=== LukaCodes AntiSpam Shield ===
Contributors: Luka2013
Tags: spam, recaptcha, wpforms, turnstile, anti-spam
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 8.0
Donate link: https://www.paypal.com/donate/?hosted_button_id=942LJ42XE4HVW
Stable tag: 1.1.3
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Block comment spam, brute-force logins and bot registrations with reCAPTCHA v3 or Cloudflare Turnstile. Lightweight, no bloat.

== Description ==

**LukaCodes AntiSpam Shield** is a lightweight, no-bloat plugin that protects your WordPress comment section **and contact forms** from spam. Five independent tools, one settings page.

[Read the full documentation](https://lukacodes.com/comment-shield-docs/).

* **Disable Website Field** — Removes the URL/website field from the comment form. Works with all themes, including those that hardcode the field (CSS fallback included).
* **Strip Links from Comments** — Automatically removes all `<a>` hyperlinks from comment content — both on display and before saving to the database. Spammers get zero benefit from posting links.
* **reCAPTCHA v3** — Adds Google's invisible bot-score protection. No checkbox, no puzzle, no friction for real users. Bots are silently blocked server-side.
* **Cloudflare Turnstile** — A privacy-friendly CAPTCHA alternative. Mutually exclusive with reCAPTCHA v3 — enabling one automatically disables the other.
* **Login Shield** — Adds CAPTCHA to the WordPress login form (`wp-login.php`). Stops brute-force bots silently.
* **Registration Shield** — Adds CAPTCHA to the WordPress registration form. Blocks bot account creation.
* **WPForms Integration** — Apply the same CAPTCHA protection to WPForms Lite — using the same keys you already configured, no extra setup.

All features are **independent** — enable only what you need.

= Login & Registration Shield =

Version 1.1.2 adds CAPTCHA protection to `wp-login.php`:

* **Login Shield** — Hooks into `wp_authenticate_user` for server-side verification after credentials are checked. Returns a `WP_Error` if CAPTCHA fails — WordPress displays it as a normal login error.
* **Registration Shield** — Hooks into `registration_errors` to add CAPTCHA validation during registration. Works alongside all other WordPress registration validations.

Both are independently togglable in the settings panel. Admins already logged in are never affected.

= WPForms Integration =

Version 1.1.0 introduces CAPTCHA protection for **WPForms Lite**:

* Hooks into `wpforms_display_submit_before` to inject the CAPTCHA widget before the submit button.
* Hooks into `wpforms_process` for server-side token verification.
* Works with both reCAPTCHA v3 (invisible) and Cloudflare Turnstile (visible widget).

Note: WPForms Pro includes its own native CAPTCHA integration — this feature is intended for **WPForms Lite** users only.

= Why AntiSpam Shield? =

Most anti-spam plugins are heavy, require accounts, or add ugly CAPTCHAs. LukaCodes AntiSpam Shield is different:

* ~30 KB total — no external libraries, no jQuery dependency
* Settings page with **live key testing** — verify your reCAPTCHA or Turnstile keys before enabling
* **Link stripping preview** — paste any comment text and see exactly what gets removed
* Graceful fallback: if Google's or Cloudflare's API is unreachable, comments are held for moderation (never lost)
* Trusted users (administrators) bypass CAPTCHA checks automatically
* **Mutual exclusion**: reCAPTCHA v3 and Cloudflare Turnstile cannot be active at the same time
* WP Coding Standards compliant — fully escaped output, nonce-protected AJAX

= reCAPTCHA v3 — How it works =

When a visitor submits a form, JavaScript silently requests a score token from Google.
The token is sent with the submission and verified server-side against your minimum score threshold (configurable from 0.1 to 1.0). No user interaction required.

= Cloudflare Turnstile — How it works =

A Turnstile widget is rendered inside the form. When the visitor completes the challenge, a token is submitted and verified server-side against the Cloudflare API.

== Installation ==

1. Upload the `lukacodes-comment-shield` folder to `/wp-content/plugins/`
2. Activate the plugin through **Plugins → Installed Plugins**
3. Go to **Settings → AntiSpam Shield** to configure your options

= reCAPTCHA v3 Setup =

1. Visit [Google reCAPTCHA Admin Console](https://www.google.com/recaptcha/admin/create)
2. Create a new site — select **Score based (v3)**
3. Add your domain to the allowed domains list
4. Copy the **Site Key** and **Secret Key** into the plugin settings
5. Use the built-in **🔍 Test Keys** button to verify connectivity before enabling
6. Enable reCAPTCHA v3, set your minimum score, and save

= Cloudflare Turnstile Setup =

1. Visit [Cloudflare Turnstile Dashboard](https://dash.cloudflare.com/?to=/:account/turnstile)
2. Create a new site and select your widget type (Managed recommended)
3. Copy the **Site Key** and **Secret Key** into the plugin settings
4. Use the built-in **🔍 Test Turnstile Keys** button to verify connectivity before enabling
5. Enable Cloudflare Turnstile and save — reCAPTCHA v3 will be disabled automatically

= Contact Forms Setup =

No extra setup needed. Once reCAPTCHA v3 or Cloudflare Turnstile is configured, go to the **Contact Forms** section in the settings and toggle on each plugin you want to protect. The admin panel shows which form plugins are currently installed and active on your site.

== Frequently Asked Questions ==

= Does this require a Google account? =

Only if you use reCAPTCHA v3. You need a Google account to obtain keys from the [reCAPTCHA Admin Console](https://www.google.com/recaptcha/admin/create). The service is free.
Cloudflare Turnstile requires a free Cloudflare account instead.

= Can I use both reCAPTCHA and Turnstile at the same time? =

No — they are mutually exclusive. Enabling one will automatically disable the other, both in the settings UI and on the server.

= Does this protect the login and registration forms? =

Yes. Enable "Login Shield" and/or "Registration Shield" in the **Login & Registration** section of the settings panel. The same reCAPTCHA v3 or Turnstile keys are reused — no extra setup needed. Administrators are never blocked.

= Does this protect WPForms Lite without extra keys? =

Yes. The same reCAPTCHA v3 or Turnstile keys you enter for comment protection are reused automatically for WPForms Lite. No additional setup required.

= What happens if Google's or Cloudflare's API is unreachable? =

The comment or form submission is held for moderation instead of being rejected. You will never lose a genuine submission due to an API outage.

= Does it work with custom themes that hardcode the URL field? =

Yes. The plugin removes the field from WordPress's form array and also injects CSS as a fallback.

= Does this work with caching plugins? =

Yes. All CAPTCHA logic runs client-side (JS) and server-side (PHP on submission). Caching does not interfere.

= Do I need all features? =

No. Each feature has its own toggle. Enable only what your site needs.

== Screenshots ==

1. The main settings dashboard with Comment Options, reCAPTCHA, Turnstile, Login & Registration, and WPForms sections.
2. WPForms integration panel — shows detection status and toggle.
3. reCAPTCHA key tester — real-time verification against Google API.
4. Turnstile key tester — real-time verification against Cloudflare API.
5. Plugin status panel — at-a-glance view of current configuration.

== Changelog ==

= 1.1.3 =
* Added: Option to disable comments on all posts sitewide
* Added: Option to disable comments on all pages sitewide
* Fixed: WPForms CAPTCHA hook changed to wpforms_process_before — form submission is now blocked before email is sent when token is missing/invalid
* Fixed: Key tester now validates that reCAPTCHA / Turnstile keys are registered for this site's domain
* Fixed: Keys from a different domain now show a clear "Domain mismatch" error instead of a false "keys look correct" result
* Improved: Turnstile key tester now passes sitekey to Cloudflare API to enable domain-level validation
* Improved: Greek (el) translation updated to 100% — all strings now translated
* Bumped version to 1.1.3

= 1.1.2 =
* Added Login Shield: CAPTCHA protection for wp-login.php login form
* Added Registration Shield: CAPTCHA protection for wp-login.php registration form
* Login and Registration shields are independently togglable in the settings panel
* Both shields reuse existing reCAPTCHA v3 / Turnstile keys — no additional setup required
* Added Login Shield and Register Shield rows to Plugin Status panel
* Updated POT template with all new i18n strings
* Updated Greek (el) translation with all new strings
* Bumped version to 1.1.2

= 1.1.0 =
* Added WPForms Lite integration: reCAPTCHA v3 and Cloudflare Turnstile protection for WPForms forms
* WPForms protection reuses existing CAPTCHA keys — no additional setup required
* Added WPForms panel in admin: auto-detects if WPForms is installed, toggle to enable/disable
* Added WPForms Shield row to Plugin Status panel
* Updated POT template with all new i18n strings
* Updated Greek (el) translation with all new strings
* Bumped version to 1.1.0

= 1.0.1 =
* Added Cloudflare Turnstile as a second CAPTCHA option (privacy-friendly alternative to reCAPTCHA)
* Added mutual exclusion logic: enabling reCAPTCHA disables Turnstile and vice versa
* Added server-side Turnstile token verification with moderation fallback
* Added live Turnstile key tester in the settings panel
* Updated uninstall.php to clean up Turnstile options on deletion

= 0.3 =
* Added server-side reCAPTCHA verification with action and hostname validation
* Added fallback: holds comment for moderation if Google API is unreachable
* Added `COMMSH_VERSION` constant and activation hook to seed default options
* Improved score threshold: configurable from 0.1 to 1.0 with live slider

= 0.2 =
* Integrated Google reCAPTCHA v3 invisible protection on comment form
* Added real-time key testing against Google API
* Added live link stripping preview with before/after diff
* Fixed double-submission bug on slow connections

= 0.1 =
* Initial release
* Remove website field from comment form (filter + CSS fallback)
* Strip HTML links from comments on display and before saving to database

== Upgrade Notice ==

= 1.1.3 =
Fixes key tester false-positive: keys from a different domain no longer show as valid. Recommended update for all users.

= 1.1.2 =
Plugin renamed to LukaCodes AntiSpam Shield. Adds CAPTCHA for login and registration forms. Fixes debug message in WPForms integration. Recommended update for all users.

= 1.1.0 =
Adds CAPTCHA protection for WPForms Lite — using your existing reCAPTCHA v3 or Turnstile keys. Recommended update for WPForms Lite users.

== Third-Party Services ==

This plugin optionally uses the following third-party services:

= Google reCAPTCHA v3 =

A service provided by Google LLC.

* **What it does:** Detects bots and spam on your comment form and contact forms without user interaction.
* **When data is sent:** Only when reCAPTCHA v3 is enabled. A token is sent to `https://www.google.com/recaptcha/api/siteverify` on each form submission.
* **What data is sent:** The visitor's IP address and a reCAPTCHA token.
* **Google Privacy Policy:** https://policies.google.com/privacy
* **Google Terms of Service:** https://policies.google.com/terms

= Cloudflare Turnstile =

A service provided by Cloudflare, Inc.

* **What it does:** Presents a privacy-friendly CAPTCHA widget on comment and contact forms.
* **When data is sent:** Only when Cloudflare Turnstile is enabled. A token is sent to `https://challenges.cloudflare.com/turnstile/v0/siteverify` on each form submission.
* **What data is sent:** The visitor's IP address and a Turnstile token.
* **Cloudflare Privacy Policy:** https://www.cloudflare.com/privacypolicy/
* **Cloudflare Terms of Service:** https://www.cloudflare.com/website-terms/

Both services are entirely optional. If you do not enter API keys or enable either CAPTCHA, no data is sent to any third party.
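
The server-side decision described under "reCAPTCHA v3 — How it works" and in the 0.3 changelog entry (score threshold, action and hostname validation, moderation fallback), sketched as an added PHP example that is not the plugin's own code. The function name, the `comment` action, `example.org`, the 0.5 threshold and the sample replies are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of the plugin: maps the body of a reCAPTCHA v3
// siteverify reply to a decision for a comment submission.
// $body is null when the HTTP call itself failed (timeout, DNS, non-200).
function example_classify_siteverify(?string $body, string $host, string $action, float $minScore): string
{
    $r = $body === null ? null : json_decode($body, true);
    if (!is_array($r)) {
        return 'moderate';   // API unreachable or reply unparsable: hold, do not drop
    }
    if (($r['success'] ?? false) !== true) {
        return 'reject';     // invalid, expired or already-used token
    }
    $h = $r['hostname'] ?? null;
    if (!is_string($h) || strcasecmp($h, $host) !== 0) {
        return 'reject';     // token was issued on a different site
    }
    if (($r['action'] ?? null) !== $action) {
        return 'reject';     // token was issued for a different form
    }
    $score = $r['score'] ?? null;
    if (!is_int($score) && !is_float($score)) {
        return 'reject';     // no usable score in the reply
    }
    return $score >= $minScore ? 'allow' : 'reject';
}

// Constructed sample replies (not captured traffic).
$samples = [
    'good token'      => '{"success":true,"score":0.9,"action":"comment","hostname":"example.org"}',
    'low score'       => '{"success":true,"score":0.1,"action":"comment","hostname":"example.org"}',
    'other site'      => '{"success":true,"score":0.9,"action":"comment","hostname":"other.example"}',
    'login token'     => '{"success":true,"score":0.9,"action":"login","hostname":"example.org"}',
    'expired token'   => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
    'API unreachable' => null,
];

foreach ($samples as $label => $body) {
    printf("%-16s %s\n", $label, example_classify_siteverify($body, 'example.org', 'comment', 0.5));
}
```

The `moderate` branch matches what the readme states for comments and form submissions; the readme does not say how Login Shield behaves during an API outage, so that path is not modelled here.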