# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),  
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---

## [1.0.5] - 2025-11-17

### Fixed
- **WP Remote 2FA (Disabled) Login Flow**: Fixed critical redirect issue when WP Remote 2FA is disabled
  - Fixed infinite redirect loop where users were stuck on login page after successful authentication
  - Fixed white page display when accessing `/wp-login.php` while already logged in
  - Fixed Turnstile widget not re-appearing after failed login attempts with wrong credentials
  - Session now properly validates user authentication state (checks for `WP_User` object, not just session flag)
  - Added `login_init` hook with `mountdev_turnstile_redirect_if_logged_in()` to redirect logged-in users to admin
  - Added `wp_login_failed` hook with `mountdev_turnstile_wp_login_failed_clear()` to clear session on failed attempts
- **Logout Functionality**: Fixed logout being blocked by overly aggressive redirect logic
  - Added action parameter check (`$_REQUEST['action']`) to prevent redirect during logout
  - Added support for `register`, `lostpassword`, and other non-login actions
  - Added Theme My Login plugin support via `tml_get_action()` check
- **Session Management**: Enhanced session handling for WP Remote AJAX login flow
  - Modified `mountdev_turnstile_wp_login_check()` to only skip Turnstile when user is authenticated (`!is_wp_error($user) && $user instanceof WP_User`)
  - Session cleared on Turnstile validation failures
  - Session cleared on login failures to force Turnstile re-verification on next attempt
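
The 1.0.5 login-flow rules above (redirect only on the plain login action, forget the session flag on a failed attempt, skip Turnstile only for a real `WP_User`) as an added example in PHP. This is not the plugin's own code: the `example_` function names and the session key are assumptions, WordPress is assumed to be loaded, and the Theme My Login branch and the siteverify call itself are left out.

```php
<?php
// Added example, not code from the plugin. It restates the 1.0.5 login-flow
// rules in hypothetical example_ functions: the login_init redirect with an
// action allow-list, the wp_login_failed session reset, and the predicate
// that skips Turnstile only for a real WP_User. Assumes WordPress is loaded and
// that "Turnstile passed" is tracked in $_SESSION under an assumed key; the
// Theme My Login branch and the siteverify call are omitted.

const EXAMPLE_TURNSTILE_SESSION_KEY = 'example_turnstile_verified';

/** wp-login.php actions that must reach their handler even for a logged-in user. */
function example_turnstile_passthrough_actions(): array {
    return array( 'logout', 'register', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'postpass' );
}

/**
 * Redirect only a logged-in user who is on the plain login action. Kept free of
 * globals so the rule can be checked without a request: the allow-list of
 * non-login actions is what keeps logout from being bounced back to wp-admin.
 */
function example_turnstile_should_redirect( ?string $action, bool $logged_in ): bool {
    if ( ! $logged_in ) {
        return false;
    }
    $action = ( $action === null || $action === '' ) ? 'login' : strtolower( $action );
    return ! in_array( $action, example_turnstile_passthrough_actions(), true );
}

/** login_init: an already-authenticated user gets wp-admin instead of a blank wp-login.php. */
function example_turnstile_redirect_if_logged_in(): void {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : null;
    if ( ! example_turnstile_should_redirect( $action, is_user_logged_in() ) ) {
        return;
    }
    wp_safe_redirect( admin_url() ); // same-host target only; no redirect_to parameter is honoured
    exit;
}
add_action( 'login_init', 'example_turnstile_redirect_if_logged_in' );

/** wp_login_failed (and any Turnstile failure): forget the flag so the widget is required again. */
function example_turnstile_clear_session_flag(): void {
    if ( session_status() === PHP_SESSION_ACTIVE ) {
        unset( $_SESSION[ EXAMPLE_TURNSTILE_SESSION_KEY ] );
    }
}
add_action( 'wp_login_failed', 'example_turnstile_clear_session_flag' );

/**
 * May the Turnstile check be skipped for this request? Only when the session
 * flag is set AND $user is a real WP_User, i.e. core's username/password
 * check has already passed. In this example the flag is set as soon as a
 * token verifies, before the credentials are known to be right, so the flag
 * alone would let a wrong-password retry skip the widget. Call this from the
 * 'authenticate' filter at a priority above 20 so $user is populated.
 */
function example_turnstile_may_skip( $user ): bool {
    $flag_set = session_status() === PHP_SESSION_ACTIVE
        && ! empty( $_SESSION[ EXAMPLE_TURNSTILE_SESSION_KEY ] );
    return $flag_set && ! is_wp_error( $user ) && $user instanceof WP_User;
}
```

The decision functions are deliberately pure (`example_turnstile_should_redirect()` takes the action and login state as arguments) so the redirect rule and the skip rule can be unit-tested without a WordPress request; the hook callbacks only gather request state and delegate.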

### Changed
- **Session Verification Logic** (`src/wp/wordpress.php`):
  - Lines 228-236: Enhanced session check to validate user authentication state
  - Lines 260-266: Added session clearing on Turnstile validation failure
  - Lines 297-316: Added `wp_login_failed` hook handler
  - Lines 348-376: Added `login_init` hook handler with action filtering
- **Turnstile Check Function** (`src/wp/turnstile.php`):
  - Removed complex session-verified token handling (previously lines 436-456)
  - Simplified to basic success return for session-verified tokens
- Updated plugin version to 1.0.5 in main plugin file header
- Updated stable tag to 1.0.5 in readme.txt

---

## [1.0.4] - 2025-11-05

### Added
- **WPRemote 2FA Support**: Full integration with WPRemote Two-Factor Authentication on WordPress login forms
  - Seamless 2FA flow without requiring Turnstile re-verification after 2FA code submission
  - Backend detection of 2FA submissions via `twofa_code` POST parameter
  - Session-based tracking to preserve Turnstile verification state through 2FA flow
  - Frontend MutationObserver to detect when 2FA field appears dynamically
  - Automatic submit button re-enabling when 2FA field is displayed
  - Form submission bypass for 2FA code verification (second login click)

### Fixed
- **WordPress Login with 2FA**: Fixed "Please verify that you are human" error when submitting 2FA code
  - Updated `mountdev_turnstile_wp_login_check()` to skip Turnstile verification when `twofa_code` is present
  - Added session flag to track successful Turnstile verification across 2FA flow
- **Submit Button State**: Fixed submit button remaining disabled after 2FA field appears
  - Added `mountdevTurnstileMonitor2FA()` function to watch for 2FA field appearance
  - Periodic checking (500ms for 5 seconds) after Turnstile verification
  - Ensures button remains enabled for 2FA code submission

### Changed
- **Frontend JavaScript** (`src/js/button.js`):
  - Enhanced form submission prevention to allow 2FA submissions without Turnstile check
  - Added detection for WPRemote 2FA field structure (`#twofa_code_field`, `input[name="twofa_code"]`)
  - Improved button state management for multi-step authentication flows
- **Backend PHP** (`src/wp/wordpress.php`):
  - Enhanced login check function to handle 2FA workflow
  - Added session-based verification state tracking
  - Improved authentication flow for WPRemote integration
- Updated plugin version to 1.0.4 in main plugin file header
- Updated stable tag to 1.0.4 in readme.txt
- Updated all asset versions (CSS/JS) to 1.0.4 for cache busting

---

## [1.0.3] - 2025-10-30

### Security
- **Encrypted Credential Storage**: API credentials (Site Key and Secret Key) are now encrypted in the database using AES-256-CBC encryption
  - Added `CFTurnstile_Encryption` class for secure credential management (`src/wp/security/encryption.php`)
  - Encryption key derived from the WordPress salts (`AUTH_KEY`, `SECURE_AUTH_KEY`, etc.), so each installation uses its own key
  - Credentials stored with `ENCRYPTED:` prefix for easy detection
  - A fresh random initialization vector (IV) for each encryption operation
- **Automatic Migration**: Existing installations automatically migrate plain-text credentials to encrypted format on update
  - Migration runs once during version check on `admin_init` hook
  - Zero downtime - backward compatible with both encrypted and plain-text credentials
  - No manual action required from administrators
  - API test status automatically reset after migration to verify encrypted credentials work correctly
- **UI Security Improvements**: Enhanced settings page to prevent credential exposure
  - Credentials are no longer visible or copyable from the settings page
  - Password fields show masked placeholders (e.g., `••••••••••1234`)
  - Fields are read-only by default so browser autofill cannot silently populate or overwrite a stored credential
  - Clear messaging when credentials are securely stored: "Credential is securely stored. Enter a new value to update."
  - Empty field submissions preserve existing encrypted credentials

### Added
- Helper functions for consistent credential access throughout the plugin:
  - `mountdev_turnstile_get_site_key()` - Returns decrypted site key
  - `mountdev_turnstile_get_secret_key()` - Returns decrypted secret key
  - `mountdev_turnstile_migrate_credentials()` - Handles automatic migration with post-migration verification
- Comprehensive documentation in `docs/SECURITY_ENHANCEMENT_V1.0.3.md`
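
The 1.0.3 storage scheme (AES-256-CBC, key derived from the WordPress salts, random IV per operation, `ENCRYPTED:` prefix) and the helper/migration behaviour listed under Added, as an added example in PHP. This is not the plugin's `CFTurnstile_Encryption` class: the `example_` names are assumptions, the HMAC tag is an addition the page does not mention, and the salt values fall back to constructed strings so the block runs outside WordPress.

```php
<?php
// Added example, not the plugin's CFTurnstile_Encryption class. It implements
// the scheme the 1.0.3 entries describe (AES-256-CBC, key derived from the
// WordPress salts, random IV per operation, an ENCRYPTED: prefix, reads that
// accept both plain and encrypted values, one-shot migration) in hypothetical
// example_ functions. The HMAC tag is an addition the page does not mention.
// Runs stand-alone: the salts fall back to constructed values when wp-config.php
// has not defined them.

if ( ! defined( 'AUTH_KEY' ) ) {
    define( 'AUTH_KEY', 'constructed-auth-key-for-the-example-only' );
}
if ( ! defined( 'SECURE_AUTH_KEY' ) ) {
    define( 'SECURE_AUTH_KEY', 'constructed-secure-auth-key-for-the-example-only' );
}

const EXAMPLE_CRED_PREFIX = 'ENCRYPTED:';

/** Derive separate encryption and MAC keys from the installation's salts. */
function example_cred_keys(): array {
    $ikm = AUTH_KEY . '|' . SECURE_AUTH_KEY;
    return array(
        'enc' => hash( 'sha256', 'turnstile-credential-enc|' . $ikm, true ), // 32 bytes for AES-256
        'mac' => hash( 'sha256', 'turnstile-credential-mac|' . $ikm, true ),
    );
}

function example_cred_encrypt( string $plaintext ): string {
    $keys = example_cred_keys();
    $iv   = random_bytes( 16 ); // fresh IV every call; CBC must never reuse one under the same key
    $ct   = openssl_encrypt( $plaintext, 'aes-256-cbc', $keys['enc'], OPENSSL_RAW_DATA, $iv );
    if ( $ct === false ) {
        throw new RuntimeException( 'encryption failed' );
    }
    // Encrypt-then-MAC over IV||ciphertext: a modified blob is rejected before decryption.
    $tag = hash_hmac( 'sha256', $iv . $ct, $keys['mac'], true );
    return EXAMPLE_CRED_PREFIX . base64_encode( $iv . $ct . $tag );
}

function example_cred_is_encrypted( string $stored ): bool {
    return strncmp( $stored, EXAMPLE_CRED_PREFIX, strlen( EXAMPLE_CRED_PREFIX ) ) === 0;
}

/** Plaintext, or null when the blob is malformed, tampered with, or made under other salts. */
function example_cred_decrypt( string $stored ): ?string {
    if ( ! example_cred_is_encrypted( $stored ) ) {
        return null;
    }
    $raw = base64_decode( substr( $stored, strlen( EXAMPLE_CRED_PREFIX ) ), true );
    if ( $raw === false || strlen( $raw ) < 16 + 16 + 32 ) { // IV + one AES block + tag
        return null;
    }
    $iv   = substr( $raw, 0, 16 );
    $tag  = substr( $raw, -32 );
    $ct   = substr( $raw, 16, -32 );
    $keys = example_cred_keys();
    if ( ! hash_equals( hash_hmac( 'sha256', $iv . $ct, $keys['mac'], true ), $tag ) ) {
        return null;
    }
    $pt = openssl_decrypt( $ct, 'aes-256-cbc', $keys['enc'], OPENSSL_RAW_DATA, $iv );
    return $pt === false ? null : $pt;
}

/** Backward-compatible read: a pre-migration plain-text value is returned unchanged. */
function example_cred_read( string $stored ): ?string {
    return example_cred_is_encrypted( $stored ) ? example_cred_decrypt( $stored ) : $stored;
}

/** Migration step: wrap a plain-text value once; empty or already-encrypted values are left alone. */
function example_cred_migrate( string $stored ): string {
    return ( $stored === '' || example_cred_is_encrypted( $stored ) ) ? $stored : example_cred_encrypt( $stored );
}

// Stand-alone check with a constructed secret (not a real Turnstile key).
$secret = '0x4AAAAAAA-constructed-secret-key';
$blob   = example_cred_migrate( $secret );
if ( example_cred_read( $blob ) !== $secret || example_cred_migrate( $blob ) !== $blob ) {
    throw new LogicException( 'round trip or idempotent migration failed' );
}
$raw     = base64_decode( substr( $blob, strlen( EXAMPLE_CRED_PREFIX ) ) );
$raw[20] = chr( ord( $raw[20] ) ^ 0x01 ); // flip one ciphertext bit
if ( example_cred_decrypt( EXAMPLE_CRED_PREFIX . base64_encode( $raw ) ) !== null ) {
    throw new LogicException( 'tampered blob was accepted' );
}
```

Two caveats worth keeping in mind with any salt-derived scheme of this shape: the key material lives in `wp-config.php` on the same host as the database, so it defends against database-only exposure (backups, dumps, a read-only SQL injection), not against a full server compromise; and rotating the salts makes every stored blob undecryptable (`example_cred_decrypt()` returns null), so the keys have to be re-entered afterwards, which is exactly the situation the post-migration API test status reset is meant to surface.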

### Fixed
- **WooCommerce Block Checkout**: Fixed "Invalid input for parameter 'sitekey'" error
  - Updated `mountdev_turnstile_field_checkout()` to use `mountdev_turnstile_get_site_key()` helper function
  - Encrypted credentials were being passed directly to Turnstile widget causing validation errors
- **Contact Form 7**: Fixed site key retrieval to properly decrypt credentials
  - Updated `mountdev_turnstile_field_cf7()` to use helper function
  - Updated `mountdev_turnstile_cf7_verify_recaptcha()` to use helper function
- **WordPress Core Forms**: Fixed credential retrieval in `wordpress.php`
- **All Integrations**: Updated credential retrieval in all verification points:
  - `src/wp/turnstile.php` - Main verification function and widget rendering
  - `src/wp/errors.php` - Error checking and admin notices
  - `src/wp/settings/test.php` - Credential testing
  - `src/wp/integrations/ecommerce/woocommerce.php` - WooCommerce verification
  - `src/wp/integrations/forms/fluent-form.php` - Fluent Forms verification
  - `src/wp/integrations/forms/contact-form-7.php` - CF7 integration
  - `src/wp/integrations/builder/elementor.php` - Elementor Pro Forms integration
  - `src/wp/wordpress.php` - WordPress core forms

### Changed
- Updated plugin version to 1.0.3 in main plugin file header
- Updated stable tag to 1.0.3 in readme.txt
- Updated all asset versions (CSS/JS) to 1.0.3 for cache busting:
  - Login CSS: `1.0.2` → `1.0.3`
  - Turnstile script: `1.0.2` → `1.0.3`
  - Plugin CSS: `1.0.2` → `1.0.3`
  - Button JS: `1.0.2` → `1.0.3`
  - WooCommerce JS: `1.0.2` → `1.0.3`

---

## [1.0.2] - 2025-10-27

### Fixed
- **WooCommerce Blocks Checkout**: Fixed "Please verify that you are human" error on checkout
  - Added WooCommerce Store API integration for block-based checkout
  - Implemented multiple fallback methods for token validation
  - Added REST API filter to ensure token is properly captured
  - Fixed duplicate Turnstile loading issues with manual rendering
  - Added comprehensive debug logging for troubleshooting
- **WooCommerce Lost Password**: Fixed issue where the "Please verify that you are human" error would appear even after successful verification
  - Modified `mountdev_turnstile_check()` to conditionally bypass nonce verification when a Turnstile token is passed directly
  - Updated `mountdev_turnstile_woo_reset_check()` to properly handle WooCommerce's nonce verification
- **Button Disabling**: Fixed issue where submit buttons would be disabled even when the "Disable Submit Button" setting was unchecked
  - Updated JavaScript to only disable buttons if the Turnstile widget has a data-callback attribute
- **Elementor Integration**: Fixed critical JavaScript errors preventing form submissions
  - Fixed "Invalid or missing type for parameter 'sitekey', expected 'string', got 'object'" error in form re-render functions
  - Fixed PHP validation to properly accept alphanumeric Elementor form IDs (previously only accepted numeric IDs)
  - Updated callback function references to use proper function objects instead of string names

## [1.0.1] - 2025-10-22

### Fixed
- **Admin Test Form**: Test credentials button now always enabled and functional
  - Removed conditional logic that hid test button after successful verification
  - Added exclusion for admin test form in JavaScript button disabling logic
  - Added exclusion for admin test form in form submission prevention
  - Added nonce verification support for test form in `mountdev_turnstile_check()`
- **WooCommerce Checkout**: Improved Turnstile verification for block-based checkout
  - Enhanced error handling in `mountdev_turnstile_check()` to properly handle WP_Error responses
  - Added JSON decode validation to prevent invalid response processing
  - Fixed error-codes array access using proper object notation
  - Improved strict comparison for success validation (`===` instead of loose comparison)
  - Applied same improvements to `mountdev_turnstile_check_woo_blocks()` function
- **Code Quality**: Enhanced robustness of Cloudflare API response handling across all verification functions

### Changed
- Improved error handling for Cloudflare API communication failures
- Better validation of API responses before processing
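
The response handling the 1.0.1 Fixed and Changed entries describe (a `WP_Error` from the HTTP layer, JSON decode validation, strict `===` on `success`, `error-codes` access) as an added example in PHP. This is not the plugin's `mountdev_turnstile_check()`: the `example_` names are assumptions, the hostname binding check is an extra the page does not mention, and only `example_turnstile_verify()` needs WordPress loaded; the parser and the offline check at the bottom run on their own.

```php
<?php
// Added example, not the plugin's mountdev_turnstile_check(). It shows the
// response handling the 1.0.1 entries describe (WP_Error handling, JSON
// validation, strict === on "success", error-codes access) in hypothetical
// example_ functions. The hostname binding check is an extra not mentioned on
// the page. Assumes WordPress is loaded for example_turnstile_verify() only;
// the parser runs on its own.

/**
 * Interpret a raw siteverify body. Pure, so it can be exercised offline.
 * Returns ['ok' => bool, 'codes' => string[]].
 */
function example_turnstile_interpret_body( string $body, ?string $expected_host = null ): array {
    $data = json_decode( $body, true );
    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $data ) ) {
        return array( 'ok' => false, 'codes' => array( 'invalid-json' ) ); // e.g. an HTML error page
    }
    // Strict comparison: "true", 1 or "1" must not pass.
    if ( ! array_key_exists( 'success', $data ) || $data['success'] !== true ) {
        $codes = ( isset( $data['error-codes'] ) && is_array( $data['error-codes'] ) )
            ? array_map( 'strval', $data['error-codes'] )
            : array( 'unknown' );
        return array( 'ok' => false, 'codes' => $codes );
    }
    // Bind the token to this site: siteverify echoes the hostname the widget ran on.
    if ( $expected_host !== null
        && ( ! isset( $data['hostname'] ) || strcasecmp( (string) $data['hostname'], $expected_host ) !== 0 ) ) {
        return array( 'ok' => false, 'codes' => array( 'hostname-mismatch' ) );
    }
    return array( 'ok' => true, 'codes' => array() );
}

/** Full round trip against Cloudflare; a transport failure is never treated as a pass. */
function example_turnstile_verify( string $token, string $secret ): array {
    if ( $token === '' ) {
        return array( 'ok' => false, 'codes' => array( 'missing-input-response' ) );
    }
    $response = wp_remote_post(
        'https://challenges.cloudflare.com/turnstile/v0/siteverify',
        array(
            'timeout' => 10,
            'body'    => array(
                'secret'   => $secret,
                'response' => $token,
                'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
            ),
        )
    );
    if ( is_wp_error( $response ) ) {
        return array( 'ok' => false, 'codes' => array( 'http-error: ' . $response->get_error_message() ) );
    }
    $status = (int) wp_remote_retrieve_response_code( $response );
    if ( $status !== 200 ) {
        return array( 'ok' => false, 'codes' => array( 'http-status-' . $status ) );
    }
    $host = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    return example_turnstile_interpret_body( wp_remote_retrieve_body( $response ), $host );
}

// Offline check with constructed bodies (not captured from Cloudflare).
$cases = array(
    array( '{"success":true,"hostname":"example.com","challenge_ts":"2025-10-22T10:00:00Z"}', 'example.com', true ),
    array( '{"success":true,"hostname":"evil.example"}',               'example.com', false ), // token from another site
    array( '{"success":false,"error-codes":["timeout-or-duplicate"]}', null,          false ), // replayed token
    array( '{"success":"true"}',                                       null,          false ), // string, not boolean
    array( '<html>502 Bad Gateway</html>',                             null,          false ), // not JSON at all
);
foreach ( $cases as list( $body, $host, $expected ) ) {
    $result = example_turnstile_interpret_body( $body, $host );
    if ( $result['ok'] !== $expected ) {
        throw new LogicException( "unexpected verdict for body: $body" );
    }
}
```

Every failure path returns `ok => false` with a reason; the only way to reach a pass is a 200 response whose JSON carries a boolean `true`, which is the property the strict comparison and the decode check are there to guarantee.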

---

## [1.0.0] - 2025-10-21

### Changed
- Excluded root assets folder from release package

### Documentation
- Added plugin icons and banner assets
- Enhanced readme.txt with compelling, informative content
- Updated README.md to match enhanced readme.txt structure
- Added comprehensive FAQ section
- Added detailed feature descriptions and use cases
- Added support policy and external services disclosure

---

## [1.0.0-beta] - 2025-10-10

### Added
- Plugin icons and banner for WordPress.org listing
- Screenshots for readme documentation
- Comprehensive documentation updates

### Fixed
- Data sanitization improvements across all forms
- Nonces and user permissions validation for enhanced security
- Enqueue script issues resolved
- Turnstile widget alignment improvements
- Input sanitization for Contact Form 7
- Input sanitization for Elementor forms
- Script version management (semver)
- Processing of complete input data
- WordPress enqueue functions properly implemented
- WordPress comment form integration
- Nonce verification for Elementor integration
- Elementor integration stability
- Removed duplicate external script registration
- Added nonce verification to Contact Form 7
- Added nonce verification to Elementor integration
- Proper escaping throughout the plugin
- Removed error logs from production code
- Renamed labels for clarity
- WooCommerce disable button functionality
- Button disable setting
- WooCommerce authentication improvements
- WooCommerce login issues
- WooCommerce integration stability
- Fluent Forms integration
- WordPress default forms functionality
- Generic function names improved
- Tab render issues
- Variable escaping
- Array access on boolean value
- Nonce verification
- Undocumented use of 3rd party/external service (added disclosure)
- Calling files remotely (security improvement)
- Updated to use wp_enqueue commands properly
- Updated author name
- Updated contributor information
- Updated plugin name
- Updated plugin details
- Test integration key form submission
- Removed duplicate plugin details
- Offload error handling

### Documentation
- Added Kiro documentation
- Updated README with comprehensive information
- Added external services disclosure
- Enhanced plugin description

---

## [1.0.0-alpha] - 2025-10-01

### Added
- **Initial Release**
- Fluent Forms integration with Turnstile
- Elementor Pro support for Turnstile verification
- Contact Form 7 support
- Turnstile validation for WordPress AJAX comments
- WooCommerce Checkout integration with Turnstile
- Turnstile support for WooCommerce authentication pages
- List of supported plugins in the Integrations tab
- WordPress core forms support (login, registration, password reset, comments)
- Customizable widget themes (light, dark, auto)
- Multi-language support
- Flexible appearance modes
- Submit button locking functionality
- Custom error messages
- Widget positioning controls
- Built-in credential testing
- Script deferral options
- WordPress Multisite compatibility
- Developer-friendly hooks and filters

### Changed
- Updated plugin metadata and details
- Improved pill component styles in UI
- Enhanced admin settings page layout and user experience
- Better folder structuring
- Improved form submission persistence

### Fixed
- Resolved issue with Elementor Turnstile theme not being applied
- Fixed "disable button" functionality not working properly in Elementor forms
- Reset button now re-enables correctly on default form page
- CSS and JS version management
- Turnstile undefined warnings
- Various warnings and errors

### Security
- Implemented secret key masking for enhanced security
- Added proper nonce verification throughout
- Implemented data sanitization
- Added user permission checks

### Documentation
- Initial README and documentation
- Changelog documentation
- License file added
- Comprehensive setup guide

---

## [0.0.1] - Initial Development

### Added
- Initial plugin structure
- Basic Turnstile integration
- WordPress form integration
- WooCommerce basic integration
- Admin settings and configurations
- Button control scripts
- Form field styling
- Tailwind CSS setup
- Release script for automating plugin releases
- Package dependencies

### Changed
- Better folder structuring
- Plugin entry point updates

### Removed
- Non-working implementations

---

## Development Notes

### Key Features
- **Enterprise-grade bot protection** using Cloudflare Turnstile
- **Privacy-first approach** - no tracking or unnecessary data collection
- **Lightweight & fast** - optimized for performance
- **Comprehensive form support** - WordPress core, WooCommerce, Contact Form 7, Elementor Pro, Fluent Forms
- **Highly customizable** - themes, languages, positioning, error messages
- **Developer-friendly** - clean code, hooks, filters, WordPress coding standards

### Contributors
- **Cascadia Web Services** - Development and maintenance
- **Isaac A.** (`isaacdarcilla`) - Lead developer

### Support
For support and documentation, visit [Cascadia Web Services](https://cascadiaweb.services/contact)
