GB Anti-Spam for Contact Form 7

Plugin Banner

GB Anti-Spam for Contact Form 7

by gregbialowas

Download
Description

GB Anti-Spam for Contact Form 7 adds a lightweight security layer to Contact Form 7 forms without CAPTCHA.

Features:
* Honeypot field protection
* Timing-based bot detection
* Request integrity token
* IP rate limiting
* Automatic injection (no manual form editing required)

Designed to be lightweight and compatible with caching and performance plugins.

  1. Upload plugin to WordPress
  2. Activate plugin
  3. Works automatically with all Contact Form 7 forms
Does it require editing forms?

No. Everything is injected automatically.

Does it slow down the site?

No noticeable impact.

2.1.0

  • Refactored core validation into structured pipeline architecture (validate() now acts as orchestration layer)
  • Introduced modular detection stages: context collection, honeypot, timing, nonce, fingerprint, rate limiting, field analysis, payload analysis, scoring, and final decision
  • Replaced flat string-based signals with structured signal objects (type + optional field metadata)
  • Added unified scoring engine with centralized weight map for all detection signals
  • Introduced hard-block vs score-based decision separation (critical threats bypass scoring)
  • Split validation logic into dedicated methods for each detection layer for improved maintainability
  • Improved field-level analysis with structured output (URL, emoji, markup, Cyrillic, length detection per field)
  • Introduced dedicated payload analysis layer for cross-field pattern detection (SQL injection, XSS, command injection, spam keywords)
  • Centralized spam keyword detection into reusable helper method
  • Improved rate limiting mechanism with explicit signal output (rate_limited)
  • Added structured debug logging including score value alongside signals, IP, user agent, and sanitized submission data
  • Enhanced logging safety with improved data sanitization and truncation limits
  • Improved observability of validation flow through explicit stage separation and consistent signal output format
  • Reduced coupling between detection logic and validation decision logic
  • Maintained backward compatibility with existing Contact Form 7 validation filter

2.0.0

  • Complete redesign of anti-spam engine architecture
  • Replaced legacy scoring system with structured signals-based detection model
  • Introduced unified signals[] system as primary validation output
  • Split validation logic into layered detection system (hard-block, behavioral signals, content analysis)
  • Added per-field validation engine via analyze_field() method
  • Introduced helper-based security detection functions (SQL injection, XSS, command injection)
  • Added structured JSON logging system for all CF7 submission attempts
  • Improved rate limiting mechanism based on IP tracking
  • Added detection for URLs, emojis, HTML/BBCode markup, and Cyrillic content
  • Separated detection logic from final blocking decision
  • Improved observability with detailed request-level debug output
  • Prepared internal architecture for future rule weighting and per-field validation engine expansion
  • Improved overall maintainability and extensibility of the plugin core

1.2.0

  • Major refactor of anti-spam engine
  • Added hard firewall layer using wpcf7_before_send_mail
  • Introduced unified payload inspection (email, URL, injection patterns)
  • Removed client-side hash-based token system in favor of WP nonce
  • Improved scoring logic and reduced redundant validation checks
  • Fixed CF7 bypass allowing spam submissions to reach mail layer
  • Improved debug logging system with configurable file path

1.1.0

  • Replaced JS-based token mechanism with secure WordPress nonce validation (wp_create_nonce / wp_verify_nonce)
  • Removed insecure client-side hash-based token generation
  • Added human interaction signal detection (mouse, keyboard, touch events)
  • Improved fingerprinting method for better bot anomaly detection
  • Added universal payload inspection for SQL injection, XSS, and command injection patterns across all form fields
  • Improved rate limiting logic with stricter thresholds per IP
  • Enhanced honeypot detection reliability across all CF7 forms

1.0.5

  • Improved validation scoring system for spam detection
  • Added additional heuristic checks for automated bot submissions
  • Optimized transient-based rate limiting mechanism

1.0.0

  • Initial release
  • Basic honeypot protection
  • Timing-based submission validation
  • Lightweight fingerprint detection
Back to top