $settings )\n- kitgenix_turnstile_freshness_ms\n- kitgenix_turnstile_inline_style<\/p>\n\n

    Filters (verification \/ request handling):\n- kitgenix_turnstile_siteverify_url\n- kitgenix_turnstile_siteverify_timeout\n- kitgenix_turnstile_siteverify_sslverify\n- kitgenix_turnstile_siteverify_http_args\n- kitgenix_turnstile_send_remoteip\n- kitgenix_turnstile_remote_ip\n- kitgenix_turnstile_token_from_request\n- kitgenix_turnstile_handle_comment_form\n- kitgenix_turnstile_error_codes\n- kitgenix_turnstile_error_message\n- kitgenix_turnstile_replay_message\n- kitgenix_captcha_for_cloudflare_turnstile_{context}_turnstile_error_message<\/p>\n\n

    Filters (replay protection):\n- kitgenix_turnstile_replay_ttl<\/p>\n\n

    Filters (whitelist \/ proxy trust):\n- kitgenix_turnstile_is_whitelisted( $is_whitelisted, $details )\n- kitgenix_turnstile_trust_headers\n- kitgenix_turnstile_trusted_proxies<\/p>\n\n

    Internal identifiers (options \/ transients \/ cookies \/ meta):\n- Option: kitgenix_captcha_for_cloudflare_turnstile_settings\n- Settings group (Settings API): kitgenix_captcha_for_cloudflare_turnstile_settings_group\n- Option: kitgenix_captcha_for_cloudflare_turnstile_metrics\n- Option: kitgenix_turnstile_last_verify\n- Transient: kitgenix_captcha_for_cloudflare_turnstile_do_activation_redirect\n- Transient: kitgenix_turnstile_duplicate_scripts\n- Transient prefix (replay protection): kitgenix_captcha_for_cloudflare_turnstile_ts_\n- Cookie (replay notice): kitgenix_captcha_for_cloudflare_turnstile_ts_replay\n- WooCommerce order meta (Blocks\/Store API verification): _kitgenix_turnstile_verified<\/p>\n\n

    Internal nonces \/ actions:\n- Shortcode\/form nonce field name: kitgenix_captcha_for_cloudflare_turnstile_nonce\n- Shortcode\/form nonce action: kitgenix_captcha_for_cloudflare_turnstile_action\n- Settings save nonce field name: kitgenix_captcha_for_cloudflare_turnstile_settings_nonce\n- Settings save nonce action: kitgenix_captcha_for_cloudflare_turnstile_settings_save\n- Admin AJAX action (reveal saved secret): kitgenix_turnstile_get_secret (WordPress hook: wp_ajax_kitgenix_turnstile_get_secret)\n- Admin AJAX nonce action (reveal saved secret): kitgenix_turnstile_reveal_secret\n- Duplicate-loader notice dismiss query arg: kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss_dupe\n- Duplicate-loader notice dismiss nonce action: kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss<\/p>\n\n

    Actions (developer logging):\n- kitgenix_turnstile_dev_log<\/p>\n\n

    External Services<\/h3>\n\n

    This plugin uses Cloudflare Turnstile<\/strong> to verify requests and prevent spam and abuse.<\/p>\n\n

    The plugin may:\n- Load the Turnstile script:\n https:\/\/challenges.cloudflare.com\/turnstile\/v0\/api.js\n- Submit verification requests server-side to:\n https:\/\/challenges.cloudflare.com\/turnstile\/v0\/siteverify<\/p>\n\n

    When verification is enabled, the plugin sends to Cloudflare:\n- Your Turnstile secret key\n- The Turnstile response token\n- The visitor IP address (as the optional remoteip<\/code> parameter, when enabled)<\/p>\n\n

    The plugin does not send the visitor's browser user agent to Cloudflare as part of the verification payload (the HTTP request itself is made server-side by WordPress).<\/p>\n\n

    If proxy trust is enabled, the plugin may read forwarding headers (e.g. CF-Connecting-IP<\/code>, X-Forwarded-For<\/code>) to determine the client IP, but only when requests originate from configured trusted proxies.<\/p>\n\n

    The plugin does not add tracking cookies itself and does not sell or share personal data.<\/p>\n\n

    Cloudflare Turnstile Terms: https:\/\/developers.cloudflare.com\/turnstile\/\nCloudflare Privacy Policy: https:\/\/www.cloudflare.com\/privacypolicy\/<\/p>\n\n

    This plugin also includes a shared \u201cKitgenix hub\u201d component in wp-admin which may fetch publicly available plugin metadata from WordPress.org using the WordPress core plugins_api()<\/code> function (WordPress.org Plugins API).<\/p>\n\n

      \n
    • When it runs: only in wp-admin (Kitgenix plugin admin pages)<\/li>\n
    • Data sent: plugin slug(s) (no personal data)<\/li>\n
    • Data received: publicly available plugin information (e.g. active installs, ratings)<\/li>\n
    • Caching: responses are cached locally using transients for ~1 day:\n\n
        \n
      • kitgenix_hub_wporg_active_installs_v1<\/code><\/li>\n
      • kitgenix_hub_wporg_ratings_v1<\/code><\/li>\n<\/ul><\/li>\n<\/ul>\n\n

        Trademark Notice<\/h3>\n\n

        \u201cCloudflare\u201d and the Cloudflare logo are trademarks of Cloudflare, Inc. This plugin is not affiliated with or endorsed by Cloudflare, Inc.<\/p>\n\n

        Support Development<\/h3>\n\n

        If this plugin helps keep spam away without slowing your site down, you can support ongoing development here:\nhttps:\/\/donate.stripe.com\/9B65kDgG3fTQ2Kzcmwf7i00<\/p>\n\n

        Credits<\/h3>\n\n

        Built with \u2764\ufe0e by @kitgenix - https:\/\/kitgenix.com<\/p>\n\n\n

          \n
        1. Go to Plugins \u2192 Add New.<\/li>\n
        2. Search for \u201cKitgenix Turnstile\u201d and click Install Now.<\/li>\n
        3. Activate the plugin.<\/li>\n
        4. Open the settings under the Kitgenix hub.<\/li>\n
        5. Enter your Site Key and Secret Key from Cloudflare Turnstile.<\/li>\n
        6. Enable your integrations and save.<\/li>\n<\/ol>\n\n\n
          \n

          Do I need a Cloudflare account?<\/h3><\/dt>\n

          Yes. You need Turnstile keys from Cloudflare. A free account is enough.<\/p><\/dd>\n

          Is Cloudflare Turnstile a reCAPTCHA alternative?<\/h3><\/dt>\n

          Yes. Turnstile is widely used as a privacy-first alternative to Google reCAPTCHA and typically offers a smoother experience for real users.<\/p><\/dd>\n

          Do you verify tokens on the server?<\/h3><\/dt>\n

          Yes. Tokens are verified server-side using Cloudflare\u2019s official siteverify<\/code> endpoint (for supported forms\/integrations).<\/p><\/dd>\n

          Does this plugin support WooCommerce checkout?<\/h3><\/dt>\n

          Yes. It supports WooCommerce Classic checkout, WooCommerce product reviews<\/strong>, and WooCommerce Blocks \/ Store API checkout<\/strong>.<\/p><\/dd>\n

          What is \u201cAuto vs Shortcode-only\u201d mode?<\/h3><\/dt>\n

          Auto mode injects the widget automatically (and avoids duplicates if it detects existing shortcode\/widget markers). Shortcode-only mode requires you to place [kitgenix_turnstile]<\/code> manually.<\/p><\/dd>\n

          What is replay protection?<\/h3><\/dt>\n

          Replay protection blocks re-used tokens (a common bot technique). It\u2019s enabled by default and can be tuned via a filter.<\/p><\/dd>\n

          I\u2019m behind Cloudflare \/ a reverse proxy. Is IP handling correct?<\/h3><\/dt>\n

          Yes. The plugin supports proxy-aware IP detection and lets you configure trusted proxies so forwarded headers are only honoured safely.<\/p><\/dd>\n

          Can I whitelist logged-in users or certain IPs\/User-Agents?<\/h3><\/dt>\n

          Yes. You can whitelist logged-in users, IPs (CIDR\/wildcards, including IPv6), and user agents. Developers can also filter whitelist behaviour.<\/p><\/dd>\n

          The widget isn\u2019t showing. What should I check?<\/h3><\/dt>\n

          Check your Site Key, confirm the relevant integration and per-form toggle are enabled, clear caches, and review optimisation settings. If scripts are heavily delayed, allowlist Cloudflare\u2019s Turnstile domain.<\/p><\/dd>\n

          Users keep seeing verification errors. Why?<\/h3><\/dt>\n

          Common causes include cached form pages (token expiry), aggressive script delay\/defer, blocked outbound requests to Cloudflare, duplicate Turnstile loaders, or misconfigured proxy trust settings. Developer mode (warn-only) can help diagnose without blocking users.<\/p><\/dd>\n\n<\/dl>\n\n\n

          1.0.18 (19 March 2026)<\/h4>\n\n

          Update: Improved the Kitgenix admin header layout for better alignment and less clutter.\nUpdate: Social links in admin headers now render as compact icon buttons (with accessible labels).\nUpdate: Added responsive header helpers so titles\/description and actions\/links lay out consistently.\nUpdate: Admin tables inside Kitgenix pages now use Kitgenix styling for a more consistent branded look.\nFix: Admin notices now display above the Kitgenix header using the WordPress standard notice area.\nFix: Removed custom notice moving\/styling so core WordPress notices keep their default appearance.\nFix: Added defensive notice normalization to prevent notices being relocated into the header by other scripts.\nFix: Normalised settings page card spacing so it matches other Kitgenix plugins.\nFix: Added spacing between adjacent action links\/buttons (e.g., Edit\/Delete).\nImprovement: Validate Store API POSTs early via a single REST pre-dispatch path; token accepted from X-Turnstile-Token header or canonical extensions payload (WooCommerce Blocks).\nCleanup: Normalised nonce verification and request handling across admin and validation flows for WordPress.org review compliance.\nMaintenance: Updated the plugin Author URI to the public Kitgenix WordPress.org profile and replaced the old custom admin-menu icon CSS with the native Dashicons icon.\nNew: Added a dedicated WooCommerce Product Reviews integration toggle so store reviews can be protected independently of standard WordPress comments.\nFix: Split standard WordPress comments from WooCommerce product reviews so enabling blog comments protection no longer captures product review submissions unless the WooCommerce reviews toggle is enabled.\nImprovement: WooCommerce product reviews now follow the WooCommerce Classic injection mode and error-message context while still using the shared comment form hooks internally.\nDocs: Updated the bundled documentation and package readme to describe the new WooCommerce Product Reviews coverage and the kitgenix_turnstile_handle_comment_form<\/code> routing filter.<\/p>\n\n

          1.0.17 (18 February 2026)<\/h4>\n\n
            \n
          • New: Added JetFormBuilder integration (auto-inject and shortcode-only modes).<\/li>\n
          • New: JetFormBuilder server-side validation during submission handling (AJAX compatible).<\/li>\n
          • New: Added JetFormBuilder toggle + injection mode to the settings page.<\/li>\n
          • Improvement: JetFormBuilder auto-inject places the widget near the submit button row and avoids multi-step next\/prev actions.<\/li>\n
          • Fix: Support tab \u201cYour site impact\u201d metrics now update as Turnstile checks run (total\/passed\/failed).<\/li>\n
          • UI: Added Stock Sync for WooCommerce to the Kitgenix hub cards.<\/li>\n
          • Docs: Overhauled readme.txt.<\/li>\n
          • Docs: Updated WordPress.org screenshots.<\/li>\n
          • Docs: JetFormBuilder includes its own Turnstile\/CAPTCHA option; use one Turnstile provider per form to avoid duplicates.<\/li>\n
          • Dev: Regenerated \/languages\/kitgenix-captcha-for-cloudflare-turnstile.pot translation template.<\/li>\n<\/ul>\n\n

            1.0.16 (27 January 2026)<\/h4>\n\n
              \n
            • Improvement: Small admin UI tweaks and performance refinements.<\/li>\n
            • Change: Declared PHP requirement as 8.1.<\/li>\n
            • Cleanup: Minor compatibility and stability fixes, plus i18n\/translation updates.<\/li>\n
            • Cleanup: PHPCS\/i18n\/security fixes across admin and core files (output escaping, translator comments, optional nonce checks).<\/li>\n
            • Fix: Hardened admin asset enqueues to prefer $_GET['page'] with a fallback to hook-suffix so assets load reliably on existing installs.<\/li>\n
            • Fix: Localized admin JS now exposes AJAX action and nonce for the reveal-secret flow to securely fetch stored secret keys.<\/li>\n<\/ul>\n\n

              1.0.15 (01 January 2026)<\/h4>\n\n
                \n
              • New: Added Easy Digital Downloads integration (checkout, login, registration, and profile editor) with per-form toggles and a dedicated mode setting (Auto vs Shortcode-only).<\/li>\n
              • New: Added a shared Kitgenix top-level wp-admin menu + hub page, and moved Turnstile settings to Kitgenix \u2192 Cloudflare Turnstile (activation redirect + \u201cSettings\u201d link updated accordingly).<\/li>\n
              • Security: Secret key is no longer printed into the settings page HTML by default; \u201cReveal secret key\u201d now fetches it on-demand via authenticated AJAX + nonce.<\/li>\n
              • Improvement: bbPress integration now avoids duplicate widget output on themes that fire multiple hooks, adds support for the forum form, and validates forum creation flows.<\/li>\n
              • Improvement: Fluent Forms rendering is now more resilient when the Turnstile API loads late (prevents \u201cstuck rendering\u201d states and allows clean retries).<\/li>\n
              • Improvement: Standardized internal widget owner attribute + dynamic-render event naming, reducing render misses in dynamic\/AJAX contexts.<\/li>\n
              • Improvement: WordPress comments widget placement is now consistently injected above the submit button across themes; comment widget now has a stable ID for easier targeting.<\/li>\n
              • Fix: Replay protection setting now persists correctly when you disable it (checkbox omission on save no longer forces it back on).<\/li>\n
              • UI: Updated Kitgenix branding (admin + public CSS tokens), added shared hub stylesheet, refreshed plugin banners, and added Kitgenix logo assets.<\/li>\n
              • Cleanup: Removed onboarding strings and updated translations; plugin headers\/requirements updated (Tested up to 6.9, requires PHP 8.0).<\/li>\n<\/ul>\n\n

                1.0.14 (09 December 2025)<\/h4>\n\n
                  \n
                • UI: Split WooCommerce settings into two blocks \u2014 \u201cWooCommerce Classic\u201d and \u201cWooCommerce Blocks (Store API)\u201d \u2014 with separate injection mode controls and clearer guidance.<\/li>\n
                • UI: Modernized settings page with sidebar navigation (icons), status overview card, accessible collapsible sections, and improved layout. Kept the floating \u201cUnsaved changes\u201d bar.<\/li>\n
                • UI: Added a copy button next to [kitgenix_turnstile] in the settings for easy manual placement.<\/li>\n
                • UI: Updated brand colors across admin and public CSS to main #4f2a9a and accent #f364dd.<\/li>\n
                • Improvement: Public JS detects data-kitgenix-captcha-for-cloudflare-turnstile-owner=\"woocommerce-blocks\" and performs an immediate render, then falls back to visibility guard for other owners.<\/li>\n
                • Fix: WooCommerce Blocks checkout widget now renders reliably even when Classic Checkout is disabled. The renderer no longer waits for the container to be visible before calling turnstile.render() for Blocks, preventing missed render windows.<\/li>\n
                • Change: Respect Shortcode-only \u2014 when Blocks is set to \u201cShortcode only\u201d, auto-rendering is suppressed and server-side validation only enforces when a token is present (i.e. when you place the shortcode). Without a shortcode\/token, checkout proceeds without Turnstile.<\/li>\n
                • Change: Clarification \u2014 unchecking \u201cCheckout Form (Classic)\u201d does not affect Blocks Checkout; disable Blocks auto-injection via its \u201cShortcode only\u201d mode if desired.<\/li>\n
                • Cleanup: Removed Export\/Import Settings feature \u2014 UI removed and handlers disabled (class-settings-transfer.php no longer registers actions). Any old direct Import\/Export URLs are no-ops.<\/li>\n
                • Cleanup: Removed the Simple\/Advanced mode toggle from the settings UI and scripts.<\/li>\n
                • Dev: Dropped the unused kitgenix_turnstile_validate_keys AJAX nonce localization from admin scripts.<\/li>\n
                • Preparation: Placement \u2014 ensures the widget is injected directly above the \u201cPlace order\u201d area in WooCommerce Blocks checkout (handles submit button, text node, and actions wrapper variants).<\/li>\n
                • Preparation: Stability \u2014 keeps existing behaviour for Classic, core, and form plugins; no changes to validation flows or token forwarding (header + Store API extensions).<\/li>\n<\/ul>\n\n

                  1.0.13 (22 November 2025)<\/h4>\n\n
                    \n
                  • Security: Critical validation bypass in Elementor Pro Forms and Forminator Forms where missing tokens were incorrectly allowing form submissions instead of blocking them.<\/li>\n
                  • Security: Audit confirmed all other integrations (Contact Form 7, Gravity Forms, Formidable Forms, WPForms, Fluent Forms, Jetpack Forms, Kadence Forms, WooCommerce, WordPress core, bbPress, BuddyPress) correctly validate and fail when tokens are missing.<\/li>\n
                  • Security: This update fixes a vulnerability where forms could be submitted without completing CAPTCHA verification. Update immediately.<\/li>\n
                  • Fix: Elementor Pro Forms now properly fail validation when the Turnstile token is missing or empty (previously skipped validation entirely).<\/li>\n
                  • Fix: Forminator Forms now properly fail validation when the Turnstile token is missing or empty (previously skipped validation entirely).<\/li>\n
                  • Fix: Removed the wp_kses_post() wrapper from Forminator submit button HTML that could strip required attributes.<\/li>\n<\/ul>\n\n

                    1.0.12.1 (22 November 2025)<\/h4>\n\n
                      \n
                    • Fix: Reverted to 1.0.11 until the security update was released.<\/li>\n<\/ul>\n\n

                      1.0.12 (21 November 2025)<\/h4>\n\n
                        \n
                      • New: Global shortcode [kitgenix_turnstile] to render the Turnstile widget manually inside custom HTML fields, form content, or page templates.<\/li>\n
                      • Improvement: Auto-inject vs Shortcode behavior is now mutually exclusive and consistent across integrations.<\/li>\n
                      • Improvement: Ensured Shortcode-only mode works across all supported form plugins via defensive do_shortcode() passthroughs and field-level filters, while Auto mode detection ignores literal shortcode tokens.<\/li>\n
                      • UI: Only show the global Shortcode guidance card when at least one supported forms integration is present. Removed Auto\/Shortcode radio controls from the WordPress Core card; core forms use the Enable checkbox and per-form toggles only.<\/li>\n
                      • Dev: Reworked temporary shortcode removal logic to guarantee re-registration after do_shortcode(). Fixed edge-case uninitialised variable and parse issues.<\/li>\n
                      • Dev: Standardised detection and injection semantics and added comments and guards for missing site keys, filters, and plugin version differences.<\/li>\n
                      • Fix: CF7 shortcode rendering in Shortcode-only mode \u2014 Contact Form 7 form HTML is now passed through do_shortcode() when the integration is set to Shortcode-only.<\/li>\n
                      • Change: Added includes\/core\/class-turnstile-shortcode.php with a robust shortcode renderer and recursive detection helper has_shortcode_in() that detects literal shortcodes and rendered widget markers (class=\"cf-turnstile\", data-kitgenix-shortcode, or hidden name=\"cf-turnstile-response\").<\/li>\n
                      • Change: Integration adapters now use the new helper and treat literal shortcode text separately from rendered markup so Auto mode is not blocked by leftover shortcode tokens.<\/li>\n
                      • Change: When an integration needs to run do_shortcode() in Auto mode, it temporarily removes the plugin shortcode, runs do_shortcode(), then immediately re-registers the shortcode so it is never left unregistered.<\/li>\n
                      • Docs: Note \u2014 the stored mode_wp_core setting is retained for compatibility but no longer exposed in the UI. It can be removed in a future release if needed.<\/li>\n<\/ul>\n\n

                        1.0.11 (19 October 2025)<\/h4>\n\n
                          \n
                        • Fix: Elementor AJAX regression \u2014 prevented a brief layout \u201cbump\u201d where Interaction Only lost .kitgenix-ts-collapsed during the * AJAX send; the container now stays collapsed unless a visible challenge is explicitly required.<\/li>\n<\/ul>\n\n

                          1.0.10 (16 October 2025)<\/h4>\n\n
                            \n
                          • Improvement: Event-driven rendering \u2014 added kitgenix:turnstile-containers-added event from injectors; public script listens and re-initializes rendering automatically for dynamically added containers.<\/li>\n
                          • Improvement: Stability and UX \u2014 defensive re-render guards, explicit data-rendered attribute for CSS control, and safer visibility checks to avoid rendering inside hidden containers.<\/li>\n
                          • Fix: Elementor Popups \u2014 reliably initializes the Turnstile challenge when a popup opens (even if the widget was inserted while hidden). Clears stale render flags, resets hidden iframes, and triggers a fresh render on show.<\/li>\n
                          • Fix: Hidden input \u2014 always ensures input[name=\"cf-turnstile-response\"] exists for Elementor forms (including popups) so the token is properly captured and validated.<\/li>\n
                          • Fix: Interaction Only empty gaps \u2014 placeholders are now fully collapsed until the widget actually renders (via data-rendered). After successful AJAX submits, the container is collapsed\/hidden to prevent any blank space.<\/li>\n
                          • Fix: Multiple forms on a page \u2014 consistent collapsed behavior across instances; prevents duplicate containers in Elementor popups and re-renders only when needed.<\/li>\n<\/ul>\n\n

                            1.0.9 (15 October 2025)<\/h4>\n\n
                              \n
                            • Improvement: Proactive reveal for Interaction Only \u2014 if auto-verification doesn\u2019t complete after a short period (~5s), the widget is surfaced and the challenge is triggered so users aren\u2019t left waiting.<\/li>\n
                            • Improvement: Streamlined inline messaging to align with Cloudflare\u2019s own phrasing; reduced redundant prompts to let Cloudflare\u2019s UI lead the experience.<\/li>\n
                            • Improvement: Submit-time guards \u2014 for regular forms and Elementor AJAX; when no token is present, we halt that submission, reveal the widget, scroll it into view, and start a fresh challenge.<\/li>\n
                            • Dev: Standardized render locks and defensive pre-render cleanup across remaining integrations to prevent duplicate iframes and race conditions.<\/li>\n
                            • Fix: \u201cDisable Submit Button\u201d now respects \u201cInteraction Only\u201d \u2014 submit stays enabled when Turnstile can verify invisibly, and is disabled only if a visible challenge is actually required (unsupported\/timeout\/error). Applies to Elementor, WordPress core forms, WooCommerce, Gravity Forms, Formidable, Forminator, Jetpack, Fluent Forms, and Kadence.<\/li>\n<\/ul>\n\n

                              1.0.8 (15 October 2025)<\/h4>\n\n
                                \n
                              • Improvement: Deferred render \u2014 widgets now render when their container is visible (Elementor + generic paths), reducing layout thrash and improving perceived load times across dynamic UIs.<\/li>\n
                              • Dev: Simplified collapse logic by removing the previous mutation-based watcher and relying on Turnstile callbacks + visibility checks.<\/li>\n
                              • Fix: Elementor popup \u2014 reliably renders Turnstile when popups open after page load (e.g., delayed by timer); if a widget initialized while hidden, it is reset and re-rendered on open.<\/li>\n
                              • Fix: Elementor popup duplicates \u2014 de-duplicated popup\/form event listeners and centralized rendering to avoid multiple widget instances; idempotent guards ensure one render per container.<\/li>\n
                              • Fix: Interaction Only placeholder stays collapsed (no gap\/shadow) after invisible validation; it only expands when UI is truly required (via unsupported\/timeout\/error callbacks or actual visible challenge).<\/li>\n
                              • Fix: Prevent duplicate renders on Gravity Forms, Formidable, Forminator, and Jetpack by adding per-element render locks and pre-render cleanup.<\/li>\n
                              • Fix: Prevent loader overlay \u2014 no spinner is injected for Interaction Only while the API loads; collapsed state fully hides any inner spinner and spinners never intercept clicks.<\/li>\n<\/ul>\n\n

                                1.0.7 (14 October 2025)<\/h4>\n\n
                                  \n
                                • New: Added \u201cFlexible (100% width)\u201d widget size (Cloudflare Turnstile data-size=\"flexible\") for fully responsive, container-width layouts.<\/li>\n
                                • New: Interaction Only UX refinement \u2014 collapses the initial blank gap (no more 50+px empty space) until the user interacts or the widget needs to expand.<\/li>\n
                                • Improvement: Consistent collapsed\/expand logic across Elementor, Gravity Forms, Formidable, Forminator, Jetpack, Fluent Forms, Kadence, WPForms, and core render paths.<\/li>\n
                                • Improvement: CSS enhancements for flexible width + reduced gap state (.kitgenix-ts-collapsed).<\/li>\n
                                • Improvement: Unified size handling in JS (flexible passes straight through; existing custom sizes still map to Cloudflare equivalents).<\/li>\n
                                • Preparation: Foundation laid for upcoming modal\/delayed form robustness (MutationObserver structure ready for attribute watching & visibility checks in a future release).<\/li>\n
                                • Dev: Sanitization now allows flexible; admin settings UI updated with help text.<\/li>\n<\/ul>\n\n

                                  1.0.6 (10 September 2025)<\/h4>\n\n
                                    \n
                                  • Improvement: Updated plugin assets (banners, icons, screenshots with clearer cropping\/labels).<\/li>\n
                                  • Improvement: Updated readme.txt \u2014 full integrations list, screenshot captions, Support Development section, improved tags\/short description, and clarified WooCommerce Blocks\/Store API notes.<\/li>\n<\/ul>\n\n

                                    1.0.5 (10 September 2025)<\/h4>\n\n
                                      \n
                                    • Improvement: More reliable widget injection and cleanup on AJAX\/dynamic DOM events; tighter re-render\/reset behavior.<\/li>\n
                                    • Security: Replay protection enabled by default (TTL filterable via kitgenix_turnstile_replay_ttl).<\/li>\n
                                    • Fix: Admin: detect duplicate Turnstile API loader and show a dismissible notice on Settings and Plugins screens.<\/li>\n
                                    • Fix: Contact Form 7 injects once and resets cleanly on CF7 validation\/error events.<\/li>\n
                                    • Fix: Exposed window.KitgenixCaptchaForCloudflareTurnstile so Cloudflare onload can reliably call renderWidgets() (prevents \u201cno widget \u2192 no token\u201d).<\/li>\n
                                    • Fix: Guard Elementor script enqueue to avoid PHP warnings in REST\/AJAX or early hooks.<\/li>\n
                                    • Fix: Guarded \u201crender once\u201d logic to prevent duplicate widget rendering across core, WooCommerce, and form plugins.<\/li>\n
                                    • Fix: Prevent Turnstile overlapping submit buttons for Gravity Forms and WPForms; adjusted spacing and placement heuristics.<\/li>\n
                                    • Fix: Sanitization & import\/export hardening \u2014 preserve CIDR & wildcard IP patterns.<\/li>\n
                                    • Fix: \u201cDisable Submit Until Verified\u201d now disables buttons on render and re-enables only after a valid token callback.<\/li>\n
                                    • Fix: Token handling \u2014 canonical token channel, auto-create hidden cf-turnstile-response input, getLastToken() helper, and kitgenixcaptchaforcloudflareturnstile:token-updated event.<\/li>\n
                                    • Fix: WooCommerce login\/checkout placement (Classic & Blocks \/ Store API), including correct \u201cPlace order\u201d positioning.<\/li>\n<\/ul>\n\n

                                      1.0.4 (17 August 2025)<\/h4>\n\n
                                        \n
                                      • Fix: Added spacing so Turnstile no longer overlaps the WPForms submit button.<\/li>\n
                                      • Fix: Positioned Turnstile above the WooCommerce reviews submit button.<\/li>\n
                                      • Fix: Prevented Turnstile from rendering inline with the submit button on Gravity Forms.<\/li>\n<\/ul>\n\n

                                        1.0.3 (12 August 2025)<\/h4>\n\n
                                          \n
                                        • Fix: Fixed the \u201cSave Settings\u201d button not working after a few attempts.<\/li>\n<\/ul>\n\n

                                          1.0.2 (12 August 2025)<\/h4>\n\n
                                            \n
                                          • New: Added advanced fields: respect_proxy_headers and trusted_proxy_ips (legacy), plus trust_proxy and trusted_proxies (current).<\/li>\n
                                          • New: Developer Mode (warn-only) \u2014 Turnstile failures are logged and annotated inline for admins but do not block submissions (useful for staging\/troubleshooting).<\/li>\n
                                          • New: Replay protection \u2014 caches recent Turnstile tokens (hashed) for ~10 minutes and rejects re-use. Enabled by default; duration filterable via kitgenix_turnstile_replay_ttl.<\/li>\n
                                          • Improvement: Added canonical token channel (getLastToken() helper and kitgenixcaptchaforcloudflareturnstile:token-updated event dispatched on each token change). Hidden cf-turnstile-response input is auto-created in forms that don\u2019t already have it.<\/li>\n
                                          • Improvement: Added preconnect\/dns-prefetch resource hints for https:\/\/challenges.cloudflare.com to speed up first paint.<\/li>\n
                                          • Improvement: Added Site Health test (\u201cCloudflare Turnstile readiness\u201d) reporting keys presence, duplicate loader detection, last verification snapshot, and possible JS delay\/defer from optimization plugins (with guidance).<\/li>\n
                                          • Improvement: Admin CSS fully scoped to the settings wrapper, compact modern fields, focus-visible styles, and reduced-motion fallback.<\/li>\n
                                          • Improvement: Checkout protected via woocommerce_checkout_process and woocommerce_after_checkout_validation (WooCommerce Classic).<\/li>\n
                                          • Improvement: Consistent widget + validation across checkout\/login\/register\/lost password (WooCommerce Classic).<\/li>\n
                                          • Improvement: Ensure hidden input + container are present; don\u2019t inject a container if no site key is available (Elementor).<\/li>\n
                                          • Improvement: Export \/ Import JSON for settings (merge\/replace). Optional inclusion of Secret Key (explicitly allowed).<\/li>\n
                                          • Improvement: Guardrails and housekeeping \u2014 centralized render flow, lightweight MutationObserver to catch dynamically added forms, and safer class\/existence guards.<\/li>\n
                                          • Improvement: Include token in Elementor Pro AJAX payloads; re-render in popups and dynamic forms; reset widget on submit\/errors.<\/li>\n
                                          • Improvement: Improved Disable Submit Button behavior \u2014 submit buttons are disabled immediately on render and re-enabled only after a valid token callback (previously disabled only on error\/expired).<\/li>\n
                                          • Improvement: Inject container next to the \u201cPlace order\u201d area via render_block_woocommerce\/checkout-actions-block (WooCommerce Blocks).<\/li>\n
                                          • Improvement: Late alignment helpers for consistent widget placement on login\/admin.<\/li>\n
                                          • Improvement: Preserve CIDR and wildcard IP patterns instead of stripping them; sanitize lines while keeping valid patterns.<\/li>\n
                                          • Improvement: Public CSS greatly reduced in scope (fewer global !importants), small min-height to prevent CLS, better RTL + reduced-motion support, and per-integration spacing.<\/li>\n
                                          • Improvement: Reliable widget injection before submit, spinner cleanup, and re-render on each plugin\u2019s AJAX\/DOM events.<\/li>\n
                                          • Improvement: Server-side validation hook support (elementor_pro\/forms\/validation).<\/li>\n
                                          • Improvement: Server-side validation mapped to each plugin\u2019s native API.<\/li>\n
                                          • Improvement: \u201cTest widget\u201d is rendered only via a tight inline onload callback (prevents double-render \/ undefined globals).<\/li>\n
                                          • Improvement: Token freshness & UX \u2014 idle timer and token-age timer auto-reset widgets after ~150s (filterable via kitgenix_turnstile_freshness_ms), plus a gentle inline \u201cExpired \/ Verification error \u2014 please verify again.\u201d message beside the widget.<\/li>\n
                                          • Improvement: Validate Store API POSTs early via REST auth filter; token accepted from X-Turnstile-Token header or extensions (WooCommerce Blocks).<\/li>\n
                                          • Improvement: Widget injection and validation improvements across WooCommerce Blocks and Classic flows.<\/li>\n
                                          • Security: Added Cloudflare\/Proxy-aware client IP handling with Trust Cloudflare\/Proxy headers + Trusted Proxy IPs\/CIDRs settings. Only honors CF-Connecting-IP \/ X-Forwarded-For when the request comes from a trusted proxy; otherwise falls back to REMOTE_ADDR.<\/li>\n
                                          • Security: Validator accepts token from POST, X-Turnstile-Token header, or custom filter; memoized siteverify; robust HTTP args; remote IP + URL + timeouts filterable; friendly error mapping; last verify snapshot stored for diagnostics.<\/li>\n
                                          • Security: Whitelist supports logged-in bypass, IPs with exact\/wildcard\/CIDR (IPv4\/IPv6), and UA wildcards; decision cached per request and filterable via kitgenix_turnstile_is_whitelisted.<\/li>\n
                                          • Fix: Added widget render on resetpass_form and proper validation via validate_password_reset; lost password now validates via lostpassword_post.<\/li>\n
                                          • Fix: Contact Form 7 integrates cleanly (single injection, resets on CF7 error events).<\/li>\n
                                          • Fix: Duplicate Turnstile API loader detection with a dismissible admin notice (surfaces on the Settings page and Plugins screen).<\/li>\n
                                          • Fix: Exposed the public module globally as window.KitgenixCaptchaForCloudflareTurnstile so the Cloudflare API onload callback can call renderWidgets() (prevents \u201cno widget \u2192 no token\u201d failures).<\/li>\n
                                          • Fix: Guarded \u201crender once\u201d logic so widgets don\u2019t duplicate across hooks (core + WooCommerce + form plugins).<\/li>\n
                                          • Fix: Reintroduced inline centering on wp-login.php \/ wp-admin to stabilize layout across all auth screens.<\/li>\n
                                          • Fix: Run Turnstile validation only on POST submissions for core forms (login, register, lost password, reset password, comments). Prevents the \u201cPlease complete the Turnstile challenge\u201d message on refresh or wrong password.<\/li>\n
                                          • Fix: WooCommerce login handles both modern woocommerce_process_login_errors and legacy woocommerce_login_errors.<\/li>\n<\/ul>\n\n

                                            1.0.1 (11 August 2025)<\/h4>\n\n
                                              \n
                                            • Change: Overhauled includes\/core\/class-script-handler.php to use the modern Script API (async strategy on WP 6.3+, attribute helpers on 5.7\u20136.2) and eliminated raw output.<\/li>\n
                                            • Docs: Expanded readme and updated links.<\/li>\n
                                            • Dev: Added filter kitgenix_captcha_for_cloudflare_turnstile_script_url for advanced control.<\/li>\n
                                            • Dev: Public\/admin assets now use filemtime() for cache-busting.<\/li>\n
                                            • Fix: Centered Cloudflare Turnstile on all wp-login.php variants (login, lost password, reset, register) and across wp-admin.<\/li>\n<\/ul>\n\n

                                              1.0.0 (11 August 2025)<\/h4>\n\n
                                                \n
                                              • New: Initial Release<\/li>\n
                                              • New: Admin Notices and Settings Errors<\/li>\n
                                              • New: Admin UI (Modern)<\/li>\n
                                              • New: AJAX and Dynamic Form Rendering Support<\/li>\n
                                              • New: Caching, AJAX, and Dynamic Forms Optimizations<\/li>\n
                                              • New: Conditional Script Loading for Performance<\/li>\n
                                              • New: Contact Form 7 Integration<\/li>\n
                                              • New: CSRF Protection (Nonce Fields)<\/li>\n
                                              • New: Custom Error and Fallback Messages<\/li>\n
                                              • New: Elementor Forms Integration<\/li>\n
                                              • New: Error Handling and User Feedback<\/li>\n
                                              • New: Fluent Forms Integration<\/li>\n
                                              • New: Formidable Forms Integration<\/li>\n
                                              • New: Forminator Forms Integration<\/li>\n
                                              • New: GDPR-friendly (No Cookies or Tracking)<\/li>\n
                                              • New: Gravity Forms Integration<\/li>\n
                                              • New: IP \/ User Agent \/ Logged-in User Whitelisting<\/li>\n
                                              • New: Jetpack Forms Integration<\/li>\n
                                              • New: Kadence Forms Integration<\/li>\n
                                              • New: Language Selection for Widget<\/li>\n
                                              • New: Multisite Support<\/li>\n
                                              • New: Optional Plugin Badge<\/li>\n
                                              • New: Per-Form and Per-Integration Enable\/Disable<\/li>\n
                                              • New: Plugin Translations\/Localization<\/li>\n
                                              • New: Server-Side Validation for All Supported Forms<\/li>\n
                                              • New: Site Key & Secret Key Management<\/li>\n
                                              • New: Widget Appearance Customization<\/li>\n
                                              • New: Widget Options (Size, Theme, Appearance)<\/li>\n
                                              • New: WooCommerce Checkout Integration<\/li>\n
                                              • New: WooCommerce Login Integration<\/li>\n
                                              • New: WooCommerce Lost Password Integration<\/li>\n
                                              • New: WooCommerce Registration Integration<\/li>\n
                                              • New: Works With Elementor Element Cache<\/li>\n
                                              • New: WPForms Integration<\/li>\n
                                              • New: WordPress Comment Integration<\/li>\n
                                              • New: WordPress Login Integration<\/li>\n
                                              • New: WordPress Lost Password Integration<\/li>\n
                                              • New: WordPress Registration Integration<\/li>\n
                                              • New: \u201cDefer Scripts\u201d and \u201cDisable Submit\u201d Logic<\/li>\n
                                              • New: No Impact on Core Web Vitals<\/li>\n<\/ul>","raw_excerpt":"Add Cloudflare Turnstile CAPTCHA to WordPress, WooCommerce, Elementor, and popular form plugins with privacy-first server-side verification.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/245569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=245569"}],"author":[{"embeddable":true,"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/kitgenix"}],"wp:attachment":[{"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=245569"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=245569"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=245569"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=245569"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=245569"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ml.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=245569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}