Added an explicit admin checkbox for Turnstile on the public delisting/removal page.
The public delist flow no longer inherits Turnstile automatically just because comment or registration Turnstile is configured.
Site owners can now disable only the removal-page challenge when Cloudflare Turnstile has temporary problems, while keeping comment and registration protection enabled.
Unreleased
Tools-backed DNSBL write/check requests now also carry additive site identity metadata (source_type, source_name, source_site_url, source_site_host) so backend delist/removal audits can identify which WordPress site submitted the request.
3.1.0
Added the plugin-side DNSBL write integration (add, delete, update, bulk) around one visible Write token field, bulk queueing, and optional dry-run acknowledgement through the Tools DNSBL endpoints.
Added the shortcode-based removal form ([dnsbl_removal_form]) with AJAX backend proxy support, built-in main removal-page templating, and live delisting-page permission gating.
Added the Tools-backed checker/removal follow-up via POST /api/dnsbl/check-ip, together with the checker-style public delist flow and dashboard/settings warnings when live delete / delist access is still missing.
Added advanced optional CIDR removal flow for permitted tokens, including safe /24../32 validation, plugin-local scan progress, a visible hit list of listed addresses, listed-hit-only delete targeting, sequential per-IP delete requests, and Cloudflare Turnstile verification for live removal-form submissions.
The plugin UI now uses one visible DNSBL / Tools API token field, and the Check token permissions tool now always asks Tools for a live answer and reports effective DNSBL access more clearly.
Preferred resolver hosts now cover all four canonical DNSBL/FraudBL zones, and migrations merge any missing defaults into existing installs without removing custom hosts.
Shortcode/custom removal pages now expose only the operations allowed by the current token, while the plugin-managed main removal page stays delete-focused.
Token status panels, delisting-page controls, and checker submits now better reflect real delete capability, including explicit IP reposting when the checker has locked the field before submit.
Checker follow-up failures now report clearer backend/API errors for remote 419 cases, and write/check diagnostics now distinguish true invalid DNSBL tokens from wrong-token-type or inactive admin-key cases.
Checker-mode Turnstile stays hidden during pre-check/background steps, is enforced on actual write submissions, the Delist button now carries the in-flight submit state itself, and checker/delist requests now also show a dedicated busy spinner row.
CIDR scanning now stays inside WordPress in small local batches so the resolver side is not flooded, while the final delete still goes through the DNSBL write endpoint after the block scan has found at least one listed address and only for the IPs the local scan actually marked as listed, one IP at a time.
If the user clicks Check if listed while a valid CIDR is still entered in the first checker IP field, the plugin now opens Advanced automatically, moves the CIDR there, and keeps that Advanced CIDR value as the authoritative range for the later scan/delete flow instead of requiring a separate single-IP anchor.
The admin UI now also shows a dismissible reminder that links directly to the WordPress.org review form for quick feedback.
3.0.3
Fixed frontend dry-run availability so the public banner and toggle only appear when DNSBL dev mode is enabled and Tools environment mode is set to dev.
3.0.2
Repackaged the release so updated screenshots and other WordPress.org assets can be picked up properly.
Restored Markdown-style links in the readme after the previous plain-URL formatting pass.
3.0.1
Simplified and aligned the public plugin name so it better matches the WordPress.org slug.
Corrected the author metadata spelling to Thomas Tornevall.
Reduced the WordPress.org tags to five broader discovery terms with better general search value.
Refreshed the readme wording for FraudBL/fraud discovery and noted planned WooCommerce-oriented follow-up work.
3.0.0
Refactored the plugin around WordPress-native DNS lookups, admin AJAX tooling and a namespaced internal structure while keeping the historical main plugin file name and compatibility entry points.
Added asynchronous admin lookup and self-check tools that run without reloading the page.
Added visitor statistics for resolved checks, blacklist hits, blocked requests, unique visitor addresses and cached blacklist activity.
Added configurable cache TTL, configurable cleanup intervals and automatic expiry cleanup for both listed and non-listed DNSBL lookups.
Added a safe IP whitelist, protected-admin notices and a one-click current-visitor whitelist action.
Added public documentation links, changelog links and source-history links in the admin help flow.
Added Cloudflare Turnstile protection for frontend WordPress comments.
Added DNSBL/FraudBL checks for new WordPress account registrations.
Added Cloudflare Turnstile protection for new WordPress account registrations.
Added IP_FRAUDCOMMERCE to the default trigger-flag profile.
Tightened comment blocking so hidden comment forms also reject direct submissions.
Restricted dry-run simulation to the public site for logged-in administrators.
Switched Tools integration default mode to production.
