=== RIS Cloudflare CAPTCHA - Cloudflare Turnstile ===
Contributors: realitsolution, smartshovon
Tags: captcha, cloudflare, turnstile, spam, security
Requires at least: 5.0
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Privacy-friendly Cloudflare Turnstile CAPTCHA for WordPress login, registration, comments &amp; WPForms. Stops bots and spam.

== Description ==

**RIS Cloudflare CAPTCHA** adds the modern, privacy-first [Cloudflare Turnstile](https://www.cloudflare.com/products/turnstile/) CAPTCHA to your WordPress site. Stop bots, spam comments, and brute-force login attacks without annoying your visitors with image puzzles or Google reCAPTCHA.

Unlike legacy CAPTCHAs, Cloudflare Turnstile runs completely in the background, never asks visitors to click traffic lights or type distorted text, and protects visitor privacy.

= Why Choose RIS Cloudflare CAPTCHA? =

* **Privacy-friendly** - No user tracking, no cookies, no personal data collection.
* **User-friendly** - Most visitors never see a challenge; it's invisible by default.
* **Lightweight** - Tiny footprint, no external dependencies, no bloated JS bundles.
* **Free** - Powered by Cloudflare Turnstile, which is 100% free for unlimited use.
* **Universal** - Protects WordPress login, registration, comment, lost-password, and WPForms.
* **Developer-friendly** - Shortcode, PHP function, and a verification filter for custom forms.
* **Multilingual** - Supports 11 widget languages including English, Spanish, French, German, Bengali, Hindi, Arabic, Chinese, Japanese, and more.
* **Customizable** - Light, dark, or auto theme; visible, invisible, or interaction-only mode.

= Features =

* Drop-in Turnstile widget on:
 * WordPress login form
 * WordPress registration form
 * WordPress lost password form
 * WordPress comment form
 * WPForms (all forms)
* Server-side token verification for every form (not just client-side).
* Secure nonce checks on every form submission.
* **Test Connection** button to instantly verify your API keys.
* Per-form enable/disable checkboxes.
* Light, dark, or auto theme matching.
* Visible, invisible ("execute"), or interaction-only appearance.
* Custom widget language selection.
* Tabbed admin settings page (Settings / Help / About).
* Shortcode: `[ris_turnstile action="contact"]` for custom forms.
* Developer filter: `ris_cf_captcha_verify_response` for custom verification.
* Full uninstall cleanup (deletes all options on plugin removal).
* Multisite compatible.
* Translation ready (.pot, /languages folder).
* Proper WordPress coding standards, sanitization, escaping, and capability checks.

= How It Works =

1. Install and activate the plugin.
2. Get free Turnstile keys from your [Cloudflare Dashboard](https://dash.cloudflare.com/?to=/:account/turnstile).
3. Paste your Site Key and Secret Key into the plugin settings.
4. Tick the forms you want to protect.
5. Save. Done.

= Shortcode =

Use the widget on any page or custom form:

`[ris_turnstile action="contact"]`

Or in PHP:

`<?php echo do_shortcode( '[ris_turnstile]' ); ?>`

= Custom Form Verification (Developers) =

Hook into the verification filter:

`add_filter( 'ris_cf_captcha_verify_response', function( $is_valid, $token, $ip ) {
 // Your custom checks here.
 return $is_valid;
}, 10, 3 );`

= Privacy =

This plugin:
* Does **not** set any cookies.
* Does **not** track users.
* Does **not** store any personal data.
* Sends the visitor's IP address to Cloudflare only for the verification request, as required by the Turnstile API.
* Does **not** send any data to any third party other than Cloudflare.

GDPR, CCPA, and privacy-law friendly.

= Related Plugins =

* Real IT Solution - [https://www.realitsolution.com/](https://www.realitsolution.com/)

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/ris-cloudflare-captcha/` or install via the WordPress plugin installer.
2. Activate the plugin from the **Plugins** menu in WordPress.
3. Go to **RIS CF CAPTCHA** in your admin sidebar.
4. Click **Cloudflare Turnstile** in your Cloudflare dashboard and create a new widget.
5. Copy your **Site Key** and **Secret Key** and paste them into the plugin settings.
6. Tick the forms you want to protect.
7. Click **Save Changes**.
8. Use the **Test Connection** button to verify your keys work.
9. Visit your login page to see Turnstile in action.

== Frequently Asked Questions ==

= Do I need a Cloudflare account? =

Yes. Sign up for a free Cloudflare account at [cloudflare.com](https://www.cloudflare.com/) and create a Turnstile widget from the dashboard.

= Is Cloudflare Turnstile really free? =

Yes. Cloudflare Turnstile is 100% free for unlimited use, with no quotas or hidden fees.

= Does it work with WPForms? =

Yes. Enable "WPForms (all forms)" in the plugin settings and Turnstile will be added to every WPForms form on your site.

= Does it work with Contact Form 7? =

Not directly, but you can use the `[ris_turnstile]` shortcode in your CF7 form markup or use a CF7 hook to render it.

= Does it work with WooCommerce? =

The plugin protects WordPress core forms (login, register, lost password, comments). For WooCommerce checkout and account forms, you can use the shortcode `[ris_turnstile]` and the `ris_cf_captcha_verify_response` filter.

= Is it GDPR compliant? =

Yes. Turnstile is privacy-friendly and the plugin does not store any personal data.

= Will it slow down my site? =

No. The Turnstile script is loaded asynchronously from Cloudflare's CDN and weighs only a few KB.

= The widget isn't showing up. What's wrong? =

1. Make sure you saved your Site Key and Secret Key.
2. Make sure the relevant form is ticked in "Enabled Forms".
3. Click the **Test Connection** button to confirm your keys are valid.
4. Clear any caching plugin (WP Super Cache, W3 Total Cache, LiteSpeed, etc.).
5. Check the browser console for JavaScript errors.

= Can I hide the Turnstile badge? =

Yes, there's an option in the Advanced tab. Note that Cloudflare's ToS may require visible attribution - check Cloudflare's current Turnstile terms.

== Screenshots ==

1. Settings page - Cloudflare API keys configuration
2. Tabbed admin interface with Settings, Help, and About tabs
3. Test Connection button for instant verification
4. Login form with Turnstile widget
5. Comment form with Turnstile widget
6. Dark theme option
7. Mobile-friendly responsive widget

== Changelog ==

= 1.1 - 2026-06-15 =
* **SECURITY**: Added server-side Turnstile verification for login form (was previously client-side only).
* **SECURITY**: Added server-side verification for registration, lost password, and comment forms.
* **SECURITY**: Added proper WordPress nonce fields and checks on every form.
* **SECURITY**: Added capability checks and additional sanitization/escaping throughout.
* **NEW**: Tabbed settings page (Settings / Help / About).
* **NEW**: "Test Connection" button with AJAX verification of API keys.
* **NEW**: Per-form enable/disable checkboxes (login, register, comment, lost password, WPForms).
* **NEW**: Theme selector (auto / light / dark).
* **NEW**: Appearance mode selector (always / execute / interaction-only).
* **NEW**: Widget language selector with 11 languages.
* **NEW**: Shortcode `[ris_turnstile action="contact"]` for custom forms.
* **NEW**: PHP function `ris_cf_captcha_render_widget()` for theme developers.
* **NEW**: Developer filter `ris_cf_captcha_verify_response` for custom verification.
* **NEW**: Activation notice pointing to the settings page.
* **NEW**: "Settings" link on the Plugins list page.
* **NEW**: Documentation, Support, and Author links on the Plugins list page.
* **NEW**: Uninstall cleanup that removes all plugin options and transients (including legacy v1.0 options).
* **NEW**: Multisite support in uninstall.
* **NEW**: Better error messages with WordPress-standard markup.
* **NEW**: Optional custom CSS spacing around the widget.
* **NEW**: Optional badge hiding.
* **IMPROVED**: Code refactored into modular, well-documented functions.
* **IMPROVED**: All functions prefixed with `ris_cf_captcha_` for namespacing.
* **IMPROVED**: Translation-ready with proper text domain and /languages folder.
* **IMPROVED**: WordPress coding standards compliance.
* **IMPROVED**: Bumped to PHP 7.4 minimum, tested up to WordPress 6.5.
* **SEO**: Improved plugin metadata, keywords, and description for better WordPress.org search ranking.

= 1.0 - 2024-XX-XX =
* Initial release.
* Cloudflare Turnstile widget on WordPress login.
* Optional Turnstile on WPForms forms.

== Upgrade Notice ==

= 1.1 =
Major security update. Adds server-side verification for all forms, proper nonces, tabbed settings UI, test-connection button, per-form toggles, theme/appearance controls, shortcode, developer hooks, and uninstall cleanup. Recommended for all users.

== Credits ==

* Developed by [Real IT Solution](https://www.realitsolution.com/) - Md Taufiqur Rahman.
* Powered by [Cloudflare Turnstile](https://www.cloudflare.com/products/turnstile/).
* Icons by [WordPress Dashicons](https://developer.wordpress.org/resource/dashicons/).

== Support ==

* Documentation: [https://wordpress.org/plugins/ris-cloudflare-captcha/](https://wordpress.org/plugins/ris-cloudflare-captcha/)
* Support forum: [https://wordpress.org/support/plugin/ris-cloudflare-captcha/](https://wordpress.org/support/plugin/ris-cloudflare-captcha/)
* Author website: [https://www.realitsolution.com/](https://www.realitsolution.com/)
