Samurai Honeypot for Forms

Changelog

1.1.5

  • Improved: Conditional script loading — anti-spam JavaScript and CSS are now only output on pages that contain a CF7 or WPForms form (shortcode or Gutenberg block), reducing unnecessary DOM output on all other pages
  • New: samhp_force_enqueue filter — allows themes/plugins to force-load the anti-spam script on pages where forms are rendered outside post content (e.g. widgets, custom templates)

1.1.4

  • Improved: PoW submit guard — disable submit button during Proof of Work computation to prevent premature submission
  • Improved: PoW loading spinner shown only when computation exceeds 500 ms (no visual noise for low difficulty)
  • Improved: PoW abort mechanism — stale PoW computations from previous submissions and token refreshes are immediately cancelled via generation counter, preventing CPU contention
  • Fixed: Race condition where old token refresh could cancel new PoW computation after form re-injection

1.1.3

  • Fixed: Flamingo compatibility — removed incorrect bool type hint on wpcf7_flamingo_submit_if filter callback that caused a fatal TypeError on PHP 8.x when Flamingo is active
  • Fixed: Quarantine Log table now auto-creates on plugin update (previously only on fresh activation, causing empty log on updated sites)

1.1.2

  • Improved: Flamingo protection filter added to prevent database bloat (blocks Tier 2/3 submissions from being saved to Flamingo)
  • Improved: Quarantine Log now explicitly sets created_at timestamp

1.1.1

  • Improved: Settings page reorganized into three tabs (General, Rules & Access, Documentation)
  • Improved: Quarantine Log explanation expanded with detailed 3-Tier Triage information
  • Improved: Defense Layers Overview and REST API Status moved to dedicated Documentation tab

1.1.0

  • New: 3-Tier Triage System — Pass (Tier 1), Quarantine (Tier 2), Drop (Tier 3)
  • New: Built-in Quarantine Log with WP_List_Table UI (Settings > Quarantine Log)
  • New: Local database table (wp_samhp_logs) with FIFO hard cap of 1,000 rows
  • New: Tier 3 Drop — submissions scoring 100+ are silently dropped without any database write to prevent DB bloat during mass attacks
  • New: “Delete All Logs” action with nonce protection and confirmation dialog
  • New: Quarantine Log link on the main settings page
  • New: Defense Layers Overview table updated with 3-Tier Triage description
  • Improved: Silent Kill hooks for CF7 and WPForms now implement the 3-Tier logic
  • Improved: WPForms Silent Kill now blocks both email and entry save (Pro DB write + Lite Connect)
  • Removed: Flamingo integration completely removed — replaced by the built-in Quarantine Log to prevent database bloat during mass attacks
  • Improved: readme.txt updated with false positive warnings and 3-Tier documentation

1.0.0

  • Initial release
  • 15-layer score-based spam detection with Silent Kill
  • Contact Form 7 & WPForms (Lite & Pro) support with multi-adapter architecture
  • Stateless HMAC-SHA256 signed tokens with IP and Form ID binding
  • Proof of Work with Web Crypto API
  • Hash-verified behavioral entropy analysis with uniqueness tracking
  • Headless browser detection (client-side) and Headless Browser UA Block (server-side)
  • UA Age Detection — Chrome version age scoring (+10/+20/+30) to catch bots with outdated User-Agent strings
  • Atomic replay protection (INSERT IGNORE / wp_cache_add)
  • WPForms AJAX post-submit token refresh (wpformsAjaxSubmitSuccess)
  • IPv6 /64 normalization for rate limiting
  • Trusted proxy validation (Cloudflare + RFC 1918) with X-Forwarded-For rightmost-IP parsing
  • IP Whitelist / Blacklist with CIDR support and Whitelist Logged-in Users option
  • Content Rules: URL limit detection, BBCode detection, WordPress Disallowed Keys matching
  • Per-form skip support (CF7 Additional Settings / WPForms Skip Form IDs)
  • Multiple forms per page support
  • GDPR Compliant (Cookie-less & IP Hashing)


Version: 1.1.5
Last Updated: March 3, 2026
Requires: WordPress 5.9
Tested Up To: WordPress 6.9.1
Requires PHP: 7.4
