Analytical Spam Filter
| 开发者 | dalesandro |
|---|---|
| 更新时间 | 2026年6月7日 00:39 |
| PHP版本: | 7.1 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPL v2 or later |
| 版权网址: | 版权信息 |
详情介绍:
- No captchas
- No API keys
- No third-party services
- Privacy-friendly design
- Behavioral spam detection
- IP reputation tracking
- Content fingerprinting
- Cache-compatible operation
- Timestamp Blocking — Records when the page loaded and when the form was submitted. Submissions that arrive too quickly to have genuinely read the page, or after the token has expired, are blocked.
- Duration Blocking — Measures how long the visitor actively spent filling out the form. Bots fill forms almost instantly. Requires Cache Compatibility to be enabled.
- IP Blocking — Remembers which IP addresses have been blocked before. Once an address reaches the configured threshold, future submissions are flagged without running the remaining checks. IP addresses with a previously approved comment are never flagged.
- Content Blocking — Remembers the content of blocked spam. If the same message appears again from a different IP address, it is flagged immediately. Content that matches a previously approved comment is excluded from the spam history.
- Honeypot — Adds a hidden field that legitimate visitors never see or interact with. Bots that fill every available field are caught. Submissions where the field is missing entirely are also flagged.
- Automated Client Detection — Blocks submissions from automated tools that do not identify themselves as a real browser. Legitimate visitors send this information automatically.
- Referer Check — Blocks submissions that did not originate from a page on your own site.
- URL / Domain Blocking — Flags submissions containing more URLs or domain names than the configured limit. Spam comments frequently contain multiple links.
- JavaScript Check — When Timestamp or Duration Blocking is active, the plugin can determine whether JavaScript ran when the form loaded. Bots that skip JavaScript are caught automatically.
- Randomized Field Names — Hidden field names are randomized during installation and can be regenerated at any time from the settings page, so bots cannot target the plugin based on known field names.
- Trackback Blocking — Optionally block all trackbacks, which are a common source of spam.
- Pingback Blocking — Optionally block all pingbacks, which are a common source of spam.
- Send e-mail notifications for blocked spam, valid submissions, or all submissions
- Configurable e-mail rate limit to prevent inbox flooding during attacks
- Add spam to the WordPress spam queue, or block and reject it immediately
- Optionally show rejection reasons to the submitter
- Enable Cache Compatibility for caching plugin support and duration blocking
- Regenerate security keys at any time from the settings page
安装:
- Install Analytical Spam Filter through the WordPress.org plugin repository, or by uploading the .zip file via Admin → Plugins → Add New.
- Activate the plugin on the Admin → Plugins screen.
- Review and adjust settings on the Admin → Settings → Analytical Spam Filter screen.
- Deactivate the plugin on the Admin → Plugins screen. All plugin files and settings will be retained.
- Delete the plugin on the Admin → Plugins screen. This permanently removes all plugin files, database tables, and settings.
屏幕截图:
常见问题:
Why did I still receive a spammy comment?
The plugin uses behavioral analysis to block automated spam without requiring captchas or other obstacles. While these methods significantly reduce automated spam, they cannot catch every low-quality comment entered manually by a human. Use the diagnostic e-mails to review what the plugin is seeing and adjust settings and thresholds accordingly. The plugin only works with the default WordPress comment form.
Does it work with other comment plugins?
No. The plugin only blocks spam submitted through the default WordPress comment form.
Timestamp blocking is not working.
If your site uses a caching plugin, make sure the Cache Compatibility option is enabled in the plugin settings. This option requires JavaScript to be enabled in the visitor's browser. Even on sites without a caching plugin, enabling Cache Compatibility adds an additional layer of detection because bots typically do not execute JavaScript.
Duration blocking is not working.
Duration Blocking requires the Cache Compatibility option to be active. Without it, the browser cannot determine which hidden field to write the timing data into, so no duration value is recorded. Enable Cache Compatibility and ensure JavaScript is enabled.
Why am I receiving too many notification e-mails?
Use the Diagnostic Email Rate Limit setting to control the minimum number of seconds between notification e-mails of the same type. The default is 60 seconds. You can also use the threshold settings in the IP Blocking and Content Blocking sections to suppress repeat notifications from persistent spammers the plugin has already identified.
How do I rotate the plugin's security keys?
Go to Admin → Settings → Analytical Spam Filter and click the "Regenerate Security Keys" button at the bottom of the page. This immediately invalidates all existing form tokens. If your site uses a full-page cache, clear it afterward so visitors receive pages containing the new fields.
What is the difference between "Flag Comment as Spam?" and blocking entirely?
When "Flag Comment as Spam?" is enabled (the default), blocked submissions are quietly added to the WordPress spam queue where you can review them. When it is disabled, the submitter sees a rejection message immediately and the submission is discarded without being stored anywhere.
更新日志:
- Fixed compatibility issue with Micro Contact Form
- Added configurable diagnostic e-mail rate limiting to prevent inbox flooding during high-volume spam attacks, with suppressed-count reporting in the next e-mail that gets through
- Added "Regenerate Security Keys" button to the settings page to rotate the salt and all randomized field IDs without reinstalling
- Added database indexes to IP and content history tables for improved query performance on busy sites
- Added settings page warnings when incompatible options are active simultaneously: "Use Duration Blocking?" requires "Enable Cache Compatibility?"; "Expose Comment Rejection Reasons to Submitter?" has no effect when "Flag Comment as Spam?" is active
- Honeypot now correctly rejects submissions where the hidden field is absent entirely, not just submissions where it contains data
- URL and domain name blocking no longer applies to logged-in users
- Fixed an edge case where the browser timer value could not be written to the correct field when Cache Compatibility was disabled
- Improved IPv6 address handling in the approved-submitter exemption check
- Fixed a potential silent pass-through when the URL detection regex fails on adversarial input
- Rewrote all settings descriptions in plain language
- Various code quality, security, and maintainability improvements throughout
- Added setting to send diagnostic notifications for valid submissions only
- IP blocking enhanced for reverse proxies
- Corrects a compatibility issue with the Micro Contact Form plugin
- Strengthened timestamp capability to measure active form entry time
- Corrected styles for default themes
- Simplified styling for honeypot fields
- Corrected issue with gallery block formatting due to hidden field style
- Corrected warning for undefined variable
- Corrected missing parameter during initial checks for plugin database tables
- Updated notification wording when timestamp is invalid
- Strengthened and simplified URL counting capability
- Strengthened IP sanitization
- Added settings to stop administrator notifications for repeated spam submissions
- Minor changes to improve code readability and internationalization
- Initial Release