Filters & Hooks

The plugin exposes a small set of filters for code-level customization. Use them in your child theme's functions.php or a small MU-plugin.

Every filter listed below is confirmed in the plugin source. If you see a filter named elsewhere on the internet that is not on this page, it does not exist.

Validation

wkcft_should_validate

Where applied: WKCFT_Validator::wkcft_check() — the moment before a token is sent to Cloudflare.

Signature:

apply_filters('wkcft_should_validate', $should, $context);

Default: true

Parameters:

  • $should (bool) — whether to perform validation
  • $context (string) — form slug (e.g., login, checkout, wp_login)

Return false to skip validation entirely for a context.

Main use

The plugin's own Conditional Rules engine is wired into this filter. You can add extra skip logic on top.

Example — skip validation for requests with a specific header (e.g., internal monitoring):

add_filter('wkcft_should_validate', function($should, $context) {
    if (isset($_SERVER['HTTP_X_MONITOR']) && $_SERVER['HTTP_X_MONITOR'] === 'our-uptime-bot') {
        return false;
    }
    return $should;
}, 10, 2);

Conditional Rules

wkcft_conditions_should_skip

Where applied: main plugin bridge to wkcft_should_validate.

Signature:

apply_filters('wkcft_conditions_should_skip', $skip, $context);

Default: result of the conditional-rules engine (IP lists, country lists, logged-in, failure threshold)

Parameters:

  • $skip (bool) — whether the rules engine wants to skip
  • $context (string) — form slug

Final override on the rules-engine result. Return true to skip CAPTCHA, false to force it.

Example — force CAPTCHA on high-value orders even for logged-in customers:

add_filter('wkcft_conditions_should_skip', function($skip, $context) {
    if ($context === 'checkout' && function_exists('WC') && WC()->cart && WC()->cart->total > 500) {
        return false;
    }
    return $skip;
}, 20, 2);

wkcft_fail_counter_window

Where applied: WKCFT_Conditions — sets TTL for the per-IP failure counter transient.

Signature:

apply_filters('wkcft_fail_counter_window');

Default: 30 * MINUTE_IN_SECONDS (1800 seconds)

Sliding window for the require_after_failures counter.

Example — widen to 1 hour:

add_filter('wkcft_fail_counter_window', function() {
    return HOUR_IN_SECONDS;
});

Rate Limiting

wkcft_rate_limit_threshold

Where applied: WKCFT_Validator — max failed CAPTCHA attempts per IP before lockout.

Signature:

apply_filters('wkcft_rate_limit_threshold', $default);

Default: reads the wkcft_max_retries option (default 10)

Example — stricter under active attack:

add_filter('wkcft_rate_limit_threshold', function() {
    return 3;
}, 20);

wkcft_rate_limit_window

Where applied: WKCFT_Validator — rolling window for the rate-limit counter (seconds).

Signature:

apply_filters('wkcft_rate_limit_window', $default);

Default: reads the wkcft_lockout_time option (minutes) and converts to seconds. Built-in default: 300 seconds.

Example — 10-minute window:

add_filter('wkcft_rate_limit_window', function() {
    return 10 * MINUTE_IN_SECONDS;
}, 20);

Presentation

wkcft_widget_classes

Where applied: WKCFT_Frontend_Extras::wkcft_shortcode_widget() — the wrapping <div> around a shortcode-rendered Turnstile widget.

Signature:

apply_filters('wkcft_widget_classes', $classes, $context);

Parameters:

  • $classes (string[]) — CSS classes attached to the wrapper
  • $context (string) — where the widget is rendered (e.g. shortcode)

Example — add a theme-specific skin class:

add_filter('wkcft_widget_classes', function($classes, $context) {
    $classes[] = 'my-theme-turnstile';
    return $classes;
}, 10, 2);

Admin

wkcft_modify_menu_capability

Where applied: WKCFT_Admin::wkcft_register_admin_menu() — capability required to access the Turnstile settings menu.

Signature:

apply_filters('wkcft_modify_menu_capability', 'manage_woocommerce');

Default: manage_woocommerce

Example — restrict to administrators only:

add_filter('wkcft_modify_menu_capability', function() {
    return 'manage_options';
});

Logging

wkcft_log_enabled

Where applied: WKCFT_Logger::wkcft_log() — gate every insert.

Signature:

apply_filters('wkcft_log_enabled');

Default: true

Return false to disable all per-validation logging.

Example — skip logging on staging:

add_filter('wkcft_log_enabled', function() {
    if (defined('WP_ENVIRONMENT_TYPE') && WP_ENVIRONMENT_TYPE !== 'production') {
        return false;
    }
    return true;
});

wkcft_log_retention_days

Where applied: WKCFT_Logger::wkcft_run_scheduled_purge() — daily purge cron.

Signature:

apply_filters('wkcft_log_retention_days');

Default: 90

Shorter retention = smaller table, less PII on record.

Example — 30-day retention:

add_filter('wkcft_log_retention_days', function() {
    return 30;
});

Cron Schedules

cron_schedules (standard WP filter)

The Email Digest class registers two custom recurrences:

SlugInterval
wkcft_weekly604800 sec (7 days)
wkcft_monthly2592000 sec (30 days)

You can inspect via WP-CLI:

wp cron schedule list

Complete Filter Reference Table

Every filter the plugin actually applies:

FilterDefaultFired In
wkcft_should_validatetrueValidator, per form context
wkcft_conditions_should_skip(rules engine result)Main plugin bridge
wkcft_rate_limit_thresholdwkcft_max_retries option (default 10)Validator
wkcft_rate_limit_windowwkcft_lockout_time option (seconds, default 300)Validator
wkcft_fail_counter_window1800 (30 min)Conditions
wkcft_log_enabledtrueLogger
wkcft_log_retention_days90Logger purge cron
wkcft_widget_classes[]Frontend Extras — shortcode wrapper
wkcft_modify_menu_capabilitymanage_woocommerceAdmin — settings menu registration
cron_schedules(WP core filter)Email Digest registers wkcft_weekly, wkcft_monthly

Cron Hooks (Action Hooks)

The plugin registers the following scheduled WP-Cron hooks. You can fire them manually via WP-CLI or hook additional callbacks to them.

HookRecurrenceFired By
wkcft_logger_purgedailyLogger — deletes rows older than wkcft_log_retention_days days
wkcft_send_digestdaily / wkcft_weekly / wkcft_monthlyEmail Digest — sends HTML email digest
wkcft_check_notificationshourlyNotifications — evaluates block threshold and fires webhooks

Manually Trigger a Cron Hook

wp cron event run wkcft_send_digest
wp cron event run wkcft_check_notifications
wp cron event run wkcft_logger_purge

Add Your Own Callback

add_action('wkcft_send_digest', function() {
    error_log('Digest just fired');
});

Admin AJAX Actions (Developer Reference)

The plugin registers these AJAX endpoints. They are documented here for developers building custom admin UIs. All require a nonce.

Action (nopriv or priv)PurposeNonce
wkcft_recover (both priv + nopriv)Consume recovery token to clear IP lockouttoken-based (no WP nonce)
wkcft_onboarding_saveSave onboarding wizard step datawkcft_onboarding
wkcft_onboarding_dismissDismiss onboarding wizardwkcft_onboarding
wkcft_get_analytics_dataFetch analytics data for chartsadmin nonce
wkcft_export_analytics_csvStream analytics CSVadmin nonce
wkcft_send_test_digestDispatch one-off test digest emailwkcft_email_digest
wkcft_send_test_webhookDispatch one-off test webhookwkcft_notifications
wkcft_dismiss_conditions_introDismiss Conditional Rules intro noticeadmin nonce

Form Context Slugs

Used as the $context parameter in the filters above.

SlugForm
loginWooCommerce Login
registerWooCommerce Registration
password_resetWooCommerce Lost Password
checkoutWooCommerce Classic Checkout
woocommerce-checkoutWooCommerce Blocks Checkout
pay_orderPay for Order
track_orderTrack Order
product_reviewProduct Review
wp_loginWP Login
wp_registerWP Registration
wp_lost_passwordWP Lost Password
wp_commentWP Comments
cf7Contact Form 7
wpformsWPForms
gravityformsGravity Forms
elementorElementor Forms
formidableFormidable Forms
forminatorForminator
bbpressbbPress
buddypressBuddyPress
eddEasy Digital Downloads