Glossary

Definitions of every term used in the plugin and its docs.

A

Appearance (widget) — How the Turnstile widget renders visually. Values: always (visible), interaction-only (invisible until user interacts), execute (fully silent). Set on General Settings.

Analytics dashboard — Built-in page showing pass/fail trends, top forms, top blocked IPs. At WooCommerce → Webkul Addons → Analytics. See Analytics.

API key — Umbrella term for Site Key + Secret Key. See each.

AJAX endpoint — Server endpoint reached via JavaScript, not a full page reload. The plugin uses admin-ajax.php?action=wkcft_recover for bypass-cache recovery.

B

Block checkout / Checkout Blocks — The modern React-based WooCommerce checkout (as opposed to the classic [woocommerce_checkout] shortcode). See Checkout Blocks.

Bot — Automated script posing as a human. Fills forms, tries credentials, places fake orders. The thing this plugin stops.

Brute force — Bot attack trying many username/password combinations. Common on wp-login.php.

C

CAPTCHA — Completely Automated Public Turing test to tell Computers and Humans Apart. A challenge that is easy for humans but hard for bots.

Capability — WordPress permission system. The plugin requires manage_woocommerce to edit settings.

CIDR notation — Compact way to write IP ranges. Example: 192.168.1.0/24 means "192.168.1.0 through 192.168.1.255". Used in Conditional Rules IP whitelist/blacklist.

Classic checkout — The PHP-rendered WooCommerce checkout using the [woocommerce_checkout] shortcode. As opposed to Block checkout.

Cloudflare — CDN and security company that builds and operates Turnstile. cloudflare.com.

Cloudflare Turnstile — The privacy-friendly CAPTCHA alternative this plugin integrates with. See Introduction.

Conditional Rules — The plugin's rule engine for deciding who sees CAPTCHA. See Conditional Rules.

Cron — Scheduled task system. WordPress has WP-Cron; servers have system cron. Plugin uses WP-Cron for digest + webhook cadence.

D

Design Studio — The plugin's visual editor for widget styling. Live preview. See Design Studio.

Digest — Scheduled email summary of plugin activity. See Email Digest.

E

Execute mode — Widget appearance mode where the challenge runs silently. Visitor sees nothing unless Cloudflare detects bot behavior. See General Settings.

F

Filter — WordPress hook that lets code modify a value. This plugin exposes ~15 filters. See Filters & Hooks.

Form slug — String identifier for a protected form. Used in Per-Form Config and filter $form_context. Examples: login, checkout, cf7.

G

GDPR — EU General Data Protection Regulation. Turnstile is GDPR-friendly because it does not set tracking cookies.

H

hCaptcha — Alternative CAPTCHA service. See vs hCaptcha.

Hook — WordPress event system. Actions fire when something happens; filters modify values. This plugin uses both.

Hostname — Your domain name. Cloudflare widgets are scoped to specific hostnames. Must match your site's domain or Turnstile rejects challenges.

HPOS — High-Performance Order Storage. WooCommerce's modern order storage using custom tables instead of post types. Plugin is HPOS-compatible.

I

Instant load — Load Mode where the Cloudflare API script loads immediately with the page. Contrast: lazy load.

IP address — The numeric address of a device connecting to your site. Plugin uses for rate-limiting and whitelist/blacklist.

IP whitelist / blacklist — Lists of IPs that always skip / always require CAPTCHA. See Conditional Rules.

ISO country code — 2-letter country identifier like US, DE, FR. Used in country whitelist/blacklist.

L

Lazy load — Load Mode where the Cloudflare API script loads after a delay. Lighter initial page. See General Settings.

Lockout — State where an IP is blocked from submitting after hitting the rate-limit threshold.

Logger — The plugin's logging subsystem. Writes every validation to wp_wkcft_log table. See Analytics.

M

Managed mode (Cloudflare) — Cloudflare's default widget mode. Cloudflare decides when to show an interactive challenge. Invisible for most visitors.

Multisite — WordPress multi-site network. Plugin works per-site with independent settings.

N

Namespace (REST) — URL prefix for a group of REST routes. This plugin uses /wkcft/v1.

Notification — Umbrella for email digest + webhook alerts. See Notifications.

O

Onboarding wizard — 3-step setup that runs after activation. See Onboarding Wizard.

Option (WordPress) — Key-value setting stored in wp_options table. Plugin uses keys prefixed wkcft_*.

P

Per-form config — Ability to override widget settings per form. See Per-Form Config.

PII — Personally Identifiable Information. Plugin stores hashed user-agents and raw IPs (for rate-limiting) — no names, emails, or PII.

R

Rate limiting — Locking out an IP after too many failed attempts. See Rate Limiting.

reCAPTCHA — Google's CAPTCHA service. Compared at vs reCAPTCHA.

Recovery URL — Secret URL that clears a rate-limit lockout. See Recovery URL.

Replay protection — Prevents a Turnstile token from being used twice. Token is one-shot, 5-minute expiry.

REST API — The plugin's REST endpoints under /wkcft/v1. See REST API.

S

Secret Key — Private Cloudflare Turnstile key. Goes on the server. Never share publicly. See API Settings.

Shortcode[wkcft-turnstile] — drops the widget anywhere. See Shortcode.

Site Health — WordPress admin tool at Tools → Site Health. Plugin adds a "Cloudflare Turnstile Readiness" test. See Site Health.

Site Key — Public Cloudflare Turnstile key. Goes on the frontend. Safe to share. See API Settings.

Slug (form / page) — URL-safe identifier. Settings page slug: wkcft-settings. Analytics page slug: wkcft-analytics.

SMTP — Protocol for sending email. Recommended for reliable email digest delivery. See Email Digest.

T

Token — The Turnstile result. A one-time-use string proving the visitor passed the CAPTCHA. Validated server-side against Cloudflare's verify API.

Transient — WordPress short-lived cache entry. Plugin uses transients for rate-limit buckets and failure counters.

Turnstile — Cloudflare's privacy-friendly CAPTCHA service. See Introduction.

U

UA hash — MD5 hash of the User-Agent string. Stored in logs for fingerprinting without storing the actual UA.

V

Validator — The plugin's server-side Turnstile verification subsystem. Class: WKCFT_Validator.

Verify API — Cloudflare's server-to-server endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify.

W

Warn-only mode — Logs validation results but does not block failed submissions. For staging / soft-launch. See General Settings.

Webhook — HTTP callback fired on events. Plugin supports generic + Slack webhooks for alerts. See Webhooks.

WKCFT — Plugin's internal prefix. Stands for "WebKul Cloudflare Turnstile". Used in class names (WKCFT_Plugin), options (wkcft_*), and filters (wkcft_*).

WooCommerce Blocks — The block-based WooCommerce UI, introduced for Gutenberg. Includes Checkout block.

WP-Cron — WordPress's built-in cron system. Runs on page visits. For reliable execution on low-traffic sites, pair with real server cron.