Kitgenix CAPTCHA for Cloudflare Turnstile v1.1.3
kitgenix-captcha-for-cloudflare-turnstile / readme.txt
=== Kitgenix CAPTCHA for Cloudflare Turnstile ===
Contributors: kitgenix
Donate link: https://buymeacoffee.com/kitgenix
Tags: cloudflare, turnstile, captcha, anti-spam, woocommerce
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 8.1
Stable tag: 1.1.3
License: GPLv3 or later
License URI: https://www.gnu.org/licenses/gpl-3.0.html
Plugin URI: https://wordpress.org/plugins/kitgenix-captcha-for-cloudflare-turnstile/
Author: Kitgenix
Author URI: https://kitgenix.com/
Author Plugin URI: https://kitgenix.com/plugins/kitgenix-captcha-for-cloudflare-turnstile
Documentation URI: https://kitgenix.com/plugins/kitgenix-captcha-for-cloudflare-turnstile/documentation
Support URI: https://wordpress.org/support/plugin/kitgenix-captcha-for-cloudflare-turnstile/
Author Support URI: https://kitgenix.com/plugins/kitgenix-captcha-for-cloudflare-turnstile/support
Feature Request URI: https://kitgenix.com/plugins/kitgenix-captcha-for-cloudflare-turnstile/feature-request

Add Cloudflare Turnstile CAPTCHA to WordPress, WooCommerce, Elementor, and popular form plugins with privacy-first server-side verification.

== Description ==

Spam is expensive: it wastes time, clogs inboxes, creates fake accounts, and on stores it can lead to abandoned checkout noise and fraudulent activity. Traditional CAPTCHA solutions can also hurt conversions by adding friction.

**Cloudflare Turnstile** is a modern, privacy-first CAPTCHA alternative designed to reduce friction for real people while still blocking bots.

**Kitgenix CAPTCHA for Cloudflare Turnstile** is a production-ready Turnstile integration for WordPress that focuses on reliability in real-world setups:
- Server-side token verification (using Cloudflare’s official endpoint)
- Fast, conditional loading (only where needed)
- Support for dynamic/AJAX forms and modern WooCommerce Blocks / Store API checkout
- Security features: replay protection, proxy-aware IP handling, whitelisting, and developer mode (warn-only)

You can enable/disable each integration (and many per-form toggles), choose auto-injection vs shortcode-only placement, customise display and messaging, and use built-in diagnostics and Site Health checks to troubleshoot.

The plugin also includes a real setup-verification gate for sensitive flows, a Portability tab for JSON export/import, a Support tab with active protection alerts, per-integration analytics, CSV exports, privacy-safe metrics, and recent verification events, and support for defining keys through `wp-config.php` constants or environment variables.

= Supported integrations (where Turnstile can be added) =

All integrations are enable-able from settings. Many also support **Mode: Auto vs Shortcode**.

**WordPress Core**
- Login
- Custom login screens rendered with `wp_login_form()`
- Registration
- Lost password
- Reset password
- Comments (standard WordPress comment forms, including safe handling for comment failures/redirects)

**WooCommerce (Classic)**
- Checkout
- Product reviews
- My Account login
- My Account registration
- Lost password

**WooCommerce Blocks (Store API / Block Checkout)**
- UI rendering inside block-based checkout
- Adds token to Store API requests (header and/or extensions payload when available)
- Server-side validation of Store API checkout requests
- Supports “shortcode-only mode” behaviour so you can control placement

**Easy Digital Downloads (EDD)**
- Checkout
- Login
- Register
- Profile editor

**Form plugins**
- Contact Form 7 (CF7)
- WPForms
- Fluent Forms
- Formidable Forms
- Forminator
- Gravity Forms
- JetFormBuilder
- Jetpack Forms
- Kadence Forms
- Elementor Forms (including popups and AJAX submissions)

**Membership / community / newsletters**
- Ultimate Member (login, registration, password reset)
- MemberPress (signup / checkout)
- Paid Memberships Pro (checkout / registration)
- MailPoet forms
- wpDiscuz comment forms

**Community / forums**
- bbPress (topic/reply flows where applicable)
- BuddyPress (flows where applicable)

= Core features (site-wide) =

**Turnstile widget rendering**
- Uses Cloudflare’s official Turnstile API script
- Widget options:
  - Theme: auto / light / dark
  - Size: normal / compact / flexible
  - Appearance: stored as Turnstile “appearance” option (defaults to always)
  - Language: auto or explicit locale (passed via `hl=...`)

**Settings & admin experience**
- Settings page under the shared Kitgenix WP admin menu
- Live “test widget” preview on the settings screen (renders when a Site Key is present)
- Setup verification gate helps confirm the widget works before auth-sensitive integrations are relied on
- Site Key + Secret Key storage (secret not printed in HTML by default)
- “Reveal secret key” (admins only, nonce-protected AJAX action)

**Messaging & UX**
- Custom error message (admin-configurable, used across integrations)
- Extra message text (optional text displayed alongside/under the widget)
- “Disable submit until completed” option (frontend behaviour via plugin JS)

**Replay protection (enabled by default)**
- Detects re-used tokens (hash stored in transients) and blocks replays
- TTL is filterable
- Stores hashed token markers under the transient prefix `kitgenix_captcha_for_cloudflare_turnstile_ts_`
- Sets a short-lived cookie (`kitgenix_captcha_for_cloudflare_turnstile_ts_replay`, ~120s) when replay is detected (for frontend behaviour/messages)
- Dedicated replay message (filterable)
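
The replay check listed above, sketched as an added example; it is not the plugin's own code. The `example_*` names and the 600-second TTL are assumptions, and only the transient prefix is taken from this readme. The token is marked as used only after the protected action succeeds, which is the ordering the 1.1.0 changelog describes for checkout retries.

```php
<?php
// Added example (not the plugin's code): replay protection for Turnstile tokens
// backed by WordPress transients. example_* names and the TTL are assumptions;
// only the transient prefix is taken from this readme.

const EXAMPLE_REPLAY_PREFIX = 'kitgenix_captcha_for_cloudflare_turnstile_ts_';
const EXAMPLE_REPLAY_TTL    = 600; // seconds; assumed value

// In-memory stand-ins so the file also runs with plain `php` outside WordPress.
if ( ! function_exists( 'get_transient' ) ) {
    $GLOBALS['example_transients'] = array();
    function get_transient( $key ) {
        $entry = $GLOBALS['example_transients'][ $key ] ?? null;
        return ( null !== $entry && $entry['expires'] > time() ) ? $entry['value'] : false;
    }
    function set_transient( $key, $value, $ttl ) {
        $GLOBALS['example_transients'][ $key ] = array(
            'value'   => $value,
            'expires' => time() + $ttl,
        );
        return true;
    }
}

/** Transient name for a token. Only the SHA-256 digest is stored, never the token. */
function example_replay_key( string $token ): string {
    return EXAMPLE_REPLAY_PREFIX . hash( 'sha256', $token );
}

/** True if a marker for this token exists and has not expired. */
function example_token_was_used( string $token ): bool {
    return false !== get_transient( example_replay_key( $token ) );
}

/** Record the token digest so later submissions carrying it are rejected. */
function example_mark_token_used( string $token ): void {
    set_transient( example_replay_key( $token ), time(), EXAMPLE_REPLAY_TTL );
}

/**
 * Run a protected action behind the replay and verification checks.
 *
 * $verify( $token ) performs the siteverify call and returns true on success.
 * $action() does the real work (create the order, post the comment) and
 * returns true on success.
 *
 * The get/set pair is not atomic: two concurrent requests carrying the same
 * token can both pass the replay check before either writes the marker.
 */
function example_guarded_submit( string $token, callable $verify, callable $action ): string {
    if ( '' === $token ) {
        return 'missing_token';
    }
    if ( example_token_was_used( $token ) ) {
        return 'replay_detected';
    }
    if ( ! $verify( $token ) ) {
        return 'verification_failed';
    }
    if ( ! $action() ) {
        // The token is deliberately left unmarked so that a failed payment
        // or validation error does not turn the retry into a "replay".
        return 'action_failed';
    }
    example_mark_token_used( $token );
    return 'ok';
}

// Constructed demo: the action fails once, the retry succeeds, and a third
// submission of the same token is rejected.
if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    $token  = 'constructed-demo-token';
    $verify = static fn( string $t ): bool => true; // stands in for siteverify
    $fail   = static fn(): bool => false;           // e.g. payment declined
    $pass   = static fn(): bool => true;            // e.g. order created
    $steps  = array(
        'payment fails'    => $fail,
        'retry succeeds'   => $pass,
        'same token again' => $pass,
    );
    foreach ( $steps as $label => $action ) {
        printf( "%-18s %s\n", $label, example_guarded_submit( $token, $verify, $action ) );
    }
}
```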

**Developer mode (warn-only)**
- Verification failures do **not** block submissions
- Failures are logged (and emitted via a developer log action)
- Optional inline warning annotation for admins (frontend config)

**Whitelisting (skip Turnstile + skip loading API script)**
- Whitelist logged-in users
- Whitelist by IP (exact, wildcards, CIDR — including IPv6)
- Whitelist by User-Agent (substring or wildcard matching)
- Filter hook to override whitelist decision

**Proxy / real-IP handling**
- Optional trust of proxy headers (Cloudflare / X-Forwarded-For style)
- Trusted proxy IP list / trust controls
- Forwarded headers are only honoured when the request originates from a trusted proxy

**Performance & resilience**
- Conditional script loading only where needed
- Async/strategy-based script loading (depending on WP version)
- Adds resource hints (preconnect / dns-prefetch) for Turnstile domain
- Detects duplicate Turnstile API loaders (if another plugin/theme enqueues `api.js`):
  - Stores detection in the transient `kitgenix_turnstile_duplicate_scripts`
  - Shows admin notice on settings and Plugins screen
  - Includes dismiss link (nonce-protected, uses `kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss_dupe=1`)

**Site Health + diagnostics**
- Adds a Site Health test: “Cloudflare Turnstile readiness”
- Checks:
  - Keys present
  - Duplicate API loader transient (`kitgenix_turnstile_duplicate_scripts`)
  - Last verification success/failure snapshot
  - Heuristic warning if common optimisation/caching plugins are active
- Stores the last verify outcome (success, time, error codes) for Site Health display
- Tracks privacy-safe counters in `kitgenix_captcha_for_cloudflare_turnstile_metrics` (checks total/passed/failed/retries plus per-integration breakdowns)
- Raises automatic admin and Site Health alerts when recent verification failures spike or Cloudflare `siteverify` requests start failing at the HTTP layer
- Shows per-integration analytics in the Support tab so admins can compare passes, failures, retries, and friction by protected flow
- Shows active protection alerts in the Support tab for verification spikes, blocked API requests, and duplicate loader conflicts
- Exports per-integration analytics and the recent diagnostic log as CSV from the Support tab
- Shows a recent diagnostic log in the Support tab so admins can review the last verification events without storing raw IPs or URLs

= Portability and rollout =

- Export settings to JSON and import them into another site from the Portability tab.
- Choose whether exported settings include your Turnstile keys.
- Import settings in a controlled way for repeatable deployments.
- Define `KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SITE_KEY` and `KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SECRET_KEY` in `wp-config.php` or your environment when you want keys managed outside the database.

= Manual placement (shortcode) =

If you have a custom form or an unsupported plugin, you can manually render the widget:

[kitgenix_turnstile]

Shortcode output includes:
- a nonce field
- a hidden `cf-turnstile-response` input
- the widget container (with `data-sitekey`)
- support for passing arbitrary attributes via shortcode attributes

Many supported integrations also offer **Shortcode-only** mode (you place the shortcode where you want; the plugin validates server-side without auto-injection).

= Quick Start =

1. Install and activate the plugin.
2. Open the Turnstile settings under the Kitgenix hub in wp-admin.
3. Add your Cloudflare Turnstile Site Key and Secret Key.
4. Configure widget options (theme/size/appearance/language) and messaging if needed.
5. Enable the integrations (and per-form toggles) you want.
6. Save, then test the key user journeys: login, registration, checkout, and your main contact form.

Tip: Start with **Developer mode (warn-only)** on staging or during rollout. Once you’re satisfied, disable warn-only to enforce blocking.

= Performance and caching notes (important for stores) =

Turnstile is lightweight, but aggressive optimisation can break rendering or token freshness.

If you use caching/optimisation plugins:
- Allowlist https://challenges.cloudflare.com
- Avoid full-page caching on login/account/checkout pages
- Avoid combining/inlining the Turnstile loader
- Avoid heavily delaying Elementor/form plugin scripts
- Ensure outbound HTTP requests to Cloudflare are not blocked (needed for server-side verification)

== Installation ==

1. Go to Plugins → Add New.
2. Search for “Kitgenix Turnstile” and click Install Now.
3. Activate the plugin.
4. Open the settings under the Kitgenix hub.
5. Enter your Site Key and Secret Key from Cloudflare Turnstile.
6. Enable your integrations and save.

== Frequently Asked Questions ==

= Do I need a Cloudflare account? =
Yes. You need Turnstile keys from Cloudflare. A free account is enough.

= Is Cloudflare Turnstile a reCAPTCHA alternative? =
Yes. Turnstile is widely used as a privacy-first alternative to Google reCAPTCHA and typically offers a smoother experience for real users.

= Do you verify tokens on the server? =
Yes. Tokens are verified server-side using Cloudflare’s official `siteverify` endpoint (for supported forms/integrations).

= Does this plugin support WooCommerce checkout? =
Yes. It supports WooCommerce Classic checkout, **WooCommerce product reviews**, and **WooCommerce Blocks / Store API checkout**.

= What is “Auto vs Shortcode-only” mode? =
Auto mode injects the widget automatically (and avoids duplicates if it detects existing shortcode/widget markers). Shortcode-only mode requires you to place `[kitgenix_turnstile]` manually.

= What is replay protection? =
Replay protection blocks re-used tokens (a common bot technique). It’s enabled by default and can be tuned via a filter.

= I’m behind Cloudflare / a reverse proxy. Is IP handling correct? =
Yes. The plugin supports proxy-aware IP detection and lets you configure trusted proxies so forwarded headers are only honoured safely.

= Can I whitelist logged-in users or certain IPs/User-Agents? =
Yes. You can whitelist logged-in users, IPs (CIDR/wildcards, including IPv6), and user agents. Developers can also filter whitelist behaviour.

= Can I export or import my settings? =
Yes. The Portability tab lets you export settings as JSON and import them again when you are moving between environments or standardising multiple sites.

= Can I export Turnstile analytics by integration? =
Yes. The Support tab now includes per-integration analytics plus CSV exports for both the integration summary and the recent diagnostic log, so you can review passes, failures, retries, and friction outside wp-admin.

= Can the plugin warn me when Turnstile starts failing? =
Yes. The plugin now raises automatic admin and Site Health alerts when recent verification failures spike, Cloudflare `siteverify` requests are being blocked, or duplicate Turnstile loaders are detected, so you can investigate before forms quietly stop working.

= Can I define keys outside wp-admin? =
Yes. You can define `KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SITE_KEY` and `KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SECRET_KEY` in `wp-config.php` or your environment so keys are managed outside the database.

= The widget isn’t showing. What should I check? =
Check your Site Key, confirm the relevant integration and per-form toggle are enabled, clear caches, and review optimisation settings. If scripts are heavily delayed, allowlist Cloudflare’s Turnstile domain.

= Users keep seeing verification errors. Why? =
Common causes include cached form pages (token expiry), aggressive script delay/defer, blocked outbound requests to Cloudflare, duplicate Turnstile loaders, or misconfigured proxy trust settings. Developer mode (warn-only) can help diagnose without blocking users.

== Screenshots ==

1. WordPress login form protected by Cloudflare Turnstile.
2. WordPress registration form protected.
3. WooCommerce Classic checkout protected near the Place order area.
4. WooCommerce Blocks / Store API checkout protected inside the block-based checkout UI.
5. WooCommerce My Account login/register protected.
6. Contact Form 7 form protected.
7. WPForms form protected (AJAX and standard submissions).
8. Elementor form protected (including popup/AJAX behaviour).
9. Settings overview: keys, widget options, integration toggles and security features.
10. Security/advanced settings: replay protection, proxy trust configuration and whitelisting rules.
11. Site Health “Cloudflare Turnstile readiness” test view (keys, last verify snapshot, duplicate loader notice).
12. Portability tab: export/import settings and environment handoff.
13. Support tab: active alerts, per-integration analytics, CSV exports, and recent diagnostic log.

== Settings Overview ==

Main settings:
- Site Key
- Secret Key (with “secret present” state, clear/reveal)
- Theme (auto/light/dark)
- Size (normal/compact/flexible)
- Appearance (Turnstile appearance option)
- Language (auto or specific locale)
- Disable submit until completed
- Custom error message
- Extra message text

Security & advanced:
- Replay protection (on/off)
- Developer mode (warn-only)
- Whitelist logged-in users
- Whitelist IPs (wildcards/CIDR, including IPv6)
- Whitelist user agents
- Proxy trust (enable/disable)
- Trusted proxy IPs / trust controls
- Setup verification before sensitive rollouts

Portability & operations:
- Export settings to JSON
- Import settings from JSON
- Optionally include or exclude site keys during transfer
- Support `KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SITE_KEY` and `KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SECRET_KEY` as constants or environment-variable overrides for keys

Integrations (enable + per-form toggles where available):
- WordPress Core (login/register/lost password/reset password/standard comments)
- WooCommerce (checkout/product reviews/login/register/lost password)
- WooCommerce Blocks mode (auto vs shortcode-only)
- Easy Digital Downloads (checkout/login/register/profile)
- Contact Form 7
- WPForms
- Fluent Forms
- Formidable Forms
- Forminator
- Gravity Forms
- Jetpack Forms
- Kadence Forms
- Elementor Forms
- bbPress
- BuddyPress

== Developers ==

Shortcode:
[kitgenix_turnstile]

Server-side verification endpoint:
https://challenges.cloudflare.com/turnstile/v0/siteverify

Filters (script/loading):
- kitgenix_captcha_for_cloudflare_turnstile_script_url( $url, $settings )
- kitgenix_turnstile_freshness_ms
- kitgenix_turnstile_inline_style

Filters (verification / request handling):
- kitgenix_turnstile_siteverify_url
- kitgenix_turnstile_siteverify_timeout
- kitgenix_turnstile_siteverify_sslverify
- kitgenix_turnstile_siteverify_http_args
- kitgenix_turnstile_send_remoteip
- kitgenix_turnstile_remote_ip
- kitgenix_turnstile_token_from_request
- kitgenix_turnstile_handle_comment_form
- kitgenix_turnstile_error_codes
- kitgenix_turnstile_error_message
- kitgenix_turnstile_replay_message
- kitgenix_captcha_for_cloudflare_turnstile_{context}_turnstile_error_message

Filters (replay protection):
- kitgenix_turnstile_replay_ttl

Filters (operational alerts):
- kitgenix_turnstile_alert_window_seconds
- kitgenix_turnstile_alert_failure_spike_min_failures
- kitgenix_turnstile_alert_failure_spike_failure_rate
- kitgenix_turnstile_alert_http_error_min_failures

Filters (whitelist / proxy trust):
- kitgenix_turnstile_is_whitelisted( $is_whitelisted, $details )
- kitgenix_turnstile_trust_headers
- kitgenix_turnstile_trusted_proxies

Internal identifiers (options / transients / cookies / meta):
- Option: kitgenix_captcha_for_cloudflare_turnstile_settings
- Settings group (Settings API): kitgenix_captcha_for_cloudflare_turnstile_settings_group
- Option: kitgenix_captcha_for_cloudflare_turnstile_metrics
- Option: kitgenix_turnstile_recent_event_log
- Option: kitgenix_turnstile_last_verify
- Transient: kitgenix_captcha_for_cloudflare_turnstile_do_activation_redirect
- Transient: kitgenix_turnstile_duplicate_scripts
- Transient prefix (replay protection): kitgenix_captcha_for_cloudflare_turnstile_ts_
- Cookie (replay notice): kitgenix_captcha_for_cloudflare_turnstile_ts_replay
- WooCommerce order meta (Blocks/Store API verification): _kitgenix_turnstile_verified

Internal nonces / actions:
- Shortcode/form nonce field name: kitgenix_captcha_for_cloudflare_turnstile_nonce
- Shortcode/form nonce action: kitgenix_captcha_for_cloudflare_turnstile_action
- Settings save nonce field name: kitgenix_captcha_for_cloudflare_turnstile_settings_nonce
- Settings save nonce action: kitgenix_captcha_for_cloudflare_turnstile_settings_save
- Admin AJAX action (reveal saved secret): kitgenix_turnstile_get_secret (WordPress hook: wp_ajax_kitgenix_turnstile_get_secret)
- Admin AJAX nonce action (reveal saved secret): kitgenix_turnstile_reveal_secret
- Admin-post action (analytics exports): kitgenix_turnstile_export_analytics
- Admin-post nonce action (analytics exports): kitgenix_turnstile_export_analytics
- Duplicate-loader notice dismiss query arg: kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss_dupe
- Duplicate-loader notice dismiss nonce action: kitgenix_captcha_for_cloudflare_turnstile_ts_dismiss

Actions (developer logging):
- kitgenix_turnstile_dev_log

== External Services ==

This plugin uses **Cloudflare Turnstile** to verify requests and prevent spam and abuse.

The plugin may:
- Load the Turnstile script:
  https://challenges.cloudflare.com/turnstile/v0/api.js
- Submit verification requests server-side to:
  https://challenges.cloudflare.com/turnstile/v0/siteverify

When verification is enabled, the plugin sends to Cloudflare:
- Your Turnstile secret key
- The Turnstile response token
- The visitor IP address (as the optional `remoteip` parameter, when enabled)

The plugin does not send the visitor's browser user agent to Cloudflare as part of the verification payload (the HTTP request itself is made server-side by WordPress).

If proxy trust is enabled, the plugin may read forwarding headers (e.g. `CF-Connecting-IP`, `X-Forwarded-For`) to determine the client IP, but only when requests originate from configured trusted proxies.
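
One way to implement the rule that forwarding headers count only when the request comes from a trusted proxy, with CIDR matching for IPv4 and IPv6 as used by the whitelist and trusted-proxy settings. This is an added example, not the plugin's own code; every `example_*` name is hypothetical and the addresses are constructed from documentation ranges.

```php
<?php
// Added example (not the plugin's code): resolve the visitor IP while honouring
// forwarding headers only when the direct peer is a trusted proxy.
// All example_* names are hypothetical.

/** True if $ip is inside $cidr (IPv4 or IPv6). A bare address means exact match. */
function example_ip_in_cidr( string $ip, string $cidr ): bool {
    $parts   = explode( '/', $cidr, 2 );
    $ip_bin  = @inet_pton( $ip );
    $net_bin = @inet_pton( $parts[0] );
    if ( false === $ip_bin || false === $net_bin || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
        return false; // invalid address, or IPv4 compared against IPv6
    }
    $max_bits = strlen( $ip_bin ) * 8;
    $bits     = $max_bits;
    if ( isset( $parts[1] ) ) {
        if ( ! preg_match( '/^\d{1,3}$/', $parts[1] ) || (int) $parts[1] > $max_bits ) {
            return false; // a malformed prefix length never matches
        }
        $bits = (int) $parts[1];
    }
    $full = intdiv( $bits, 8 ); // whole bytes covered by the prefix
    $rem  = $bits % 8;          // leftover bits in the next byte
    if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
        return false;
    }
    if ( 0 === $rem ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
    return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

/** True if $ip matches any entry (address or CIDR range) in $trusted. */
function example_is_trusted_proxy( string $ip, array $trusted ): bool {
    foreach ( $trusted as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Return the address to treat as the visitor.
 * $server mirrors $_SERVER; $trusted lists proxy addresses or CIDR ranges.
 */
function example_client_ip( array $server, array $trusted ): string {
    $peer = (string) ( $server['REMOTE_ADDR'] ?? '' );
    if ( ! example_is_trusted_proxy( $peer, $trusted ) ) {
        return $peer; // not from a trusted proxy: headers are client-supplied, ignore them
    }
    // CF-Connecting-IP holds one address. Rely on it only if the proxy sets or strips it.
    $cf = trim( (string) ( $server['HTTP_CF_CONNECTING_IP'] ?? '' ) );
    if ( false !== filter_var( $cf, FILTER_VALIDATE_IP ) ) {
        return $cf;
    }
    // X-Forwarded-For: read right to left, skip trusted hops, stop at the first other address.
    $xff  = (string) ( $server['HTTP_X_FORWARDED_FOR'] ?? '' );
    $hops = array_reverse( array_map( 'trim', explode( ',', $xff ) ) );
    foreach ( $hops as $hop ) {
        if ( false === filter_var( $hop, FILTER_VALIDATE_IP ) ) {
            break; // malformed entry: fall back to the peer address
        }
        if ( ! example_is_trusted_proxy( $hop, $trusted ) ) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests using documentation address ranges.
if ( PHP_SAPI === 'cli' ) {
    $trusted = array( '192.0.2.0/24', '2001:db8:ffff::/48' );
    $samples = array(
        'direct client sending its own X-Forwarded-For' => array(
            'REMOTE_ADDR'          => '203.0.113.9',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
        ),
        'trusted proxy, client-prepended entry in the chain' => array(
            'REMOTE_ADDR'          => '192.0.2.10',
            'HTTP_X_FORWARDED_FOR' => '10.1.1.1, 198.51.100.7, 192.0.2.11',
        ),
        'trusted IPv6 proxy with CF-Connecting-IP' => array(
            'REMOTE_ADDR'           => '2001:db8:ffff::1',
            'HTTP_CF_CONNECTING_IP' => '2001:db8:1::42',
        ),
    );
    foreach ( $samples as $label => $server ) {
        printf( "%-52s => %s\n", $label, example_client_ip( $server, $trusted ) );
    }
}
```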

The plugin does not add tracking cookies itself and does not sell or share personal data.

Cloudflare Turnstile Terms: https://developers.cloudflare.com/turnstile/
Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/

This plugin also includes a shared “Kitgenix hub” component in wp-admin which may fetch publicly available plugin metadata from WordPress.org using the WordPress core `plugins_api()` function (WordPress.org Plugins API).

* When it runs: only in wp-admin (Kitgenix plugin admin pages)
* Data sent: plugin slug(s) (no personal data)
* Data received: publicly available plugin information (e.g. active installs, ratings)
* Caching: responses are cached locally using transients for ~1 day:
  * `kitgenix_hub_wporg_active_installs_v1`
  * `kitgenix_hub_wporg_ratings_v1`

== Trademark Notice ==

“Cloudflare” and the Cloudflare logo are trademarks of Cloudflare, Inc. This plugin is not affiliated with or endorsed by Cloudflare, Inc.

== Support Development ==

If this plugin helps keep spam away without slowing your site down, you can support ongoing development here:
https://buymeacoffee.com/kitgenix

== Credits ==
Built with ❤︎ by @kitgenix - https://kitgenix.com

== Upgrade Notice ==

= 1.1.3 =
Recommended for all websites.

== Changelog ==
= 1.1.3 (26 May 2026) =
* Compatibility: Confirmed compatibility with WordPress 7.0.
* Fix: WooCommerce My Account registration validation now correctly blocks bot registrations. The previous hook (`woocommerce_register_post` + `wc_add_notice`) only queued a frontend notice but did not prevent account creation; validation is now wired to the `woocommerce_registration_errors` filter so failed Turnstile challenges add a WP_Error that WooCommerce checks before creating the account.
* Fix: WooCommerce reset-password validation now receives the WP_Error object and adds errors directly to it, ensuring a failed Turnstile challenge blocks the password reset instead of only showing a notice.
* Improvement: Diagnostic log now shows a plain-English category and explanatory note for every entry instead of the internal retry-required / first-pass-or-hard-fail classification. False positives (e.g. stale nonce on a cached My Account page) are now clearly labelled as `cached-or-expired-page` with guidance, so they are not mistaken for attacks. A category legend table is displayed alongside the log in the Support tab.
* Fix: Diagnostic log data is now fully cleaned up when the plugin is uninstalled.
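
The registration fix in 1.1.3, shown as the notice-only pattern beside the enforcing one. This is an added example, not the plugin's own code: the `example_*` names are hypothetical, it assumes the secret is defined through the constant this readme documents, and it runs inside WordPress with WooCommerce active.

```php
<?php
// Added example (not the plugin's code). Runs inside WordPress with WooCommerce
// active, for instance as a small mu-plugin. All example_* names are hypothetical.

/** Read the token from the hidden field the Turnstile widget fills in. */
function example_token_from_post(): string {
    return isset( $_POST['cf-turnstile-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) )
        : '';
}

/**
 * Ask Cloudflare whether the token is valid.
 * Fails closed: a missing secret, transport error, non-200 status or
 * unparseable body all count as "not verified".
 */
function example_turnstile_verify( string $token ): bool {
    // Assumption: the secret is supplied through the constant named in this readme.
    $secret = defined( 'KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SECRET_KEY' )
        ? (string) constant( 'KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_SECRET_KEY' )
        : '';
    if ( '' === $token || '' === $secret ) {
        return false;
    }
    $response = wp_remote_post(
        'https://challenges.cloudflare.com/turnstile/v0/siteverify',
        array(
            'timeout' => 10,
            'body'    => array(
                'secret'   => $secret,
                'response' => $token,
            ),
        )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $data ) && true === ( $data['success'] ?? false );
}

/**
 * BEFORE: the pattern the changelog describes as ineffective.
 * The notice is queued for display, but $errors stays empty, so WooCommerce
 * still creates the account. Left unhooked on purpose.
 */
function example_register_notice_only( $username, $email, $errors ) {
    if ( ! example_turnstile_verify( example_token_from_post() ) ) {
        wc_add_notice( __( 'Please complete the verification.', 'example' ), 'error' );
    }
}
// add_action( 'woocommerce_register_post', 'example_register_notice_only', 10, 3 );

/**
 * AFTER: add the failure to the WP_Error that WooCommerce inspects before it
 * creates the customer. A non-empty error object stops account creation.
 */
function example_register_enforce( $errors, $username, $email ) {
    if ( ! example_turnstile_verify( example_token_from_post() ) ) {
        $errors->add(
            'example_turnstile_failed',
            __( 'Please complete the verification.', 'example' )
        );
    }
    return $errors;
}
add_filter( 'woocommerce_registration_errors', 'example_register_enforce', 10, 3 );
```

When reviewing other integrations for the same class of bug, check that every validation callback changes the value the host plugin actually tests (a returned `WP_Error`, a thrown exception, a boolean), not only what the visitor is shown.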

= 1.1.2 (26 May 2026) =
* Dev: Skipped to be in line with other Kitgenix Plugins

= 1.1.1 (26 May 2026) =
* Dev: Skipped to be in line with other Kitgenix Plugins

= 1.1.0 (7 May 2026) =
* New: Added MailPoet integration with Turnstile injection and server-side newsletter subscription validation.
* New: Added Ultimate Member integration covering login, registration, and password reset forms.
* New: Added MemberPress integration for signup and checkout flows.
* New: Added Paid Memberships Pro integration for checkout and registration flows.
* New: Added wpDiscuz integration for comment and reply forms.
* New: Added environment-managed and wp-config-managed key overrides for the Turnstile Site Key and Secret Key.
* New: Added a dedicated Portability tab with JSON export/import tools for reusing settings across sites.
* New: Added an end-to-end setup verification gate that validates the current Site Key and Secret Key through a real server-side Cloudflare siteverify check before login-sensitive flows are allowed to load.
* New: Added a privacy-safe recent diagnostic log for admins with copyable timestamps, integration labels, outcomes, and Cloudflare error codes.
* New: Added automatic admin and Site Health alerts for sudden verification failure spikes and blocked Cloudflare `siteverify` requests.
* New: Added per-integration analytics in the Support tab with pass, failure, retry, and friction reporting for each protected flow.
* New: Added CSV exports for the per-integration analytics table and the recent diagnostic log.
* Improvement: Added new admin integration toggles for MailPoet, Ultimate Member, MemberPress, Paid Memberships Pro, and wpDiscuz.
* Improvement: MailPoet forms now receive the Turnstile token through the expected nested request field for reliable validation.
* Improvement: Site Key and Secret Key admin fields now become read-only when a constant or environment variable override is active.
* Improvement: Settings exports can omit sensitive keys by default, while imports support replace or merge workflows for agency rollouts.
* Improvement: The admin test widget now performs server-side setup verification, records the result for the current key pair, and warns admins when auth-sensitive protections are still gated.
* Improvement: The Support tab now surfaces active protection alerts, including duplicate Turnstile loader conflicts, with quick triage actions.
* Improvement: WordPress core login protection now supports `wp_login_form()` custom login screens and skips REST/XML-RPC auth edge cases for better compatibility with hidden-login URLs, theme modals, and 2FA flows.
* Improvement: Recent diagnostic logging deliberately avoids storing raw IP addresses, request URIs, or submitted values.
* Improvement: Privacy-safe metrics now store per-integration retry counts so admins can quantify challenge friction without storing raw visitor identifiers.
* Fix: Turnstile API script loading now avoids adding WordPress `?ver=` query arguments to Cloudflare `api.js`, removing the browser console warning about unknown API parameters.
* Fix: Widget size handling now uses Cloudflare-supported values (`normal`, `compact`, `flexible`) with backward-compatible mapping for legacy saved sizes.
* Fix: WooCommerce Classic checkout now validates Turnstile only once per submission, preventing false “Your verification expired. Please complete the Turnstile challenge.” errors when enforcement is enabled.
* Fix: WooCommerce Classic Checkout with replay protection now allows checkout retries and only marks the token as used after successful order creation, preventing "replay_detected" errors during payment failures or validation retries.
* Fix: Easy Digital Downloads (EDD) checkout with replay protection now allows checkout retries and only marks the token as used after successful purchase, preventing "replay_detected" errors during payment failures or validation retries.
* Fix: Paid Memberships Pro checkout with replay protection now allows checkout retries and only marks the token as used after successful membership creation, preventing "replay_detected" errors during payment failures or validation retries.
* Fix: WooCommerce Blocks checkout with replay protection now allows checkout retries and only marks the token as used after successful order creation via Store API.
* Fix: Standard WordPress comments handling now defers to wpDiscuz-specific validation when wpDiscuz protection is enabled, preventing duplicate handling.
* Fix: All integration files (EDD, Elementor, WP Core, Paid Memberships Pro, Ultimate Member, MemberPress, wpDiscuz, MailPoet, BuddyPress, bbPress, Fluent Forms, WPForms, Contact Form 7, Kadence Forms, JetFormBuilder, Gravity Forms, Formidable Forms, Forminator, Jetpack Forms) now pass widget size through the `normalize_widget_size()` helper, ensuring only Cloudflare-supported values (`normal`, `compact`, `flexible`) are ever rendered in `data-size` attributes.
* Fix: Cleared stale `_lastToken` on Turnstile reset or expiry — the stored token is now always synced with the hidden input value, preventing a stale token being replayed by the WooCommerce Blocks fetch bridge after a checkout error.
* Fix: WooCommerce Classic Checkout now resets the Turnstile widget automatically after a failed submission (`checkout_error` event) and re-initialises it after checkout fragment refreshes (`updated_checkout` event), ensuring users always have a fresh token ready for retry.
* Docs: Updated the readme supported integrations list to include the new membership, newsletter, and community coverage.

= 1.0.18 (19 March 2026) =
* UI: Improved the Kitgenix admin header layout for better alignment and less clutter.
* UI: Social links in admin headers now render as compact icon buttons (with accessible labels).
* UI: Added responsive header helpers so titles/description and actions/links lay out consistently.
* UI: Admin tables inside Kitgenix pages now use Kitgenix styling for a more consistent branded look.
* Fix: Admin notices now display above the Kitgenix header using the WordPress standard notice area.
* Fix: Removed custom notice moving/styling so core WordPress notices keep their default appearance.
* Fix: Added defensive notice normalization to prevent notices being relocated into the header by other scripts.
* Fix: Normalised settings page card spacing so it matches other Kitgenix plugins.
* Fix: Added spacing between adjacent action links/buttons (e.g., Edit/Delete).
* Improvement: Validate Store API POSTs early via a single REST pre-dispatch path; token accepted from X-Turnstile-Token header or canonical extensions payload (WooCommerce Blocks).
* Cleanup: Normalised nonce verification and request handling across admin and validation flows for WordPress.org review compliance.
* Maintenance: Updated the plugin Author URI to the public Kitgenix WordPress.org profile and replaced the old custom admin-menu icon CSS with the native Dashicons icon.
* New: Added a dedicated WooCommerce Product Reviews integration toggle so store reviews can be protected independently of standard WordPress comments.
* Fix: Split standard WordPress comments from WooCommerce product reviews so enabling blog comments protection no longer captures product review submissions unless the WooCommerce reviews toggle is enabled.
* Improvement: WooCommerce product reviews now follow the WooCommerce Classic injection mode and error-message context while still using the shared comment form hooks internally.
* Docs: Updated the bundled documentation and package readme to describe the new WooCommerce Product Reviews coverage and the `kitgenix_turnstile_handle_comment_form` routing filter.

= 1.0.17 (18 February 2026) =
* New: Added JetFormBuilder integration (auto-inject and shortcode-only modes).
* New: JetFormBuilder server-side validation during submission handling (AJAX compatible).
* New: Added JetFormBuilder toggle + injection mode to the settings page.
* Improvement: JetFormBuilder auto-inject places the widget near the submit button row and avoids multi-step next/prev actions.
* Fix: Support tab “Your site impact” metrics now update as Turnstile checks run (total/passed/failed).
* UI: Added Stock Sync for WooCommerce to the Kitgenix hub cards.
* Docs: Overhauled readme.txt.
* Docs: Updated WordPress.org screenshots.
* Docs: JetFormBuilder includes its own Turnstile/CAPTCHA option; use one Turnstile provider per form to avoid duplicates.
* Dev: Regenerated /languages/kitgenix-captcha-for-cloudflare-turnstile.pot translation template.

= 1.0.16 (27 January 2026) =
* Improvement: Small admin UI tweaks and performance refinements.
* Change: Declared PHP requirement as 8.1.
* Cleanup: Minor compatibility and stability fixes, plus i18n/translation updates.
* Cleanup: PHPCS/i18n/security fixes across admin and core files (output escaping, translator comments, optional nonce checks).
* Fix: Hardened admin asset enqueues to prefer $_GET['page'] with a fallback to hook-suffix so assets load reliably on existing installs.
* Fix: Localized admin JS now exposes AJAX action and nonce for the reveal-secret flow to securely fetch stored secret keys.

= 1.0.15 (01 January 2026) =
* New: Added Easy Digital Downloads integration (checkout, login, registration, and profile editor) with per-form toggles and a dedicated mode setting (Auto vs Shortcode-only).
* New: Added a shared Kitgenix top-level wp-admin menu + hub page, and moved Turnstile settings to Kitgenix → Cloudflare Turnstile (activation redirect + “Settings” link updated accordingly).
* Security: Secret key is no longer printed into the settings page HTML by default; “Reveal secret key” now fetches it on-demand via authenticated AJAX + nonce.
519 * Cleanup: Minor compatibility and stability fixes, plus i18n/translation updates.
520 * Cleanup: PHPCS/i18n/security fixes across admin and core files (output escaping, translator comments, optional nonce checks).
521 * Fix: Hardened admin asset enqueues to prefer $_GET['page'] with a fallback to hook-suffix so assets load reliably on existing installs.
522 * Fix: Localized admin JS now exposes AJAX action and nonce for the reveal-secret flow to securely fetch stored secret keys.
523
524 = 1.0.15 (01 January 2026) =
525 * New: Added Easy Digital Downloads integration (checkout, login, registration, and profile editor) with per-form toggles and a dedicated mode setting (Auto vs Shortcode-only).
526 * New: Added a shared Kitgenix top-level wp-admin menu + hub page, and moved Turnstile settings to Kitgenix → Cloudflare Turnstile (activation redirect + “Settings” link updated accordingly).
527 * Security: Secret key is no longer printed into the settings page HTML by default; “Reveal secret key” now fetches it on-demand via authenticated AJAX + nonce.
528 * Improvement: bbPress integration now avoids duplicate widget output on themes that fire multiple hooks, adds support for the forum form, and validates forum creation flows.
529 * Improvement: Fluent Forms rendering is now more resilient when the Turnstile API loads late (prevents “stuck rendering” states and allows clean retries).
530 * Improvement: Standardized internal widget owner attribute + dynamic-render event naming, reducing render misses in dynamic/AJAX contexts.
531 * Improvement: WordPress comments widget placement is now consistently injected above the submit button across themes; comment widget now has a stable ID for easier targeting.
532 * Fix: Replay protection setting now persists correctly when you disable it (checkbox omission on save no longer forces it back on).
533 * UI: Updated Kitgenix branding (admin + public CSS tokens), added shared hub stylesheet, refreshed plugin banners, and added Kitgenix logo assets.
534 * Cleanup: Removed onboarding strings and updated translations; plugin headers/requirements updated (Tested up to 6.9, requires PHP 8.0).
535
536 = 1.0.14 (09 December 2025) =
537 * UI: Split WooCommerce settings into two blocks — “WooCommerce Classic” and “WooCommerce Blocks (Store API)” — with separate injection mode controls and clearer guidance.
538 * UI: Modernized settings page with sidebar navigation (icons), status overview card, accessible collapsible sections, and improved layout. Kept the floating “Unsaved changes” bar.
539 * UI: Added a copy button next to [kitgenix_turnstile] in the settings for easy manual placement.
540 * UI: Updated brand colors across admin and public CSS to main #4f2a9a and accent #f364dd.
541 * Improvement: Public JS detects data-kitgenix-captcha-for-cloudflare-turnstile-owner="woocommerce-blocks" and performs an immediate render, then falls back to visibility guard for other owners.
542 * Fix: WooCommerce Blocks checkout widget now renders reliably even when Classic Checkout is disabled. The renderer no longer waits for the container to be visible before calling turnstile.render() for Blocks, preventing missed render windows.
543 * Change: Respect Shortcode-only — when Blocks is set to “Shortcode only”, auto-rendering is suppressed and server-side validation only enforces when a token is present (i.e. when you place the shortcode). Without a shortcode/token, checkout proceeds without Turnstile.
544 * Change: Clarification — unchecking “Checkout Form (Classic)” does not affect Blocks Checkout; disable Blocks auto-injection via its “Shortcode only” mode if desired.
545 * Cleanup: Removed Export/Import Settings feature — UI removed and handlers disabled (class-settings-transfer.php no longer registers actions). Any old direct Import/Export URLs are no-ops.
546 * Cleanup: Removed the Simple/Advanced mode toggle from the settings UI and scripts.
547 * Dev: Dropped the unused kitgenix_turnstile_validate_keys AJAX nonce localization from admin scripts.
548 * Preparation: Placement — ensures the widget is injected directly above the “Place order” area in WooCommerce Blocks checkout (handles submit button, text node, and actions wrapper variants).
549 * Preparation: Stability — keeps existing behaviour for Classic, core, and form plugins; no changes to validation flows or token forwarding (header + Store API extensions).
550
551 = 1.0.13 (22 November 2025) =
552 * Security: Fixed a critical validation bypass in Elementor Pro Forms and Forminator Forms, where a missing token incorrectly allowed the form submission instead of blocking it.
553 * Security: Audit confirmed all other integrations (Contact Form 7, Gravity Forms, Formidable Forms, WPForms, Fluent Forms, Jetpack Forms, Kadence Forms, WooCommerce, WordPress core, bbPress, BuddyPress) correctly validate and fail when tokens are missing.
554 * Security: This update fixes a vulnerability where forms could be submitted without completing CAPTCHA verification. Update immediately.
555 * Fix: Elementor Pro Forms now properly fail validation when the Turnstile token is missing or empty (previously skipped validation entirely).
556 * Fix: Forminator Forms now properly fail validation when the Turnstile token is missing or empty (previously skipped validation entirely).
557 * Fix: Removed the wp_kses_post() wrapper from Forminator submit button HTML that could strip required attributes.
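
The fail-open pattern behind the 1.0.13 fix, shown beside a fail-closed validator that also rejects reused tokens through a hashed cache like the replay protection listed in this changelog. This is an added example, not the plugin's code: the function names, the `$siteverify` callback and the in-memory `$seen` map are assumptions; only the `cf-turnstile-response` field name and the ~10 minute window come from the readme.

```php
<?php
declare(strict_types=1);

// Added illustration; function names and the verifier callback are hypothetical.

/** Fail-open pattern of the kind fixed in 1.0.13: no token means no check. */
function validate_fail_open(array $post, callable $siteverify): bool
{
    $token = $post['cf-turnstile-response'] ?? '';
    if ($token === '') {
        return true; // flaw: a request that omits the field is accepted
    }
    return $siteverify($token) === true;
}

/**
 * Fail-closed pattern: only a positively verified, first-use token passes.
 * $seen maps sha256(token) => expiry timestamp and stands in for a shared
 * cache; 600 seconds mirrors the ~10 minute replay window in the changelog.
 */
function validate_fail_closed(array $post, callable $siteverify, array &$seen, int $now, int $ttl = 600): bool
{
    $token = $post['cf-turnstile-response'] ?? null;
    if (!is_string($token) || trim($token) === '') {
        return false; // missing, empty or non-string (e.g. array) value
    }

    // Expire old entries, then reject a token that was already accepted once.
    $seen = array_filter($seen, static fn(int $expiry): bool => $expiry > $now);
    $hash = hash('sha256', $token);
    if (isset($seen[$hash])) {
        return false;
    }

    try {
        $ok = $siteverify($token) === true; // anything but literal true fails
    } catch (Throwable $e) {
        $ok = false; // network or parsing errors never become a pass
    }
    if ($ok) {
        $seen[$hash] = $now + $ttl; // store the hash, not the raw token
    }
    return $ok;
}

// Constructed sample input: a stub verifier that accepts one known token.
$verify = static fn(string $t): bool => $t === 'constructed-valid-token';
$seen   = [];
$now    = 1_700_000_000;
$cases  = [
    'field missing'    => [],
    'empty string'     => ['cf-turnstile-response' => ''],
    'array value'      => ['cf-turnstile-response' => ['x']],
    'valid token'      => ['cf-turnstile-response' => 'constructed-valid-token'],
    'same token again' => ['cf-turnstile-response' => 'constructed-valid-token'],
];

printf("%-18s fail-open=%s\n", 'field missing', var_export(validate_fail_open([], $verify), true));
foreach ($cases as $label => $post) {
    $result = validate_fail_closed($post, $verify, $seen, $now);
    printf("%-18s fail-closed=%s\n", $label, var_export($result, true));
}
```

In a regression test for an integration, the case worth pinning is the first one: a submission with no token field at all must be rejected.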
558
559 = 1.0.12.1 (22 November 2025) =
560 * Fix: Reverted to 1.0.11 until the security update was released.
561
562 = 1.0.12 (21 November 2025) =
563 * New: Global shortcode [kitgenix_turnstile] to render the Turnstile widget manually inside custom HTML fields, form content, or page templates.
564 * Improvement: Auto-inject vs Shortcode behavior is now mutually exclusive and consistent across integrations.
565 * Improvement: Ensured Shortcode-only mode works across all supported form plugins via defensive do_shortcode() passthroughs and field-level filters, while Auto mode detection ignores literal shortcode tokens.
566 * UI: Only show the global Shortcode guidance card when at least one supported forms integration is present. Removed Auto/Shortcode radio controls from the WordPress Core card; core forms use the Enable checkbox and per-form toggles only.
567 * Dev: Reworked temporary shortcode removal logic to guarantee re-registration after do_shortcode(). Fixed edge-case uninitialised variable and parse issues.
568 * Dev: Standardised detection and injection semantics and added comments and guards for missing site keys, filters, and plugin version differences.
569 * Fix: CF7 shortcode rendering in Shortcode-only mode — Contact Form 7 form HTML is now passed through do_shortcode() when the integration is set to Shortcode-only.
570 * Change: Added includes/core/class-turnstile-shortcode.php with a robust shortcode renderer and recursive detection helper has_shortcode_in() that detects literal shortcodes and rendered widget markers (class="cf-turnstile", data-kitgenix-shortcode, or hidden name="cf-turnstile-response").
571 * Change: Integration adapters now use the new helper and treat literal shortcode text separately from rendered markup so Auto mode is not blocked by leftover shortcode tokens.
572 * Change: When an integration needs to run do_shortcode() in Auto mode, it temporarily removes the plugin shortcode, runs do_shortcode(), then immediately re-registers the shortcode so it is never left unregistered.
573 * Docs: Note — the stored mode_wp_core setting is retained for compatibility but no longer exposed in the UI. It can be removed in a future release if needed.
574
575 = 1.0.11 (19 October 2025) =
576 * Fix: Elementor AJAX regression — prevented a brief layout “bump” where Interaction Only lost .kitgenix-ts-collapsed during the AJAX send; the container now stays collapsed unless a visible challenge is explicitly required.
577
578 = 1.0.10 (16 October 2025) =
579 * Improvement: Event-driven rendering — added kitgenix:turnstile-containers-added event from injectors; public script listens and re-initializes rendering automatically for dynamically added containers.
580 * Improvement: Stability and UX — defensive re-render guards, explicit data-rendered attribute for CSS control, and safer visibility checks to avoid rendering inside hidden containers.
581 * Fix: Elementor Popups — reliably initializes the Turnstile challenge when a popup opens (even if the widget was inserted while hidden). Clears stale render flags, resets hidden iframes, and triggers a fresh render on show.
582 * Fix: Hidden input — always ensures input[name="cf-turnstile-response"] exists for Elementor forms (including popups) so the token is properly captured and validated.
583 * Fix: Interaction Only empty gaps — placeholders are now fully collapsed until the widget actually renders (via data-rendered). After successful AJAX submits, the container is collapsed/hidden to prevent any blank space.
584 * Fix: Multiple forms on a page — consistent collapsed behavior across instances; prevents duplicate containers in Elementor popups and re-renders only when needed.
585
586 = 1.0.9 (15 October 2025) =
587 * Improvement: Proactive reveal for Interaction Only — if auto-verification doesn’t complete after a short period (~5s), the widget is surfaced and the challenge is triggered so users aren’t left waiting.
588 * Improvement: Streamlined inline messaging to align with Cloudflare’s own phrasing; reduced redundant prompts to let Cloudflare’s UI lead the experience.
589 * Improvement: Submit-time guards — for regular forms and Elementor AJAX; when no token is present, we halt that submission, reveal the widget, scroll it into view, and start a fresh challenge.
590 * Dev: Standardized render locks and defensive pre-render cleanup across remaining integrations to prevent duplicate iframes and race conditions.
591 * Fix: “Disable Submit Button” now respects “Interaction Only” — submit stays enabled when Turnstile can verify invisibly, and is disabled only if a visible challenge is actually required (unsupported/timeout/error). Applies to Elementor, WordPress core forms, WooCommerce, Gravity Forms, Formidable, Forminator, Jetpack, Fluent Forms, and Kadence.
592
593 = 1.0.8 (15 October 2025) =
594 * Improvement: Deferred render — widgets now render when their container is visible (Elementor + generic paths), reducing layout thrash and improving perceived load times across dynamic UIs.
595 * Dev: Simplified collapse logic by removing the previous mutation-based watcher and relying on Turnstile callbacks + visibility checks.
596 * Fix: Elementor popup — reliably renders Turnstile when popups open after page load (e.g., delayed by timer); if a widget initialized while hidden, it is reset and re-rendered on open.
597 * Fix: Elementor popup duplicates — de-duplicated popup/form event listeners and centralized rendering to avoid multiple widget instances; idempotent guards ensure one render per container.
598 * Fix: Interaction Only placeholder stays collapsed (no gap/shadow) after invisible validation; it only expands when UI is truly required (via unsupported/timeout/error callbacks or actual visible challenge).
599 * Fix: Prevent duplicate renders on Gravity Forms, Formidable, Forminator, and Jetpack by adding per-element render locks and pre-render cleanup.
600 * Fix: Prevent loader overlay — no spinner is injected for Interaction Only while the API loads; collapsed state fully hides any inner spinner and spinners never intercept clicks.
601
602 = 1.0.7 (14 October 2025) =
603 * New: Added “Flexible (100% width)” widget size (Cloudflare Turnstile data-size="flexible") for fully responsive, container-width layouts.
604 * New: Interaction Only UX refinement — collapses the initial blank gap (no more 50+px empty space) until the user interacts or the widget needs to expand.
605 * Improvement: Consistent collapsed/expand logic across Elementor, Gravity Forms, Formidable, Forminator, Jetpack, Fluent Forms, Kadence, WPForms, and core render paths.
606 * Improvement: CSS enhancements for flexible width + reduced gap state (.kitgenix-ts-collapsed).
607 * Improvement: Unified size handling in JS (flexible passes straight through; existing custom sizes still map to Cloudflare equivalents).
608 * Preparation: Foundation laid for upcoming modal/delayed form robustness (MutationObserver structure ready for attribute watching & visibility checks in a future release).
609 * Dev: Sanitization now allows flexible; admin settings UI updated with help text.
610
611 = 1.0.6 (10 September 2025) =
612 * Improvement: Updated plugin assets (banners, icons, screenshots with clearer cropping/labels).
613 * Improvement: Updated readme.txt — full integrations list, screenshot captions, Support Development section, improved tags/short description, and clarified WooCommerce Blocks/Store API notes.
614
615 = 1.0.5 (10 September 2025) =
616 * Improvement: More reliable widget injection and cleanup on AJAX/dynamic DOM events; tighter re-render/reset behavior.
617 * Security: Replay protection enabled by default (TTL filterable via kitgenix_turnstile_replay_ttl).
618 * Fix: Admin: detect duplicate Turnstile API loader and show a dismissible notice on Settings and Plugins screens.
619 * Fix: Contact Form 7 injects once and resets cleanly on CF7 validation/error events.
620 * Fix: Exposed window.KitgenixCaptchaForCloudflareTurnstile so Cloudflare onload can reliably call renderWidgets() (prevents “no widget → no token”).
621 * Fix: Guard Elementor script enqueue to avoid PHP warnings in REST/AJAX or early hooks.
622 * Fix: Guarded “render once” logic to prevent duplicate widget rendering across core, WooCommerce, and form plugins.
623 * Fix: Prevent Turnstile overlapping submit buttons for Gravity Forms and WPForms; adjusted spacing and placement heuristics.
624 * Fix: Sanitization & import/export hardening — preserve CIDR & wildcard IP patterns.
625 * Fix: “Disable Submit Until Verified” now disables buttons on render and re-enables only after a valid token callback.
626 * Fix: Token handling — canonical token channel, auto-create hidden cf-turnstile-response input, getLastToken() helper, and kitgenixcaptchaforcloudflareturnstile:token-updated event.
627 * Fix: WooCommerce login/checkout placement (Classic & Blocks / Store API), including correct “Place order” positioning.
628
629 = 1.0.4 (17 August 2025) =
630 * Fix: Added spacing so Turnstile no longer overlaps the WPForms submit button.
631 * Fix: Positioned Turnstile above the WooCommerce reviews submit button.
632 * Fix: Prevented Turnstile from rendering inline with the submit button on Gravity Forms.
633
634 = 1.0.3 (12 August 2025) =
635 * Fix: Fixed the “Save Settings” button not working after a few attempts.
636
637 = 1.0.2 (12 August 2025) =
638 * New: Added advanced fields: respect_proxy_headers and trusted_proxy_ips (legacy), plus trust_proxy and trusted_proxies (current).
639 * New: Developer Mode (warn-only) — Turnstile failures are logged and annotated inline for admins but do not block submissions (useful for staging/troubleshooting).
640 * New: Replay protection — caches recent Turnstile tokens (hashed) for ~10 minutes and rejects re-use. Enabled by default; duration filterable via kitgenix_turnstile_replay_ttl.
641 * Improvement: Added canonical token channel (getLastToken() helper and kitgenixcaptchaforcloudflareturnstile:token-updated event dispatched on each token change). Hidden cf-turnstile-response input is auto-created in forms that don’t already have it.
642 * Improvement: Added preconnect/dns-prefetch resource hints for https://challenges.cloudflare.com to speed up first paint.
643 * Improvement: Added Site Health test (“Cloudflare Turnstile readiness”) reporting keys presence, duplicate loader detection, last verification snapshot, and possible JS delay/defer from optimization plugins (with guidance).
644 * Improvement: Admin CSS fully scoped to the settings wrapper, compact modern fields, focus-visible styles, and reduced-motion fallback.
645 * Improvement: Checkout protected via woocommerce_checkout_process and woocommerce_after_checkout_validation (WooCommerce Classic).
646 * Improvement: Consistent widget + validation across checkout/login/register/lost password (WooCommerce Classic).
647 * Improvement: Ensure hidden input + container are present; don’t inject a container if no site key is available (Elementor).
648 * Improvement: Export / Import JSON for settings (merge/replace). Optional inclusion of Secret Key (explicitly allowed).
649 * Improvement: Guardrails and housekeeping — centralized render flow, lightweight MutationObserver to catch dynamically added forms, and safer class/existence guards.
650 * Improvement: Include token in Elementor Pro AJAX payloads; re-render in popups and dynamic forms; reset widget on submit/errors.
651 * Improvement: Improved Disable Submit Button behavior — submit buttons are disabled immediately on render and re-enabled only after a valid token callback (previously disabled only on error/expired).
652 * Improvement: Inject container next to the “Place order” area via render_block_woocommerce/checkout-actions-block (WooCommerce Blocks).
653 * Improvement: Late alignment helpers for consistent widget placement on login/admin.
654 * Improvement: Preserve CIDR and wildcard IP patterns instead of stripping them; sanitize lines while keeping valid patterns.
655 * Improvement: Public CSS greatly reduced in scope (fewer global !importants), small min-height to prevent CLS, better RTL + reduced-motion support, and per-integration spacing.
656 * Improvement: Reliable widget injection before submit, spinner cleanup, and re-render on each plugin’s AJAX/DOM events.
657 * Improvement: Server-side validation hook support (elementor_pro/forms/validation).
658 * Improvement: Server-side validation mapped to each plugin’s native API.
659 * Improvement: “Test widget” is rendered only via a tight inline onload callback (prevents double-render / undefined globals).
660 * Improvement: Token freshness & UX — idle timer and token-age timer auto-reset widgets after ~150s (filterable via kitgenix_turnstile_freshness_ms), plus a gentle inline “Expired / Verification error — please verify again.” message beside the widget.
661 * Improvement: Validate Store API POSTs early via REST auth filter; token accepted from X-Turnstile-Token header or extensions (WooCommerce Blocks).
662 * Improvement: Widget injection and validation improvements across WooCommerce Blocks and Classic flows.
663 * Security: Added Cloudflare/Proxy-aware client IP handling with Trust Cloudflare/Proxy headers + Trusted Proxy IPs/CIDRs settings. Only honors CF-Connecting-IP / X-Forwarded-For when the request comes from a trusted proxy; otherwise falls back to REMOTE_ADDR.
664 * Security: Validator accepts token from POST, X-Turnstile-Token header, or custom filter; memoized siteverify; robust HTTP args; remote IP + URL + timeouts filterable; friendly error mapping; last verify snapshot stored for diagnostics.
665 * Security: Whitelist supports logged-in bypass, IPs with exact/wildcard/CIDR (IPv4/IPv6), and UA wildcards; decision cached per request and filterable via kitgenix_turnstile_is_whitelisted.
666 * Fix: Added widget render on resetpass_form and proper validation via validate_password_reset; lost password now validates via lostpassword_post.
667 * Fix: Contact Form 7 integrates cleanly (single injection, resets on CF7 error events).
668 * Fix: Duplicate Turnstile API loader detection with a dismissible admin notice (surfaces on the Settings page and Plugins screen).
669 * Fix: Exposed the public module globally as window.KitgenixCaptchaForCloudflareTurnstile so the Cloudflare API onload callback can call renderWidgets() (prevents “no widget → no token” failures).
670 * Fix: Guarded “render once” logic so widgets don’t duplicate across hooks (core + WooCommerce + form plugins).
671 * Fix: Reintroduced inline centering on wp-login.php / wp-admin to stabilize layout across all auth screens.
672 * Fix: Run Turnstile validation only on POST submissions for core forms (login, register, lost password, reset password, comments). Prevents the “Please complete the Turnstile challenge” message on refresh or wrong password.
673 * Fix: WooCommerce login handles both modern woocommerce_process_login_errors and legacy woocommerce_login_errors.
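
The proxy-aware client IP rule from the 1.0.2 Security entry (forwarded headers are honored only when `REMOTE_ADDR` is a trusted proxy), as an added example that is not the plugin's code. The function names, the right-to-left walk of `X-Forwarded-For` and all addresses (documentation ranges) are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; function names and all addresses are constructed.

/** True when $ip lies inside $cidr (IPv4 or IPv6; a bare address is an exact match). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    if (!filter_var($ip, FILTER_VALIDATE_IP) || !filter_var($net, FILTER_VALIDATE_IP)) {
        return false;
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false; // never compare an IPv4 address against an IPv6 range
    }
    $max = strlen($ipBin) * 8;
    if ($bits === null) {
        $bits = (string) $max;
    }
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false; // malformed prefix length: trust nothing
    }
    $whole = intdiv((int) $bits, 8);
    $rest  = (int) $bits % 8;
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

function is_trusted(string $ip, array $trusted): bool
{
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/** Returns the address to treat as the client, given $_SERVER-style input. */
function resolve_client_ip(array $server, array $trusted): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    if (!is_trusted($remote, $trusted)) {
        return $remote; // direct connection: forwarded headers are client-supplied
    }
    $cf = trim((string) ($server['HTTP_CF_CONNECTING_IP'] ?? ''));
    if (filter_var($cf, FILTER_VALIDATE_IP)) {
        return $cf;
    }
    // Walk X-Forwarded-For from the nearest hop outward; the first hop that is
    // not a trusted proxy is the client. Stop at the first malformed entry.
    $xff  = (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '');
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            break;
        }
        if (!is_trusted($hop, $trusted)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests.
$trusted = ['203.0.113.0/24', '2001:db8::/32'];
$samples = [
    'direct, spoofed header' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '192.0.2.1'],
    'via trusted proxy'      => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => '192.0.2.55'],
    'trusted proxy, XFF'     => ['REMOTE_ADDR' => '2001:db8::1', 'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 198.51.100.20, 203.0.113.11'],
];
foreach ($samples as $label => $server) {
    printf("%-24s => %s\n", $label, resolve_client_ip($server, $trusted));
}
```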
674
675 = 1.0.1 (11 August 2025) =
676 * Change: Overhauled includes/core/class-script-handler.php to use the modern Script API (async strategy on WP 6.3+, attribute helpers on 5.7–6.2) and eliminated raw <script> output.
677 * Docs: Expanded readme and updated links.
678 * Dev: Added filter kitgenix_captcha_for_cloudflare_turnstile_script_url for advanced control.
679 * Dev: Public/admin assets now use filemtime() for cache-busting.
680 * Fix: Centered Cloudflare Turnstile on all wp-login.php variants (login, lost password, reset, register) and across wp-admin.
681
682 = 1.0.0 (11 August 2025) =
683 * New: Initial Release
684 * New: Admin Notices and Settings Errors
685 * New: Admin UI (Modern)
686 * New: AJAX and Dynamic Form Rendering Support
687 * New: Caching, AJAX, and Dynamic Forms Optimizations
688 * New: Conditional Script Loading for Performance
689 * New: Contact Form 7 Integration
690 * New: CSRF Protection (Nonce Fields)
691 * New: Custom Error and Fallback Messages
692 * New: Elementor Forms Integration
693 * New: Error Handling and User Feedback
694 * New: Fluent Forms Integration
695 * New: Formidable Forms Integration
696 * New: Forminator Forms Integration
697 * New: GDPR-friendly (No Cookies or Tracking)
698 * New: Gravity Forms Integration
699 * New: IP / User Agent / Logged-in User Whitelisting
700 * New: Jetpack Forms Integration
701 * New: Kadence Forms Integration
702 * New: Language Selection for Widget
703 * New: Multisite Support
704 * New: Optional Plugin Badge
705 * New: Per-Form and Per-Integration Enable/Disable
706 * New: Plugin Translations/Localization
707 * New: Server-Side Validation for All Supported Forms
708 * New: Site Key & Secret Key Management
709 * New: Widget Appearance Customization
710 * New: Widget Options (Size, Theme, Appearance)
711 * New: WooCommerce Checkout Integration
712 * New: WooCommerce Login Integration
713 * New: WooCommerce Lost Password Integration
714 * New: WooCommerce Registration Integration
715 * New: Works With Elementor Element Cache
716 * New: WPForms Integration
717 * New: WordPress Comment Integration
718 * New: WordPress Login Integration
719 * New: WordPress Lost Password Integration
720 * New: WordPress Registration Integration
721 * New: “Defer Scripts” and “Disable Submit” Logic
722 * New: No Impact on Core Web Vitals