AntiSpam for Contact Form 7

Changelog

0.7.5

  • Enhancement: Added WordPress Comment Spam Protection: Extended the plugin’s capabilities beyond Contact Form 7 to actively protect native WordPress comments against spam.
  • Enhancement: Added Regex support for spam filtering: You can now use Regular Expressions in your filters, providing advanced and highly flexible rules to catch complex spam patterns. (thanks to @jackrus60 for suggesting it)
  • Enhancement: Introduced custom Wordlists: Administrators can now define specific keywords to filter, giving more granular control over blocked form submissions.
  • Security: Improved email header sanitization: Automatically strip newline characters from email headers to prevent Email Header Injection vulnerabilities.
  • Security: Enhanced overall plugin security with stricter sanitization, validation, and capability checks across the codebase.
  • Enhancement: Flamingo integration improvements: Enhanced the email resending functionality to ensure better reliability and smoother recovery of false positives.
  • Enhancement: CF7 SMTP Integration: Added seamless compatibility with SMTP configurations for Contact Form 7, ensuring reliable email delivery.
  • Fix: Improved action detection: Fixed issues with form submission detection to ensure spam checks are consistently and accurately triggered across various CF7 setups. Also fixes an issue with Flamingo plugin actions (thanks to @jackrus60 for suggesting it)
  • Fix: Ensure ban reasons are properly formatted: Addressed a bug in cf7a_compress_array to guarantee that logs accurately display the specific reason for rejection.
  • Fix: Resolved iframe/sandbox restrictions: Added the allow-scripts sandbox attribute to ensure necessary scripts can execute properly in restricted preview environments. (thanks to @oceandigitals for reporting it)
  • Fix: Restricted widget visibility: Ensured dashboard widgets are now correctly restricted and only visible to users with the appropriate permissions. (thanks to @islp for reporting it)
  • Enhancement: General code consolidation and major refactoring of the core anti-spam engine for better performance and maintainability.

0.7.4

  • Fix: Improve message sanitization: handle arrays, skip empty/non-string values, and refine length checks (thanks to @sleepygoth for reporting it)

0.7.3

  • Fix: Dismissing the “Flamingo Message” notice now works correctly (thanks to @WORX Developer for reporting it)
  • Enhancement: Improved spam filter performance with additional fallbacks for edge cases
  • Security: Email strings are now properly sanitized before being sent
  • Enhancement: New dashboard empty-state view
  • Enhancement: Added JS selector for allowed/disallowed countries and languages
  • Typo: Replaced “blacklist” with “blocklist” and “whitelist” with “allowlist” (thanks to @WORX Developer for warning me about this mistake)
  • Enhancement: New summary table added at the top of the settings page to display form configuration status
  • Enhancement: Cache compatibility improvements
  • Enhancement: Removed UCEPROTECT from predefined blocklists: We have optimized the default DNSBL configuration by removing the uceprotect service. This strategic change reduces the risk of false positives for legitimate users hosted on shared environments and improves the overall form submission speed by eliminating redundant DNS queries.
  • Fix: Fix cf7a_ban_by_ip reason parameter: Addressed a bug where the ban reason was not correctly passed to the blocking function. Logs will now accurately reflect the specific trigger (e.g., Honeypot violation, DNSBL match) that caused an IP ban, restoring full observability for administrators (Thanks to @sdellenb – PR #163).
  • Compatibility: Implemented a fix for WEBGL_debug_renderer_info in iOS/Safari on newer iOS devices. This resolves potential JavaScript execution errors during browser fingerprinting, ensuring seamless form functionality on iPhones and iPads with strict privacy settings.
  • Enhancement: Added blueprint.json: Introduced a configuration file for WordPress Playground. Contributors and users can now instantly spin up a browser-based testing environment for the plugin without local setup.
  • Enhancement: Updated unit tests to display GeoIP database information if available. This enhances local debugging capabilities by verifying that geolocation data is loaded correctly during test runs.
  • Enhancement: Applied comprehensive PHP linting to the Admin interface files, enforcing WordPress Coding Standards for better maintainability.

0.7.2

  • Update fallback (thanks for the idea to @lemurnick)
  • Fix for missing enqueue in some cases (thanks to @ohhcee, @o2xav, @WORX Developer for the feedback)
  • Blocklist filters cleanup
  • Registers the spam checks individually
  • Updated encrypt/decrypt function

0.7.1

  • Fix: Fixes a wrong escape placeholder in the prepared SQL query that prevented checking whether an IP was blocklisted. (thanks to @jackrus60 for the report)

0.7.0

  • Enhancement: Updated Admin User Interface (UI).
  • Enhancement: Added a new debug information section to display the status of GeoIP, REST API, and DNSBL functionality.
  • Enhancement: Blocklist Export Feature: Users can now export the blocklist.
  • Enhancement: A date column has been added to the blocklist database table.
  • Fix: The name attribute for Honeypots now correctly reflects the name chosen by the user (thanks to @developeratworx for reporting this issue!).
  • Fix: Improved code security by implementing prepared statements for all database queries and adding sanitization and escaping where previously missing.
  • Fix: Refactored and reorganized the src folder structure for better code organization and maintainability.
  • Fix: Implemented REST API endpoints for the admin “Tools” section, allowing operations on that page to be performed without reloading.
  • Fix: General code cleanup was performed throughout the project.
  • Fix: Fixed the resend mail function (A big thank you to @chrober for reporting this issue!).

0.6.4

  • Migration from JavaScript to TypeScript for better type safety
  • Fix: webdriver detection logic returning null instead of boolean
  • Fix: FormData constructor error with incorrect reference (thanks to @ohhcee for the report)
  • Fix: WebGL renderer null reference causing indexOf errors
  • Fix: FormData support condition logic inverted
  • Fix: as suggested by @filipr fixed the issue with the additional data in the email related to flamingo (thanks to @apterix for the bug report)
  • Enhancement: Added MutationObserver support for dynamically loaded forms (implemented @dmbur idea, thanks!)
  • Enhancement: Added duplicate form processing prevention
  • Enhancement: Wrapped main execution in IIFE to prevent global scope pollution
  • Enhancement: Improved browser compatibility with graceful fallbacks
  • Enhancement: Enhanced canvas fingerprinting with proper error handling
  • Performance: Moved form-specific variables inside loops to prevent cross-contamination
  • Performance: Added proper type annotations and safer innerHTML assignments
  • Tests: switch to Playwright tests

0.6.3

  • Quick fix for null is not an object (evaluating ‘document.getElementById(“cf7a_download_button”) (bug report, thanks to @WebCodePoet)

0.6.2

  • Fix/honeyform init (bug report, thanks to @silas2209)
  • Fix/mailbox_protection_multiple_send option not initialized (bug report, thanks to @oceandigitals)
  • Import and export options metabox (feature request, @Wendihihihi)
  • Fixes the plugin update function that was removing the “enabled” flag…
  • Resend to custom email address (bug report, thanks to @oceandigitals and @Wendihihihi)
  • Admin options page ui updates
  • Dnsbl removes some default servers and adds additional notes
  • B8 moved as plugin library
  • startup optimization

0.6.0

  • Fix: new config validator: unsafe email (Zodiac1978)
  • Fix: Warning- Uninitialized string (bug report, thanks to @benjaminvandenberg)
  • Fix: false positives due to language_incoherence (bug report, thanks to @benjaminvandenberg fixed by @gardenboi)
  • Feature Request: exception list for honeyforms (@linuxlurak, closed by @gardenboi)
  • Fix: mail resend didn’t work (bug report, thanks to @oceandigitals)
  • Enhancement: Remove mail duplicates if users sent multiple
  • Enhancement: General UI enhancements
  • Enhancement: Rewrote the plugin core to keep it up to date with modern loading methods

0.5.0

  • Fixed compatibility with php 8.2

0.4.6

  • PHP 8.2 support (bug report, thanks @senjoralfonso)
  • Fix “internal_server_error” when message is empty (pull request, thanks @MeliEve #42)
  • Maintenance – updated dependencies CI and coding standards

0.4.5

  • Enhanced language detection using the http headers accepted language (bug report, thanks @senjoralfonso #33)
  • Multisite compatibility #34 (bug report, thanks @pluspol #34)
  • Replaced domDocument with a regexp for more reliability (bug report, thanks @jensdiep and @georgr #35)
  • Whitelist Feature request: whitelisting (feature requests, thanks @jensdiep #36)
  • Settings page card style (enhancement, thanks @emilycestmoi)
  • Fix for automatic unban initial settings, in some cases it might not have been “disabled”

0.4.4

  • Adds the @mirekdlugosz fix for flamingo metadata regex
  • Better Honeypot default input name field handling
  • Fixed ‘ban forever’ that was replacing the list of banned IPs instead of adding the selected one
  • Add a new check in order to verify the HTTP protocol, since bots usually connect with HTTP/1.X

0.4.3

  • Fixes an issue with honeypot placeholder (thanks to @ardsoms and @edodemo for the report)
  • User enumeration protection
  • Xmlrpc bruteforce protection
  • Http headers obfuscation
  • Add a new filter (cf7a_additional_max_honeypots) to limit the number of automatic honeypots (default: 5)

0.4.2

  • Dashboard widget updated (adds a new filter ‘cf7a_dashboard_max_mail_count’ to limit the maximum value of displayed mail, default 25)
  • UI enhancements – labels in the flamingo inbound page and the blocklist table
  • Displays a random security tip at the top of cf7-antispam settings
  • Standalone geoip check (previously it was mandatory to enable the language checks in order to enable geo-ip)
  • Under certain conditions an automatic ban is carried out and the e-mail is not processed to avoid unnecessary consumption of resources
  • German translation – thanks to @fhwebdesign and @senjoralfonso

0.4.1

  • Honeyform updated and enhanced
  • updated dnsbl servers (removed spfbl.net, bogons.cymru.com – added spamrats.com)
  • improved iOS detection

0.4.0

  • Adds geoip antispam filter
  • Updated dashboard widget
  • Updated settings and frontend scripts
  • Improved honeypot (thanks to @theadam123 for feedback/testing)

0.3.0

  • Dashboard widget to display the emails received in the last week
  • Resend email from Flamingo UI (works with mail received after this update)
  • CF7-AntiSpam version check enhanced (but you will probably have to flush cache anyway when you update this plugin)
  • Honeyform enhancements
  • Enhanced activation script
  • Adds an option to set the number of attempts before a ban
  • Cron unban fix
  • Referrer verify (under bad ip checks)

0.2.7

  • avoid parsing the stored flamingo messages multiple times
  • added under “advanced options” a button to full reset cf7-antispam stored data
  • language check (allowed/disallowed) based on browser language

0.2.6

  • New option under “Enable advanced settings -> Severity of anti-spam control” with some prebuilt presets (weak, standard, secure)
  • Fix install script that in some edge case can fail
  • Backend script update
  • Improved JavaScript support for older browsers and iOS (safari > 9 and internet explorer)
  • jquery is no longer needed

0.2.5

  • Bugfix: the additional data in the email related to flamingo may not be parsed correctly
  • New option to disable cf7 reload (/refill) when caching is enabled
  • Enhanced fingerprint support for chrome on ios

0.2.4

  • A new section “Advanced Section” that can be unlocked at the end of cf7-antispam options. I will put the more complex options there to make the interface easier.
  • Improved spam management with flamingo
  • New automatic options update handler
  • Selectable encryption cypher
  • Improved browser detection
  • Fix installation failure (in very rare conditions) when Flamingo is installed and in mail message there are some non-utf8 characters.
  • Documentation Update

0.2.3

  • enhanced fingerprint scripts performance
  • improving debugging output
  • solved an issue with some plugins like conditional forms for cf7
  • improved mobile fingerprinting

0.2.2

  • fix safari (macos/ios) detection (with a new custom check)
  • fix max time elapsed check
  • countermeasures to avoid bayesian poisoning
  • fix encoding with some languages for generated honeyform/honeypot
  • reviewed scoring for fingerprinting and dnsbl

0.2.1

  • enhanced honeyform and honeypot style
  • fix dnsbl report message
  • enhanced hidden fields “append on submit” option
  • with the “extended debug option” enabled, deactivation resets the B8 db

0.2.0

  • adds HoneyForm to antispam checks
  • a new option (under fingerprinting) to add the hidden fields with javascript only while submitting
  • adds an options section where the user can define the score of tests
  • some cosmetic changes to the admin UI

0.1.1

  • user customizable scoring options
  • fix some installation issues on mysql < 5.6

0.1.0

  • AntiSpam for Contact Form 7 published into WordPress Plugin Directory
  • Compared to the very early version, I’ve added honeypot, fingerprint bots and automated ip bans (but I need to provide a way to unban even without flamingo).
  • Documentation

0.0.1

  • This is the first release

Author
Erik
Version:
0.7.5
Last Updated
March 23, 2026
Active Installs
10000
Requires
WordPress 6.2
Tested Up To
WordPress 6.9.4
Requires PHP
7.4
