Kitgenix CAPTCHA for Cloudflare Turnstile

Changelog

1.0.17 (18 February 2026)

  • New: Added JetFormBuilder integration (auto-inject and shortcode-only modes).
  • New: JetFormBuilder server-side validation during submission handling (AJAX compatible).
  • New: Added JetFormBuilder toggle + injection mode to the settings page.
  • Improvement: JetFormBuilder auto-inject places the widget near the submit button row and avoids multi-step next/prev actions.
  • Fix: Support tab “Your site impact” metrics now update as Turnstile checks run (total/passed/failed).
  • UI: Added Stock Sync for WooCommerce to the Kitgenix hub cards.
  • Docs: Overhauled readme.txt.
  • Docs: Updated WordPress.org screenshots.
  • Docs: JetFormBuilder includes its own Turnstile/CAPTCHA option; use one Turnstile provider per form to avoid duplicates.
  • Dev: Regenerated /languages/kitgenix-captcha-for-cloudflare-turnstile.pot translation template.

1.0.16 (27 January 2026)

  • Improvement: Small admin UI tweaks and performance refinements.
  • Change: Declared PHP requirement as 8.1.
  • Cleanup: Minor compatibility and stability fixes, plus i18n/translation updates.
  • Cleanup: PHPCS/i18n/security fixes across admin and core files (output escaping, translator comments, optional nonce checks).
  • Fix: Hardened admin asset enqueues to prefer $_GET['page'] with a fallback to hook-suffix so assets load reliably on existing installs.
  • Fix: Localized admin JS now exposes AJAX action and nonce for the reveal-secret flow to securely fetch stored secret keys.

1.0.15 (01 January 2026)

  • New: Added Easy Digital Downloads integration (checkout, login, registration, and profile editor) with per-form toggles and a dedicated mode setting (Auto vs Shortcode-only).
  • New: Added a shared Kitgenix top-level wp-admin menu + hub page, and moved Turnstile settings to Kitgenix → Cloudflare Turnstile (activation redirect + “Settings” link updated accordingly).
  • Security: Secret key is no longer printed into the settings page HTML by default; “Reveal secret key” now fetches it on-demand via authenticated AJAX + nonce.
  • Improvement: bbPress integration now avoids duplicate widget output on themes that fire multiple hooks, adds support for the forum form, and validates forum creation flows.
  • Improvement: Fluent Forms rendering is now more resilient when the Turnstile API loads late (prevents “stuck rendering” states and allows clean retries).
  • Improvement: Standardized internal widget owner attribute + dynamic-render event naming, reducing render misses in dynamic/AJAX contexts.
  • Improvement: WordPress comments widget placement is now consistently injected above the submit button across themes; comment widget now has a stable ID for easier targeting.
  • Fix: Replay protection setting now persists correctly when you disable it (checkbox omission on save no longer forces it back on).
  • UI: Updated Kitgenix branding (admin + public CSS tokens), added shared hub stylesheet, refreshed plugin banners, and added Kitgenix logo assets.
  • Cleanup: Removed onboarding strings and updated translations; plugin headers/requirements updated (Tested up to 6.9, requires PHP 8.0).

1.0.14 (09 December 2025)

  • UI: Split WooCommerce settings into two blocks — “WooCommerce Classic” and “WooCommerce Blocks (Store API)” — with separate injection mode controls and clearer guidance.
  • UI: Modernized settings page with sidebar navigation (icons), status overview card, accessible collapsible sections, and improved layout. Kept the floating “Unsaved changes” bar.
  • UI: Added a copy button next to [kitgenix_turnstile] in the settings for easy manual placement.
  • UI: Updated brand colors across admin and public CSS to main #4f2a9a and accent #f364dd.
  • Improvement: Public JS detects data-kitgenix-captcha-for-cloudflare-turnstile-owner="woocommerce-blocks" and performs an immediate render, then falls back to visibility guard for other owners.
  • Fix: WooCommerce Blocks checkout widget now renders reliably even when Classic Checkout is disabled. The renderer no longer waits for the container to be visible before calling turnstile.render() for Blocks, preventing missed render windows.
  • Change: Respect Shortcode-only — when Blocks is set to “Shortcode only”, auto-rendering is suppressed and server-side validation only enforces when a token is present (i.e. when you place the shortcode). Without a shortcode/token, checkout proceeds without Turnstile.
  • Change: Clarification — unchecking “Checkout Form (Classic)” does not affect Blocks Checkout; disable Blocks auto-injection via its “Shortcode only” mode if desired.
  • Cleanup: Removed Export/Import Settings feature — UI removed and handlers disabled (class-settings-transfer.php no longer registers actions). Any old direct Import/Export URLs are no-ops.
  • Cleanup: Removed the Simple/Advanced mode toggle from the settings UI and scripts.
  • Dev: Dropped the unused kitgenix_turnstile_validate_keys AJAX nonce localization from admin scripts.
  • Preparation: Placement — ensures the widget is injected directly above the “Place order” area in WooCommerce Blocks checkout (handles submit button, text node, and actions wrapper variants).
  • Preparation: Stability — keeps existing behaviour for Classic, core, and form plugins; no changes to validation flows or token forwarding (header + Store API extensions).

1.0.13 (22 November 2025)

  • Security: Fixed a critical validation bypass in Elementor Pro Forms and Forminator Forms where missing tokens incorrectly allowed form submissions instead of blocking them.
  • Security: Audit confirmed all other integrations (Contact Form 7, Gravity Forms, Formidable Forms, WPForms, Fluent Forms, Jetpack Forms, Kadence Forms, WooCommerce, WordPress core, bbPress, BuddyPress) correctly validate and fail when tokens are missing.
  • Security: This update fixes a vulnerability where forms could be submitted without completing CAPTCHA verification. Update immediately.
  • Fix: Elementor Pro Forms now properly fail validation when the Turnstile token is missing or empty (previously skipped validation entirely).
  • Fix: Forminator Forms now properly fail validation when the Turnstile token is missing or empty (previously skipped validation entirely).
  • Fix: Removed the wp_kses_post() wrapper from Forminator submit button HTML that could strip required attributes.
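
The failure mode fixed in 1.0.13, as an added PHP example that is not the plugin's code: an adapter that only verifies when a token is present fails open, while the hardened form rejects missing, empty and non-string tokens and treats verifier errors as failures. The function names and the `$verify` callable standing in for the siteverify request are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code. $verify stands in for the
// Cloudflare siteverify request and returns true only for a valid token.

const TOKEN_FIELD = 'cf-turnstile-response'; // field name from the changelog

/** Fail-open pattern: when no token is posted the check is skipped entirely. */
function validate_fail_open(array $post, callable $verify): bool
{
    if (isset($post[TOKEN_FIELD]) && $post[TOKEN_FIELD] !== '') {
        return $verify($post[TOKEN_FIELD]) === true;
    }
    return true; // BUG: a submission without the field is accepted
}

/** Fail-closed pattern: anything other than a verified token is rejected. */
function validate_fail_closed(array $post, callable $verify): bool
{
    $token = $post[TOKEN_FIELD] ?? null;
    // PHP parses "field[]=x" into an array, so require a string explicitly.
    if (!is_string($token) || trim($token) === '') {
        return false;
    }
    try {
        return $verify(trim($token)) === true;
    } catch (Throwable $e) {
        return false; // verifier errors (timeout, bad response) also block
    }
}

// Constructed sample data: a stub verifier and five submissions.
$verify = static fn ($token): bool => $token === 'valid-sample-token';
$submissions = [
    'valid token'   => [TOKEN_FIELD => 'valid-sample-token'],
    'invalid token' => [TOKEN_FIELD => 'bogus'],
    'empty token'   => [TOKEN_FIELD => ''],
    'field omitted' => ['name' => 'Alice'],
    'array value'   => [TOKEN_FIELD => ['valid-sample-token']],
];

foreach ($submissions as $label => $post) {
    printf(
        "%-14s fail-open=%-6s fail-closed=%s\n",
        $label,
        var_export(validate_fail_open($post, $verify), true),
        var_export(validate_fail_closed($post, $verify), true)
    );
}
```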

1.0.12.1 (22 November 2025)

  • Fix: Reverted to 1.0.11 until the security update was released.

1.0.12 (21 November 2025)

  • New: Global shortcode [kitgenix_turnstile] to render the Turnstile widget manually inside custom HTML fields, form content, or page templates.
  • Improvement: Auto-inject vs Shortcode behavior is now mutually exclusive and consistent across integrations.
  • Improvement: Ensured Shortcode-only mode works across all supported form plugins via defensive do_shortcode() passthroughs and field-level filters, while Auto mode detection ignores literal shortcode tokens.
  • UI: Only show the global Shortcode guidance card when at least one supported forms integration is present. Removed Auto/Shortcode radio controls from the WordPress Core card; core forms use the Enable checkbox and per-form toggles only.
  • Dev: Reworked temporary shortcode removal logic to guarantee re-registration after do_shortcode(). Fixed edge-case uninitialised variable and parse issues.
  • Dev: Standardised detection and injection semantics and added comments and guards for missing site keys, filters, and plugin version differences.
  • Fix: CF7 shortcode rendering in Shortcode-only mode — Contact Form 7 form HTML is now passed through do_shortcode() when the integration is set to Shortcode-only.
  • Change: Added includes/core/class-turnstile-shortcode.php with a robust shortcode renderer and recursive detection helper has_shortcode_in() that detects literal shortcodes and rendered widget markers (class="cf-turnstile", data-kitgenix-shortcode, or hidden name="cf-turnstile-response").
  • Change: Integration adapters now use the new helper and treat literal shortcode text separately from rendered markup so Auto mode is not blocked by leftover shortcode tokens.
  • Change: When an integration needs to run do_shortcode() in Auto mode, it temporarily removes the plugin shortcode, runs do_shortcode(), then immediately re-registers the shortcode so it is never left unregistered.
  • Docs: Note — the stored mode_wp_core setting is retained for compatibility but no longer exposed in the UI. It can be removed in a future release if needed.

1.0.11 (19 October 2025)

  • Fix: Elementor AJAX regression — prevented a brief layout “bump” where Interaction Only lost .kitgenix-ts-collapsed during the AJAX send; the container now stays collapsed unless a visible challenge is explicitly required.

1.0.10 (16 October 2025)

  • Improvement: Event-driven rendering — added kitgenix:turnstile-containers-added event from injectors; public script listens and re-initializes rendering automatically for dynamically added containers.
  • Improvement: Stability and UX — defensive re-render guards, explicit data-rendered attribute for CSS control, and safer visibility checks to avoid rendering inside hidden containers.
  • Fix: Elementor Popups — reliably initializes the Turnstile challenge when a popup opens (even if the widget was inserted while hidden). Clears stale render flags, resets hidden iframes, and triggers a fresh render on show.
  • Fix: Hidden input — always ensures input[name="cf-turnstile-response"] exists for Elementor forms (including popups) so the token is properly captured and validated.
  • Fix: Interaction Only empty gaps — placeholders are now fully collapsed until the widget actually renders (via data-rendered). After successful AJAX submits, the container is collapsed/hidden to prevent any blank space.
  • Fix: Multiple forms on a page — consistent collapsed behavior across instances; prevents duplicate containers in Elementor popups and re-renders only when needed.

1.0.9 (15 October 2025)

  • Improvement: Proactive reveal for Interaction Only — if auto-verification doesn’t complete after a short period (~5s), the widget is surfaced and the challenge is triggered so users aren’t left waiting.
  • Improvement: Streamlined inline messaging to align with Cloudflare’s own phrasing; reduced redundant prompts to let Cloudflare’s UI lead the experience.
  • Improvement: Submit-time guards — for regular forms and Elementor AJAX; when no token is present, we halt that submission, reveal the widget, scroll it into view, and start a fresh challenge.
  • Dev: Standardized render locks and defensive pre-render cleanup across remaining integrations to prevent duplicate iframes and race conditions.
  • Fix: “Disable Submit Button” now respects “Interaction Only” — submit stays enabled when Turnstile can verify invisibly, and is disabled only if a visible challenge is actually required (unsupported/timeout/error). Applies to Elementor, WordPress core forms, WooCommerce, Gravity Forms, Formidable, Forminator, Jetpack, Fluent Forms, and Kadence.

1.0.8 (15 October 2025)

  • Improvement: Deferred render — widgets now render when their container is visible (Elementor + generic paths), reducing layout thrash and improving perceived load times across dynamic UIs.
  • Dev: Simplified collapse logic by removing the previous mutation-based watcher and relying on Turnstile callbacks + visibility checks.
  • Fix: Elementor popup — reliably renders Turnstile when popups open after page load (e.g., delayed by timer); if a widget initialized while hidden, it is reset and re-rendered on open.
  • Fix: Elementor popup duplicates — de-duplicated popup/form event listeners and centralized rendering to avoid multiple widget instances; idempotent guards ensure one render per container.
  • Fix: Interaction Only placeholder stays collapsed (no gap/shadow) after invisible validation; it only expands when UI is truly required (via unsupported/timeout/error callbacks or actual visible challenge).
  • Fix: Prevent duplicate renders on Gravity Forms, Formidable, Forminator, and Jetpack by adding per-element render locks and pre-render cleanup.
  • Fix: Prevent loader overlay — no spinner is injected for Interaction Only while the API loads; collapsed state fully hides any inner spinner and spinners never intercept clicks.

1.0.7 (14 October 2025)

  • New: Added “Flexible (100% width)” widget size (Cloudflare Turnstile data-size="flexible") for fully responsive, container-width layouts.
  • New: Interaction Only UX refinement — collapses the initial blank gap (no more 50+px empty space) until the user interacts or the widget needs to expand.
  • Improvement: Consistent collapsed/expand logic across Elementor, Gravity Forms, Formidable, Forminator, Jetpack, Fluent Forms, Kadence, WPForms, and core render paths.
  • Improvement: CSS enhancements for flexible width + reduced gap state (.kitgenix-ts-collapsed).
  • Improvement: Unified size handling in JS (flexible passes straight through; existing custom sizes still map to Cloudflare equivalents).
  • Preparation: Foundation laid for upcoming modal/delayed form robustness (MutationObserver structure ready for attribute watching & visibility checks in a future release).
  • Dev: Sanitization now allows flexible; admin settings UI updated with help text.

1.0.6 (10 September 2025)

  • Improvement: Updated plugin assets (banners, icons, screenshots with clearer cropping/labels).
  • Improvement: Updated readme.txt — full integrations list, screenshot captions, Support Development section, improved tags/short description, and clarified WooCommerce Blocks/Store API notes.

1.0.5 (10 September 2025)

  • Improvement: More reliable widget injection and cleanup on AJAX/dynamic DOM events; tighter re-render/reset behavior.
  • Security: Replay protection enabled by default (TTL filterable via kitgenix_turnstile_replay_ttl).
  • Fix: Admin: detect duplicate Turnstile API loader and show a dismissible notice on Settings and Plugins screens.
  • Fix: Contact Form 7 injects once and resets cleanly on CF7 validation/error events.
  • Fix: Exposed window.KitgenixCaptchaForCloudflareTurnstile so Cloudflare onload can reliably call renderWidgets() (prevents “no widget → no token”).
  • Fix: Guard Elementor script enqueue to avoid PHP warnings in REST/AJAX or early hooks.
  • Fix: Guarded “render once” logic to prevent duplicate widget rendering across core, WooCommerce, and form plugins.
  • Fix: Prevent Turnstile overlapping submit buttons for Gravity Forms and WPForms; adjusted spacing and placement heuristics.
  • Fix: Sanitization & import/export hardening — preserve CIDR & wildcard IP patterns.
  • Fix: “Disable Submit Until Verified” now disables buttons on render and re-enables only after a valid token callback.
  • Fix: Token handling — canonical token channel, auto-create hidden cf-turnstile-response input, getLastToken() helper, and kitgenixcaptchaforcloudflareturnstile:token-updated event.
  • Fix: WooCommerce login/checkout placement (Classic & Blocks / Store API), including correct “Place order” positioning.

1.0.4 (17 August 2025)

  • Fix: Added spacing so Turnstile no longer overlaps the WPForms submit button.
  • Fix: Positioned Turnstile above the WooCommerce reviews submit button.
  • Fix: Prevented Turnstile from rendering inline with the submit button on Gravity Forms.

1.0.3 (12 August 2025)

  • Fix: Fixed the “Save Settings” button not working after a few attempts.

1.0.2 (12 August 2025)

  • New: Added advanced fields: respect_proxy_headers and trusted_proxy_ips (legacy), plus trust_proxy and trusted_proxies (current).
  • New: Developer Mode (warn-only) — Turnstile failures are logged and annotated inline for admins but do not block submissions (useful for staging/troubleshooting).
  • New: Replay protection — caches recent Turnstile tokens (hashed) for ~10 minutes and rejects re-use. Enabled by default; duration filterable via kitgenix_turnstile_replay_ttl.
  • Improvement: Added canonical token channel (getLastToken() helper and kitgenixcaptchaforcloudflareturnstile:token-updated event dispatched on each token change). Hidden cf-turnstile-response input is auto-created in forms that don’t already have it.
  • Improvement: Added preconnect/dns-prefetch resource hints for https://challenges.cloudflare.com to speed up first paint.
  • Improvement: Added Site Health test (“Cloudflare Turnstile readiness”) reporting keys presence, duplicate loader detection, last verification snapshot, and possible JS delay/defer from optimization plugins (with guidance).
  • Improvement: Admin CSS fully scoped to the settings wrapper, compact modern fields, focus-visible styles, and reduced-motion fallback.
  • Improvement: Checkout protected via woocommerce_checkout_process and woocommerce_after_checkout_validation (WooCommerce Classic).
  • Improvement: Consistent widget + validation across checkout/login/register/lost password (WooCommerce Classic).
  • Improvement: Ensure hidden input + container are present; don’t inject a container if no site key is available (Elementor).
  • Improvement: Export / Import JSON for settings (merge/replace). Optional inclusion of Secret Key (explicitly allowed).
  • Improvement: Guardrails and housekeeping — centralized render flow, lightweight MutationObserver to catch dynamically added forms, and safer class/existence guards.
  • Improvement: Include token in Elementor Pro AJAX payloads; re-render in popups and dynamic forms; reset widget on submit/errors.
  • Improvement: Improved Disable Submit Button behavior — submit buttons are disabled immediately on render and re-enabled only after a valid token callback (previously disabled only on error/expired).
  • Improvement: Inject container next to the “Place order” area via render_block_woocommerce/checkout-actions-block (WooCommerce Blocks).
  • Improvement: Late alignment helpers for consistent widget placement on login/admin.
  • Improvement: Preserve CIDR and wildcard IP patterns instead of stripping them; sanitize lines while keeping valid patterns.
  • Improvement: Public CSS greatly reduced in scope (fewer global !importants), small min-height to prevent CLS, better RTL + reduced-motion support, and per-integration spacing.
  • Improvement: Reliable widget injection before submit, spinner cleanup, and re-render on each plugin’s AJAX/DOM events.
  • Improvement: Server-side validation hook support (elementor_pro/forms/validation).
  • Improvement: Server-side validation mapped to each plugin’s native API.
  • Improvement: “Test widget” is rendered only via a tight inline onload callback (prevents double-render / undefined globals).
  • Improvement: Token freshness & UX — idle timer and token-age timer auto-reset widgets after ~150s (filterable via kitgenix_turnstile_freshness_ms), plus a gentle inline “Expired / Verification error — please verify again.” message beside the widget.
  • Improvement: Validate Store API POSTs early via REST auth filter; token accepted from X-Turnstile-Token header or extensions (WooCommerce Blocks).
  • Improvement: Widget injection and validation improvements across WooCommerce Blocks and Classic flows.
  • Security: Added Cloudflare/Proxy-aware client IP handling with Trust Cloudflare/Proxy headers + Trusted Proxy IPs/CIDRs settings. Only honors CF-Connecting-IP / X-Forwarded-For when the request comes from a trusted proxy; otherwise falls back to REMOTE_ADDR.
  • Security: Validator accepts token from POST, X-Turnstile-Token header, or custom filter; memoized siteverify; robust HTTP args; remote IP + URL + timeouts filterable; friendly error mapping; last verify snapshot stored for diagnostics.
  • Security: Whitelist supports logged-in bypass, IPs with exact/wildcard/CIDR (IPv4/IPv6), and UA wildcards; decision cached per request and filterable via kitgenix_turnstile_is_whitelisted.
  • Fix: Added widget render on resetpass_form and proper validation via validate_password_reset; lost password now validates via lostpassword_post.
  • Fix: Contact Form 7 integrates cleanly (single injection, resets on CF7 error events).
  • Fix: Duplicate Turnstile API loader detection with a dismissible admin notice (surfaces on the Settings page and Plugins screen).
  • Fix: Exposed the public module globally as window.KitgenixCaptchaForCloudflareTurnstile so the Cloudflare API onload callback can call renderWidgets() (prevents “no widget → no token” failures).
  • Fix: Guarded “render once” logic so widgets don’t duplicate across hooks (core + WooCommerce + form plugins).
  • Fix: Reintroduced inline centering on wp-login.php / wp-admin to stabilize layout across all auth screens.
  • Fix: Run Turnstile validation only on POST submissions for core forms (login, register, lost password, reset password, comments). Prevents the “Please complete the Turnstile challenge” message on refresh or wrong password.
  • Fix: WooCommerce login handles both modern woocommerce_process_login_errors and legacy woocommerce_login_errors.
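
The proxy-aware client IP rule from the 1.0.2 Security entry, as an added PHP example that is not the plugin's code: CF-Connecting-IP and X-Forwarded-For are read only when REMOTE_ADDR matches a trusted proxy IP or CIDR, otherwise REMOTE_ADDR is used. The function names, the right-to-left X-Forwarded-For walk and the sample addresses are assumptions; wildcard patterns are left out to keep the block to exact and CIDR matching.

```php
<?php
declare(strict_types=1);
// Added illustration, not the plugin's code; function names are hypothetical.

/** True when $ip equals $pattern or lies inside the CIDR block $pattern. */
function ip_matches(string $ip, string $pattern): bool
{
    [$net, $bits] = array_pad(explode('/', $pattern, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable input or IPv4/IPv6 family mismatch
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits ?? (string) $max; // a bare address is a full-length prefix
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false;
    }
    $whole = intdiv((int) $bits, 8);
    $rest  = (int) $bits % 8;
    $mask  = (0xFF << (8 - $rest)) & 0xFF;
    return substr($ipBin, 0, $whole) === substr($netBin, 0, $whole)
        && ($rest === 0 || (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask));
}

function is_trusted_proxy(string $ip, array $trusted): bool
{
    foreach ($trusted as $pattern) {
        if (ip_matches($ip, $pattern)) {
            return true;
        }
    }
    return false;
}

/** Forwarding headers count only when the TCP peer is a trusted proxy. */
function client_ip(array $server, array $trusted): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    if (!is_trusted_proxy($remote, $trusted)) {
        return $remote; // direct peer: any header it sent is unauthenticated
    }
    $cf = trim((string) ($server['HTTP_CF_CONNECTING_IP'] ?? ''));
    if (filter_var($cf, FILTER_VALIDATE_IP) !== false) {
        return $cf;
    }
    // Assumption: take the right-most X-Forwarded-For hop that is not a trusted proxy.
    $hops = explode(',', (string) ($server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse(array_map('trim', $hops)) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed chain: fall back to the peer address
        }
        if (!is_trusted_proxy($hop, $trusted)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample data (documentation address ranges).
$trusted = ['203.0.113.0/24', '2001:db8:abcd::/48'];
$requests = [
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '192.0.2.99'],
    ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => '192.0.2.50'],
    ['REMOTE_ADDR' => '2001:db8:abcd::1', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 192.0.2.77, 203.0.113.5'],
];
foreach ($requests as $server) {
    echo $server['REMOTE_ADDR'], ' => ', client_ip($server, $trusted), "\n";
}
```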

1.0.1 (11 August 2025)

  • Change: Overhauled includes/core/class-script-handler.php to use the modern Script API (async strategy on WP 6.3+, attribute helpers on 5.7–6.2) and eliminated raw output.
  • Docs: Expanded readme and updated links.
  • Dev: Added filter kitgenix_captcha_for_cloudflare_turnstile_script_url for advanced control.
  • Dev: Public/admin assets now use filemtime() for cache-busting.
  • Fix: Centered Cloudflare Turnstile on all wp-login.php variants (login, lost password, reset, register) and across wp-admin.

1.0.0 (11 August 2025)

  • New: Initial Release
  • New: Admin Notices and Settings Errors
  • New: Admin UI (Modern)
  • New: AJAX and Dynamic Form Rendering Support
  • New: Caching, AJAX, and Dynamic Forms Optimizations
  • New: Conditional Script Loading for Performance
  • New: Contact Form 7 Integration
  • New: CSRF Protection (Nonce Fields)
  • New: Custom Error and Fallback Messages
  • New: Elementor Forms Integration
  • New: Error Handling and User Feedback
  • New: Fluent Forms Integration
  • New: Formidable Forms Integration
  • New: Forminator Forms Integration
  • New: GDPR-friendly (No Cookies or Tracking)
  • New: Gravity Forms Integration
  • New: IP / User Agent / Logged-in User Whitelisting
  • New: Jetpack Forms Integration
  • New: Kadence Forms Integration
  • New: Language Selection for Widget
  • New: Multisite Support
  • New: Optional Plugin Badge
  • New: Per-Form and Per-Integration Enable/Disable
  • New: Plugin Translations/Localization
  • New: Server-Side Validation for All Supported Forms
  • New: Site Key & Secret Key Management
  • New: Widget Appearance Customization
  • New: Widget Options (Size, Theme, Appearance)
  • New: WooCommerce Checkout Integration
  • New: WooCommerce Login Integration
  • New: WooCommerce Lost Password Integration
  • New: WooCommerce Registration Integration
  • New: Works With Elementor Element Cache
  • New: WPForms Integration
  • New: WordPress Comment Integration
  • New: WordPress Login Integration
  • New: WordPress Lost Password Integration
  • New: WordPress Registration Integration
  • New: “Defer Scripts” and “Disable Submit” Logic
  • New: No Impact on Core Web Vitals

Author: Kitgenix
Version: 1.0.17
Last Updated: February 19, 2026
Active Installs: 200
Requires: WordPress 6.0
Tested Up To: WordPress 6.9.1
Requires PHP: 8.1