From b9195e7a974139a7637ffd87fe72315ef74b8ba2 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike@yard.nl>
Date: Tue, 25 Feb 2025 13:46:42 +0100
Subject: [PATCH 01/30] (refactor): implement security measures for usage of
 the REST API endpoint(s)

---
 assets/css/editor.css                    |   7 ++
 languages/yard-deepl-nl_NL.mo            | Bin 2957 -> 3106 bytes
 languages/yard-deepl-nl_NL.po            |  12 ++-
 languages/yard-deepl.pot                 |  12 ++-
 src/Controllers/RestAPIController.php    | 130 +++++++++++++++++++++++
 src/Providers/AssetsServiceProvider.php  |  25 ++++-
 src/Providers/MetaBoxServiceProvider.php |  79 ++++++++++----
 src/Services/TranslationService.php      |  15 ++-
 src/helpers.php                          |  38 ++++---
 webpack.config.js                        |   1 +
 10 files changed, 275 insertions(+), 44 deletions(-)
 create mode 100644 assets/css/editor.css

diff --git a/assets/css/editor.css b/assets/css/editor.css
new file mode 100644
index 0000000..c9c9af6
--- /dev/null
+++ b/assets/css/editor.css
@@ -0,0 +1,7 @@
+.ydpl-metabox-row:not( :first-child ) {
+	margin-top: 1rem;
+}
+
+.ydpl-metabox-row > p {
+	font-weight: 500;
+}
diff --git a/languages/yard-deepl-nl_NL.mo b/languages/yard-deepl-nl_NL.mo
index fd6f7bb0134a2c9952fa1e18534f510355d20fa2..e74c46f35e7fcdecc94897bdde8f9f60e51c5504 100644
GIT binary patch
delta 1193
zcmYk*OK1~O6vpvW6JyhdnpADAud%IKZH;whEog;^V0Ga_1RoHm?Wl<%wUgLF5CU$r
zh*&5}UHL$K;Hm_4Bf1cwpx{QjQIu}fMcoOm1pi+$qL-Zeo7}mNbMMStZ@%AB`Wz46
zG|En5E%BhnEQ#GADoStIEP}f+iu-T{4&X{mVH;k=7M#Y#ID;DZ92@Z^uEuw`AHQO&
zS;@NStpNw9;&>Qin8I2d#U)roO?WwQ0{Ph_l@hy!b$A!m|0!yG88z-j(Eb|L?=8ky
z-{!bjN5gki#|YIbY((v_12s_}YT_i4yd4VKk03ugPNhUnqxxk6eVpKb5l>*4o4TK(
zin6|)<w6;a;!?bXO?VCY*&V7c_z0EA6)HJN)r_}M3D00V&Y~XC0&3nGvSM%6fI8VY
z>QQxIX@HA8T<8R@q6R!fB`||Z=nX2752&4gLQOay_zl^d{Xo{VpIDE-k)K7GRQH=u
z_ghi(wAXR|nz)k&y(B%TME0T<IEC8bAZkZN)C4yIr%~hYVFNx1+Mfl!LM=QS_#Pkg
ze-2M#seV^=p^v0Xo6QF<pmzQXbrKO~*Fvqx2V(70u~2hqBUegWrGw}s^a`u!ds508
zt&xie&Dc$BCN>ay2ufQ;-$sJaH>k3P(AISv+Omp{L~rC4qRZ?In60nW)oL5)32zVD
z_`oV<2er<jhge29#8yIEUQXyC=?!AHl?S5_`fu4Z)fhh5m-SrV8FGitdBaY@cXRoy
zTS$-O^3F)k$-84-!jhFP|J|#0?=K$>w}g9-dH#4hGwk`!nCBN<H(Qy@8BAxKkqb=b
W<`PDqe|N^y`Mj6wFQ2b%3;hAhgLonU

delta 1045
zcmX}rOG{fp7{>8e&rzEu#%pfYris=|qtQxT2_i+QRE0u8B4(kuur35E2!dd<a-n!x
zq^{g`72Vl<2;G!^16`GZn-<ztLGb^?u|sBlbLLED-gnM9U*ZR`!d0_>Y?MK2JN0vw
z**Jzg8cN(ZtHlHcFoms{!3d6F4bGzG<*^=@Fo7R&0{5^DzoX{gV6$1le$#1Uz+?0g
zMz9W(s0F*7S>$KKGzw${AL9gS{yWtFbEy9<y73RFd26VBw(u$LV=epJ8J#Et=ctS>
zQ43w67XFFEXusU}U(^P-s6c!!G%xIo;x5-ooX3(I_n4&lK~z8y470zb=(OM<^0RT8
zYn(;}(nlkQX<|5v3V0T^&?*v(ZK5*V#yB3~6qZmK|3S@fA`0!-j)gFtmvpr87%J0A
z)Pgh4_ec^phpb@>7{nFiXB#xS{|R+}2er;2YTY90oj5@Sa*A62BEb18qi+o8rTT$d
z;GfeYTrCj75VoT3r=1zp#;=?sSmOFM=J5u#(Ho+rYctLqD)FTtyXz>{8PG;M$OmBQ
z;*b|BJfp|J|I$sb(Ov0#;r*=~cn4Nf6=H_^oT@zakhHCe((I?|8&J`=p||Y`RVk<_
zR7KN8ePOl?_a9}YL(@xbp!T@|J!O^bJvM+k=p?m=s<Tp_N=@g>u~r^T3Li>mG3&oA
NfAyn&xhjzM?f}&HKWzX2

diff --git a/languages/yard-deepl-nl_NL.po b/languages/yard-deepl-nl_NL.po
index 1832649..09a366d 100644
--- a/languages/yard-deepl-nl_NL.po
+++ b/languages/yard-deepl-nl_NL.po
@@ -30,14 +30,22 @@ msgstr "Yard | Digital"
 msgid "https://www.yard.nl"
 msgstr "https://www.yard.nl"
 
-#: src/Providers/MetaboxServiceProvider.php:51
+#: src/Providers/MetaboxServiceProvider.php:72
 msgid "Disable translation cache when this object contains dynamic content."
 msgstr "Schakel de vertalingscache uit wanneer dit object dynamische inhoud bevat."
 
-#: src/Providers/MetaboxServiceProvider.php:76
+#: src/Providers/MetaboxServiceProvider.php:75
 msgid "Disable translation cache?"
 msgstr "Vertalingscache uitschakelen?"
 
+#: src/Providers/MetaboxServiceProvider.php:78
+msgid "Clear cached translations on save."
+msgstr "Verwijder vertaalcache bij opslaan."
+
+#: src/Providers/MetaboxServiceProvider.php:80
+msgid "Clear translation cache?"
+msgstr "Vertaalcache wissen?"
+
 #: src/Providers/SettingsServiceProvider.php:66
 msgid "Settings"
 msgstr "Instellingen"
diff --git a/languages/yard-deepl.pot b/languages/yard-deepl.pot
index aacc228..3ed8026 100644
--- a/languages/yard-deepl.pot
+++ b/languages/yard-deepl.pot
@@ -33,14 +33,22 @@ msgstr ""
 msgid "https://www.yard.nl"
 msgstr ""
 
-#: src/Providers/MetaboxServiceProvider.php:51
+#: src/Providers/MetaboxServiceProvider.php:72
 msgid "Disable translation cache when this object contains dynamic content."
 msgstr ""
 
-#: src/Providers/MetaboxServiceProvider.php:76
+#: src/Providers/MetaboxServiceProvider.php:75
 msgid "Disable translation cache?"
 msgstr ""
 
+#: src/Providers/MetaboxServiceProvider.php:78
+msgid "Clear cached translations on save."
+msgstr ""
+
+#: src/Providers/MetaboxServiceProvider.php:80
+msgid "Clear translation cache?"
+msgstr ""
+
 #: src/Providers/SettingsServiceProvider.php:66
 msgid "Settings"
 msgstr ""
diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index 0e804c9..940c39d 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -10,6 +10,7 @@
 }
 
 use Exception;
+use WP_Post;
 use WP_REST_Request;
 use WP_REST_Response;
 use YDPL\Services\TranslationService;
@@ -21,6 +22,9 @@
  */
 class RestAPIController
 {
+	protected const RATE_LIMIT                        = 3;
+	protected const RATE_LIMIT_TIME_WINDOW_IN_SECONDS = 60;
+
 	use ErrorLog;
 
 	protected TranslationService $service;
@@ -40,6 +44,12 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 		$text        = $request->get_param( 'text' );
 		$target_lang = $request->get_param( 'target_lang' );
 		$object_id   = $request->get_param( 'object_id' );
+		$origin      = $request->get_header( 'origin' );
+		$referer     = (string) $request->get_header( 'referer' );
+
+		if ( is_null( $origin ) || home_url() !== $origin ) {
+			return $this->set_failure_response( 403, 'Invalid origin. Origin does not match the site URL.' );
+		}
 
 		// Are required by Deepl.
 		if ( empty( $text ) || empty( $target_lang ) ) {
@@ -51,6 +61,13 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 			return $this->set_failure_response( 400, 'Invalid input parameters.' );
 		}
 
+		// Apply rate limit check if object ID is absent or translation is not cached when an object ID is present.
+		if ( empty( $object_id ) || ! $this->service->object_has_cached_translation( (int) $object_id, $target_lang ) ) {
+			if ( $this->is_rate_limit_exceeded( (int) $object_id, $referer ) ) {
+				return $this->set_failure_response( 429, 'Rate limit exceeded or could not be validated.' );
+			}
+		}
+
 		try {
 			$translation = $this->service->handle_translation( (int) $object_id, $text, $target_lang );
 
@@ -68,6 +85,119 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 		);
 	}
 
+	/**
+	 * @since 1.1.1
+	 */
+	protected function is_rate_limit_exceeded( int $object_id, string $referer ): bool
+	{
+		if ( empty( $object_id ) && ! $this->referer_without_object_id_exists_and_matches_host( $referer ) ) {
+			return true;
+		}
+
+		if ( ! empty( $object_id ) && ! $this->referer_with_object_id_exists_and_matches_url_path( $object_id, $referer ) ) {
+			return true;
+		}
+
+		$client_ip = $this->get_client_ip();
+
+		// Validate if client IP is valid.
+		if ( 1 > strlen( $client_ip ) ) {
+			return true;
+		}
+
+		$transient_key = 'ydpl_rate_limit_' . hash_hmac( 'sha256', $referer . $client_ip, SECURE_AUTH_KEY );
+		$request_count = (int) ( get_transient( $transient_key ) ?: 0 );
+
+		if ( self::RATE_LIMIT <= $request_count ) {
+			return true;
+		}
+
+		set_transient( $transient_key, $request_count + 1, self::RATE_LIMIT_TIME_WINDOW_IN_SECONDS );
+
+		return false;
+	}
+
+	/**
+	 * @since 1.1.1
+	 */
+	protected function referer_without_object_id_exists_and_matches_host( string $referer ): bool
+	{
+		if ( ! $this->hosts_match( $referer, home_url() ) ) {
+			return false;
+		}
+
+		// Validate if requested page exists.
+		$result = wp_remote_head( $referer );
+
+		if ( is_wp_error( $result ) ) {
+			return false;
+		}
+
+		$response_code = wp_remote_retrieve_response_code( $result );
+
+		if ( ! is_int( $response_code ) || ! in_array( $response_code, array( 200, 201 ) ) ) {
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * @since 1.1.1
+	 */
+	protected function referer_with_object_id_exists_and_matches_url_path( int $object_id, string $referer ): bool
+	{
+		$post = get_post( $object_id );
+
+		if ( ! $post instanceof WP_Post ) {
+			return false;
+		}
+
+		$permalink = get_permalink( $post );
+
+		if ( ! $permalink ) {
+			return false;
+		}
+
+		if ( ! $this->hosts_match( $referer, $permalink ) ) {
+			return false;
+		}
+
+		$referer_path   = wp_parse_url( $referer, PHP_URL_PATH );
+		$permalink_path = wp_parse_url( $permalink, PHP_URL_PATH );
+
+		return str_replace( '/', '', $referer_path ) === str_replace( '/', '', $permalink_path );
+	}
+
+	/**
+	 * @since 1.1.1
+	 */
+	protected function hosts_match( mixed $url_one, mixed $url_two ): bool
+	{
+		$host_one = wp_parse_url( $url_one, PHP_URL_HOST );
+		$host_two = wp_parse_url( $url_two, PHP_URL_HOST );
+
+		if ( ! is_string( $host_one ) || ! is_string( $host_two ) ) {
+			return false;
+		}
+
+		return $host_one === $host_two;
+	}
+
+	/**
+	 * @since 1.1.1
+	 */
+	protected function get_client_ip(): string
+	{
+		$remote_address = $_SERVER['REMOTE_ADDR'] ?? '';
+
+		if ( filter_var( $remote_address, FILTER_VALIDATE_IP ) === false ) {
+			return '';
+		}
+
+		return $remote_address;
+	}
+
 	/**
 	 * @since 0.0.1
 	 */
diff --git a/src/Providers/AssetsServiceProvider.php b/src/Providers/AssetsServiceProvider.php
index 19f8459..0fd9e69 100644
--- a/src/Providers/AssetsServiceProvider.php
+++ b/src/Providers/AssetsServiceProvider.php
@@ -22,6 +22,7 @@ class AssetsServiceProvider implements ServiceProviderInterface
 	public function register(): void
 	{
 		add_action( 'wp_enqueue_scripts', array( $this, 'enqueue_assets' ) );
+		add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_admin_assets' ) );
 	}
 
 	/**
@@ -29,18 +30,17 @@ public function register(): void
 	 */
 	public function enqueue_assets(): void
 	{
-		$path         = ydpl_asset_url( 'main.asset.php' );
+		$path         = ydpl_asset_path( 'main.asset.php' );
 		$script_asset = file_exists( $path ) ? require $path : array(
 			'dependencies' => array(),
 			'version'      => round( microtime( true ) ),
 		);
-
-		wp_enqueue_script( 'ydpl-main', ydpl_asset_url( 'main.js' ), array( 'jquery' ), $script_asset['version'], true );
+		wp_enqueue_script( 'ydpl-main', ydpl_asset_url( 'main.js' ), $script_asset['dependencies'] ?? array(), $script_asset['version'], true );
 		wp_localize_script(
 			'ydpl-main',
 			'ydpl',
 			array(
-				'ydpl_translate_post_id'   => get_the_ID() ?: 0,
+				'ydpl_translate_post_id'   => get_the_ID() ?: get_queried_object_id() ?: 0,
 				'ydpl_rest_translate_url'  => esc_url_raw( rest_url( YDPL_API_NAMESPACE . '/translate' ) ),
 				'ydpl_supported_languages' => $this->format_selected_supported_languages(),
 				'ydpl_api_request_nonce'   => wp_create_nonce( YDPL_NONCE_REST_NAME ),
@@ -48,6 +48,9 @@ public function enqueue_assets(): void
 		);
 	}
 
+	/**
+	 * @since 0.0.1
+	 */
 	private function format_selected_supported_languages(): array
 	{
 		$supported_languages            = ydpl_resolve_from_container( 'ydpl.supported_target.languages' );
@@ -62,4 +65,18 @@ function ( $supported_language ) use ( $configured_supported_languages ) {
 
 		return array_values( $filtered );
 	}
+
+	/**
+	 * @since 1.1.1
+	 */
+	public function enqueue_admin_assets(): void
+	{
+		$path         = ydpl_asset_path( 'editor.asset.php' );
+		$script_asset = file_exists( $path ) ? require $path : array(
+			'dependencies' => array(),
+			'version'      => round( microtime( true ) ),
+		);
+
+		wp_enqueue_style( 'ydpl-main', ydpl_asset_url( 'editor.css' ), $script_asset['dependencies'] ?? array(), $script_asset['version'] );
+	}
 }
diff --git a/src/Providers/MetaBoxServiceProvider.php b/src/Providers/MetaBoxServiceProvider.php
index e00b406..2022a7a 100644
--- a/src/Providers/MetaBoxServiceProvider.php
+++ b/src/Providers/MetaBoxServiceProvider.php
@@ -20,20 +20,20 @@ class MetaBoxServiceProvider implements ServiceProviderInterface
 {
 	public function register(): void
 	{
-		add_action( 'add_meta_boxes', array( $this, 'register_meta_box' ), 999 );
-		add_action( 'save_post', array( $this, 'save_metabox_values' ), 999 );
+		add_action( 'add_meta_boxes', array( $this, 'register_meta_boxes' ), 999 );
+		add_action( 'save_post', array( $this, 'handle_saved_metabox_values' ), 999 );
 	}
 
 	/**
 	 * @since 1.1.0
 	 */
-	public function register_meta_box(): void
+	public function register_meta_boxes(): void
 	{
 		add_meta_box(
 			'yard-deepl',
 			__( 'Yard Deepl', 'yard-deepl' ),
-			array( $this, 'render_meta_box' ),
-			apply_filters( 'yard::deepl/disable_cache_metabox_post_types', array( 'page' ) ),
+			array( $this, 'render_meta_boxes' ),
+			apply_filters( 'yard::deepl/cache_metabox_post_types', array( 'page' ) ),
 			'side',
 			'high'
 		);
@@ -42,16 +42,11 @@ public function register_meta_box(): void
 	/**
 	 * @since 1.1.0
 	 */
-	public function render_meta_box( WP_Post $post ): void
+	public function render_meta_boxes( WP_Post $post ): void
 	{
 		$this->security_nonce_field();
 
-		$html = sprintf(
-			'<p>%s</p>',
-			esc_html__( 'Disable translation cache when this object contains dynamic content.', 'yard-deepl' )
-		);
-
-		$html = $this->disable_translation_cache_metabox( $html, $post );
+		$html = $this->translation_cache_metaboxes( $post );
 
 		echo $html;
 	}
@@ -67,34 +62,74 @@ private function security_nonce_field(): void
 	/**
 	 * @since 1.1.0
 	 */
-	private function disable_translation_cache_metabox( string $html, WP_Post $post ): string
+	private function translation_cache_metaboxes( WP_Post $post ): string
 	{
-		$is_disabled = get_post_meta( $post->ID, 'ydpl_disable_deepl_translation_cache', true );
-
-		$html .= '<div class="ydpl-metabox-wrapper"><label for="ydpl_disable_deepl_translation_cache">';
-		$html .= sprintf( '<input type="checkbox" name="ydpl_disable_deepl_translation_cache" id="ydpl_disable_deepl_translation_cache" value="1"%s />', esc_attr( checked( $is_disabled, 1, false ) ) );
+		$cache_is_disabled       = get_post_meta( $post->ID, 'ydpl_disable_deepl_translation_cache', true );
+		$cache_clear_is_disabled = get_post_meta( $post->ID, 'ydpl_clear_deepl_translation_cache', true );
+
+		$html  = '<div class="ydpl-metabox-wrapper">';
+		$html .= '<div class="ydpl-metabox-row">';
+		$html .= sprintf( '<p>%s</p>', esc_html__( 'Disable translation cache when this object contains dynamic content.', 'yard-deepl' ) );
+		$html .= '<label for="ydpl_disable_deepl_translation_cache">';
+		$html .= sprintf( '<input type="checkbox" name="ydpl_disable_deepl_translation_cache" id="ydpl_disable_deepl_translation_cache" value="1"%s />', esc_attr( checked( $cache_is_disabled, 1, false ) ) );
 		$html .= sprintf( ' %s</label></div>', esc_html__( 'Disable translation cache?', 'yard-deepl' ) );
 
+		$html .= '<div class="ydpl-metabox-row">';
+		$html .= sprintf( '<p>%s</p>', esc_html__( 'Clear cached translations on save.', 'yard-deepl' ) );
+		$html .= '<label for="ydpl_clear_deepl_translation_cache">';
+		$html .= sprintf( '<input type="checkbox" name="ydpl_clear_deepl_translation_cache" id="ydpl_clear_deepl_translation_cache" value="1"%s />', esc_attr( checked( $cache_clear_is_disabled, 1, false ) ) );
+		$html .= sprintf( ' %s</label></div>', esc_html__( 'Clear translation cache?', 'yard-deepl' ) );
+		$html .= '</div>';
+
 		return $html;
 	}
 
 	/**
 	 * @since 1.1.0
 	 */
-	public function save_metabox_values( int $post_id ): void
+	public function handle_saved_metabox_values( int $post_id ): void
+	{
+		if ( ! $this->should_handle_saved_metabox_values( $post_id ) ) {
+			return;
+		}
+
+		$this->set_disable_cache_metabox_value( $post_id );
+		$this->clear_translation_cache( $post_id );
+	}
+
+	/**
+	 * @since 1.1.1
+	 */
+	private function set_disable_cache_metabox_value( int $post_id ): void
+	{
+		$cache_is_disabled = ( isset( $_POST['ydpl_disable_deepl_translation_cache'] ) ? '1' : '0' );
+		update_post_meta( $post_id, 'ydpl_disable_deepl_translation_cache', $cache_is_disabled );
+	}
+
+	/**
+	 * @since 1.1.1
+	 */
+	private function clear_translation_cache( int $post_id ): void
 	{
-		if ( ! $this->should_save_metabox_values( $post_id ) ) {
+		$cache_clear_is_enabled = ( isset( $_POST['ydpl_clear_deepl_translation_cache'] ) ? '1' : '0' );
+
+		if ( '1' !== $cache_clear_is_enabled ) {
 			return;
 		}
 
-		$is_disabled = ( isset( $_POST['ydpl_disable_deepl_translation_cache'] ) ? '1' : '0' );
-		update_post_meta( $post_id, 'ydpl_disable_deepl_translation_cache', $is_disabled );
+		$meta_keys = get_post_meta( $post_id );
+
+		foreach ( $meta_keys as $key => $value ) {
+			if ( strpos( $key, '_translation_' ) === 0 ) {
+				delete_post_meta( $post_id, $key );
+			}
+		}
 	}
 
 	/**
 	 * @since 1.1.0
 	 */
-	private function should_save_metabox_values( int $post_id ): bool
+	private function should_handle_saved_metabox_values( int $post_id ): bool
 	{
 		// Verify nonce.
 		if ( ! isset( $_POST['ydpl_metabox_nonce'] ) || ! wp_verify_nonce( wp_unslash( $_POST['ydpl_metabox_nonce'] ), 'ydpl_metabox_nonce_action' ) ) {
diff --git a/src/Services/TranslationService.php b/src/Services/TranslationService.php
index 648c813..1ff30e2 100644
--- a/src/Services/TranslationService.php
+++ b/src/Services/TranslationService.php
@@ -9,6 +9,7 @@
 	exit;
 }
 
+use YDPL\Exceptions\ObjectNotFoundException;
 use YDPL\Repositories\TranslationRepository;
 
 /**
@@ -40,7 +41,7 @@ public function handle_translation( int $object_id, array $text, string $target_
 	 */
 	public function handle_translation_with_object_id( int $object_id, array $text, string $target_lang ): array
 	{
-		$cached_translation = $this->repository->get_cached_translation( $object_id, $target_lang );
+		$cached_translation = $this->object_has_cached_translation( $object_id, $target_lang );
 
 		if ( $cached_translation ) {
 			return $cached_translation;
@@ -62,4 +63,16 @@ public function handle_translation_without_object_id( array $text, string $targe
 
 		return $translation;
 	}
+
+	/**
+	 * @since 1.1.1
+	 */
+	public function object_has_cached_translation( int $object_id, string $target_lang ): ?array
+	{
+		try {
+			return $this->repository->get_cached_translation( $object_id, $target_lang );
+		} catch ( ObjectNotFoundException $e ) {
+			return null;
+		}
+	}
 }
diff --git a/src/helpers.php b/src/helpers.php
index fb41aa2..2ecbabe 100644
--- a/src/helpers.php
+++ b/src/helpers.php
@@ -4,9 +4,7 @@
  * Plugin helpers.
  *
  * @package Yard_Deepl
- *
  * @author  Yard | Digital Agency
- *
  * @since   0.0.1
  */
 
@@ -21,9 +19,7 @@
  * Add prefix for the given string.
  *
  * @package Yard_Deepl
- *
  * @author  Yard | Digital Agency
- *
  * @since   0.0.1
  */
 function ydpl_prefix( $name ): string
@@ -32,12 +28,10 @@ function ydpl_prefix( $name ): string
 }
 
 /**
- * Add prefix for the given string.
+ * Generates a full plugin URL by appending the given path to the base plugin URL.
  *
  * @package Yard_Deepl
- *
  * @author  Yard | Digital Agency
- *
  * @since   0.0.1
  */
 function ydpl_url( string $path ): string
@@ -46,12 +40,22 @@ function ydpl_url( string $path ): string
 }
 
 /**
- * Add prefix for the given string.
+ * Generates a full plugin path by appending the given path to the base plugin URL.
  *
  * @package Yard_Deepl
- *
  * @author  Yard | Digital Agency
+ * @since   0.0.1
+ */
+function ydpl_path( string $path ): string
+{
+	return YDPL_PLUGIN_DIR_PATH . $path;
+}
+
+/**
+ * Generates a full asset URL by appending the given path to the plugin's asset directory.
  *
+ * @package Yard_Deepl
+ * @author  Yard | Digital Agency
  * @since   0.0.1
  */
 function ydpl_asset_url( string $path ): string
@@ -60,12 +64,22 @@ function ydpl_asset_url( string $path ): string
 }
 
 /**
- * Render a view file.
+ * Generates a full asset path by appending the given path to the plugin's asset directory.
  *
  * @package Yard_Deepl
- *
  * @author  Yard | Digital Agency
+ * @since   1.1.1
+ */
+function ydpl_asset_path( string $path ): string
+{
+	return ydpl_path( 'dist/' . $path );
+}
+
+/**
+ * Render a view file.
  *
+ * @package Yard_Deepl
+ * @author  Yard | Digital Agency
  * @since   0.0.1
  */
 function ydpl_render_view( string $file_path, $data = array() )
@@ -84,9 +98,7 @@ function ydpl_render_view( string $file_path, $data = array() )
  * Finds an entry of the container by its identifier and returns it.
  *
  * @package Yard_Deepl
- *
  * @author  Yard | Digital Agency
- *
  * @since   0.0.1
  */
 function ydpl_resolve_from_container( string $container )
diff --git a/webpack.config.js b/webpack.config.js
index dbd4cf7..19ef71a 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -5,6 +5,7 @@ const defaultConfig = require( '@wordpress/scripts/config/webpack.config' ); //
 module.exports = {
 	...defaultConfig,
 	entry: {
+		editor: [ './assets/css/editor.css' ],
 		main: [ './assets/js/translation.js' ],
 	},
 	output: {

From 1c84c1630d597308009ce00d6bd28ac329197102 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 21 May 2026 11:07:26 +0200
Subject: [PATCH 02/30] refactor: enqueue admin assets only on editor page

---
 src/Providers/AssetsServiceProvider.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/Providers/AssetsServiceProvider.php b/src/Providers/AssetsServiceProvider.php
index 0fd9e69..d0b6751 100644
--- a/src/Providers/AssetsServiceProvider.php
+++ b/src/Providers/AssetsServiceProvider.php
@@ -43,7 +43,7 @@ public function enqueue_assets(): void
 				'ydpl_translate_post_id'   => get_the_ID() ?: get_queried_object_id() ?: 0,
 				'ydpl_rest_translate_url'  => esc_url_raw( rest_url( YDPL_API_NAMESPACE . '/translate' ) ),
 				'ydpl_supported_languages' => $this->format_selected_supported_languages(),
-				'ydpl_api_request_nonce'   => wp_create_nonce( YDPL_NONCE_REST_NAME ),
+				'ydpl_api_request_nonce'   => wp_create_nonce( 'wp_rest' ),
 			)
 		);
 	}
@@ -69,14 +69,18 @@ function ( $supported_language ) use ( $configured_supported_languages ) {
 	/**
 	 * @since 1.1.1
 	 */
-	public function enqueue_admin_assets(): void
+	public function enqueue_admin_assets( string $hook_suffix ): void
 	{
+		if ( ! in_array( $hook_suffix, array( 'post.php', 'post-new.php' ), true ) ) {
+			return;
+		}
+
 		$path         = ydpl_asset_path( 'editor.asset.php' );
 		$script_asset = file_exists( $path ) ? require $path : array(
 			'dependencies' => array(),
 			'version'      => round( microtime( true ) ),
 		);
 
-		wp_enqueue_style( 'ydpl-main', ydpl_asset_url( 'editor.css' ), $script_asset['dependencies'] ?? array(), $script_asset['version'] );
+		wp_enqueue_style( 'ydpl-editor', ydpl_asset_url( 'editor.css' ), $script_asset['dependencies'] ?? array(), $script_asset['version'] );
 	}
 }

From 38898af552a3570dc8ec91b78dbf0910d7d56a15 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 21 May 2026 11:13:10 +0200
Subject: [PATCH 03/30] refactor: post meta
 'ydpl_clear_deepl_translation_cache' always set to unchecked

---
 src/Providers/MetaBoxServiceProvider.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/Providers/MetaBoxServiceProvider.php b/src/Providers/MetaBoxServiceProvider.php
index 2022a7a..25c5eb5 100644
--- a/src/Providers/MetaBoxServiceProvider.php
+++ b/src/Providers/MetaBoxServiceProvider.php
@@ -64,8 +64,7 @@ private function security_nonce_field(): void
 	 */
 	private function translation_cache_metaboxes( WP_Post $post ): string
 	{
-		$cache_is_disabled       = get_post_meta( $post->ID, 'ydpl_disable_deepl_translation_cache', true );
-		$cache_clear_is_disabled = get_post_meta( $post->ID, 'ydpl_clear_deepl_translation_cache', true );
+		$cache_is_disabled = get_post_meta( $post->ID, 'ydpl_disable_deepl_translation_cache', true );
 
 		$html  = '<div class="ydpl-metabox-wrapper">';
 		$html .= '<div class="ydpl-metabox-row">';
@@ -77,7 +76,7 @@ private function translation_cache_metaboxes( WP_Post $post ): string
 		$html .= '<div class="ydpl-metabox-row">';
 		$html .= sprintf( '<p>%s</p>', esc_html__( 'Clear cached translations on save.', 'yard-deepl' ) );
 		$html .= '<label for="ydpl_clear_deepl_translation_cache">';
-		$html .= sprintf( '<input type="checkbox" name="ydpl_clear_deepl_translation_cache" id="ydpl_clear_deepl_translation_cache" value="1"%s />', esc_attr( checked( $cache_clear_is_disabled, 1, false ) ) );
+		$html .= '<input type="checkbox" name="ydpl_clear_deepl_translation_cache" id="ydpl_clear_deepl_translation_cache" value="1" />';
 		$html .= sprintf( ' %s</label></div>', esc_html__( 'Clear translation cache?', 'yard-deepl' ) );
 		$html .= '</div>';
 
@@ -142,7 +141,7 @@ private function should_handle_saved_metabox_values( int $post_id ): bool
 		}
 
 		// Only allow updates for supported post types.
-		$post_types = apply_filters( 'yard::deepl/disable_cache_metabox_post_types', array( 'page' ) );
+		$post_types = apply_filters( 'yard::deepl/cache_metabox_post_types', array( 'page' ) );
 		if ( ! in_array( get_post_type( $post_id ), $post_types, true ) ) {
 			return false;
 		}

From 07b81aee4e49f2bc84d1840b844458393dbce343 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 21 May 2026 11:21:22 +0200
Subject: [PATCH 04/30] refactor: only cache translation when logged in user
 can edit posts

---
 src/Controllers/RestAPIController.php    | 92 +++---------------------
 src/Providers/RestAPIServiceProvider.php |  3 +-
 src/Services/TranslationService.php      | 10 +--
 3 files changed, 16 insertions(+), 89 deletions(-)

diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index 940c39d..3fb566d 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -10,7 +10,6 @@
 }
 
 use Exception;
-use WP_Post;
 use WP_REST_Request;
 use WP_REST_Response;
 use YDPL\Services\TranslationService;
@@ -45,7 +44,6 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 		$target_lang = $request->get_param( 'target_lang' );
 		$object_id   = $request->get_param( 'object_id' );
 		$origin      = $request->get_header( 'origin' );
-		$referer     = (string) $request->get_header( 'referer' );
 
 		if ( is_null( $origin ) || home_url() !== $origin ) {
 			return $this->set_failure_response( 403, 'Invalid origin. Origin does not match the site URL.' );
@@ -63,13 +61,15 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 
 		// Apply rate limit check if object ID is absent or translation is not cached when an object ID is present.
 		if ( empty( $object_id ) || ! $this->service->object_has_cached_translation( (int) $object_id, $target_lang ) ) {
-			if ( $this->is_rate_limit_exceeded( (int) $object_id, $referer ) ) {
-				return $this->set_failure_response( 429, 'Rate limit exceeded or could not be validated.' );
+			if ( $this->is_rate_limit_exceeded() ) {
+				return $this->set_failure_response( 429, 'Rate limit exceeded.' );
 			}
 		}
 
+		$cache = current_user_can( apply_filters( 'yard::deepl/cache_capability', 'edit_posts' ) );
+
 		try {
-			$translation = $this->service->handle_translation( (int) $object_id, $text, $target_lang );
+			$translation = $this->service->handle_translation( (int) $object_id, $text, $target_lang, $cache );
 
 			if ( empty( $translation ) ) {
 				throw new Exception( 'Failed to translate text.', 500 );
@@ -88,24 +88,15 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 	/**
 	 * @since 1.1.1
 	 */
-	protected function is_rate_limit_exceeded( int $object_id, string $referer ): bool
+	protected function is_rate_limit_exceeded(): bool
 	{
-		if ( empty( $object_id ) && ! $this->referer_without_object_id_exists_and_matches_host( $referer ) ) {
-			return true;
-		}
-
-		if ( ! empty( $object_id ) && ! $this->referer_with_object_id_exists_and_matches_url_path( $object_id, $referer ) ) {
-			return true;
-		}
-
 		$client_ip = $this->get_client_ip();
 
-		// Validate if client IP is valid.
-		if ( 1 > strlen( $client_ip ) ) {
+		if ( empty( $client_ip ) ) {
 			return true;
 		}
 
-		$transient_key = 'ydpl_rate_limit_' . hash_hmac( 'sha256', $referer . $client_ip, SECURE_AUTH_KEY );
+		$transient_key = 'ydpl_rate_limit_' . hash_hmac( 'sha256', $client_ip, SECURE_AUTH_KEY );
 		$request_count = (int) ( get_transient( $transient_key ) ?: 0 );
 
 		if ( self::RATE_LIMIT <= $request_count ) {
@@ -117,73 +108,6 @@ protected function is_rate_limit_exceeded( int $object_id, string $referer ): bo
 		return false;
 	}
 
-	/**
-	 * @since 1.1.1
-	 */
-	protected function referer_without_object_id_exists_and_matches_host( string $referer ): bool
-	{
-		if ( ! $this->hosts_match( $referer, home_url() ) ) {
-			return false;
-		}
-
-		// Validate if requested page exists.
-		$result = wp_remote_head( $referer );
-
-		if ( is_wp_error( $result ) ) {
-			return false;
-		}
-
-		$response_code = wp_remote_retrieve_response_code( $result );
-
-		if ( ! is_int( $response_code ) || ! in_array( $response_code, array( 200, 201 ) ) ) {
-			return false;
-		}
-
-		return true;
-	}
-
-	/**
-	 * @since 1.1.1
-	 */
-	protected function referer_with_object_id_exists_and_matches_url_path( int $object_id, string $referer ): bool
-	{
-		$post = get_post( $object_id );
-
-		if ( ! $post instanceof WP_Post ) {
-			return false;
-		}
-
-		$permalink = get_permalink( $post );
-
-		if ( ! $permalink ) {
-			return false;
-		}
-
-		if ( ! $this->hosts_match( $referer, $permalink ) ) {
-			return false;
-		}
-
-		$referer_path   = wp_parse_url( $referer, PHP_URL_PATH );
-		$permalink_path = wp_parse_url( $permalink, PHP_URL_PATH );
-
-		return str_replace( '/', '', $referer_path ) === str_replace( '/', '', $permalink_path );
-	}
-
-	/**
-	 * @since 1.1.1
-	 */
-	protected function hosts_match( mixed $url_one, mixed $url_two ): bool
-	{
-		$host_one = wp_parse_url( $url_one, PHP_URL_HOST );
-		$host_two = wp_parse_url( $url_two, PHP_URL_HOST );
-
-		if ( ! is_string( $host_one ) || ! is_string( $host_two ) ) {
-			return false;
-		}
-
-		return $host_one === $host_two;
-	}
-
 	/**
 	 * @since 1.1.1
 	 */
diff --git a/src/Providers/RestAPIServiceProvider.php b/src/Providers/RestAPIServiceProvider.php
index 669e49a..eb2a7a2 100644
--- a/src/Providers/RestAPIServiceProvider.php
+++ b/src/Providers/RestAPIServiceProvider.php
@@ -86,6 +86,7 @@ public function register_routes()
 	 */
 	public function verify_nonce(): bool
 	{
-		return wp_verify_nonce( sanitize_text_field( wp_unslash( $_SERVER['HTTP_NONCE'] ?? '' ) ), YDPL_NONCE_REST_NAME ) || is_user_logged_in();
+		$nonce = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_WP_NONCE'] ?? '' ) );
+		return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
 	}
 }
diff --git a/src/Services/TranslationService.php b/src/Services/TranslationService.php
index 1ff30e2..3b2e442 100644
--- a/src/Services/TranslationService.php
+++ b/src/Services/TranslationService.php
@@ -27,10 +27,10 @@ public function __construct()
 	/**
 	 * @since 0.0.1
 	 */
-	public function handle_translation( int $object_id, array $text, string $target_lang ): array
+	public function handle_translation( int $object_id, array $text, string $target_lang, bool $cache = false ): array
 	{
 		if ( 0 < $object_id ) {
-			return $this->handle_translation_with_object_id( $object_id, $text, $target_lang );
+			return $this->handle_translation_with_object_id( $object_id, $text, $target_lang, $cache );
 		}
 
 		return $this->handle_translation_without_object_id( $text, $target_lang );
@@ -39,7 +39,7 @@ public function handle_translation( int $object_id, array $text, string $target_
 	/**
 	 * @since 0.0.1
 	 */
-	public function handle_translation_with_object_id( int $object_id, array $text, string $target_lang ): array
+	public function handle_translation_with_object_id( int $object_id, array $text, string $target_lang, bool $cache = false ): array
 	{
 		$cached_translation = $this->object_has_cached_translation( $object_id, $target_lang );
 
@@ -49,7 +49,9 @@ public function handle_translation_with_object_id( int $object_id, array $text,
 
 		$translation = $this->handle_translation_without_object_id( $text, $target_lang );
 
-		$this->repository->store_translation( $object_id, $target_lang, $translation );
+		if ( $cache ) {
+			$this->repository->store_translation( $object_id, $target_lang, $translation );
+		}
 
 		return $translation;
 	}

From 2d7cb17c37e05e0faaef2af902146bcd92291645 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 21 May 2026 11:33:23 +0200
Subject: [PATCH 05/30] docs: add @since NEXT annotations to new methods

---
 package-lock.json                        | 5 ++++-
 src/Controllers/RestAPIController.php    | 4 ++--
 src/Providers/AssetsServiceProvider.php  | 2 +-
 src/Providers/MetaBoxServiceProvider.php | 4 ++--
 src/Services/TranslationService.php      | 2 +-
 src/helpers.php                          | 2 +-
 6 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 9c459ae..e03f17e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5,6 +5,7 @@
 	"requires": true,
 	"packages": {
 		"": {
+			"name": "yard-deepl",
 			"version": "1.0.0",
 			"devDependencies": {
 				"@wordpress/prettier-config": "^2.16.0",
@@ -29885,7 +29886,9 @@
 					"resolved": "https://registry.npmjs.org/ajv-formats/-/ajv-formats-2.1.1.tgz",
 					"integrity": "sha512-Wx0Kx52hxE7C18hkMEggYlEifqWZtYaRgouJor+WMdPnQyEK13vgEWyVNup7SoeeoLMsr4kf5h6dOW11I15MUA==",
 					"dev": true,
-					"requires": {}
+					"requires": {
+						"ajv": "^8.0.0"
+					}
 				},
 				"ajv-keywords": {
 					"version": "5.1.0",
diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index 3fb566d..2ca30de 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -86,7 +86,7 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 	}
 
 	/**
-	 * @since 1.1.1
+	 * @since NEXT
 	 */
 	protected function is_rate_limit_exceeded(): bool
 	{
@@ -109,7 +109,7 @@ protected function is_rate_limit_exceeded(): bool
 	}
 
 	/**
-	 * @since 1.1.1
+	 * @since NEXT
 	 */
 	protected function get_client_ip(): string
 	{
diff --git a/src/Providers/AssetsServiceProvider.php b/src/Providers/AssetsServiceProvider.php
index d0b6751..8c3e621 100644
--- a/src/Providers/AssetsServiceProvider.php
+++ b/src/Providers/AssetsServiceProvider.php
@@ -67,7 +67,7 @@ function ( $supported_language ) use ( $configured_supported_languages ) {
 	}
 
 	/**
-	 * @since 1.1.1
+	 * @since NEXT
 	 */
 	public function enqueue_admin_assets( string $hook_suffix ): void
 	{
diff --git a/src/Providers/MetaBoxServiceProvider.php b/src/Providers/MetaBoxServiceProvider.php
index 25c5eb5..8c5f4b2 100644
--- a/src/Providers/MetaBoxServiceProvider.php
+++ b/src/Providers/MetaBoxServiceProvider.php
@@ -97,7 +97,7 @@ public function handle_saved_metabox_values( int $post_id ): void
 	}
 
 	/**
-	 * @since 1.1.1
+	 * @since NEXT
 	 */
 	private function set_disable_cache_metabox_value( int $post_id ): void
 	{
@@ -106,7 +106,7 @@ private function set_disable_cache_metabox_value( int $post_id ): void
 	}
 
 	/**
-	 * @since 1.1.1
+	 * @since NEXT
 	 */
 	private function clear_translation_cache( int $post_id ): void
 	{
diff --git a/src/Services/TranslationService.php b/src/Services/TranslationService.php
index 3b2e442..9c5c840 100644
--- a/src/Services/TranslationService.php
+++ b/src/Services/TranslationService.php
@@ -67,7 +67,7 @@ public function handle_translation_without_object_id( array $text, string $targe
 	}
 
 	/**
-	 * @since 1.1.1
+	 * @since NEXT
 	 */
 	public function object_has_cached_translation( int $object_id, string $target_lang ): ?array
 	{
diff --git a/src/helpers.php b/src/helpers.php
index 2ecbabe..a92602e 100644
--- a/src/helpers.php
+++ b/src/helpers.php
@@ -68,7 +68,7 @@ function ydpl_asset_url( string $path ): string
  *
  * @package Yard_Deepl
  * @author  Yard | Digital Agency
- * @since   1.1.1
+ * @since   NEXT
  */
 function ydpl_asset_path( string $path ): string
 {

From 28390ecd9c9a6cbf9f2e2ae47f62bf75fc7ce8c1 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 21 May 2026 12:21:35 +0200
Subject: [PATCH 06/30] fix: remove dist from gitignore

---
 .gitignore            | 1 -
 dist/editor-rtl.css   | 1 +
 dist/editor.asset.php | 1 +
 dist/editor.css       | 1 +
 dist/editor.js        | 0
 5 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 dist/editor-rtl.css
 create mode 100644 dist/editor.asset.php
 create mode 100644 dist/editor.css
 create mode 100644 dist/editor.js

diff --git a/.gitignore b/.gitignore
index 9b87a28..5676717 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,6 @@
 .phpunit.result.cache
 
 # Folders
-dist
 node_modules
 tests/coverage
 vendor
diff --git a/dist/editor-rtl.css b/dist/editor-rtl.css
new file mode 100644
index 0000000..5f390b4
--- /dev/null
+++ b/dist/editor-rtl.css
@@ -0,0 +1 @@
+.ydpl-metabox-row:not(:first-child){margin-top:1rem}.ydpl-metabox-row>p{font-weight:500}
diff --git a/dist/editor.asset.php b/dist/editor.asset.php
new file mode 100644
index 0000000..8712eb1
--- /dev/null
+++ b/dist/editor.asset.php
@@ -0,0 +1 @@
+<?php return array('dependencies' => array(), 'version' => '1e80dfdc79e5d8f97eba');
diff --git a/dist/editor.css b/dist/editor.css
new file mode 100644
index 0000000..5f390b4
--- /dev/null
+++ b/dist/editor.css
@@ -0,0 +1 @@
+.ydpl-metabox-row:not(:first-child){margin-top:1rem}.ydpl-metabox-row>p{font-weight:500}
diff --git a/dist/editor.js b/dist/editor.js
new file mode 100644
index 0000000..e69de29

From effc26a9469c7af090df2b6ab1f97bd6eaea74d9 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 21 May 2026 14:08:33 +0200
Subject: [PATCH 07/30] refactor: exclude editors from rate limiting

---
 src/Controllers/RestAPIController.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index 2ca30de..c4f00d5 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -59,17 +59,17 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 			return $this->set_failure_response( 400, 'Invalid input parameters.' );
 		}
 
+		$user_has_cache_capability = current_user_can( apply_filters( 'yard::deepl/cache_capability', 'edit_posts' ) );
+
 		// Apply rate limit check if object ID is absent or translation is not cached when an object ID is present.
 		if ( empty( $object_id ) || ! $this->service->object_has_cached_translation( (int) $object_id, $target_lang ) ) {
-			if ( $this->is_rate_limit_exceeded() ) {
+			if ( $this->is_rate_limit_exceeded() && ! $user_has_cache_capability ) {
 				return $this->set_failure_response( 429, 'Rate limit exceeded.' );
 			}
 		}
 
-		$cache = current_user_can( apply_filters( 'yard::deepl/cache_capability', 'edit_posts' ) );
-
 		try {
-			$translation = $this->service->handle_translation( (int) $object_id, $text, $target_lang, $cache );
+			$translation = $this->service->handle_translation( (int) $object_id, $text, $target_lang, $user_has_cache_capability );
 
 			if ( empty( $translation ) ) {
 				throw new Exception( 'Failed to translate text.', 500 );

From 4c5b56105a67011538b4c665d9ce366d2c88e674 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 21 May 2026 14:19:31 +0200
Subject: [PATCH 08/30] chore: update translation files

---
 languages/yard-deepl-nl_NL.mo | Bin 3106 -> 3107 bytes
 languages/yard-deepl-nl_NL.po | 127 +++++++++++++++++++---------------
 languages/yard-deepl.pot      | 112 ++++++++++++++++--------------
 3 files changed, 134 insertions(+), 105 deletions(-)

diff --git a/languages/yard-deepl-nl_NL.mo b/languages/yard-deepl-nl_NL.mo
index e74c46f35e7fcdecc94897bdde8f9f60e51c5504..7ca9f5c987ac798a96cd13626757b786a0c087ba 100644
GIT binary patch
delta 903
zcmXZaKWGzS7{~D^Tr_EG3#nC88&TTD7W4uYk=CK0Ac{6_LdD@EN3?|Iyd+4c6ogWB
zP&h<E!9N|WAc6!0(WOgQr%EPW#6_2iD1{dM{_s66@8|Bh_kG^yxyy_Ea=!JYKmEWs
ziu?-vo}|o9>Dpu9IGi@yiKEzsMI68h+=C??#t`$kggfv#YTZlh#Wy&JAMrGP#{Fh3
z8)CK=9B1gqlbFL2W--7F&Y}{=&Uxgt1qKzih~0P}HUBYc{W5CZYZq^$=6%2%``a29
z2MBaf6aU~|+(vacKv0RsP>IKp;%(B!r;yXmGN_P?sChHat9YCHS)9S&E?#0%7yH{K
zE>ux~yRnL#w!qNG=U74&@Q^`1W7vnUP=&7I2zF4PW($=sM>X_d1=JfIMt!1Vcn&XM
zOPxRBLJQuZ3RuNHTt^l14b|~aRKgACU!)n^M)tHcNqVps3E3d(`3UOy7%I;=D({JI
z-oO4FQv_7VG-`t?s>2x7(H&HRr_L2rg15K}-@Evl^Al?0j`J(7aQ_`I<2|a>K0kU6
z{_lK)0MBd-^#(Fz)doY!s5hA^CZU(4ti9>o@{+rmGyb(kBdSmM{>@rkj^eOhKU#|`
ze!Uq*wYcF&)n?`ToIfAL<s;=VjH=0W)=$<mhqC8`xk@vrgvqbWmG)xxhO!m@0j|?!
A2><{9

delta 901
zcmZwFPe_w-9LMqRc;@y@-N0!zhr(zc0;A?l?GJ$>p&h(*m<4lT3@d^Sy$oTXhmsBn
z4~CukqiEu34C)egh(IXl5?+czgi5em&?)f!q2IBGXW!TF`ThC+zQ5<$YU+8a_B9z^
zHm*K?UHsNUW<z+|BXISH%_2B}F}#EwIEu%xfG2SlQ@DanSVygUg>l@*PW*tw_#M+`
zHS1-z7K{**cm><AfIgNnid9s?dFLW>+Y&*AJ;G*uikiQLTHiped+qw)qUOEFHukq&
z8r^jKL`{qkj$<5k!X8wjK~&-)q<9;1{o}}Od4dX=M9sV9tl%QgRh+;ugBmXoV(f1v
z8mg#_37o@re1P2cgzybFP=(wh$R)xFe2gl%j#=D6eWF8D-VjxBHfu$_*(B;y^<Zt3
z#swOB1NTu2)=>r2Q3bt274ivn@-L`_d(I!o;p`W(r~Sqj{EOTcBdNyQQR8V;o@_Jk
zUx`oAp+89uRmeru2G>z1yn#AV6_wzja|N~j8Mfl4>woEdgW7n<`4M06yo=Yc)^hgW
zMxQB{KHGC1qE7w?^(G=@*GB1}(>oXH3$A)WDAzdf7Q95hSeeSqWrn9q(=)|8!R_ef
eAmL|&^ZrDzA3fvWEzK57HwQC~Wxw*D$=yeCrd?hD

diff --git a/languages/yard-deepl-nl_NL.po b/languages/yard-deepl-nl_NL.po
index 09a366d..7aeb36b 100644
--- a/languages/yard-deepl-nl_NL.po
+++ b/languages/yard-deepl-nl_NL.po
@@ -1,79 +1,42 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: \n"
-"Report-Msgid-Bugs-To: \n"
+"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/yard-deepl\n"
+"POT-Creation-Date: 2026-05-21T12:17:13+00:00\n"
+"PO-Revision-Date: 2024-09-06T17:21:36+00:00\n"
 "Last-Translator: \n"
 "Language-Team: \n"
+"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-09-06T17:21:36+00:00\n"
-"PO-Revision-Date: 2024-09-06T17:21:36+00:00\n"
-"Language: \n"
 
 #. Plugin Name of the plugin
-#: src/Providers/SettingsServiceProvider.php:44
+#: yard-deepl.php:8 src/Providers/SettingsServiceProvider.php:44
 #: src/Providers/SettingsServiceProvider.php:45
-#: src/Providers/MetaboxServiceProvider.php:34
 msgid "Yard DeepL"
 msgstr "Yard DeepL"
 
 #. Description of the plugin
-msgid "This plugin registers secure API endpoints that allow you to request translations directly from DeepL without exposing your Deepl API-key"
-msgstr "Deze plugin registreert beveiligde API-eindpunten waarmee je vertalingen direct bij DeepL kunt opvragen zonder je DeepL API-sleutel bloot te stellen aan de buitenwereld"
+#: yard-deepl.php:9
+msgid ""
+"This plugin registers secure API endpoints that allow you to request "
+"translations directly from DeepL without exposing your Deepl API-key"
+msgstr ""
+"Deze plugin registreert beveiligde API-eindpunten waarmee je vertalingen "
+"direct bij DeepL kunt opvragen zonder je DeepL API-sleutel bloot te stellen "
+"aan de buitenwereld"
 
 #. Author of the plugin
-msgid "Yard | Digital"
-msgstr "Yard | Digital"
+#: yard-deepl.php:11
+msgid "Yard | Digital Agency"
+msgstr ""
 
 #. Author URI of the plugin
+#: yard-deepl.php:12
 msgid "https://www.yard.nl"
 msgstr "https://www.yard.nl"
 
-#: src/Providers/MetaboxServiceProvider.php:72
-msgid "Disable translation cache when this object contains dynamic content."
-msgstr "Schakel de vertalingscache uit wanneer dit object dynamische inhoud bevat."
-
-#: src/Providers/MetaboxServiceProvider.php:75
-msgid "Disable translation cache?"
-msgstr "Vertalingscache uitschakelen?"
-
-#: src/Providers/MetaboxServiceProvider.php:78
-msgid "Clear cached translations on save."
-msgstr "Verwijder vertaalcache bij opslaan."
-
-#: src/Providers/MetaboxServiceProvider.php:80
-msgid "Clear translation cache?"
-msgstr "Vertaalcache wissen?"
-
-#: src/Providers/SettingsServiceProvider.php:66
-msgid "Settings"
-msgstr "Instellingen"
-
-#: src/Providers/SettingsServiceProvider.php:73
-msgid "Deepl API key"
-msgstr "Deepl API-sleutel"
-
-#: src/Providers/SettingsServiceProvider.php:82
-msgid "Deepl supported languages"
-msgstr "Deepl ondersteunde talen"
-
-#: src/Providers/SettingsServiceProvider.php:98
-msgid "Parameter object_id mandatory"
-msgstr "Parameter object_id verplicht"
-
-#: src/Views/admin/settings-page.php:15
-msgid "Save"
-msgstr "Opslaan"
-
-#: src/Views/admin/partials/settings/settings-description-general.php:10
-msgid "website"
-msgstr "website"
-
-#: src/Views/admin/partials/settings/settings-description-general.php:16
-msgid "To query the Deepl API, an API key is required. You can find more information on their %s."
-msgstr "Om de Deepl API te bevragen, is een API-sleutel vereist. Meer informatie vind je op hun %s."
-
 #: config/php-di.php:25
 msgid "Arabic"
 msgstr "Arabisch"
@@ -205,3 +168,59 @@ msgstr "Chinees (vereenvoudigd)"
 #: config/php-di.php:153
 msgid "Chinese (Traditional)"
 msgstr "Chinees (traditioneel)"
+
+#: src/Providers/MetaBoxServiceProvider.php:34
+msgid "Yard Deepl"
+msgstr ""
+
+#: src/Providers/MetaBoxServiceProvider.php:71
+msgid "Disable translation cache when this object contains dynamic content."
+msgstr "Schakel de vertalingscache uit wanneer dit object dynamische inhoud bevat."
+
+#: src/Providers/MetaBoxServiceProvider.php:74
+msgid "Disable translation cache?"
+msgstr "Vertalingscache uitschakelen?"
+
+#: src/Providers/MetaBoxServiceProvider.php:77
+msgid "Clear cached translations on save."
+msgstr "Verwijder vertaalcache bij opslaan."
+
+#: src/Providers/MetaBoxServiceProvider.php:80
+msgid "Clear translation cache?"
+msgstr "Vertaalcache wissen?"
+
+#: src/Providers/SettingsServiceProvider.php:69
+msgid "Settings"
+msgstr "Instellingen"
+
+#: src/Providers/SettingsServiceProvider.php:76
+msgid "Deepl API key"
+msgstr "Deepl API-sleutel"
+
+#: src/Providers/SettingsServiceProvider.php:85
+msgid "Deepl supported languages"
+msgstr "Deepl ondersteunde talen"
+
+#: src/Providers/SettingsServiceProvider.php:101
+msgid "Parameter object_id mandatory"
+msgstr "Parameter object_id verplicht"
+
+#. Translators: %s is the URL to the Deepl API documentation page.
+#: src/Views/admin/partials/settings/settings-description-general.php:10
+msgid "website"
+msgstr "website"
+
+#. Translators: %s is the link to the Deepl API documentation website.
+#: src/Views/admin/partials/settings/settings-description-general.php:16
+#, php-format
+msgid "To query the Deepl API, an API key is required. You can find more "
+"information on their %s."
+msgstr "Om de Deepl API te bevragen, is een API-sleutel vereist. Meer informatie "
+"vind je op hun %s."
+
+#: src/Views/admin/settings-page.php:15
+msgid "Save"
+msgstr "Opslaan"
+
+#~ msgid "Yard | Digital"
+#~ msgstr "Yard | Digital"
diff --git a/languages/yard-deepl.pot b/languages/yard-deepl.pot
index 3ed8026..15dbc9e 100644
--- a/languages/yard-deepl.pot
+++ b/languages/yard-deepl.pot
@@ -1,82 +1,41 @@
-# Copyright (C) 2024 Yard | Digital
+# Copyright (C) 2026 Yard | Digital Agency
 # This file is distributed under the GPLv2 or later.
 msgid ""
 msgstr ""
-"Project-Id-Version: Yard DeepL 0.0.1\n"
+"Project-Id-Version: Yard DeepL 1.1.0\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/yard-deepl\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-09-06T17:29:33+00:00\n"
+"POT-Creation-Date: 2026-05-21T12:17:13+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
-"X-Generator: WP-CLI 2.9.0\n"
+"X-Generator: WP-CLI 2.12.0\n"
 "X-Domain: yard-deepl\n"
 
 #. Plugin Name of the plugin
+#: yard-deepl.php:8
 #: src/Providers/SettingsServiceProvider.php:44
 #: src/Providers/SettingsServiceProvider.php:45
-#: src/Providers/MetaboxServiceProvider.php:34
 msgid "Yard DeepL"
 msgstr ""
 
 #. Description of the plugin
-msgid "This plugin registers secure API endpoints that allows you to request translations directly from DeepL"
+#: yard-deepl.php:9
+msgid "This plugin registers secure API endpoints that allow you to request translations directly from DeepL without exposing your Deepl API-key"
 msgstr ""
 
 #. Author of the plugin
-msgid "Yard | Digital"
+#: yard-deepl.php:11
+msgid "Yard | Digital Agency"
 msgstr ""
 
 #. Author URI of the plugin
+#: yard-deepl.php:12
 msgid "https://www.yard.nl"
 msgstr ""
 
-#: src/Providers/MetaboxServiceProvider.php:72
-msgid "Disable translation cache when this object contains dynamic content."
-msgstr ""
-
-#: src/Providers/MetaboxServiceProvider.php:75
-msgid "Disable translation cache?"
-msgstr ""
-
-#: src/Providers/MetaboxServiceProvider.php:78
-msgid "Clear cached translations on save."
-msgstr ""
-
-#: src/Providers/MetaboxServiceProvider.php:80
-msgid "Clear translation cache?"
-msgstr ""
-
-#: src/Providers/SettingsServiceProvider.php:66
-msgid "Settings"
-msgstr ""
-
-#: src/Providers/SettingsServiceProvider.php:73
-msgid "Deepl API key"
-msgstr ""
-
-#: src/Providers/SettingsServiceProvider.php:82
-msgid "Deepl supported languages"
-msgstr ""
-
-#: src/Providers/SettingsServiceProvider.php:98
-msgid "Parameter object_id mandatory"
-msgstr ""
-
-#: src/Views/admin/settings-page.php:15
-msgid "Save"
-msgstr ""
-
-#: src/Views/admin/partials/settings/settings-description-general.php:10
-msgid "website"
-msgstr ""
-
-#: src/Views/admin/partials/settings/settings-description-general.php:16
-msgid "To query the Deepl API, an API key is required. You can find more information on their %s."
-msgstr ""
-
 #: config/php-di.php:25
 msgid "Arabic"
 msgstr ""
@@ -208,3 +167,54 @@ msgstr ""
 #: config/php-di.php:153
 msgid "Chinese (Traditional)"
 msgstr ""
+
+#: src/Providers/MetaBoxServiceProvider.php:34
+msgid "Yard Deepl"
+msgstr ""
+
+#: src/Providers/MetaBoxServiceProvider.php:71
+msgid "Disable translation cache when this object contains dynamic content."
+msgstr ""
+
+#: src/Providers/MetaBoxServiceProvider.php:74
+msgid "Disable translation cache?"
+msgstr ""
+
+#: src/Providers/MetaBoxServiceProvider.php:77
+msgid "Clear cached translations on save."
+msgstr ""
+
+#: src/Providers/MetaBoxServiceProvider.php:80
+msgid "Clear translation cache?"
+msgstr ""
+
+#: src/Providers/SettingsServiceProvider.php:69
+msgid "Settings"
+msgstr ""
+
+#: src/Providers/SettingsServiceProvider.php:76
+msgid "Deepl API key"
+msgstr ""
+
+#: src/Providers/SettingsServiceProvider.php:85
+msgid "Deepl supported languages"
+msgstr ""
+
+#: src/Providers/SettingsServiceProvider.php:101
+msgid "Parameter object_id mandatory"
+msgstr ""
+
+#. Translators: %s is the URL to the Deepl API documentation page.
+#: src/Views/admin/partials/settings/settings-description-general.php:10
+msgid "website"
+msgstr ""
+
+#. Translators: %s is the link to the Deepl API documentation website.
+#: src/Views/admin/partials/settings/settings-description-general.php:16
+#, php-format
+msgid "To query the Deepl API, an API key is required. You can find more information on their %s."
+msgstr ""
+
+#: src/Views/admin/settings-page.php:15
+msgid "Save"
+msgstr ""

From a8ef79db6eee68f93490639894c3c630cab657d5 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 07:30:16 +0200
Subject: [PATCH 09/30] refactor: more specific validations and same origin
 check

---
 src/Controllers/RestAPIController.php | 36 ++++++++++++++++++++-------
 src/Services/TranslationService.php   |  8 +++---
 2 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index c4f00d5..a805f04 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -40,36 +40,37 @@ public function __construct()
 	 */
 	public function handle_translate_request( WP_REST_Request $request ): WP_REST_Response
 	{
-		$text        = $request->get_param( 'text' );
-		$target_lang = $request->get_param( 'target_lang' );
-		$object_id   = $request->get_param( 'object_id' );
-		$origin      = $request->get_header( 'origin' );
+		$text        = (array) ( $request->get_param( 'text' ) ?? array() );
+		$target_lang = (string) ( $request->get_param( 'target_lang' ) ?? '' );
+		$object_id   = (int) ( $request->get_param( 'object_id' ) ?? 0 );
+		$origin      = (string) ( $request->get_header( 'origin' ) ?? '' );
 
-		if ( is_null( $origin ) || home_url() !== $origin ) {
+		if ( 0 < strlen( $origin ) && ! $this->is_same_origin( $origin ) ) {
 			return $this->set_failure_response( 403, 'Invalid origin. Origin does not match the site URL.' );
 		}
 
 		// Are required by Deepl.
-		if ( empty( $text ) || empty( $target_lang ) ) {
+		if ( array() === $text || 1 > strlen( $target_lang ) ) {
 			return $this->set_failure_response( 400, 'Invalid input parameters.' );
 		}
 
 		// Is required when configured as such in the plugin settings.
-		if ( $this->options->rest_api_param_object_id_is_mandatory() && empty( $object_id ) ) {
+		if ( $this->options->rest_api_param_object_id_is_mandatory() && 0 === $object_id ) {
 			return $this->set_failure_response( 400, 'Invalid input parameters.' );
 		}
 
 		$user_has_cache_capability = current_user_can( apply_filters( 'yard::deepl/cache_capability', 'edit_posts' ) );
+		$cached_translation        = ( 0 < $object_id ) ? $this->service->object_has_cached_translation( $object_id, $target_lang ) : null;
 
 		// Apply rate limit check if object ID is absent or translation is not cached when an object ID is present.
-		if ( empty( $object_id ) || ! $this->service->object_has_cached_translation( (int) $object_id, $target_lang ) ) {
+		if ( is_null( $cached_translation ) ) {
 			if ( $this->is_rate_limit_exceeded() && ! $user_has_cache_capability ) {
 				return $this->set_failure_response( 429, 'Rate limit exceeded.' );
 			}
 		}
 
 		try {
-			$translation = $this->service->handle_translation( (int) $object_id, $text, $target_lang, $user_has_cache_capability );
+			$translation = $this->service->handle_translation( $object_id, $text, $target_lang, $user_has_cache_capability, $cached_translation );
 
 			if ( empty( $translation ) ) {
 				throw new Exception( 'Failed to translate text.', 500 );
@@ -122,6 +123,23 @@ protected function get_client_ip(): string
 		return $remote_address;
 	}
 
+	/**
+	 * @since NEXT
+	 */
+	protected function is_same_origin( string $origin ): bool
+	{
+		$home   = wp_parse_url( home_url() );
+		$parsed = wp_parse_url( $origin );
+
+		if ( ! $home || ! $parsed ) {
+			return false;
+		}
+
+		return ( $home['scheme'] ?? '' ) === ( $parsed['scheme'] ?? '' )
+			&& ( $home['host'] ?? '' ) === ( $parsed['host'] ?? '' )
+			&& ( $home['port'] ?? null ) === ( $parsed['port'] ?? null );
+	}
+
 	/**
 	 * @since 0.0.1
 	 */
diff --git a/src/Services/TranslationService.php b/src/Services/TranslationService.php
index 9c5c840..f1170f3 100644
--- a/src/Services/TranslationService.php
+++ b/src/Services/TranslationService.php
@@ -27,10 +27,10 @@ public function __construct()
 	/**
 	 * @since 0.0.1
 	 */
-	public function handle_translation( int $object_id, array $text, string $target_lang, bool $cache = false ): array
+	public function handle_translation( int $object_id, array $text, string $target_lang, bool $cache = false, ?array $cached_translation = null ): array
 	{
 		if ( 0 < $object_id ) {
-			return $this->handle_translation_with_object_id( $object_id, $text, $target_lang, $cache );
+			return $this->handle_translation_with_object_id( $object_id, $text, $target_lang, $cache, $cached_translation );
 		}
 
 		return $this->handle_translation_without_object_id( $text, $target_lang );
@@ -39,9 +39,9 @@ public function handle_translation( int $object_id, array $text, string $target_
 	/**
 	 * @since 0.0.1
 	 */
-	public function handle_translation_with_object_id( int $object_id, array $text, string $target_lang, bool $cache = false ): array
+	public function handle_translation_with_object_id( int $object_id, array $text, string $target_lang, bool $cache = false, ?array $cached_translation = null ): array
 	{
-		$cached_translation = $this->object_has_cached_translation( $object_id, $target_lang );
+		$cached_translation = $cached_translation ?? $this->object_has_cached_translation( $object_id, $target_lang );
 
 		if ( $cached_translation ) {
 			return $cached_translation;

From b6267208f4619e652a55bdacf5efd8fc1d7857f9 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 08:14:40 +0200
Subject: [PATCH 10/30] refactor: rename object_has_cached_translation to
 get_cached_translation for clarity

---
 src/Controllers/RestAPIController.php | 2 +-
 src/helpers.php                       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index a805f04..0d30c28 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -60,7 +60,7 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 		}
 
 		$user_has_cache_capability = current_user_can( apply_filters( 'yard::deepl/cache_capability', 'edit_posts' ) );
-		$cached_translation        = ( 0 < $object_id ) ? $this->service->object_has_cached_translation( $object_id, $target_lang ) : null;
+		$cached_translation        = ( 0 < $object_id ) ? $this->service->get_cached_translation( $object_id, $target_lang ) : null;
 
 		// Apply rate limit check if object ID is absent or translation is not cached when an object ID is present.
 		if ( is_null( $cached_translation ) ) {
diff --git a/src/helpers.php b/src/helpers.php
index a92602e..2182edf 100644
--- a/src/helpers.php
+++ b/src/helpers.php
@@ -40,7 +40,7 @@ function ydpl_url( string $path ): string
 }
 
 /**
- * Generates a full plugin path by appending the given path to the base plugin URL.
+ * Generates a full plugin path by appending the given path to the base plugin directory path.
  *
  * @package Yard_Deepl
  * @author  Yard | Digital Agency

From 64d4607b6705736832b08c7bdb3b98220f43700c Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 08:17:02 +0200
Subject: [PATCH 11/30] deprecate: rename filter
 yard::deepl/disable_cache_metabox_post_types to
 yard::deepl/cache_metabox_post_types

---
 src/Providers/MetaBoxServiceProvider.php | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/Providers/MetaBoxServiceProvider.php b/src/Providers/MetaBoxServiceProvider.php
index 8c5f4b2..842bc85 100644
--- a/src/Providers/MetaBoxServiceProvider.php
+++ b/src/Providers/MetaBoxServiceProvider.php
@@ -33,7 +33,7 @@ public function register_meta_boxes(): void
 			'yard-deepl',
 			__( 'Yard Deepl', 'yard-deepl' ),
 			array( $this, 'render_meta_boxes' ),
-			apply_filters( 'yard::deepl/cache_metabox_post_types', array( 'page' ) ),
+			$this->get_cache_metabox_post_types(),
 			'side',
 			'high'
 		);
@@ -141,11 +141,26 @@ private function should_handle_saved_metabox_values( int $post_id ): bool
 		}
 
 		// Only allow updates for supported post types.
-		$post_types = apply_filters( 'yard::deepl/cache_metabox_post_types', array( 'page' ) );
+		$post_types = $this->get_cache_metabox_post_types();
 		if ( ! in_array( get_post_type( $post_id ), $post_types, true ) ) {
 			return false;
 		}
 
 		return true;
 	}
+
+	/**
+	 * @since NEXT
+	 */
+	private function get_cache_metabox_post_types(): array
+	{
+		$post_types = apply_filters_deprecated(
+			'yard::deepl/disable_cache_metabox_post_types',
+			array( array( 'page' ) ),
+			'NEXT',
+			'yard::deepl/cache_metabox_post_types'
+		);
+
+		return apply_filters( 'yard::deepl/cache_metabox_post_types', $post_types );
+	}
 }

From 4cd48afbbfcf334fe0d18a6de4257fa00bcbbdfb Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 08:17:45 +0200
Subject: [PATCH 12/30] refactor: validate nonce with fallback to legacy nonce

---
 src/Providers/RestAPIServiceProvider.php | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/Providers/RestAPIServiceProvider.php b/src/Providers/RestAPIServiceProvider.php
index eb2a7a2..115d7de 100644
--- a/src/Providers/RestAPIServiceProvider.php
+++ b/src/Providers/RestAPIServiceProvider.php
@@ -12,6 +12,7 @@
 use YDPL\Contracts\ServiceProviderInterface;
 use YDPL\Controllers\RestAPIController;
 use YDPL\Singletons\SiteOptionsSingleton;
+use WP_REST_Request;
 
 /**
  * @since 0.0.1
@@ -82,11 +83,18 @@ public function register_routes()
 	}
 
 	/**
+	 * Reads nonce from WP_REST_Request; falls back to legacy YDPL_NONCE_REST_NAME action.
+	 *
 	 * @since 0.0.1
 	 */
-	public function verify_nonce(): bool
+	public function verify_nonce( WP_REST_Request $request ): bool
 	{
-		$nonce = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_WP_NONCE'] ?? '' ) );
-		return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
+		$nonce = sanitize_text_field( $request->get_header( 'X-WP-Nonce' ) ?? '' );
+
+		if ( wp_verify_nonce( $nonce, 'wp_rest' ) ) {
+			return true;
+		}
+
+		return (bool) wp_verify_nonce( $nonce, YDPL_NONCE_REST_NAME );
 	}
 }

From 5b3549e2a8eebc5691442f0722fe2ecbedd3d807 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 08:19:05 +0200
Subject: [PATCH 13/30] refactor: rename object_has_cached_translation to
 get_cached_translation for clarity

---
 src/Services/TranslationService.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Services/TranslationService.php b/src/Services/TranslationService.php
index f1170f3..bc33165 100644
--- a/src/Services/TranslationService.php
+++ b/src/Services/TranslationService.php
@@ -41,7 +41,7 @@ public function handle_translation( int $object_id, array $text, string $target_
 	 */
 	public function handle_translation_with_object_id( int $object_id, array $text, string $target_lang, bool $cache = false, ?array $cached_translation = null ): array
 	{
-		$cached_translation = $cached_translation ?? $this->object_has_cached_translation( $object_id, $target_lang );
+		$cached_translation = $cached_translation ?? $this->get_cached_translation( $object_id, $target_lang );
 
 		if ( $cached_translation ) {
 			return $cached_translation;
@@ -69,7 +69,7 @@ public function handle_translation_without_object_id( array $text, string $targe
 	/**
 	 * @since NEXT
 	 */
-	public function object_has_cached_translation( int $object_id, string $target_lang ): ?array
+	public function get_cached_translation( int $object_id, string $target_lang ): ?array
 	{
 		try {
 			return $this->repository->get_cached_translation( $object_id, $target_lang );

From b07c9db8328c1df938ff94256bac64ba92c37478 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 08:23:13 +0200
Subject: [PATCH 14/30] refactor: more specific validations

---
 src/Controllers/RestAPIController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index 0d30c28..c769bb3 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -72,7 +72,7 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 		try {
 			$translation = $this->service->handle_translation( $object_id, $text, $target_lang, $user_has_cache_capability, $cached_translation );
 
-			if ( empty( $translation ) ) {
+			if ( array() === $translation ) {
 				throw new Exception( 'Failed to translate text.', 500 );
 			}
 		} catch ( Exception $e ) {
@@ -93,7 +93,7 @@ protected function is_rate_limit_exceeded(): bool
 	{
 		$client_ip = $this->get_client_ip();
 
-		if ( empty( $client_ip ) ) {
+		if ( '' === $client_ip ) {
 			return true;
 		}
 

From d4bc1099c034cd3dccec328d877ca699313b64ee Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 09:40:36 +0200
Subject: [PATCH 15/30] chore: update README files

---
 README.md  | 114 ++++++++++++++++++++++++++++++++++++++---------------
 readme.txt |  39 +++++++++++++++---
 2 files changed, 116 insertions(+), 37 deletions(-)

diff --git a/README.md b/README.md
index e0d4127..9563c0f 100644
--- a/README.md
+++ b/README.md
@@ -22,21 +22,29 @@ When providing translations to website visitors, you can configure which languag
 
 Each object that is translated will store its cached translation in the `wp_postmeta` table within the database. This caching mechanism ensures that translations are efficiently reused, reducing unnecessary API requests to DeepL and saving costs.
 
-- **Serving Cached Translations:** If a cached translation is newer than the `post_modified` date of the object, the cached version is served.
-- **Fetching New Translations:** When the `post_modified` date of the object is more recent than the cached translation, a new translation is fetched from DeepL. Once retrieved, this translation is immediately cached for future use.
+-   **Serving Cached Translations:** If a cached translation is newer than the `post_modified` date of the object, the cached version is served.
+-   **Fetching New Translations:** When the `post_modified` date of the object is more recent than the cached translation, a new translation is fetched from DeepL. Once retrieved, this translation is immediately cached for future use.
+-   **Cache Authorization:** Only logged-in users with the `edit_posts` capability (or a custom capability configured via the `yard::deepl/cache_capability` filter) are permitted to create new cache entries. Requests from users without this capability will still return a translation from DeepL, but the result will not be stored in the cache.
 
 This approach minimizes the number of API calls to DeepL, ensuring translations are kept up to date only when necessary.
 
+### Admin: Cache Metabox
+
+A metabox labeled **Yard DeepL** is displayed on the edit screen of supported post types (default: `page`). It provides two options:
+
+-   **Disable translation cache:** When checked, the cache is bypassed for this object. Useful for posts with dynamic content that should always be translated fresh.
+-   **Clear translation cache:** When checked and the post is saved, all cached translations for this object are deleted.
+
 ## External Services
 
 This plugin connects to the DeepL API to provide translations for content.
 
-- **Service:** DeepL API (<https://www.deepl.com>)
-- **Purpose:** To translate text from one language to another based on the provided target language.
-- **Data Sent:** Text content for translation, the target language code, and the DeepL API key (handled securely and never exposed to users).
-- **Conditions:** Data is sent when a request for translation is initiated.
-- **Privacy Policy:** [DeepL Privacy Policy](https://www.deepl.com/privacy)
-- **Terms of Service:** [DeepL Terms of Service](https://www.deepl.com/pro-license)
+-   **Service:** DeepL API (<https://www.deepl.com>)
+-   **Purpose:** To translate text from one language to another based on the provided target language.
+-   **Data Sent:** Text content for translation, the target language code, and the DeepL API key (handled securely and never exposed to users).
+-   **Conditions:** Data is sent when a request for translation is initiated.
+-   **Privacy Policy:** [DeepL Privacy Policy](https://www.deepl.com/privacy)
+-   **Terms of Service:** [DeepL Terms of Service](https://www.deepl.com/pro-license)
 
 ## Installation
 
@@ -62,12 +70,20 @@ If you need to work with development dependencies, follow these steps:
 
 The API endpoints registered by this plugin are secured using a WordPress nonce. The nonce is passed to the front-end using the `wp_localize_script` function and is stored in a global JavaScript object `ydpl` which contains the following properties:
 
-- `ydpl_translate_post_id`: The ID of the post to be translated.
-- `ydpl_rest_translate_url`: The URL of the API endpoint for translation requests.
-- `ydpl_supported_languages`: The list of languages supported for translation.
-- `ydpl_api_request_nonce`: The nonce used for API validation.
+-   `ydpl_translate_post_id`: The ID of the post to be translated.
+-   `ydpl_rest_translate_url`: The URL of the API endpoint for translation requests.
+-   `ydpl_supported_languages`: The list of languages supported for translation.
+-   `ydpl_api_request_nonce`: The nonce used for API validation.
+
+When making requests to the API, ensure that the nonce is included in the request headers. The header should be named `X-WP-Nonce`, and it should contain a nonce created with the `wp_rest` action (available via `ydpl.ydpl_api_request_nonce` on the front-end).
+
+#### Rate Limiting
 
-When making requests to the API, ensure that the nonce is included in the request headers. The header should be named `nonce`, and it should contain the value of `ydpl_api_request_nonce`.
+To prevent abuse, unauthenticated requests (or requests from users without the cache capability) are limited to **3 requests per 60 seconds** per IP address. Authenticated users with the required cache capability (default: `edit_posts`) are exempt from this rate limit.
+
+#### Cache Capability
+
+Only users with the `edit_posts` capability can trigger cache creation. This can be customized using the `yard::deepl/cache_capability` filter (see [Filters](#filters)).
 
 #### Example
 
@@ -75,41 +91,77 @@ When making requests to the API, ensure that the nonce is included in the reques
 
 ```javascript
 var xhr = new XMLHttpRequest();
-xhr.open('POST', ydpl.ydpl_rest_translate_url, true);
+xhr.open( 'POST', ydpl.ydpl_rest_translate_url, true );
 
 // Set request headers
-xhr.setRequestHeader('Content-Type', 'application/json');
-xhr.setRequestHeader('nonce', ydpl.ydpl_api_request_nonce);
+xhr.setRequestHeader( 'Content-Type', 'application/json' );
+xhr.setRequestHeader( 'X-WP-Nonce', ydpl.ydpl_api_request_nonce );
 
 // Handle response
 xhr.onreadystatechange = function () {
-    if (xhr.readyState === 4 && xhr.status === 200) {
-        console.log('Translation:', JSON.parse(xhr.responseText));
-    } else if (xhr.readyState === 4) {
-        console.error('Error:', xhr.statusText);
-    }
+	if ( xhr.readyState === 4 && xhr.status === 200 ) {
+		console.log( 'Translation:', JSON.parse( xhr.responseText ) );
+	} else if ( xhr.readyState === 4 ) {
+		console.error( 'Error:', xhr.statusText );
+	}
 };
 
 // Prepare and send the request body
-var data = JSON.stringify({
-    text: ["Look another test"],
-    target_lang: "DE"
-});
+var data = JSON.stringify( {
+	text: [ 'Look another test' ],
+	target_lang: 'DE',
+} );
 
-xhr.send(data);
+xhr.send( data );
 ```
 
 ##### Response
 
 ```javascript
 [
-    {
-        "text": "Look another test!",
-        "translation": "Sehen Sie sich einen weiteren Test an!"
-    }
-]
+	{
+		text: 'Look another test!',
+		translation: 'Sehen Sie sich einen weiteren Test an!',
+	},
+];
 ```
 
+## Filters
+
+| Filter                                             | Default        | Description                                                                                                                               |
+| -------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
+| `yard::deepl/cache_capability`                     | `'edit_posts'` | The WordPress capability required to create cache entries. Users without this capability receive translations but results are not cached. |
+| `yard::deepl/cache_metabox_post_types`             | `['page']`     | Post types on which the Yard DeepL cache metabox is displayed.                                                                            |
+| ~~`yard::deepl/disable_cache_metabox_post_types`~~ | —              | **Deprecated.** Use `yard::deepl/cache_metabox_post_types` instead.                                                                       |
+
+## Changelog
+
+### NEXT (unreleased)
+
+-   Add: same-origin check for REST API requests
+-   Add: rate limiting for unauthenticated / low-privilege requests (3 req / 60 s per IP)
+-   Add: cache creation restricted to users with `edit_posts` capability (configurable via filter)
+-   Add: `yard::deepl/cache_capability` filter
+-   Change: deprecated `yard::deepl/disable_cache_metabox_post_types` in favour of `yard::deepl/cache_metabox_post_types`
+-   Change: nonce validation now also accepts the standard `wp_rest` nonce action as a fallback
+
+### 1.1.0 (Jan 31, 2025)
+
+-   Add: disable DeepL translation cache metabox
+-   Change: use init hook in plugin bootstrap construct, fixes translations for WordPress 6.7
+
+### 1.0.2 (Jan 08, 2025)
+
+-   Change: update all occurrences of 'deepl' to 'DeepL' for consistency
+
+### 1.0.1 (Jan 07, 2025)
+
+-   Change: processed corrections
+
+### 1.0.0 (Oct 18, 2024)
+
+-   Init: first release!
+
 ## About us
 
 [![banner](https://raw.githubusercontent.com/yardinternet/.github/refs/heads/main/profile/assets/small-banner-github.svg)](https://www.yard.nl/werken-bij/)
diff --git a/readme.txt b/readme.txt
index 8b53d2a..5c910ba 100644
--- a/readme.txt
+++ b/readme.txt
@@ -22,9 +22,17 @@ Each object that is translated will store its cached translation in the `wp_post
 
 * Serving Cached Translations: If a cached translation is newer than the `post_modified` date of the object, the cached version is served.
 * Fetching New Translations: When the `post_modified` date of the object is more recent than the cached translation, a new translation is fetched from DeepL. Once retrieved, this translation is immediately cached for future use.
+* Cache Authorization: Only logged-in users with the `edit_posts` capability (or a custom capability configured via the `yard::deepl/cache_capability` filter) are permitted to create new cache entries. Requests from users without this capability will still return a translation from DeepL, but the result will not be stored in the cache.
 
 This approach minimizes the number of API calls to DeepL, ensuring translations are kept up to date only when necessary.
 
+= Admin: Cache Metabox =
+
+A metabox labeled Yard DeepL is displayed on the edit screen of supported post types (default: page). It provides two options:
+
+* Disable translation cache: When checked, the cache is bypassed for this object. Useful for posts with dynamic content that should always be translated fresh.
+* Clear translation cache: When checked and the post is saved, all cached translations for this object are deleted.
+
 == External Services ==
 
 This plugin connects to the DeepL API to provide translations for content.
@@ -43,7 +51,7 @@ This plugin connects to the DeepL API to provide translations for content.
 
 == Usage ==
 
-## Security
+= Security =
 
 The API endpoints registered by this plugin are secured using a WordPress nonce. The nonce is passed to the front-end using the `wp_localize_script` function and is stored in a global JavaScript object `ydpl` which contains the following properties:
 
@@ -52,18 +60,22 @@ The API endpoints registered by this plugin are secured using a WordPress nonce.
 * `ydpl_supported_languages`: The list of languages supported for translation.
 * `ydpl_api_request_nonce`: The nonce used for API validation.
 
-When making requests to the API, ensure that the nonce is included in the request headers. The header should be named `nonce`, and it should contain the value of `ydpl_api_request_nonce`.
+When making requests to the API, ensure that the nonce is included in the request headers. The header should be named `X-WP-Nonce`, and it should contain a nonce created with the `wp_rest` action (available via `ydpl.ydpl_api_request_nonce` on the front-end).
+
+Rate limiting: Unauthenticated requests (or requests from users without the cache capability) are limited to 3 requests per 60 seconds per IP address. Authenticated users with the required cache capability (default: edit_posts) are exempt from this rate limit.
+
+Cache capability: Only users with the `edit_posts` capability can trigger cache creation. This can be customized using the `yard::deepl/cache_capability` filter.
 
-## Example
+= Example =
 
-### Request
+Request:
 
     var xhr = new XMLHttpRequest();
     xhr.open('POST', ydpl.ydpl_rest_translate_url, true);
 
     // Set request headers
     xhr.setRequestHeader('Content-Type', 'application/json');
-    xhr.setRequestHeader('nonce', ydpl.ydpl_api_request_nonce);
+    xhr.setRequestHeader('X-WP-Nonce', ydpl.ydpl_api_request_nonce);
 
     // Handle response
     xhr.onreadystatechange = function () {
@@ -82,7 +94,7 @@ When making requests to the API, ensure that the nonce is included in the reques
 
     xhr.send(data);
 
-### Response
+Response:
 
     [
         {
@@ -91,8 +103,23 @@ When making requests to the API, ensure that the nonce is included in the reques
         }
     ]
 
+== Filters ==
+
+* `yard::deepl/cache_capability` (default: `edit_posts`) — The WordPress capability required to create cache entries. Users without this capability receive translations but results are not cached.
+* `yard::deepl/cache_metabox_post_types` (default: `['page']`) — Post types on which the Yard DeepL cache metabox is displayed.
+* `yard::deepl/disable_cache_metabox_post_types` — Deprecated. Use `yard::deepl/cache_metabox_post_types` instead.
+
 == Changelog ==
 
+= NEXT: unreleased =
+
+* Add: same-origin check for REST API requests
+* Add: rate limiting for unauthenticated / low-privilege requests (3 req / 60 s per IP)
+* Add: cache creation restricted to users with `edit_posts` capability (configurable via filter)
+* Add: `yard::deepl/cache_capability` filter
+* Change: deprecated `yard::deepl/disable_cache_metabox_post_types` in favour of `yard::deepl/cache_metabox_post_types`
+* Change: nonce validation now also accepts the standard `wp_rest` nonce action as a fallback
+
 = 1.1.0: Jan 31, 2025 =
 
 * Add: disable DeepL translation cache metabox

From 68c4177e7076536c9501f2e958a78f4ac04966c7 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 10:26:39 +0200
Subject: [PATCH 16/30] refactor: duplicated cached translation lookup

---
 src/Controllers/RestAPIController.php | 4 ++--
 src/Services/TranslationService.php   | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index c769bb3..9a067a0 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -60,10 +60,10 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 		}
 
 		$user_has_cache_capability = current_user_can( apply_filters( 'yard::deepl/cache_capability', 'edit_posts' ) );
-		$cached_translation        = ( 0 < $object_id ) ? $this->service->get_cached_translation( $object_id, $target_lang ) : null;
+		$cached_translation        = ( 0 < $object_id ) ? ( $this->service->get_cached_translation( $object_id, $target_lang ) ?? array() ) : null;
 
 		// Apply rate limit check if object ID is absent or translation is not cached when an object ID is present.
-		if ( is_null( $cached_translation ) ) {
+		if ( ! $cached_translation ) {
 			if ( $this->is_rate_limit_exceeded() && ! $user_has_cache_capability ) {
 				return $this->set_failure_response( 429, 'Rate limit exceeded.' );
 			}
diff --git a/src/Services/TranslationService.php b/src/Services/TranslationService.php
index bc33165..dd06f1b 100644
--- a/src/Services/TranslationService.php
+++ b/src/Services/TranslationService.php
@@ -41,7 +41,9 @@ public function handle_translation( int $object_id, array $text, string $target_
 	 */
 	public function handle_translation_with_object_id( int $object_id, array $text, string $target_lang, bool $cache = false, ?array $cached_translation = null ): array
 	{
-		$cached_translation = $cached_translation ?? $this->get_cached_translation( $object_id, $target_lang );
+		if ( null === $cached_translation ) {
+			$cached_translation = $this->get_cached_translation( $object_id, $target_lang );
+		}
 
 		if ( $cached_translation ) {
 			return $cached_translation;

From 83907afd47c4a179103f29502c011667c563a692 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 10:31:34 +0200
Subject: [PATCH 17/30] refactor: include port in same origin validations

---
 src/Controllers/RestAPIController.php | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index 9a067a0..5a6ee83 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -135,9 +135,24 @@ protected function is_same_origin( string $origin ): bool
 			return false;
 		}
 
-		return ( $home['scheme'] ?? '' ) === ( $parsed['scheme'] ?? '' )
+		$home_scheme   = $home['scheme'] ?? '';
+		$parsed_scheme = $parsed['scheme'] ?? '';
+
+		return $home_scheme === $parsed_scheme
 			&& ( $home['host'] ?? '' ) === ( $parsed['host'] ?? '' )
-			&& ( $home['port'] ?? null ) === ( $parsed['port'] ?? null );
+			&& $this->normalize_port( $home['port'] ?? null, $home_scheme ) === $this->normalize_port( $parsed['port'] ?? null, $parsed_scheme );
+	}
+
+	/**
+	 * @since NEXT
+	 */
+	protected function normalize_port( ?int $port, string $scheme ): int
+	{
+		if ( null !== $port ) {
+			return $port;
+		}
+
+		return 'https' === $scheme ? 443 : 80;
 	}
 
 	/**

From 01dead294c97101b2df9610bd29b992b8456a5ec Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 13:07:44 +0200
Subject: [PATCH 18/30] chore: update translation files

---
 languages/yard-deepl-nl_NL.mo            | Bin 3107 -> 2884 bytes
 languages/yard-deepl-nl_NL.po            |  32 +++++++----------------
 languages/yard-deepl.pot                 |   7 ++---
 src/Providers/MetaBoxServiceProvider.php |   2 +-
 4 files changed, 13 insertions(+), 28 deletions(-)

diff --git a/languages/yard-deepl-nl_NL.mo b/languages/yard-deepl-nl_NL.mo
index 7ca9f5c987ac798a96cd13626757b786a0c087ba..96f1fa1855a82689c9adf07d599ea5606f05359b 100644
GIT binary patch
delta 905
zcmZwFPe>GD7{~E9cGdA;(rUIvD`KWnjLpub$*8B@Q%Xwg2Cg6uvWbUQu&qM`bLrBd
zKd^`gFOdg@4hmi>5DL5~ow@`ay%e7GB6#!r%lFu_%;$aIdEV!Jo|#!o?zX>giwwW(
zF<sBC#T4^;?8Y|i$IF<-E}X(7zQh__M(tb0X8ed(aSL;}kJqpzeja}d6U@E1iOeMi
zSr!~DU>(k&5<a#*K^;^<74`xf@D(cl9cupyYTpODzK)99M4j^$Q}_cFcNnMtb_T~R
zs6&TSl&AxhxEHx)?%4IasEwnjLUO3M2i8aUn)wVC@vmLavPtn{sDcXEin9>|C8*%=
z1s*A?fX^(-?|23GQH37h4Ln7?niN4w=p$#DQT+ErQLm_g_pyxX{0l1n7pj2hfWbuu
zCrD0HLz(Kh8I>?$O(M0K4kXmv#768#{wCm}`#IG8F;t#BD(@8P+XzvGEF$?M^M-*s
ztfD&lgi7$ux`#^e6Pxh2UH@Y}LLGc+ReKxE>u?&kP>nQEtvXLwQ`oAEeGGKKNaJ=-
zd?!|Iak{D_PH}E>BJXCGN?~PTvFzr;N-5~{J%7;k23$X#Py0doUXae*_PoIJ8YU;)
jho$EWPyZ7;nD>T)j2~nMZ0vYgo_`k3lW%+3c^f+eKiXI;

delta 1111
zcmYMzPe{{Y9LMpm&23ix$(&QS_0L)9bosN%s?|ZLOHr;v5Evd7h#=BI@ZjmUQ<M-1
zJ1BI>@Q^_WGAP742;sF;vRfDNQWqigqR{)Z9_iuteO}L=J-_eo`SbgIi!Qa#Mf}@l
zmIzQ$x@*ls*n`K>!wBZE74z7MW7v)_Fo^F^_r1pkT)__ff_HEWV;E<!#%HNc<E^0i
z)=VQ$M;#V0j1#DYQ_dOWvLclx_8d>(9BTX<)cs4S`#!q<GHTp9>N%Tu1}ms>dqLkU
zO5>0YtuR8b5~WayGsxuart2R<F1t&mi9AG&8*x6xm;9c<5&Yx&^9<7X$EXPvumvZ5
z8eCSSYOG;PQ4^S_l8aPr_yIN14NPJMbu<U4gw14U4VFNyv=enigLn@gpjN(s8vhA3
z0e^!=BaI)ZiEN`*{2P^U*SU`@#txBZS}j>lVgu4;9jO14sQ*)_JQ-Bp>!^2Q2sM#m
zB)@NyG_=Ag)QV<N3En!FQ3+PD9@kv|rt>@M!4>CET;}%<KEc<_QVaQoblI-+09$yz
zg~_T1#E}!IZm;_w`1QYBps5w8bP?Tz-eMJx(B!qH%5{v;uJ#d^h;xLFLkm#R*KvhN
z@ce3tQ)?HrHCnxjX04a<GSN$@oc%|&PEqTu)2>gSm`XpP9Z_i_&J#U^R)31nap_%R
z11zR9(l>onE*>?k91DC6l#1cj=wRBrk@m8W2Cn6<4&*Y~UeC*UUTG_oth--$Ha=Y#
PA1m#JM$4bWuL6Go2>exW

diff --git a/languages/yard-deepl-nl_NL.po b/languages/yard-deepl-nl_NL.po
index 7aeb36b..656267f 100644
--- a/languages/yard-deepl-nl_NL.po
+++ b/languages/yard-deepl-nl_NL.po
@@ -2,30 +2,27 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/yard-deepl\n"
-"POT-Creation-Date: 2026-05-21T12:17:13+00:00\n"
-"PO-Revision-Date: 2024-09-06T17:21:36+00:00\n"
 "Last-Translator: \n"
 "Language-Team: \n"
-"Language: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"POT-Creation-Date: 2026-05-21T12:17:13+00:00\n"
+"PO-Revision-Date: 2026-05-26T08:32:35+00:00\n"
+"Language: \n"
 
 #. Plugin Name of the plugin
-#: yard-deepl.php:8 src/Providers/SettingsServiceProvider.php:44
+#: yard-deepl.php:8
+#: src/Providers/MetaBoxServiceProvider.php:34
+#: src/Providers/SettingsServiceProvider.php:44
 #: src/Providers/SettingsServiceProvider.php:45
 msgid "Yard DeepL"
 msgstr "Yard DeepL"
 
 #. Description of the plugin
 #: yard-deepl.php:9
-msgid ""
-"This plugin registers secure API endpoints that allow you to request "
-"translations directly from DeepL without exposing your Deepl API-key"
-msgstr ""
-"Deze plugin registreert beveiligde API-eindpunten waarmee je vertalingen "
-"direct bij DeepL kunt opvragen zonder je DeepL API-sleutel bloot te stellen "
-"aan de buitenwereld"
+msgid "This plugin registers secure API endpoints that allow you to request translations directly from DeepL without exposing your Deepl API-key"
+msgstr "Deze plugin registreert beveiligde API-eindpunten waarmee je vertalingen direct bij DeepL kunt opvragen zonder je DeepL API-sleutel bloot te stellen aan de buitenwereld"
 
 #. Author of the plugin
 #: yard-deepl.php:11
@@ -169,10 +166,6 @@ msgstr "Chinees (vereenvoudigd)"
 msgid "Chinese (Traditional)"
 msgstr "Chinees (traditioneel)"
 
-#: src/Providers/MetaBoxServiceProvider.php:34
-msgid "Yard Deepl"
-msgstr ""
-
 #: src/Providers/MetaBoxServiceProvider.php:71
 msgid "Disable translation cache when this object contains dynamic content."
 msgstr "Schakel de vertalingscache uit wanneer dit object dynamische inhoud bevat."
@@ -213,14 +206,9 @@ msgstr "website"
 #. Translators: %s is the link to the Deepl API documentation website.
 #: src/Views/admin/partials/settings/settings-description-general.php:16
 #, php-format
-msgid "To query the Deepl API, an API key is required. You can find more "
-"information on their %s."
-msgstr "Om de Deepl API te bevragen, is een API-sleutel vereist. Meer informatie "
-"vind je op hun %s."
+msgid "To query the Deepl API, an API key is required. You can find more information on their %s."
+msgstr "Om de Deepl API te bevragen, is een API-sleutel vereist. Meer informatie vind je op hun %s."
 
 #: src/Views/admin/settings-page.php:15
 msgid "Save"
 msgstr "Opslaan"
-
-#~ msgid "Yard | Digital"
-#~ msgstr "Yard | Digital"
diff --git a/languages/yard-deepl.pot b/languages/yard-deepl.pot
index 15dbc9e..1a3dd34 100644
--- a/languages/yard-deepl.pot
+++ b/languages/yard-deepl.pot
@@ -9,13 +9,14 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2026-05-21T12:17:13+00:00\n"
+"POT-Creation-Date: 2026-05-26T08:32:32+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.12.0\n"
 "X-Domain: yard-deepl\n"
 
 #. Plugin Name of the plugin
 #: yard-deepl.php:8
+#: src/Providers/MetaBoxServiceProvider.php:34
 #: src/Providers/SettingsServiceProvider.php:44
 #: src/Providers/SettingsServiceProvider.php:45
 msgid "Yard DeepL"
@@ -168,10 +169,6 @@ msgstr ""
 msgid "Chinese (Traditional)"
 msgstr ""
 
-#: src/Providers/MetaBoxServiceProvider.php:34
-msgid "Yard Deepl"
-msgstr ""
-
 #: src/Providers/MetaBoxServiceProvider.php:71
 msgid "Disable translation cache when this object contains dynamic content."
 msgstr ""
diff --git a/src/Providers/MetaBoxServiceProvider.php b/src/Providers/MetaBoxServiceProvider.php
index 842bc85..aec7f0f 100644
--- a/src/Providers/MetaBoxServiceProvider.php
+++ b/src/Providers/MetaBoxServiceProvider.php
@@ -31,7 +31,7 @@ public function register_meta_boxes(): void
 	{
 		add_meta_box(
 			'yard-deepl',
-			__( 'Yard Deepl', 'yard-deepl' ),
+			__( 'Yard DeepL', 'yard-deepl' ),
 			array( $this, 'render_meta_boxes' ),
 			$this->get_cache_metabox_post_types(),
 			'side',

From bbe4238d72748d085d2fab5a6d7aaa522706e81a Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Tue, 26 May 2026 13:44:04 +0200
Subject: [PATCH 19/30] refactor: move controller validation logic to
 register_rest_route validate_callback

---
 src/Controllers/RestAPIController.php    | 10 ----------
 src/Providers/RestAPIServiceProvider.php | 10 +++++++++-
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index 5a6ee83..4b56c1f 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -49,16 +49,6 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 			return $this->set_failure_response( 403, 'Invalid origin. Origin does not match the site URL.' );
 		}
 
-		// Are required by Deepl.
-		if ( array() === $text || 1 > strlen( $target_lang ) ) {
-			return $this->set_failure_response( 400, 'Invalid input parameters.' );
-		}
-
-		// Is required when configured as such in the plugin settings.
-		if ( $this->options->rest_api_param_object_id_is_mandatory() && 0 === $object_id ) {
-			return $this->set_failure_response( 400, 'Invalid input parameters.' );
-		}
-
 		$user_has_cache_capability = current_user_can( apply_filters( 'yard::deepl/cache_capability', 'edit_posts' ) );
 		$cached_translation        = ( 0 < $object_id ) ? ( $this->service->get_cached_translation( $object_id, $target_lang ) ?? array() ) : null;
 
diff --git a/src/Providers/RestAPIServiceProvider.php b/src/Providers/RestAPIServiceProvider.php
index 115d7de..072de7f 100644
--- a/src/Providers/RestAPIServiceProvider.php
+++ b/src/Providers/RestAPIServiceProvider.php
@@ -54,6 +54,7 @@ public function register_routes()
 						'type'              => 'array',
 						'default'           => array(),
 						'required'          => true,
+						'minItems'          => 1,
 						'sanitize_callback' => function ( $value, $request, $param ) {
 							return array_map( 'sanitize_text_field', $value );
 						},
@@ -61,6 +62,7 @@ public function register_routes()
 					'target_lang' => array(
 						'description'       => 'The target language in which the provided text should be translated to.',
 						'type'              => 'string',
+						'minLength'         => 2,
 						'default'           => 'NL',
 						'required'          => true,
 						'sanitize_callback' => function ( $value, $request, $param ) {
@@ -71,7 +73,13 @@ public function register_routes()
 						'description'       => 'The ID of the object to translate.',
 						'required'          => $this->options->rest_api_param_object_id_is_mandatory(),
 						'validate_callback' => function ( $value, $request, $param ) {
-							return is_numeric( $value );
+							if ( ! is_numeric( $value ) ) {
+								return false;
+							}
+
+							$value = intval( $value );
+
+							return $value >= 0;
 						},
 						'sanitize_callback' => function ( $value, $request, $param ) {
 							return intval( $value );

From 44554df2b06af1dccf561ed63072a9654525e4d0 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Wed, 27 May 2026 16:29:58 +0200
Subject: [PATCH 20/30] refactor: verify existence of connected post for valid
 object IDs

---
 src/Controllers/RestAPIController.php | 12 +++++++++++-
 src/Services/TranslationService.php   |  8 +++-----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/Controllers/RestAPIController.php b/src/Controllers/RestAPIController.php
index 4b56c1f..2b913b5 100644
--- a/src/Controllers/RestAPIController.php
+++ b/src/Controllers/RestAPIController.php
@@ -12,6 +12,7 @@
 use Exception;
 use WP_REST_Request;
 use WP_REST_Response;
+use YDPL\Exceptions\ObjectNotFoundException;
 use YDPL\Services\TranslationService;
 use YDPL\Singletons\SiteOptionsSingleton;
 use YDPL\Traits\ErrorLog;
@@ -50,7 +51,16 @@ public function handle_translate_request( WP_REST_Request $request ): WP_REST_Re
 		}
 
 		$user_has_cache_capability = current_user_can( apply_filters( 'yard::deepl/cache_capability', 'edit_posts' ) );
-		$cached_translation        = ( 0 < $object_id ) ? ( $this->service->get_cached_translation( $object_id, $target_lang ) ?? array() ) : null;
+
+		if ( 0 < $object_id ) {
+			try {
+				$cached_translation = $this->service->get_cached_translation( $object_id, $target_lang ) ?? array();
+			} catch ( ObjectNotFoundException $e ) {
+				return $this->set_failure_response( 404, 'Object not found.' );
+			}
+		} else {
+			$cached_translation = null;
+		}
 
 		// Apply rate limit check if object ID is absent or translation is not cached when an object ID is present.
 		if ( ! $cached_translation ) {
diff --git a/src/Services/TranslationService.php b/src/Services/TranslationService.php
index dd06f1b..0a7052b 100644
--- a/src/Services/TranslationService.php
+++ b/src/Services/TranslationService.php
@@ -70,13 +70,11 @@ public function handle_translation_without_object_id( array $text, string $targe
 
 	/**
 	 * @since NEXT
+	 *
+	 * @throws ObjectNotFoundException
 	 */
 	public function get_cached_translation( int $object_id, string $target_lang ): ?array
 	{
-		try {
-			return $this->repository->get_cached_translation( $object_id, $target_lang );
-		} catch ( ObjectNotFoundException $e ) {
-			return null;
-		}
+		return $this->repository->get_cached_translation( $object_id, $target_lang );
 	}
 }

From cb53eeeb8e28bab0f0a6a4c670882e08c8bc8824 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Wed, 27 May 2026 16:30:50 +0200
Subject: [PATCH 21/30] refactor: delete cached translations

---
 src/Providers/MetaBoxServiceProvider.php   |  9 ++------
 src/Repositories/TranslationRepository.php | 24 ++++++++++++++++++++++
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/src/Providers/MetaBoxServiceProvider.php b/src/Providers/MetaBoxServiceProvider.php
index aec7f0f..1850798 100644
--- a/src/Providers/MetaBoxServiceProvider.php
+++ b/src/Providers/MetaBoxServiceProvider.php
@@ -12,6 +12,7 @@
 }
 
 use YDPL\Contracts\ServiceProviderInterface;
+use YDPL\Repositories\TranslationRepository;
 
 /**
  * @since 1.1.0
@@ -116,13 +117,7 @@ private function clear_translation_cache( int $post_id ): void
 			return;
 		}
 
-		$meta_keys = get_post_meta( $post_id );
-
-		foreach ( $meta_keys as $key => $value ) {
-			if ( strpos( $key, '_translation_' ) === 0 ) {
-				delete_post_meta( $post_id, $key );
-			}
-		}
+		( new TranslationRepository() )->delete_cached_translations( $post_id );
 	}
 
 	/**
diff --git a/src/Repositories/TranslationRepository.php b/src/Repositories/TranslationRepository.php
index 7e1d3a8..20e7f05 100644
--- a/src/Repositories/TranslationRepository.php
+++ b/src/Repositories/TranslationRepository.php
@@ -55,6 +55,30 @@ protected function translated_object_exists( string $object_id ): bool
 		return $object instanceof WP_Post;
 	}
 
+	/**
+	 * Deletes all cached translations and their modified timestamps for every language.
+	 *
+	 * Removes both the cached translation data (_translation_<lang>) and the
+	 * staleness timestamp (_translation_modified_<lang>) written by store_translation().
+	 * Returns silently when the object does not exist.
+	 *
+	 * @since NEXT
+	 */
+	public function delete_cached_translations( int $object_id ): void
+	{
+		if ( ! $this->translated_object_exists( $object_id ) ) {
+			return;
+		}
+
+		$meta_keys = array_keys( get_post_meta( $object_id ) );
+
+		foreach ( $meta_keys as $key ) {
+			if ( 0 === strpos( $key, '_translation_' ) || 0 === strpos( $key, '_translation_modified_' ) ) {
+				delete_post_meta( $object_id, $key );
+			}
+		}
+	}
+
 	/**
 	 * @since 0.0.1
 	 *

From 3d5c5e21fec43f6b85cc2755fadc026f16700334 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Wed, 27 May 2026 16:33:02 +0200
Subject: [PATCH 22/30] refactor: remove redundant esc_attr() wrapper around
 checked()

---
 src/Providers/MetaBoxServiceProvider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Providers/MetaBoxServiceProvider.php b/src/Providers/MetaBoxServiceProvider.php
index 1850798..2e7fc53 100644
--- a/src/Providers/MetaBoxServiceProvider.php
+++ b/src/Providers/MetaBoxServiceProvider.php
@@ -71,7 +71,7 @@ private function translation_cache_metaboxes( WP_Post $post ): string
 		$html .= '<div class="ydpl-metabox-row">';
 		$html .= sprintf( '<p>%s</p>', esc_html__( 'Disable translation cache when this object contains dynamic content.', 'yard-deepl' ) );
 		$html .= '<label for="ydpl_disable_deepl_translation_cache">';
-		$html .= sprintf( '<input type="checkbox" name="ydpl_disable_deepl_translation_cache" id="ydpl_disable_deepl_translation_cache" value="1"%s />', esc_attr( checked( $cache_is_disabled, 1, false ) ) );
+		$html .= sprintf( '<input type="checkbox" name="ydpl_disable_deepl_translation_cache" id="ydpl_disable_deepl_translation_cache" value="1"%s />', checked( $cache_is_disabled, 1, false ) );
 		$html .= sprintf( ' %s</label></div>', esc_html__( 'Disable translation cache?', 'yard-deepl' ) );
 
 		$html .= '<div class="ydpl-metabox-row">';

From 78c551b93ff902f2cc569254f481bd12aed424e0 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Wed, 27 May 2026 16:48:35 +0200
Subject: [PATCH 23/30] chore: update translation files

---
 languages/yard-deepl-nl_NL.mo | Bin 2884 -> 3167 bytes
 languages/yard-deepl-nl_NL.po |  14 +++++++-------
 languages/yard-deepl.pot      |  12 ++++++------
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/languages/yard-deepl-nl_NL.mo b/languages/yard-deepl-nl_NL.mo
index 96f1fa1855a82689c9adf07d599ea5606f05359b..c54f677bb25be9da6340fda7e63f981b36402aec 100644
GIT binary patch
delta 1168
zcmZ|OJ4};N7{>8eTUselX%z}+r4$t9CJjckgSQgG#eso@6cZ}}Y%s<I#6d#R1Sd8F
z(J(rwF(EOU#<(bpmqjC+E(SJnaK(kB@&D9AoIL4!e&6L>-g8dB_tl#<xs9;*fl(5~
zVdC)~vlO;@s3>Q=W<ETNrFa1k;s91*2IF`KYj6ci@Fl9>YplREti{jRgFmp&EN88>
zR)=1yFkZ$GW^f-)qaWu`11>lhk)PeCQeqD=fR9k^S5f`*sD5wU^LMCrpD@Jy_LYk$
z4}PK=`lzb00=2>>)Idqpz$qko8+6Zyke{Wgl*lzyyBp3KT;zTZN72hmz0XjUGQVZH
zP)5_J3Fq+uE+IdAN)_Z-o}&_ZOC>*2MQ|OJ@D?^=0d+)iveCHR$lB}@YG?aUM>UGM
z0WNNHp&eL5b@+}-U<-q|gGwa8ORYSN8ZhFFB8#&|WNvH0GVDUS+IjcB-@P9~jgt<r
z{~Guz5A-Lwj!I+}HNg^Ug)68Py+BRy!TAN%{~MO$rhER&xs6J!;4C4lXWW<L6?|33
z{%fKTy=h|+XB>4D?Wmndp(YwZPNKNY?gQcOUuob{3pq(N5yuJrsa5oaX%QMvW9=n^
zI{!A}7*S8?T$rO+^tp5p`Ycrr5!wyykaj^u$t%%jqLolN@|R-WLaj4zchC6bilviU
zJ9AEV`-vEFg3vBh5;`~isdSDyD}Cd;<>>B(<?B4Xo~rcN%tUNH)-#oznjO0tyO^E4
hHGX$F<NLk5;I9pI4<}9~yG|z)o%tvJd;f18{R23?UGM+^

delta 904
zcmZwFPe_w-9LMorY_`p5v1PWxiI`#(kNx&6S3K%zqk}?;Y=Q~m4huY_pu<B5JJh8^
z1c`L0Lv$(Xpx`Av8FWcHc@aDmcu_j(LBX5vkN&_*W6xf{=lAFP=Xv%w^|QJ5CmCKe
zd@NTB*M|$bV;nm7BEvNIG3>x5?8d8@$95dW6wYHEE~3u8$42~w*KrvOxPdo}shP{+
zvjev=$%4fM<}r#TjNmvb;8W)_RH7=Xu;*BhFH!s7pw7QTo%`tKKcn_7VS@Z-jX|1;
z->8lMuo(|f9Y)EbK&`02UC5HT>*nvF&h?`TDWLW}a*p6D?#J;7?z#CqhhpS6gA7zr
z39sM;DnJ!`c^&hp0=_dTf8aITKoz=!H}M$tYSL^{JRiwr`tkIMqFzx62XG2&>U@=f
z4s4+c*uhJ9gv2y;w55(4Q2~?A6jGaMMYftwjAJ+QH32_bFQC>3QE`f>xT7(izy2I$
zCRE5YD#2@1hYP5VzM%rFJAa`9Y+?g$yZK$`J}U9CQ{8>xK7wPojLOpxZ#(NeN!iSq
zH0lZ5LM7;nujIlHLkn*sheJg#KT|1JC#R>pLb+NA+I;KhJlo^>nPSEdGWUZ__KvlI
gwe>@fz2VB-<m`X;=8E<~koALX&&t>63q@`@0kAJs`2YX_

diff --git a/languages/yard-deepl-nl_NL.po b/languages/yard-deepl-nl_NL.po
index 656267f..34c1d93 100644
--- a/languages/yard-deepl-nl_NL.po
+++ b/languages/yard-deepl-nl_NL.po
@@ -8,12 +8,12 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "POT-Creation-Date: 2026-05-21T12:17:13+00:00\n"
-"PO-Revision-Date: 2026-05-26T08:32:35+00:00\n"
+"PO-Revision-Date: 2026-05-27T14:36:10+00:00\n"
 "Language: \n"
 
 #. Plugin Name of the plugin
 #: yard-deepl.php:8
-#: src/Providers/MetaBoxServiceProvider.php:34
+#: src/Providers/MetaBoxServiceProvider.php:35
 #: src/Providers/SettingsServiceProvider.php:44
 #: src/Providers/SettingsServiceProvider.php:45
 msgid "Yard DeepL"
@@ -27,7 +27,7 @@ msgstr "Deze plugin registreert beveiligde API-eindpunten waarmee je vertalingen
 #. Author of the plugin
 #: yard-deepl.php:11
 msgid "Yard | Digital Agency"
-msgstr ""
+msgstr "Yard | Digital Agency"
 
 #. Author URI of the plugin
 #: yard-deepl.php:12
@@ -166,19 +166,19 @@ msgstr "Chinees (vereenvoudigd)"
 msgid "Chinese (Traditional)"
 msgstr "Chinees (traditioneel)"
 
-#: src/Providers/MetaBoxServiceProvider.php:71
+#: src/Providers/MetaBoxServiceProvider.php:72
 msgid "Disable translation cache when this object contains dynamic content."
 msgstr "Schakel de vertalingscache uit wanneer dit object dynamische inhoud bevat."
 
-#: src/Providers/MetaBoxServiceProvider.php:74
+#: src/Providers/MetaBoxServiceProvider.php:75
 msgid "Disable translation cache?"
 msgstr "Vertalingscache uitschakelen?"
 
-#: src/Providers/MetaBoxServiceProvider.php:77
+#: src/Providers/MetaBoxServiceProvider.php:78
 msgid "Clear cached translations on save."
 msgstr "Verwijder vertaalcache bij opslaan."
 
-#: src/Providers/MetaBoxServiceProvider.php:80
+#: src/Providers/MetaBoxServiceProvider.php:81
 msgid "Clear translation cache?"
 msgstr "Vertaalcache wissen?"
 
diff --git a/languages/yard-deepl.pot b/languages/yard-deepl.pot
index 1a3dd34..b7a623a 100644
--- a/languages/yard-deepl.pot
+++ b/languages/yard-deepl.pot
@@ -9,14 +9,14 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2026-05-26T08:32:32+00:00\n"
+"POT-Creation-Date: 2026-05-27T14:36:10+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.12.0\n"
 "X-Domain: yard-deepl\n"
 
 #. Plugin Name of the plugin
 #: yard-deepl.php:8
-#: src/Providers/MetaBoxServiceProvider.php:34
+#: src/Providers/MetaBoxServiceProvider.php:35
 #: src/Providers/SettingsServiceProvider.php:44
 #: src/Providers/SettingsServiceProvider.php:45
 msgid "Yard DeepL"
@@ -169,19 +169,19 @@ msgstr ""
 msgid "Chinese (Traditional)"
 msgstr ""
 
-#: src/Providers/MetaBoxServiceProvider.php:71
+#: src/Providers/MetaBoxServiceProvider.php:72
 msgid "Disable translation cache when this object contains dynamic content."
 msgstr ""
 
-#: src/Providers/MetaBoxServiceProvider.php:74
+#: src/Providers/MetaBoxServiceProvider.php:75
 msgid "Disable translation cache?"
 msgstr ""
 
-#: src/Providers/MetaBoxServiceProvider.php:77
+#: src/Providers/MetaBoxServiceProvider.php:78
 msgid "Clear cached translations on save."
 msgstr ""
 
-#: src/Providers/MetaBoxServiceProvider.php:80
+#: src/Providers/MetaBoxServiceProvider.php:81
 msgid "Clear translation cache?"
 msgstr ""
 

From 8bf0feab20b2d85a4f949da428a79d114a68ef53 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Wed, 27 May 2026 17:06:30 +0200
Subject: [PATCH 24/30] feat: add cached translations admin columns to
 configured post types

---
 assets/css/admin-columns.css                  |  21 ++++
 dist/admin-columns.asset.php                  |   1 +
 dist/admin-columns.css                        |   1 +
 dist/admin-columns.js                         |   0
 dist/editor-rtl.css                           |   1 -
 dist/editor.asset.php                         |   2 +-
 languages/yard-deepl-nl_NL.mo                 | Bin 3167 -> 3362 bytes
 languages/yard-deepl-nl_NL.po                 |  12 ++
 languages/yard-deepl.pot                      |  12 ++
 src/Bootstrap.php                             |   2 +
 src/Providers/AdminColumnsServiceProvider.php | 116 ++++++++++++++++++
 src/Providers/MetaBoxServiceProvider.php      |  18 +--
 src/Repositories/TranslationRepository.php    |  31 +++++
 src/Traits/CachePostTypesTrait.php            |  36 ++++++
 webpack.config.js                             |   1 +
 15 files changed, 237 insertions(+), 17 deletions(-)
 create mode 100644 assets/css/admin-columns.css
 create mode 100644 dist/admin-columns.asset.php
 create mode 100644 dist/admin-columns.css
 create mode 100644 dist/admin-columns.js
 delete mode 100644 dist/editor-rtl.css
 create mode 100644 src/Providers/AdminColumnsServiceProvider.php
 create mode 100644 src/Traits/CachePostTypesTrait.php

diff --git a/assets/css/admin-columns.css b/assets/css/admin-columns.css
new file mode 100644
index 0000000..47e82c8
--- /dev/null
+++ b/assets/css/admin-columns.css
@@ -0,0 +1,21 @@
+.ydpl-cache-badges {
+	display: flex;
+	flex-wrap: wrap;
+	gap: 3px;
+}
+
+.ydpl-cache-badge {
+	display: inline-block;
+	background: #00a32a;
+	color: #fff;
+	font-size: 10px;
+	line-height: 1;
+	padding: 3px 6px;
+	border-radius: 3px;
+	font-weight: 600;
+	letter-spacing: 0.03em;
+}
+
+.ydpl-cache-status--none {
+	color: #8c8f94;
+}
diff --git a/dist/admin-columns.asset.php b/dist/admin-columns.asset.php
new file mode 100644
index 0000000..7fec830
--- /dev/null
+++ b/dist/admin-columns.asset.php
@@ -0,0 +1 @@
+<?php return array('dependencies' => array(), 'version' => '627ab9de44a2edc68940');
diff --git a/dist/admin-columns.css b/dist/admin-columns.css
new file mode 100644
index 0000000..b3b7b1a
--- /dev/null
+++ b/dist/admin-columns.css
@@ -0,0 +1 @@
+.ydpl-cache-badges{display:flex;flex-wrap:wrap;gap:3px}.ydpl-cache-badge{background:#00a32a;border-radius:3px;color:#fff;display:inline-block;font-size:10px;font-weight:600;letter-spacing:.03em;line-height:1;padding:3px 6px}.ydpl-cache-status--none{color:#8c8f94}
diff --git a/dist/admin-columns.js b/dist/admin-columns.js
new file mode 100644
index 0000000..e69de29
diff --git a/dist/editor-rtl.css b/dist/editor-rtl.css
deleted file mode 100644
index 5f390b4..0000000
--- a/dist/editor-rtl.css
+++ /dev/null
@@ -1 +0,0 @@
-.ydpl-metabox-row:not(:first-child){margin-top:1rem}.ydpl-metabox-row>p{font-weight:500}
diff --git a/dist/editor.asset.php b/dist/editor.asset.php
index 8712eb1..c31ee19 100644
--- a/dist/editor.asset.php
+++ b/dist/editor.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '1e80dfdc79e5d8f97eba');
+<?php return array('dependencies' => array(), 'version' => '045a517d31b6755cceb1');
diff --git a/languages/yard-deepl-nl_NL.mo b/languages/yard-deepl-nl_NL.mo
index c54f677bb25be9da6340fda7e63f981b36402aec..0aff44b081d777a3ec73f90734f75b1895b96650 100644
GIT binary patch
delta 1318
zcmYM!T}V@59LMozx~a`&OUrC&owBq{vlk)gqHc;s7ur=pZ*bU-Qygco%_tJqMMP#@
z4WX+f>!RqYW)Kz>c2RcG3sjUr+C@}!(;IYC(f2ox^k@I)bI#fG{+w;PZZwj6SM47*
zL<d<<-t`$1#Y3eO#4*1yWq2It;YnPCXK^u(;3~X@b@&<s_zl(W7tY7OxD-Qtxf7c(
zVoc8TaiIpMDXQ@tF2oV6z#CYO<ERcNJSUNlc}Ag$y}}^Qpz41?wf})?_uG43%8lw(
zVlCsFS}vCGpba(fE^NU4$j9_k)ZzeY#d%c6*H8o9L>6bpz32Ckk9kC)i9JQtd*k^Y
z2f6=@2N>UE_*MfyK~<cgP{U8CnSMtN{0D2WhS9k+%~-{8wWB7qoklW>TF_q9#Cxz2
zbEu=cjOzC`=GYbUfD27v5_N`eaS#4P?ZgghtHEIkO`r#>Z~!%tA=D1!QT<);yofB)
zTtQ9jI#%Ks(zUrCWdBv+u~*?as-r1X$J5A5Vm_i?o)TK?WvWL_tOYgTZq$l9Q7i05
z4S2%y6so`T7{X!i`Di8kUz`~aG?6jSJ9w4*2|S2>v{J)|6dLdaGAA?T`2lrAUr{?$
z#w;~p1UaE%v`{vA*J2IXsPiu&wH*p|zMf><V(2(Flj>9}UQX($HjxVbV%CxRwQA*a
zvD&-PPg7x$t>ju#v5ee6YJAhCg4jZ8o5N%~sWa{%SC9&=P^(gCx3uLt9)<op6l_3o
zXY}GNAUBdavXx{rsn8K?*NMVb|0Q3m6|-YKPTb0-Z8wv&v%M)dV>(k-(smR5cEZV6
zv6S20o9ItF@xsf%kT3kd;%wW(k@AYtZBfT@t%Nh%n`0ey(pfv%>n0r66u;tbw!&O*
fPCCvwsdOek9cU<=2@d)~`_#xz7W>GDLtXy>|F@C6

delta 1122
zcmYMzO>B%o7{Kva-R^34TXubHRTtgXS3i8jfw~YCp+tI<R$@ueAdzelNh8_Btv6{y
zdK3{PO@wU3g<gaU;UZi_<Dw3(PLjs|zeY^nXMXS3%seymzW3Va+p1sl$=iXlljtDs
zCqfv+z6L7Fo@59q9Ka^rk1KHqS78}Tcn#Zd1{?7y+U_~F;2f^OcX$xLV|xhI(97F4
zI7F4lW0=D-F2xF_aRTk|W^@uc!YwKjyMxVm7kz&gZC^v%y@>Z;q3^xL9OH*ioD{k7
z1AQ??wHjN{8Fr%`?L|8tM3N6j<Naae2qRP`avFW_VssoQxt_pLO!Cm@WvV8|4`ZB|
zQ3W0F2Cl#<<OmO_TG^JzXd*AE^bJ)3KcEROU>7c;TT~(&``wMqEgV2s_At6tqgWl{
z<O(OQz#Q7(3!1<Jw&HIzk!Bt`^E}#NAzDNx7rKzKLl0(f7t%EBi_ee5=fh|}Bh9S8
z9iQTcAIW(%k*nwcQ|Jt5&>1~J2Y4NQkGB7eS)7mee@1_yi7iGO$?6f;Sv-l)GOWJ?
z<!H@2p%5*hThWiM#2`A*31lbg%N&0YuKt%!PMyehqMO)4_)%N@!<>Zu+1C=H)&1`y
zHWBLy_k}U)#ouKc;csbKOSl@YkgH%Zc@y1C^b(eJf2r3!)b4qIyvHwBFFUARnE|hs
z5gUlDgsZTeaNqo>+(-AyfBawB=t-@Te3(d&Uq3f?;mqaf&P=g(DRnkc`<6~M)H*V=
KiRq8o<9`5d9#KaC

diff --git a/languages/yard-deepl-nl_NL.po b/languages/yard-deepl-nl_NL.po
index 34c1d93..cd26301 100644
--- a/languages/yard-deepl-nl_NL.po
+++ b/languages/yard-deepl-nl_NL.po
@@ -209,6 +209,18 @@ msgstr "website"
 msgid "To query the Deepl API, an API key is required. You can find more information on their %s."
 msgstr "Om de Deepl API te bevragen, is een API-sleutel vereist. Meer informatie vind je op hun %s."
 
+#: src/Providers/AdminColumnsServiceProvider.php:53
+msgid "Translation cache"
+msgstr "Vertaalcache"
+
+#: src/Providers/AdminColumnsServiceProvider.php:70
+msgid "No languages configured"
+msgstr "Geen talen geconfigureerd"
+
+#: src/Providers/AdminColumnsServiceProvider.php:77
+msgid "No cached translations"
+msgstr "Geen gecachede vertalingen"
+
 #: src/Views/admin/settings-page.php:15
 msgid "Save"
 msgstr "Opslaan"
diff --git a/languages/yard-deepl.pot b/languages/yard-deepl.pot
index b7a623a..19c25bc 100644
--- a/languages/yard-deepl.pot
+++ b/languages/yard-deepl.pot
@@ -212,6 +212,18 @@ msgstr ""
 msgid "To query the Deepl API, an API key is required. You can find more information on their %s."
 msgstr ""
 
+#: src/Providers/AdminColumnsServiceProvider.php:53
+msgid "Translation cache"
+msgstr ""
+
+#: src/Providers/AdminColumnsServiceProvider.php:70
+msgid "No languages configured"
+msgstr ""
+
+#: src/Providers/AdminColumnsServiceProvider.php:77
+msgid "No cached translations"
+msgstr ""
+
 #: src/Views/admin/settings-page.php:15
 msgid "Save"
 msgstr ""
diff --git a/src/Bootstrap.php b/src/Bootstrap.php
index 20abea2..1c0cfaf 100644
--- a/src/Bootstrap.php
+++ b/src/Bootstrap.php
@@ -9,6 +9,7 @@
 	exit;
 }
 
+use YDPL\Providers\AdminColumnsServiceProvider;
 use YDPL\Providers\AssetsServiceProvider;
 use YDPL\Providers\MetaBoxServiceProvider;
 use YDPL\Providers\RestAPIServiceProvider;
@@ -71,6 +72,7 @@ protected function get_providers(): array
 			new SettingsServiceProvider(),
 			new RestAPIServiceProvider(),
 			new MetaBoxServiceProvider(),
+			new AdminColumnsServiceProvider(),
 		);
 	}
 
diff --git a/src/Providers/AdminColumnsServiceProvider.php b/src/Providers/AdminColumnsServiceProvider.php
new file mode 100644
index 0000000..72e1f89
--- /dev/null
+++ b/src/Providers/AdminColumnsServiceProvider.php
@@ -0,0 +1,116 @@
+<?php
+
+namespace YDPL\Providers;
+
+/**
+ * Exit when accessed directly.
+ */
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+use YDPL\Contracts\ServiceProviderInterface;
+use YDPL\Repositories\TranslationRepository;
+use YDPL\Traits\CachePostTypesTrait;
+
+/**
+ * Registers a "Translation cache" column on the list screen of every post type
+ * that has DeepL cache support enabled. Each row shows which of the configured
+ * target languages already have a valid, non-stale cached translation so editors
+ * can spot at a glance which posts will trigger a live DeepL API call.
+ *
+ * @since NEXT
+ */
+class AdminColumnsServiceProvider implements ServiceProviderInterface
+{
+	use CachePostTypesTrait;
+
+	protected TranslationRepository $repository;
+
+	public function __construct()
+	{
+		$this->repository = new TranslationRepository();
+	}
+
+	/**
+	 * @since NEXT
+	 */
+	public function register(): void
+	{
+		foreach ( $this->get_cache_metabox_post_types() as $post_type ) {
+			add_filter( "manage_{$post_type}_posts_columns", array( $this, 'add_column' ) );
+			add_action( "manage_{$post_type}_posts_custom_column", array( $this, 'render_column' ), 10, 2 );
+		}
+
+		add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_styles' ) );
+	}
+
+	/**
+	 * @since NEXT
+	 */
+	public function add_column( array $columns ): array
+	{
+		$columns['ydpl_translation_cache'] = __( 'Translation cache', 'yard-deepl' );
+
+		return $columns;
+	}
+
+	/**
+	 * @since NEXT
+	 */
+	public function render_column( string $column, int $post_id ): void
+	{
+		if ( 'ydpl_translation_cache' !== $column ) {
+			return;
+		}
+
+		$configured_languages = ydpl_resolve_from_container( 'ydpl.site_options' )->configured_supported_languages();
+
+		if ( array() === $configured_languages ) {
+			echo '<span class="ydpl-cache-status ydpl-cache-status--none" aria-label="' . esc_attr__( 'No languages configured', 'yard-deepl' ) . '">—</span>';
+
+			return;
+		}
+
+		$cached_languages = $this->repository->get_cached_languages( $post_id, $configured_languages );
+
+		if ( array() === $cached_languages ) {
+			echo '<span class="ydpl-cache-status ydpl-cache-status--none" aria-label="' . esc_attr__( 'No cached translations', 'yard-deepl' ) . '">—</span>';
+
+			return;
+		}
+
+		echo '<div class="ydpl-cache-badges">';
+		foreach ( $cached_languages as $lang ) {
+			printf(
+				'<span class="ydpl-cache-badge">%s</span>',
+				esc_html( $lang )
+			);
+		}
+		echo '</div>';
+	}
+
+	/**
+	 * @since NEXT
+	 */
+	public function enqueue_styles( string $hook_suffix ): void
+	{
+		if ( 'edit.php' !== $hook_suffix ) {
+			return;
+		}
+
+		$screen = get_current_screen();
+
+		if ( ! $screen || ! in_array( $screen->post_type, $this->get_cache_metabox_post_types(), true ) ) {
+			return;
+		}
+
+		$path         = ydpl_asset_path( 'admin-columns.asset.php' );
+		$script_asset = file_exists( $path ) ? require $path : array(
+			'dependencies' => array(),
+			'version'      => round( microtime( true ) ),
+		);
+
+		wp_enqueue_style( 'ydpl-admin-columns', ydpl_asset_url( 'admin-columns.css' ), $script_asset['dependencies'] ?? array(), $script_asset['version'] );
+	}
+}
diff --git a/src/Providers/MetaBoxServiceProvider.php b/src/Providers/MetaBoxServiceProvider.php
index 2e7fc53..68e5312 100644
--- a/src/Providers/MetaBoxServiceProvider.php
+++ b/src/Providers/MetaBoxServiceProvider.php
@@ -13,12 +13,15 @@
 
 use YDPL\Contracts\ServiceProviderInterface;
 use YDPL\Repositories\TranslationRepository;
+use YDPL\Traits\CachePostTypesTrait;
 
 /**
  * @since 1.1.0
  */
 class MetaBoxServiceProvider implements ServiceProviderInterface
 {
+	use CachePostTypesTrait;
+
 	public function register(): void
 	{
 		add_action( 'add_meta_boxes', array( $this, 'register_meta_boxes' ), 999 );
@@ -143,19 +146,4 @@ private function should_handle_saved_metabox_values( int $post_id ): bool
 
 		return true;
 	}
-
-	/**
-	 * @since NEXT
-	 */
-	private function get_cache_metabox_post_types(): array
-	{
-		$post_types = apply_filters_deprecated(
-			'yard::deepl/disable_cache_metabox_post_types',
-			array( array( 'page' ) ),
-			'NEXT',
-			'yard::deepl/cache_metabox_post_types'
-		);
-
-		return apply_filters( 'yard::deepl/cache_metabox_post_types', $post_types );
-	}
 }
diff --git a/src/Repositories/TranslationRepository.php b/src/Repositories/TranslationRepository.php
index 20e7f05..3466a9c 100644
--- a/src/Repositories/TranslationRepository.php
+++ b/src/Repositories/TranslationRepository.php
@@ -45,6 +45,37 @@ public function get_cached_translation( int $object_id, string $target_lang ): ?
 		return $cached_translation;
 	}
 
+	/**
+	 * Returns the language codes from $language_codes that have a valid, non-stale cache entry.
+	 *
+	 * Fetches all post meta in one call for efficiency. A language is considered
+	 * cached when its translation data exists and its modified timestamp is at
+	 * least as recent as the post's own post_modified date.
+	 *
+	 * @since NEXT
+	 */
+	public function get_cached_languages( int $object_id, array $language_codes ): array
+	{
+		if ( ! $this->translated_object_exists( $object_id ) ) {
+			return array();
+		}
+
+		$post_modified = get_post_field( 'post_modified', $object_id );
+		$all_meta      = get_post_meta( $object_id );
+		$cached        = array();
+
+		foreach ( $language_codes as $lang ) {
+			$translation_value    = $all_meta[ "_translation_$lang" ][0] ?? null;
+			$translation_modified = $all_meta[ "_translation_modified_$lang" ][0] ?? null;
+
+			if ( $translation_value && $translation_modified && strtotime( $translation_modified ) >= strtotime( $post_modified ) ) {
+				$cached[] = $lang;
+			}
+		}
+
+		return $cached;
+	}
+
 	/**
 	 * @since 0.0.1
 	 */
diff --git a/src/Traits/CachePostTypesTrait.php b/src/Traits/CachePostTypesTrait.php
new file mode 100644
index 0000000..a1197d0
--- /dev/null
+++ b/src/Traits/CachePostTypesTrait.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace YDPL\Traits;
+
+/**
+ * Exit when accessed directly.
+ */
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+/**
+ * Provides the list of post types that have DeepL cache support enabled.
+ *
+ * Shared between MetaBoxServiceProvider and AdminColumnsServiceProvider so
+ * both always operate on the same set of post types.
+ *
+ * @since NEXT
+ */
+trait CachePostTypesTrait
+{
+	/**
+	 * @since NEXT
+	 */
+	protected function get_cache_metabox_post_types(): array
+	{
+		$post_types = apply_filters_deprecated(
+			'yard::deepl/disable_cache_metabox_post_types',
+			array( array( 'page' ) ),
+			'NEXT',
+			'yard::deepl/cache_metabox_post_types'
+		);
+
+		return apply_filters( 'yard::deepl/cache_metabox_post_types', $post_types );
+	}
+}
diff --git a/webpack.config.js b/webpack.config.js
index 19ef71a..d3d6ddc 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -5,6 +5,7 @@ const defaultConfig = require( '@wordpress/scripts/config/webpack.config' ); //
 module.exports = {
 	...defaultConfig,
 	entry: {
+		'admin-columns': [ './assets/css/admin-columns.css' ],
 		editor: [ './assets/css/editor.css' ],
 		main: [ './assets/js/translation.js' ],
 	},

From 7de91932a7d80b624193c70808b6bcef00f5e619 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 28 May 2026 13:58:51 +0200
Subject: [PATCH 25/30] feat: add translation cache status column with
 per-language uncached call tracking

---
 assets/css/admin-columns.css                  |  22 +++++++-
 dist/admin-columns.asset.php                  |   2 +-
 dist/admin-columns.css                        |   2 +-
 languages/yard-deepl-nl_NL.mo                 | Bin 3362 -> 3463 bytes
 languages/yard-deepl-nl_NL.po                 |   9 ++-
 languages/yard-deepl.pot                      |   9 ++-
 src/Providers/AdminColumnsServiceProvider.php |  44 +++++++++++----
 src/Repositories/TranslationRepository.php    |  53 +++++++++++++++---
 src/Services/TranslationService.php           |   4 ++
 9 files changed, 119 insertions(+), 26 deletions(-)

diff --git a/assets/css/admin-columns.css b/assets/css/admin-columns.css
index 47e82c8..c8949b2 100644
--- a/assets/css/admin-columns.css
+++ b/assets/css/admin-columns.css
@@ -5,9 +5,9 @@
 }
 
 .ydpl-cache-badge {
-	display: inline-block;
-	background: #00a32a;
-	color: #fff;
+	display: inline-flex;
+	align-items: center;
+	gap: 4px;
 	font-size: 10px;
 	line-height: 1;
 	padding: 3px 6px;
@@ -16,6 +16,22 @@
 	letter-spacing: 0.03em;
 }
 
+.ydpl-cache-badge--cached {
+	background: #00a32a;
+	color: #fff;
+}
+
+.ydpl-cache-badge--uncached {
+	background: #f0f0f1;
+	color: #3c434a;
+}
+
+.ydpl-badge-count {
+	font-weight: 400;
+	font-size: 9px;
+	opacity: 0.7;
+}
+
 .ydpl-cache-status--none {
 	color: #8c8f94;
 }
diff --git a/dist/admin-columns.asset.php b/dist/admin-columns.asset.php
index 7fec830..f74de63 100644
--- a/dist/admin-columns.asset.php
+++ b/dist/admin-columns.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '627ab9de44a2edc68940');
+<?php return array('dependencies' => array(), 'version' => '1d877b8f32d5c2ebba6e');
diff --git a/dist/admin-columns.css b/dist/admin-columns.css
index b3b7b1a..18ae8fd 100644
--- a/dist/admin-columns.css
+++ b/dist/admin-columns.css
@@ -1 +1 @@
-.ydpl-cache-badges{display:flex;flex-wrap:wrap;gap:3px}.ydpl-cache-badge{background:#00a32a;border-radius:3px;color:#fff;display:inline-block;font-size:10px;font-weight:600;letter-spacing:.03em;line-height:1;padding:3px 6px}.ydpl-cache-status--none{color:#8c8f94}
+.ydpl-cache-badges{display:flex;flex-wrap:wrap;gap:3px}.ydpl-cache-badge{align-items:center;border-radius:3px;display:inline-flex;font-size:10px;font-weight:600;gap:4px;letter-spacing:.03em;line-height:1;padding:3px 6px}.ydpl-cache-badge--cached{background:#00a32a;color:#fff}.ydpl-cache-badge--uncached{background:#f0f0f1;color:#3c434a}.ydpl-badge-count{font-size:9px;font-weight:400;opacity:.7}.ydpl-cache-status--none{color:#8c8f94}
diff --git a/languages/yard-deepl-nl_NL.mo b/languages/yard-deepl-nl_NL.mo
index 0aff44b081d777a3ec73f90734f75b1895b96650..633fbe36ec8fb0497ec25914fe3dd633600bcc75 100644
GIT binary patch
delta 1269
zcmZA1Pe_zO7{~EPcT3kbGgq^9)!xcgQ)}H!p+jv4DHN|Av`g#mQqZ!N5r~%;Pi2=*
zT{~oi2cyH%p+f{BUP1`Z5d{i$5JC{568ipL$3qVD%xB)$dFTK7qUBM-|I!eCW~4!)
zl~}1TyN<;W1?h3v>@?2fVO+upma!4vV-v2U+I`0p7(HZ0whjt?*Mmnejd9H2u$gb;
zR9blP9Le^Mq5(hPF<i%L+`uZ_LUp*~{EK7@@lq3uU=7Al?b}h`cOuzR?)?zfFuq-(
za-2VmU^CuA4LpNw_yozeNTGIbP%B<Vb^IAM&?d5Y+j8%>k!*h`G_gt=sa>tJ5$74-
zTB%InE7ZUh^h(uYs1FmU6(vyv_hSsNq1sJg9mh6_X`b)%5mj4oE}<6o7PWviJcAqP
z>kO;uT?4dHXe+x>6FHAM%d0qw<ER~ZiDX-*&_vd-4!@x$^b@rczfk?{Iz!RD9f_bO
zSRZBosau?a$ym}gNVx_>sE#tIj)zfqWejzRZlf;M9BN`uQ3Jk4t+<R@;78PeU!6Zt
z{cT6t|5_@)-5;uW2xf*lySUTCMV`CxCVoP)^)b2zyo4;$GR{%dQQbi8&|TDkK5|k)
z>ZR<``R}JrDjkG=dFo6_lc*##n37gKKxkF%#7RQGmOesBgY^*FHBDeYC8=B>bnZ&0
zh;xL0R!=1T_ESNPb9Y`uZMW`1KXH^8Bs@Y%mr1*&q}A!JB=kViaVW9i;D~h`^@J{{
z?u!0bben02y)D%F2Pv8N9+q<1+?_(+%Vmp2JNV*3c_zFXPV+jOElp1q?s>CQrF>zU
T)_kPq?tP*3-(Sj?Bb%XrC4*~C

delta 1168
zcmXxkOGuPa6u|MLGg&%jr8U`TPfN=(d$_JmVYG;LL62<+E+Z%srbQIJRwA@Y&=!TO
z(jYV_3@lspfCw`v1EZo%FKAQY|3BOgbMEh(&+p!Q?!Di5p<$p<d{>+83!;N;B=46+
zbmGwr4RI<PQGuti63^mNyoAfJAJ^estj8&whu_hDzi}b{!xdP~ANOE079xt#&4nG#
z)70V>T!Q_$0B_@b97P8lPfjAActK-fudxbe(C5FR{ePnU{-paEzW7`Y^UNQ4E|znn
z4V`!|uEaygCr;Aju?JmoFFNoobfP=R;$k%2e}H`A35|t4N1uC>{D2qv{sj*+f1Kd2
zPW%jgaE8W?pV3NxpcDVaI;>-ME~5o&IIecIpj~v*PIN&B(Zaj135)2_4Wi@T!y>y9
zkGQaaN%Rcg;(q*v?!<1Mw!<+R3+Tcc>_H2;jP5`$I^MP9b!3ro11)R_b2x$w9S^J6
ze;;_79(aikG>s1Y9(hUP6Z-O$)7zJ+5iP70op2wz;sfXkkE0WwNuEQ;yNcD=m+lYb
z*#A;x+^~?5<QU%M`#2uKZhG1AF^v<xLTZZX<VW;~zM(r*L6uHeKu)L>t+dVQS~ieP
zo_{&%b{G!6nPlElcpN)O2X)1(NRMheY50rTMEYxW<^N-Sy6~rItRc6M8%d*q+)6rs
zwAm0lNw;}1*-m=K9pq}#aD}eQaJSrYkH_$ThrtGvcE%TP5xI@@$kviAq~Q^}>qJ=$
N4`nB^!-JKxnK|!oTJZn?

diff --git a/languages/yard-deepl-nl_NL.po b/languages/yard-deepl-nl_NL.po
index cd26301..047fa8d 100644
--- a/languages/yard-deepl-nl_NL.po
+++ b/languages/yard-deepl-nl_NL.po
@@ -217,10 +217,17 @@ msgstr "Vertaalcache"
 msgid "No languages configured"
 msgstr "Geen talen geconfigureerd"
 
-#: src/Providers/AdminColumnsServiceProvider.php:77
+#: src/Providers/AdminColumnsServiceProvider.php:105
 msgid "No cached translations"
 msgstr "Geen gecachede vertalingen"
 
+#. Translators: %d is the number of uncached DeepL API calls made for this post and language.
+#: src/Providers/AdminColumnsServiceProvider.php:94
+msgid "%d uncached call"
+msgid_plural "%d uncached calls"
+msgstr[0] "%d aanroep zonder cache"
+msgstr[1] "%d aanroepen zonder cache"
+
 #: src/Views/admin/settings-page.php:15
 msgid "Save"
 msgstr "Opslaan"
diff --git a/languages/yard-deepl.pot b/languages/yard-deepl.pot
index 19c25bc..ff8ff77 100644
--- a/languages/yard-deepl.pot
+++ b/languages/yard-deepl.pot
@@ -220,10 +220,17 @@ msgstr ""
 msgid "No languages configured"
 msgstr ""
 
-#: src/Providers/AdminColumnsServiceProvider.php:77
+#: src/Providers/AdminColumnsServiceProvider.php:105
 msgid "No cached translations"
 msgstr ""
 
+#. Translators: %d is the number of uncached DeepL API calls made for this post and language.
+#: src/Providers/AdminColumnsServiceProvider.php:94
+msgid "%d uncached call"
+msgid_plural "%d uncached calls"
+msgstr[0] ""
+msgstr[1] ""
+
 #: src/Views/admin/settings-page.php:15
 msgid "Save"
 msgstr ""
diff --git a/src/Providers/AdminColumnsServiceProvider.php b/src/Providers/AdminColumnsServiceProvider.php
index 72e1f89..5348a8b 100644
--- a/src/Providers/AdminColumnsServiceProvider.php
+++ b/src/Providers/AdminColumnsServiceProvider.php
@@ -67,27 +67,47 @@ public function render_column( string $column, int $post_id ): void
 		$configured_languages = ydpl_resolve_from_container( 'ydpl.site_options' )->configured_supported_languages();
 
 		if ( array() === $configured_languages ) {
-			echo '<span class="ydpl-cache-status ydpl-cache-status--none" aria-label="' . esc_attr__( 'No languages configured', 'yard-deepl' ) . '">—</span>';
+			echo '<span class="ydpl-cache-status--none" aria-label="' . esc_attr__( 'No languages configured', 'yard-deepl' ) . '">—</span>';
 
 			return;
 		}
 
-		$cached_languages = $this->repository->get_cached_languages( $post_id, $configured_languages );
+		$column_data     = $this->repository->get_column_data( $post_id, $configured_languages );
+		$cached_langs    = $column_data['cached_languages'];
+		$uncached_counts = $column_data['uncached_request_counts'];
+
+		$badges = '';
+
+		foreach ( $configured_languages as $lang ) {
+			if ( in_array( $lang, $cached_langs, true ) ) {
+				$badges .= sprintf(
+					'<span class="ydpl-cache-badge ydpl-cache-badge--cached">%s</span>',
+					esc_html( $lang )
+				);
+			} elseif ( isset( $uncached_counts[ $lang ] ) ) {
+				$count   = $uncached_counts[ $lang ];
+				$badges .= sprintf(
+					'<span class="ydpl-cache-badge ydpl-cache-badge--uncached" title="%s">%s <span class="ydpl-badge-count">%s</span></span>',
+					esc_attr(
+						sprintf(
+							/* translators: %d: number of uncached DeepL API calls made for this post and language */
+							_n( '%d uncached call', '%d uncached calls', $count, 'yard-deepl' ),
+							$count
+						)
+					),
+					esc_html( $lang ),
+					esc_html( number_format_i18n( $count ) )
+				);
+			}
+		}
 
-		if ( array() === $cached_languages ) {
-			echo '<span class="ydpl-cache-status ydpl-cache-status--none" aria-label="' . esc_attr__( 'No cached translations', 'yard-deepl' ) . '">—</span>';
+		if ( '' === $badges ) {
+			echo '<span class="ydpl-cache-status--none" aria-label="' . esc_attr__( 'No cached translations', 'yard-deepl' ) . '">—</span>';
 
 			return;
 		}
 
-		echo '<div class="ydpl-cache-badges">';
-		foreach ( $cached_languages as $lang ) {
-			printf(
-				'<span class="ydpl-cache-badge">%s</span>',
-				esc_html( $lang )
-			);
-		}
-		echo '</div>';
+		echo '<div class="ydpl-cache-badges">' . $badges . '</div>';
 	}
 
 	/**
diff --git a/src/Repositories/TranslationRepository.php b/src/Repositories/TranslationRepository.php
index 3466a9c..f84b87c 100644
--- a/src/Repositories/TranslationRepository.php
+++ b/src/Repositories/TranslationRepository.php
@@ -46,23 +46,31 @@ public function get_cached_translation( int $object_id, string $target_lang ): ?
 	}
 
 	/**
-	 * Returns the language codes from $language_codes that have a valid, non-stale cache entry.
+	 * Returns data needed to render the admin list-table column in a single meta fetch.
 	 *
-	 * Fetches all post meta in one call for efficiency. A language is considered
-	 * cached when its translation data exists and its modified timestamp is at
-	 * least as recent as the post's own post_modified date.
+	 * 'cached_languages'        — ISO codes from $language_codes whose cache is valid and non-stale.
+	 * 'uncached_request_counts' — map of ISO code => cumulative uncached visitor API calls, only for
+	 *                             languages that have at least one recorded call.
 	 *
 	 * @since NEXT
+	 *
+	 * @return array{ cached_languages: string[], uncached_request_counts: array<string, int> }
 	 */
-	public function get_cached_languages( int $object_id, array $language_codes ): array
+	public function get_column_data( int $object_id, array $language_codes ): array
 	{
+		$empty = array(
+			'cached_languages'        => array(),
+			'uncached_request_counts' => array(),
+		);
+
 		if ( ! $this->translated_object_exists( $object_id ) ) {
-			return array();
+			return $empty;
 		}
 
 		$post_modified = get_post_field( 'post_modified', $object_id );
 		$all_meta      = get_post_meta( $object_id );
 		$cached        = array();
+		$counts        = array();
 
 		foreach ( $language_codes as $lang ) {
 			$translation_value    = $all_meta[ "_translation_$lang" ][0] ?? null;
@@ -71,9 +79,39 @@ public function get_cached_languages( int $object_id, array $language_codes ): a
 			if ( $translation_value && $translation_modified && strtotime( $translation_modified ) >= strtotime( $post_modified ) ) {
 				$cached[] = $lang;
 			}
+
+			$count = (int) ( $all_meta[ "_ydpl_uncached_request_count_$lang" ][0] ?? 0 );
+
+			if ( 0 < $count ) {
+				$counts[ $lang ] = $count;
+			}
+		}
+
+		return array(
+			'cached_languages'        => $cached,
+			'uncached_request_counts' => $counts,
+		);
+	}
+
+	/**
+	 * Increments the per-language count of uncached visitor API calls for this post.
+	 *
+	 * Only called for requests from visitors who lack cache-write capability, so the
+	 * count reflects API spend that caching would have prevented. Returns silently
+	 * when the object does not exist.
+	 *
+	 * @since NEXT
+	 */
+	public function increment_uncached_request_count( int $object_id, string $target_lang ): void
+	{
+		if ( ! $this->translated_object_exists( $object_id ) ) {
+			return;
 		}
 
-		return $cached;
+		$key     = "_ydpl_uncached_request_count_$target_lang";
+		$current = (int) get_post_meta( $object_id, $key, true );
+
+		update_post_meta( $object_id, $key, $current + 1 );
 	}
 
 	/**
@@ -123,5 +161,6 @@ public function store_translation( int $object_id, string $target_lang, array $t
 
 		update_post_meta( $object_id, "_translation_$target_lang", $translation );
 		update_post_meta( $object_id, "_translation_modified_$target_lang", current_time( 'mysql' ) );
+		delete_post_meta( $object_id, "_ydpl_uncached_request_count_$target_lang" );
 	}
 }
diff --git a/src/Services/TranslationService.php b/src/Services/TranslationService.php
index 0a7052b..fbc44dc 100644
--- a/src/Services/TranslationService.php
+++ b/src/Services/TranslationService.php
@@ -51,6 +51,10 @@ public function handle_translation_with_object_id( int $object_id, array $text,
 
 		$translation = $this->handle_translation_without_object_id( $text, $target_lang );
 
+		if ( ! $cache ) {
+			$this->repository->increment_uncached_request_count( $object_id, $target_lang );
+		}
+
 		if ( $cache ) {
 			$this->repository->store_translation( $object_id, $target_lang, $translation );
 		}

From 12e44153f5f217909613df295aea1824a93e01fb Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 28 May 2026 14:09:29 +0200
Subject: [PATCH 26/30] refactor: verify type of value variable in
 sanitize_callback

---
 src/Providers/RestAPIServiceProvider.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/Providers/RestAPIServiceProvider.php b/src/Providers/RestAPIServiceProvider.php
index 072de7f..05be3df 100644
--- a/src/Providers/RestAPIServiceProvider.php
+++ b/src/Providers/RestAPIServiceProvider.php
@@ -56,6 +56,10 @@ public function register_routes()
 						'required'          => true,
 						'minItems'          => 1,
 						'sanitize_callback' => function ( $value, $request, $param ) {
+							if ( ! is_array( $value ) ) {
+								return $value;
+							}
+
 							return array_map( 'sanitize_text_field', $value );
 						},
 					),

From 348e9192abbea63943754a90af182b54335994ce Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 28 May 2026 14:10:36 +0200
Subject: [PATCH 27/30] refactor: verify if the current user can edit this post
 and custom metaboxes

---
 src/Providers/MetaBoxServiceProvider.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/Providers/MetaBoxServiceProvider.php b/src/Providers/MetaBoxServiceProvider.php
index 68e5312..1ac4c0a 100644
--- a/src/Providers/MetaBoxServiceProvider.php
+++ b/src/Providers/MetaBoxServiceProvider.php
@@ -133,6 +133,11 @@ private function should_handle_saved_metabox_values( int $post_id ): bool
 			return false;
 		}
 
+		// Verify the current user can edit this post.
+		if ( ! current_user_can( 'edit_post', $post_id ) ) {
+			return false;
+		}
+
 		// Skip autosave to avoid overwriting values during revisions or autosaves.
 		if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
 			return false;

From 30398bcd281f8a9af9e5cf6922dfa61a4925b460 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 28 May 2026 14:11:23 +0200
Subject: [PATCH 28/30] fix: recalculation of strtotime(post_modified) on every
 iteration

---
 src/Repositories/TranslationRepository.php | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/Repositories/TranslationRepository.php b/src/Repositories/TranslationRepository.php
index f84b87c..5038d8f 100644
--- a/src/Repositories/TranslationRepository.php
+++ b/src/Repositories/TranslationRepository.php
@@ -67,16 +67,17 @@ public function get_column_data( int $object_id, array $language_codes ): array
 			return $empty;
 		}
 
-		$post_modified = get_post_field( 'post_modified', $object_id );
-		$all_meta      = get_post_meta( $object_id );
-		$cached        = array();
-		$counts        = array();
+		$post_modified           = get_post_field( 'post_modified', $object_id );
+		$post_modified_timestamp = strtotime( $post_modified );
+		$all_meta                = get_post_meta( $object_id );
+		$cached                  = array();
+		$counts                  = array();
 
 		foreach ( $language_codes as $lang ) {
 			$translation_value    = $all_meta[ "_translation_$lang" ][0] ?? null;
 			$translation_modified = $all_meta[ "_translation_modified_$lang" ][0] ?? null;
 
-			if ( $translation_value && $translation_modified && strtotime( $translation_modified ) >= strtotime( $post_modified ) ) {
+			if ( $translation_value && $translation_modified && strtotime( $translation_modified ) >= $post_modified_timestamp ) {
 				$cached[] = $lang;
 			}
 
@@ -117,7 +118,7 @@ public function increment_uncached_request_count( int $object_id, string $target
 	/**
 	 * @since 0.0.1
 	 */
-	protected function translated_object_exists( string $object_id ): bool
+	protected function translated_object_exists( int $object_id ): bool
 	{
 		$object = get_post( $object_id );
 

From 43916f4deb70c9a18f077ac3a89a5ea05e7d209b Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 28 May 2026 15:23:37 +0200
Subject: [PATCH 29/30] refactor: extract is_cache_disabled() and apply
 disable-flag to all cache operations

---
 src/Repositories/TranslationRepository.php | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/Repositories/TranslationRepository.php b/src/Repositories/TranslationRepository.php
index 5038d8f..43414f6 100644
--- a/src/Repositories/TranslationRepository.php
+++ b/src/Repositories/TranslationRepository.php
@@ -28,9 +28,7 @@ public function get_cached_translation( int $object_id, string $target_lang ): ?
 			throw new ObjectNotFoundException( 'Translated object not found.', 404 );
 		}
 
-		$is_disabled = get_post_meta( $object_id, 'ydpl_disable_deepl_translation_cache', true );
-
-		if ( ! is_string( $is_disabled ) || ( 0 < strlen( $is_disabled ) && '1' === $is_disabled ) ) {
+		if ( $this->is_cache_disabled( $object_id ) ) {
 			return null;
 		}
 
@@ -63,7 +61,7 @@ public function get_column_data( int $object_id, array $language_codes ): array
 			'uncached_request_counts' => array(),
 		);
 
-		if ( ! $this->translated_object_exists( $object_id ) ) {
+		if ( ! $this->translated_object_exists( $object_id ) || $this->is_cache_disabled( $object_id ) ) {
 			return $empty;
 		}
 
@@ -105,7 +103,7 @@ public function get_column_data( int $object_id, array $language_codes ): array
 	 */
 	public function increment_uncached_request_count( int $object_id, string $target_lang ): void
 	{
-		if ( ! $this->translated_object_exists( $object_id ) ) {
+		if ( ! $this->translated_object_exists( $object_id ) || $this->is_cache_disabled( $object_id ) ) {
 			return;
 		}
 
@@ -160,8 +158,19 @@ public function store_translation( int $object_id, string $target_lang, array $t
 			throw new ObjectNotFoundException( 'Translated object not found.', 404 );
 		}
 
+		if ( $this->is_cache_disabled( $object_id ) ) {
+			return;
+		}
+
 		update_post_meta( $object_id, "_translation_$target_lang", $translation );
 		update_post_meta( $object_id, "_translation_modified_$target_lang", current_time( 'mysql' ) );
 		delete_post_meta( $object_id, "_ydpl_uncached_request_count_$target_lang" );
 	}
+
+	protected function is_cache_disabled( int $object_id ): bool
+	{
+		$is_disabled = get_post_meta( $object_id, 'ydpl_disable_deepl_translation_cache', true );
+
+		return is_string( $is_disabled ) && 0 < strlen( $is_disabled ) && '1' === $is_disabled;
+	}
 }

From f4ebbce9981b8eefb259b71dd3b18ef75f724476 Mon Sep 17 00:00:00 2001
From: Mike van den Hoek <mike.vandenhoek@yard.nl>
Date: Thu, 28 May 2026 15:34:48 +0200
Subject: [PATCH 30/30] chore: update readme files

---
 README.md  | 13 ++++++++++++-
 readme.txt | 13 ++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 9563c0f..cf7627c 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Requires at least: 6.0
 Requires PHP: 8.0
 Stable tag: 1.1.0
 Tags: deepl, translating, secure
-Tested up to: 6.7.1
+Tested up to: 6.8.5
 
 This plugin registers secure API endpoints that allow you to request translations directly from DeepL without exposing your DeepL API-key.
 
@@ -35,6 +35,16 @@ A metabox labeled **Yard DeepL** is displayed on the edit screen of supported po
 -   **Disable translation cache:** When checked, the cache is bypassed for this object. Useful for posts with dynamic content that should always be translated fresh.
 -   **Clear translation cache:** When checked and the post is saved, all cached translations for this object are deleted.
 
+### Admin: Translation Cache Column
+
+A **Translation cache** column is added to the post list screen of all supported post types. Its purpose is to notify editors which posts should be cached as soon as possible to avoid unnecessary DeepL API costs.
+
+-   **Green badge per language** (e.g. `NL`, `EN-US`): a valid, up-to-date cached translation exists for that language. Visitor requests are served from cache at no cost.
+-   **Grey badge with a count per language** (e.g. `EN-US 42`): no cache exists for that language and visitors have triggered that many live DeepL API calls. Hovering the badge shows the full count as a tooltip. These posts are the most urgent to cache.
+-   **—**: the post has never been requested for translation, or caching is disabled for this post.
+
+The uncached call count is only incremented for visitor requests (users without cache-write capability) and is automatically reset per language once a cache entry is stored. Posts with the **Disable translation cache** option enabled are excluded from the column entirely.
+
 ## External Services
 
 This plugin connects to the DeepL API to provide translations for content.
@@ -142,6 +152,7 @@ xhr.send( data );
 -   Add: rate limiting for unauthenticated / low-privilege requests (3 req / 60 s per IP)
 -   Add: cache creation restricted to users with `edit_posts` capability (configurable via filter)
 -   Add: `yard::deepl/cache_capability` filter
+-   Add: Translation cache column on post list screens showing cached languages and per-language uncached call counts, to help editors prioritise which posts to cache
 -   Change: deprecated `yard::deepl/disable_cache_metabox_post_types` in favour of `yard::deepl/cache_metabox_post_types`
 -   Change: nonce validation now also accepts the standard `wp_rest` nonce action as a fallback
 
diff --git a/readme.txt b/readme.txt
index 5c910ba..efd0cf0 100644
--- a/readme.txt
+++ b/readme.txt
@@ -8,7 +8,7 @@ Requires at least: 6.0
 Requires PHP: 8.0
 Stable tag: 1.1.0
 Tags: deepl, translating, secure
-Tested up to: 6.7.1
+Tested up to: 6.8.5
 
 This plugin registers secure API endpoints that allow you to request translations directly from DeepL without exposing your DeepL API-key.
 
@@ -33,6 +33,16 @@ A metabox labeled Yard DeepL is displayed on the edit screen of supported post t
 * Disable translation cache: When checked, the cache is bypassed for this object. Useful for posts with dynamic content that should always be translated fresh.
 * Clear translation cache: When checked and the post is saved, all cached translations for this object are deleted.
 
+= Admin: Translation Cache Column =
+
+A Translation cache column is added to the post list screen of all supported post types. Its purpose is to notify editors which posts should be cached as soon as possible to avoid unnecessary DeepL API costs.
+
+* Green badge per language (e.g. NL, EN-US): a valid, up-to-date cached translation exists for that language. Visitor requests are served from cache at no cost.
+* Grey badge with a count per language (e.g. EN-US 42): no cache exists for that language and visitors have triggered that many live DeepL API calls. Hovering the badge shows the full count as a tooltip. These posts are the most urgent to cache.
+* —: the post has never been requested for translation, or caching is disabled for this post.
+
+The uncached call count is only incremented for visitor requests (users without cache-write capability) and is automatically reset per language once a cache entry is stored. Posts with the Disable translation cache option enabled are excluded from the column entirely.
+
 == External Services ==
 
 This plugin connects to the DeepL API to provide translations for content.
@@ -117,6 +127,7 @@ Response:
 * Add: rate limiting for unauthenticated / low-privilege requests (3 req / 60 s per IP)
 * Add: cache creation restricted to users with `edit_posts` capability (configurable via filter)
 * Add: `yard::deepl/cache_capability` filter
+* Add: Translation cache column on post list screens showing cached languages and per-language uncached call counts, to help editors prioritise which posts to cache
 * Change: deprecated `yard::deepl/disable_cache_metabox_post_types` in favour of `yard::deepl/cache_metabox_post_types`
 * Change: nonce validation now also accepts the standard `wp_rest` nonce action as a fallback