Fix: Resolved an issue where form submissions failed on modern desktop browsers (Chrome, Edge, Firefox) by removing the sandbox attribute from canvas fingerprinting iframes to comply with strict security policies against sandbox escaping. (thanks to @khoehne and @heikoppi for reporting it)
Enhancement: Added High Entropy (Gibberish) settings to the plugin’s configuration dashboard allowing fine-tuning of minimum words and consecutive consonants.
Fix: Resolved an issue where the honeyform position dropdown selection did not reflect the saved value.
Fix: Eliminated severe false positives caused by cf7a_get_honeypot_input_names() force-merging legacy common field names (email, zip, phone, name, address, …) into every honeypot check. The function now returns only the names explicitly configured by the administrator, so legitimate form fields can no longer be mistaken for honeypots. (thanks to @heikoppi and @khoehne for reporting it)
Fix: Cleaned up dead code in Filter_Honeypot::process(): removed the unused $mail_tag_text collection and the outer guard that silently suppressed the honeypot check on forms without text-type tags. The filter now reliably checks only the user-configured honeypot field names on every submission.
0.7.5
Enhancement: Added WordPress Comment Spam Protection: Extended the plugin’s capabilities beyond Contact Form 7 to actively protect native WordPress comments against spam.
Enhancement: Added Regex support for spam filtering: You can now use Regular Expressions in your filters, providing advanced and highly flexible rules to catch complex spam patterns. (thanks to @jackrus60 for suggesting it)
Enhancement: Introduced custom Wordlists: Administrators can now define specific keywords to filter, giving more granular control over blocked form submissions.
Security: Improved email header sanitization: Automatically strip newline characters from email headers to prevent Email Header Injection vulnerabilities.
Security: Enhanced overall plugin security with stricter sanitization, validation, and capability checks across the codebase.
Enhancement: Flamingo integration improvements: Enhanced the email resending functionality to ensure better reliability and smoother recovery of false positives.
Enhancement: CF7 SMTP Integration: Added seamless compatibility with SMTP configurations for Contact Form 7, ensuring reliable email delivery.
Fix: Improved action detection: Fixed issues with form submission detection to ensure spam checks are consistently and accurately triggered across various CF7 setups. Also fixes an issue with Flamingo plugin actions (thanks to @jackrus60 for suggesting it)
Fix: Ensure ban reasons are properly formatted: Addressed a bug in cf7a_compress_array to guarantee that logs accurately display the specific reason for rejection.
Fix: Resolved iframe/sandbox restrictions: Added the allow-scripts sandbox attribute to ensure necessary scripts can execute properly in restricted preview environments. (thanks to @oceandigitals for reporting it)
Fix: Restricted widget visibility: Ensured dashboard widgets are now correctly restricted and only visible to users with the appropriate permissions. (thanks to @islp for reporting it)
Enhancement: General code consolidation and major refactoring of the core anti-spam engine for better performance and maintainability.
0.7.4
Fix: Improve message sanitization: handle arrays, skip empty/non-string values, and refine length checks (thanks to @sleepygoth for reporting it)
0.7.3
Fix: Dismissing the “Flamingo Message” notice now works correctly (thanks to @WORX Developer for reporting it)
Enhancement: Improved spam filter performance with additional fallbacks for edge cases
Security: Email strings are now properly sanitized before being sent
Enhancement: New dashboard empty-state view
Enhancement: Added JS selector for allowed/disallowed countries and languages
Typo: Replaced “blacklist” with “blocklist” and “whitelist” with “allowlist” (thanks to @WORX Developer for warning me about this mistake)
Enhancement: New summary table added at the top of the settings page to display form configuration status
Enhancement: Cache compatibility improvements
Enhancement: Removed UCEPROTECT from predefined blocklists: We have optimized the default DNSBL configuration by removing the uceprotect service. This strategic change reduces the risk of false positives for legitimate users hosted on shared environments and improves the overall form submission speed by eliminating redundant DNS queries.
Fix: Fix cf7a_ban_by_ip reason parameter: Addressed a bug where the ban reason was not correctly passed to the blocking function. Logs will now accurately reflect the specific trigger (e.g., Honeypot violation, DNSBL match) that caused an IP ban, restoring full observability for administrators (Thanks to @sdellenb – PR #163).
Compatibility: Implemented a fix for WEBGL_debug_renderer_info in iOS/Safari on newer iOS devices. This resolves potential JavaScript execution errors during browser fingerprinting, ensuring seamless form functionality on iPhones and iPads with strict privacy settings.
Enhancement: Added blueprint.json: Introduced a configuration file for WordPress Playground. Contributors and users can now instantly spin up a browser-based testing environment for the plugin without local setup.
Enhancement: Updated unit tests to display GeoIP database information if available. This enhances local debugging capabilities by verifying that geolocation data is loaded correctly during test runs.
Enhancement: Applied comprehensive PHP linting to the Admin interface files, enforcing WordPress Coding Standards for better maintainability.
0.7.2
Update fallback (thanks to @lemurnick for the idea)
Fix for missing enqueue in some cases (thanks to @ohhcee, @o2xav, @WORX Developer for the feedback)
Blocklist filters cleanup
Registers the spam checks individually
Updated encrypt/decrypt function
0.7.1
Fix: Fixed a wrong escape placeholder in the prepared SQL query that prevented checking whether an IP was blocklisted. (thanks to @jackrus60 for the report)
0.7.0
Enhancement: Updated Admin User Interface (UI).
Enhancement: Added a new debug information section to display the status of GeoIP, REST API, and DNSBL functionality.
Enhancement: Blocklist Export Feature: Users can now export the blocklist.
Enhancement: A date column has been added to the blocklist database table.
Fix: The name attribute for Honeypots now correctly reflects the name chosen by the user (thanks to @developeratworx for reporting this issue!).
Fix: Improved code security by implementing prepared statements for all database queries and adding sanitization and escaping where previously missing.
Fix: Refactored and reorganized the src folder structure for better code organization and maintainability.
Fix: Implemented REST API endpoints for the admin “Tools” section, allowing operations on that page to be performed without reloading.
Fix: General code cleanup was performed throughout the project.
Fix: Fixed the resend mail function (A big thank you to @chrober for reporting this issue!).
0.6.4
Migration from JavaScript to TypeScript for better type safety
Fix: webdriver detection logic returning null instead of boolean
Fix: FormData constructor error with incorrect reference (thanks to @ohhcee for the report)
Improved honeypot (thanks to @theadam123 for feedback/testing)
0.3.0
Dashboard widget to display the emails received in the last week
Resend email from Flamingo UI (works with mail received after this update)
CF7-AntiSpam version check enhanced (but you will probably have to flush cache anyway when you update this plugin)
Honeyform enhancements
Enhanced activation script
Adds an option to set the number of attempts before a ban
Cron unban fix
Referrer verify (under bad ip checks)
0.2.7
avoid parsing the stored Flamingo messages multiple times
added under “advanced options” a button to fully reset cf7-antispam stored data
language check (allowed/disallowed) based on browser language
0.2.6
New option under “Enable advanced settings -> Severity of anti-spam control” with some prebuilt presets (weak, standard, secure)
Fix install script that in some edge case can fail
Backend script update
Improved JavaScript support for older browsers and iOS (Safari > 9 and Internet Explorer)
jQuery is no longer needed
0.2.5
Bugfix: the additional data in the email related to Flamingo may not be parsed correctly
New option to disable cf7 reload (/refill) when caching is enabled
Enhanced fingerprint support for Chrome on iOS
0.2.4
A new section “Advanced Section” that can be unlocked at the end of cf7-antispam options. I will put the more complex options there to make the interface easier.
Improved spam management with flamingo
New automatic options update handler
Selectable encryption cipher
Improved browser detection
Fix installation failure (in very rare conditions) when Flamingo is installed and the mail message contains non-UTF-8 characters.
Documentation Update
0.2.3
enhanced fingerprint scripts performance
improving debugging output
solved an issue with some plugins like conditional forms for cf7
improved mobile fingerprinting
0.2.2
fix Safari (macOS/iOS) detection (with a new custom check)
fix max time elapsed check
countermeasures to avoid Bayesian poisoning
fix encoding with some languages for generated honeyform/honeypot
reviewed scoring for fingerprinting and dnsbl
0.2.1
enhanced honeyform and honeypot style
fix dnsbl report message
enhanced hidden fields “append on submit” option
with the “extended debug option” enabled, deactivating the plugin resets the B8 db
0.2.0
adds HoneyForm to antispam checks
a new option (under fingerprinting) to add the hidden fields with javascript only while submitting
add an options section where the user can define the score of tests
some cosmetic changes to the admin UI
0.1.1
user customizable scoring options
fix some installation issues on MySQL < 5.6
0.1.0
AntiSpam for Contact Form 7 published into WordPress Plugin Directory
Compared to the very early version, I’ve added honeypot, fingerprint bots and automated ip bans (but I need to provide a way to unban even without flamingo).