=== Analytical Spam Filter ===
Contributors: dalesandro
Tags: spam, antispam, anti-spam, spam blocker, spam filter, block spam, comment filter, comment spam, security, protection
Requires at least: 5.9
Tested up to: 7.0
Requires PHP: 7.1
Stable tag: 1.1.0
License: GPL v2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Stop spam without making your visitors prove they're human. No captchas, no accounts, and no external services required.

== Description ==
Most spam filters make your visitors do the work by solving captchas, clicking image grids, or proving they are human before they can leave a comment. **Analytical Spam Filter** takes a different approach. It analyzes how a submission behaves and blocks spam automatically, with no friction for legitimate visitors.

**Key Features**

* No captchas
* No API keys
* No third-party services
* Privacy-friendly design
* Behavioral spam detection
* IP reputation tracking
* Content fingerprinting
* Cache-compatible operation

Install it, activate it, and it starts working.

Spam is identified by observing behaviors that real visitors naturally exhibit. People take time to read before typing, interact with the page, and use a real browser. Bots often skip those signals. The plugin uses those differences to distinguish legitimate submissions from automated spam without interrupting the user experience.

The plugin uses multiple independent detection techniques on every submission. A bot that bypasses one check is likely to be caught by another. Effectiveness also improves over time: once a spammer's IP address or message content has been identified, future attempts can be blocked more quickly. Visitors with a previously approved comment are never flagged, regardless of the spam history associated with their IP address.

No visitor data is sent to external spam services, and no account registration or API configuration is required.

All field names added by the plugin are randomized during installation and can be regenerated at any time. This helps prevent bots from targeting the plugin based on known source code signatures. The plugin is compatible with caching plugins when Cache Compatibility is enabled.

**The plugin blocks spam submitted through the default WordPress comment form only.** It is also automatically compatible with the **Micro Contact Form** plugin.

= Blocking Methods =
* **Timestamp Blocking** — Records when the page loaded and when the form was submitted. Submissions that arrive too quickly to have genuinely read the page, or after the token has expired, are blocked.
* **Duration Blocking** — Measures how long the visitor actively spent filling out the form. Bots fill forms almost instantly. Requires Cache Compatibility to be enabled.
* **IP Blocking** — Remembers which IP addresses have been blocked before. Once an address reaches the configured threshold, future submissions are flagged without running the remaining checks. IP addresses with a previously approved comment are never flagged.
* **Content Blocking** — Remembers the content of blocked spam. If the same message appears again from a different IP address, it is flagged immediately. Content that matches a previously approved comment is excluded from the spam history.
* **Honeypot** — Adds a hidden field that legitimate visitors never see or interact with. Bots that fill every available field are caught. Submissions where the field is missing entirely are also flagged.
* **Automated Client Detection** — Blocks submissions from automated tools that do not identify themselves as a real browser. Legitimate visitors send this information automatically.
* **Referer Check** — Blocks submissions that did not originate from a page on your own site.
* **URL / Domain Blocking** — Flags submissions containing more URLs or domain names than the configured limit. Spam comments frequently contain multiple links.
* **JavaScript Check** — When Timestamp or Duration Blocking is active, the plugin can determine whether JavaScript ran when the form loaded. Bots that skip JavaScript are caught automatically.
* **Randomized Field Names** — Hidden field names are randomized during installation and can be regenerated at any time from the settings page, so bots cannot target the plugin based on known field names.
* **Trackback Blocking** — Optionally block all trackbacks, which are a common source of spam.
* **Pingback Blocking** — Optionally block all pingbacks, which are a common source of spam.
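
The sketch below is an added example, not code from the plugin. It shows how a signed page-load timestamp with a minimum and maximum age can be checked together with a present-but-empty honeypot, and why rotating the key invalidates tokens that were already issued. The function names, field names, salt and limits are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. Names, salt and limits are assumptions.
const MIN_AGE = 5;    // assumed: seconds a reader needs before submitting
const MAX_AGE = 3600; // assumed: token lifetime in seconds

// Issued when the form is rendered: "<unix time>.<HMAC of that time>".
function issue_token(string $salt, int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, $salt);
}

// Returns the reasons to block; an empty array means the submission passes.
function check_submission(array $post, string $salt, string $tokenField, string $trapField, int $now): array {
    $reasons = [];
    // Honeypot must be present and empty: absent is flagged as well as filled.
    if (!array_key_exists($trapField, $post)) {
        $reasons[] = 'honeypot missing';
    } elseif ($post[$trapField] !== '') {
        $reasons[] = 'honeypot filled';
    }
    // Token must parse and carry a valid MAC under the current salt.
    $token = $post[$tokenField] ?? '';
    $parts = is_string($token) ? explode('.', $token, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])
        || !hash_equals(hash_hmac('sha256', $parts[0], $salt), $parts[1])) {
        $reasons[] = 'token invalid';
        return $reasons;
    }
    $age = $now - (int) $parts[0];
    if ($age < MIN_AGE) {
        $reasons[] = 'submitted too quickly';
    } elseif ($age > MAX_AGE) {
        $reasons[] = 'token expired';
    }
    return $reasons;
}

// Constructed sample data: per-install random field names and salt.
$salt = bin2hex(random_bytes(16));
$tokenField = 't_' . bin2hex(random_bytes(4));
$trapField = 'h_' . bin2hex(random_bytes(4));
$t0 = 1700000000;
$token = issue_token($salt, $t0);
$cases = [
    'reader, 40 s'          => [[$tokenField => $token, $trapField => ''], $salt, $t0 + 40],
    'fills all fields, 1 s' => [[$tokenField => $token, $trapField => 'x'], $salt, $t0 + 1],
    'trap field omitted'    => [[$tokenField => $token], $salt, $t0 + 40],
    'after key rotation'    => [[$tokenField => $token, $trapField => ''], bin2hex(random_bytes(16)), $t0 + 40],
];
foreach ($cases as $label => [$post, $key, $now]) {
    echo $label, ': ', implode(', ', check_submission($post, $key, $tokenField, $trapField, $now)) ?: 'pass', PHP_EOL;
}
```

Only the first case passes. The last case fails with "token invalid" because the token was signed under the old salt, which is why a full-page cache has to be cleared after keys are regenerated.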

= General Options =
* Send e-mail notifications for blocked spam, valid submissions, or all submissions
* Configurable e-mail rate limit to prevent inbox flooding during attacks
* Add spam to the WordPress spam queue, or block and reject it immediately
* Optionally show rejection reasons to the submitter
* Enable Cache Compatibility for caching plugin support and duration blocking
* Regenerate security keys at any time from the settings page

== Installation ==
= Install =
1. Install Analytical Spam Filter through the WordPress.org plugin repository, or by uploading the .zip file via Admin → Plugins → Add New.
2. Activate the plugin on the Admin → Plugins screen.
3. Review and adjust settings on the Admin → Settings → Analytical Spam Filter screen.

= Uninstall =
1. Deactivate the plugin on the Admin → Plugins screen. All plugin files and settings will be retained.
2. Delete the plugin on the Admin → Plugins screen. This permanently removes all plugin files, database tables, and settings.

== Frequently Asked Questions ==
= Why did I still receive a spammy comment? =

The plugin uses behavioral analysis to block automated spam without requiring captchas or other obstacles. While these methods significantly reduce automated spam, they cannot catch every low-quality comment entered manually by a human. Use the diagnostic e-mails to review what the plugin is seeing and adjust settings and thresholds accordingly. The plugin only works with the default WordPress comment form.

= Does it work with other comment plugins? =

No. The plugin only blocks spam submitted through the default WordPress comment form.

= Timestamp blocking is not working. =

If your site uses a caching plugin, make sure the Cache Compatibility option is enabled in the plugin settings. This option requires JavaScript to be enabled in the visitor's browser. Even on sites without a caching plugin, enabling Cache Compatibility adds an additional layer of detection because bots typically do not execute JavaScript.

= Duration blocking is not working. =

Duration Blocking requires the Cache Compatibility option to be active. Without it, the browser cannot determine which hidden field to write the timing data into, so no duration value is recorded. Enable Cache Compatibility and ensure JavaScript is enabled.

= Why am I receiving too many notification e-mails? =

Use the Diagnostic Email Rate Limit setting to control the minimum number of seconds between notification e-mails of the same type. The default is 60 seconds. You can also use the threshold settings in the IP Blocking and Content Blocking sections to suppress repeat notifications from persistent spammers the plugin has already identified.

= How do I rotate the plugin's security keys? =

Go to Admin → Settings → Analytical Spam Filter and click the "Regenerate Security Keys" button at the bottom of the page. This immediately invalidates all existing form tokens. If your site uses a full-page cache, clear it afterward so visitors receive pages containing the new fields.

= What is the difference between "Flag Comment as Spam?" and blocking entirely? =

When "Flag Comment as Spam?" is enabled (the default), blocked submissions are quietly added to the WordPress spam queue where you can review them. When it is disabled, the submitter sees a rejection message immediately and the submission is discarded without being stored anywhere.

== Screenshots ==
1. Analytical Spam Filter admin screen - General Settings.
2. Analytical Spam Filter admin screen - Basic Blocking Techniques.
3. Analytical Spam Filter admin screen - Timestamp Blocking.
4. Analytical Spam Filter admin screen - URL Blocking.
5. Analytical Spam Filter admin screen - IP Blocking.
6. Analytical Spam Filter admin screen - Content Blocking.

== Changelog ==
= 1.1.0 =
* Added configurable diagnostic e-mail rate limiting to prevent inbox flooding during high-volume spam attacks, with suppressed-count reporting in the next e-mail that gets through
* Added "Regenerate Security Keys" button to the settings page to rotate the salt and all randomized field IDs without reinstalling
* Added database indexes to IP and content history tables for improved query performance on busy sites
* Added settings page warnings when incompatible options are active simultaneously: "Use Duration Blocking?" requires "Enable Cache Compatibility?"; "Expose Comment Rejection Reasons to Submitter?" has no effect when "Flag Comment as Spam?" is active
* Honeypot now correctly rejects submissions where the hidden field is absent entirely, not just submissions where it contains data
* URL and domain name blocking no longer applies to logged-in users
* Fixed an edge case where the browser timer value could not be written to the correct field when Cache Compatibility was disabled
* Improved IPv6 address handling in the approved-submitter exemption check
* Fixed a potential silent pass-through when the URL detection regex fails on adversarial input
* Rewrote all settings descriptions in plain language
* Various code quality, security, and maintainability improvements throughout

= 1.0.13 =
* Added setting to send diagnostic notifications for valid submissions only

= 1.0.12 =
* IP blocking enhanced for reverse proxies

= 1.0.11 =
* Corrected a compatibility issue with the Micro Contact Form plugin

= 1.0.10 =
* Strengthened timestamp capability to measure active form entry time

= 1.0.9 =
* Corrected styles for default themes

= 1.0.8 =
* Simplified styling for honeypot fields

= 1.0.7 =
* Corrected issue with gallery block formatting due to hidden field style

= 1.0.6 =
* Corrected warning for undefined variable

= 1.0.5 =
* Corrected missing parameter during initial checks for plugin database tables

= 1.0.4 =
* Updated notification wording when timestamp is invalid

= 1.0.3 =
* Strengthened and simplified URL counting capability
* Strengthened IP sanitization

= 1.0.2 =
* Added settings to stop administrator notifications for repeated spam submissions

= 1.0.1 =
* Minor changes to improve code readability and internationalization

= 1.0.0 =
* Initial Release