LW Simple Forms

Changelog

1.2.0

New Features:

  • IP-based rate limiting – Prevents the same IP address from submitting forms excessively within a configurable time window. Default: 5 submissions per hour. Configurable in Settings.
  • Honeypot field – An invisible form field that catches automated bots. Bots that fill all fields are silently rejected. Enabled by default, can be toggled in Settings.
  • Confirmation screen enforcement – When a confirmation screen is configured, the server now verifies that the confirmation screen was actually displayed before allowing completion. Prevents bots from bypassing the confirmation step.

Improvements:

  • reCAPTCHA v3 score threshold increased from 0.3 to 0.5 (Google’s recommended default) for better spam detection
  • New “Spam Protection” settings section in the admin panel for configuring rate limiting and honeypot options
  • Rate limit records are automatically cleaned up after 24 hours

Security:

  • Added protection against automated SQL injection scanning attacks
  • Bots that trigger the honeypot receive a fake success response to prevent detection of the security measure
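
The honeypot and IP rate-limit behaviour listed for 1.2.0, sketched as an added example; it is not the plugin's own code. The function and constant names, the `website` honeypot field, and the in-memory record array are assumptions for illustration, while the limits are the defaults stated in this changelog.

```php
<?php
// Added illustration, not LW Simple Forms code. Hypothetical names throughout;
// $log is an in-memory stand-in for the plugin's rate limit records.
const DEMO_LIMIT     = 5;      // changelog default: 5 submissions...
const DEMO_WINDOW    = 3600;   // ...per hour
const DEMO_RETENTION = 86400;  // records cleaned up after 24 hours

// Returns ['response' => what the client sees, 'deliver' => whether mail is sent].
function demo_gate(array $post, string $ip, int $now, array &$log): array
{
    // Honeypot: hidden from humans, so any value marks an automated client.
    // The client-visible response is identical to a real success.
    if (trim((string) ($post['website'] ?? '')) !== '') {
        return ['response' => 'success', 'deliver' => false];
    }
    // Drop records older than the retention period.
    $log = array_values(array_filter($log, fn($r) => $now - $r['t'] < DEMO_RETENTION));
    // Count this IP's accepted submissions inside the window.
    $recent = count(array_filter(
        $log,
        fn($r) => $r['ip'] === $ip && $now - $r['t'] < DEMO_WINDOW
    ));
    if ($recent >= DEMO_LIMIT) {
        return ['response' => 'rate_limited', 'deliver' => false];
    }
    $log[] = ['ip' => $ip, 't' => $now];
    return ['response' => 'success', 'deliver' => true];
}

// Constructed sample input (documentation-range IPs, arbitrary timestamp).
$log = [];
$t0  = 1700000000;
for ($i = 1; $i <= 6; $i++) {
    $r = demo_gate(['email' => 'a@example.com', 'website' => ''], '203.0.113.7', $t0 + $i, $log);
    printf("human #%d: %s deliver=%s\n", $i, $r['response'], var_export($r['deliver'], true));
}
$r = demo_gate(['email' => 'b@example.com', 'website' => 'http://x.example'], '198.51.100.9', $t0, $log);
printf("bot: %s deliver=%s\n", $r['response'], var_export($r['deliver'], true));
// One hour later the window has moved on and the first IP is accepted again.
$r = demo_gate(['email' => 'a@example.com', 'website' => ''], '203.0.113.7', $t0 + 3607, $log);
printf("human later: %s deliver=%s\n", $r['response'], var_export($r['deliver'], true));
```

Only `response` would be returned to the client; `deliver` is the server-side decision, which is what keeps the honeypot rejection indistinguishable from an accepted submission.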

1.1.1

New Features:

  • Sample form with all supported field types (text, tel, email, radio, checkbox, textarea, select, select multiple) is automatically created on first activation for easy reference

Documentation:

  • Added cache plugin/CDN compatibility warning
  • Added CSS styling note (no frontend CSS included)
  • Marked optional shortcodes in Installation section
  • Clarified PHP version compatibility (tested on PHP 8.3)
  • Updated WordPress compatibility to 6.9

1.1.0

New Features:

  • reCAPTCHA v3 integration – Configure Site Key and Secret Key in LW Simple Forms > Settings. When enabled, reCAPTCHA tokens are automatically generated and verified on form submission. Fails open on API communication errors to avoid blocking legitimate users. Score threshold: 0.5.
  • PRG (Post-Redirect-Get) pattern for duplicate submission prevention – After form completion, a cookie-based session key is stored and the browser is redirected to a clean URL via 302 redirect. The completion screen is displayed once, and page reload redirects back to the input page.

Improvements:

  • WordPress reserved word validation now blocks saving (previously only warned) when form field names use reserved query variables (e.g., name, p, s, page). Case-sensitive comparison: Name is allowed, name is blocked.
  • Extended wp_kses allowed HTML tags to include <form>, <button>, and <textarea> with their common attributes. This ensures confirmation screen buttons and form elements retain their HTML attributes (e.g., class, id).
  • Frontend CSS externalized – The plugin no longer outputs inline CSS. Error messages and button styles should be defined in your site’s stylesheet.
  • POST data is now properly handled with wp_unslash() to prevent double-escaping issues caused by WordPress wp_magic_quotes() (e.g., I’m no longer becomes I\’m).
  • Improved HTML sanitization warnings – Normalized comparison to avoid false positives from wp_kses removing trailing semicolons in style attributes. Warning messages now show the actual changed lines instead of a generic message.
  • Updated admin notes to clarify that style attributes are allowed (only script tags are blocked for security).
  • Confirmation button default label changed from “Confirm Input” to “Confirm”.

Bug Fixes:

  • Fixed direct submission mode (without confirmation screen) – Replaced query parameter approach (?lwsf_complete=1&key=…) which caused 404 errors due to WordPress interpreting query parameters. Email is now sent within the REST API call, and a flag is returned to JavaScript.
  • Fixed reCAPTCHA token regeneration – Tokens are now regenerated before the final form submission since reCAPTCHA tokens can only be used once.
  • Documented incompatibility with the async-javascript plugin – When that plugin adds the async attribute to lwsf.js, form functionality breaks. Workaround: exclude lwsf-form-handler in the async-javascript plugin settings.

1.0.0

  • Initial release

Author: LHAS
Version: 1.2.0
Last Updated: April 5, 2026
Active Installs: 10
Requires: WordPress 6.0
Tested Up To: WordPress 6.9.4
Requires PHP: 7.4
