=== AntiSpam Shield by LukaCodes ===
Contributors: Luka2013
Tags: spam, recaptcha, wpforms, turnstile, anti-spam
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 8.0
Donate link: https://www.paypal.com/donate/?hosted_button_id=942LJ42XE4HVW
Stable tag: 1.1.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Block comment spam, brute-force logins and bot registrations with reCAPTCHA v3 or Cloudflare Turnstile. Lightweight, no bloat.

== Description ==

**AntiSpam Shield by LukaCodes** is a lightweight, no-bloat plugin that protects your WordPress comment section **and contact forms** from spam. Six independent tools, one settings page. [Read the full documentation](https://lukacodes.com/comment-shield-docs/).

* **Disable Website Field** — Removes the URL/website field from the comment form. Works with all themes, including those that hardcode the field (CSS fallback included).
* **Strip Links from Comments** — Automatically removes all `<a href>` hyperlinks from comment content — both on display and before saving to the database. Spammers get zero benefit from posting links.
* **reCAPTCHA v3** — Adds Google's invisible bot-score protection. No checkbox, no puzzle, no friction for real users. Bots are silently blocked server-side.
* **Cloudflare Turnstile** — A privacy-friendly CAPTCHA alternative. Mutually exclusive with reCAPTCHA v3 — enabling one automatically disables the other.
* **Login Shield** — Adds CAPTCHA to the WordPress login form (`wp-login.php`). Stops brute-force bots silently.
* **Registration Shield** — Adds CAPTCHA to the WordPress registration form. Blocks bot account creation.
* **WPForms Integration** — Apply the same CAPTCHA protection to WPForms Lite — using the same keys you already configured, no extra setup.
* **Easy Contact Form by LukaCodes Integration** — Apply the same CAPTCHA protection to forms created with the companion Easy Contact Form plugin.

All features are **independent** — enable only what you need.

= Login & Registration Shield =

Version 1.1.2 adds CAPTCHA protection to `wp-login.php`:

* **Login Shield** — Hooks into `wp_authenticate_user` for server-side verification after credentials are checked. Returns a `WP_Error` if CAPTCHA fails — WordPress displays it as a normal login error.
* **Registration Shield** — Hooks into `registration_errors` to add CAPTCHA validation during registration. Works alongside all other WordPress registration validations.

Both are independently togglable in the settings panel. Admins already logged in are never affected.

= WPForms Integration =

Version 1.1.0 introduces CAPTCHA protection for **WPForms Lite**:

* Hooks into `wpforms_display_submit_before` to inject the CAPTCHA widget before the submit button.
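* Hooks into `wpforms_process` for server-side token verification (changed to `wpforms_process_before` in 1.1.3, so a submission with a missing or invalid token is blocked before any email is sent).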
* Works with both reCAPTCHA v3 (invisible) and Cloudflare Turnstile (visible widget).

Note: WPForms Pro includes its own native CAPTCHA integration — this feature is intended for **WPForms Lite** users only.

= Easy Contact Form by LukaCodes Integration =

Version 1.1.4 adds CAPTCHA protection for forms created with [Easy Contact Form by LukaCodes](https://wordpress.org/plugins/lukacodes-easy-contact-form/):

* Injects the CAPTCHA widget (Turnstile) or invisible token (reCAPTCHA v3) into every Easy Contact Form on the page.
* Hooks into Easy Contact Form's `lukacodes_comment_shield_check` filter for server-side token verification before the submission is processed or emails are sent.
* Uses the same CAPTCHA keys you already configured — no extra setup.
* When a token fails, the user sees a CAPTCHA-specific error message inline; the submission is never stored or emailed.

= Why AntiSpam Shield? =

Most anti-spam plugins are heavy, require accounts, or add ugly CAPTCHAs. AntiSpam Shield by LukaCodes is different:

* ~30 KB total — no external libraries, no jQuery dependency
* Settings page with **live key testing** — verify your reCAPTCHA or Turnstile keys before enabling
* **Link stripping preview** — paste any comment text and see exactly what gets removed
* Graceful fallback: if Google's or Cloudflare's API is unreachable, comments are held for moderation (never lost)
* Trusted users (administrators) bypass CAPTCHA checks automatically
* **Mutual exclusion**: reCAPTCHA v3 and Cloudflare Turnstile cannot be active at the same time
* WP Coding Standards compliant — fully escaped output, nonce-protected AJAX

= reCAPTCHA v3 — How it works =

When a visitor submits a form, JavaScript silently requests a score token from Google. The token is sent with the submission and verified server-side against your minimum score threshold (configurable from 0.1 to 1.0). No user interaction required.

= Cloudflare Turnstile — How it works =

A Turnstile widget is rendered inside the form. When the visitor completes the challenge, a token is submitted and verified server-side against the Cloudflare API.
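
The server-side decision described in the two sections above can be sketched as follows. This is an added example, not the plugin's own code: the function name, the `accept` / `reject` / `moderate` verdicts and the sample replies are assumptions, and the reply fields (`success`, `score`, `action`, `hostname`, `error-codes`) are those returned by the two siteverify endpoints.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not the plugin's code): classify a decoded siteverify reply.
// $reply is null when the API was unreachable or returned invalid JSON.
// $minScore is null for Turnstile, whose reply carries no score.
function classify_siteverify(?array $reply, string $host, ?string $action, ?float $minScore): string
{
    if ($reply === null) {
        return 'moderate';            // outage: hold for review, do not drop
    }
    if (($reply['success'] ?? false) !== true) {
        return 'reject';              // provider refused the token
    }
    $seenHost = $reply['hostname'] ?? null;
    if (!is_string($seenHost) || strcasecmp($seenHost, $host) !== 0) {
        return 'reject';              // token was issued on another site
    }
    if ($action !== null && ($reply['action'] ?? null) !== $action) {
        return 'reject';              // token was issued for another form
    }
    if ($minScore !== null) {
        $score = $reply['score'] ?? null;
        if ((!is_float($score) && !is_int($score)) || $score < $minScore) {
            return 'reject';          // missing score or below the threshold
        }
    }
    return 'accept';
}

// Constructed sample replies (not captured traffic); null simulates an outage.
$samples = [
    'human'      => '{"success":true,"score":0.9,"action":"comment","hostname":"example.com"}',
    'low score'  => '{"success":true,"score":0.1,"action":"comment","hostname":"example.com"}',
    'wrong site' => '{"success":true,"score":0.9,"action":"comment","hostname":"other.example"}',
    'wrong form' => '{"success":true,"score":0.9,"action":"login","hostname":"example.com"}',
    'bad token'  => '{"success":false,"error-codes":["invalid-input-response"]}',
    'api down'   => null,
];
foreach ($samples as $label => $json) {
    $reply = $json === null ? null : json_decode($json, true);
    $verdict = classify_siteverify(is_array($reply) ? $reply : null, 'example.com', 'comment', 0.5);
    printf("%-11s %s\n", $label, $verdict);
}
// Turnstile reply: no score, so the threshold is skipped.
$turnstile = json_decode('{"success":true,"hostname":"example.com"}', true);
printf("%-11s %s\n", 'turnstile', classify_siteverify($turnstile, 'example.com', null, null));
```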

== Installation ==

1. Upload the `lukacodes-comment-shield` folder to `/wp-content/plugins/`
2. Activate the plugin through **Plugins → Installed Plugins**
3. Go to **Settings → AntiSpam Shield** to configure your options

= reCAPTCHA v3 Setup =

1. Visit [Google reCAPTCHA Admin Console](https://www.google.com/recaptcha/admin/create)
2. Create a new site — select **Score based (v3)**
3. Add your domain to the allowed domains list
4. Copy the **Site Key** and **Secret Key** into the plugin settings
5. Use the built-in **🔍 Test Keys** button to verify connectivity before enabling
6. Enable reCAPTCHA v3, set your minimum score, and save

= Cloudflare Turnstile Setup =

1. Visit [Cloudflare Turnstile Dashboard](https://dash.cloudflare.com/?to=/:account/turnstile)
2. Create a new site and select your widget type (Managed recommended)
3. Copy the **Site Key** and **Secret Key** into the plugin settings
4. Use the built-in **🔍 Test Turnstile Keys** button to verify connectivity before enabling
5. Enable Cloudflare Turnstile and save — reCAPTCHA v3 will be disabled automatically

= Contact Forms Setup =

No extra setup needed. Once reCAPTCHA v3 or Cloudflare Turnstile is configured, go to the **Contact Forms** section in the settings and toggle on each plugin you want to protect. The admin panel shows which form plugins are currently installed and active on your site. Currently supported: **WPForms Lite** and **Easy Contact Form by LukaCodes**.

== Frequently Asked Questions ==

= Does this require a Google account? =
Only if you use reCAPTCHA v3. You need a Google account to obtain keys from the [reCAPTCHA Admin Console](https://www.google.com/recaptcha/admin/create). The service is free. Cloudflare Turnstile requires a free Cloudflare account instead.

= Can I use both reCAPTCHA and Turnstile at the same time? =
No — they are mutually exclusive. Enabling one will automatically disable the other, both in the settings UI and on the server.

= Does this protect the login and registration forms? =
Yes. Enable "Login Shield" and/or "Registration Shield" in the **Login & Registration** section of the settings panel. The same reCAPTCHA v3 or Turnstile keys are reused — no extra setup needed. Administrators are never blocked.

= Does this protect WPForms Lite without extra keys? =
Yes. The same reCAPTCHA v3 or Turnstile keys you enter for comment protection are reused automatically for WPForms Lite. No additional setup required.

= Does this protect Easy Contact Form by LukaCodes? =
Yes. Install the [Easy Contact Form by LukaCodes](https://wordpress.org/plugins/lukacodes-easy-contact-form/) plugin, configure your forms there, then enable the "Easy Contact Form by LukaCodes" toggle in the Contact Forms section. The same CAPTCHA keys are reused. Failed CAPTCHA submissions are rejected before any email is sent or submission is stored.

= What happens if Google's or Cloudflare's API is unreachable? =
The comment or form submission is held for moderation instead of being rejected. You will never lose a genuine submission due to an API outage.

= Does it work with custom themes that hardcode the URL field? =
Yes. The plugin removes the field from WordPress's form array and also injects CSS as a fallback.

= Does this work with caching plugins? =
Yes. All CAPTCHA logic runs client-side (JS) and server-side (PHP on submission). Caching does not interfere.

= Do I need all features? =
No. Each feature has its own toggle. Enable only what your site needs.

== Screenshots ==

1. The main settings dashboard with Comment Options, reCAPTCHA, Turnstile, Login & Registration, and WPForms sections.
2. WPForms integration panel — shows detection status and toggle.
3. reCAPTCHA key tester — real-time verification against Google API.
4. Turnstile key tester — real-time verification against Cloudflare API.
5. Plugin status panel — at-a-glance view of current configuration.

== Changelog ==

= 1.1.4 =
* Changed: Plugin display name renamed to "AntiSpam Shield by LukaCodes"
* Tested: Confirmed compatible with WordPress 7.0
* Added: Integration with Easy Contact Form by LukaCodes — injects CAPTCHA widget into every `.lecf-form` on the page and verifies tokens server-side via the `lukacodes_comment_shield_check` filter
* Added: New toggle "Easy Contact Form by LukaCodes" under the Contact Forms settings section
* Added: New "Easy Contact Form Shield" status row in the Plugin Status panel
* Bumped version to 1.1.4

= 1.1.3 =
* Added: Option to disable comments on all posts sitewide
* Added: Option to disable comments on all pages sitewide
* Fixed: WPForms CAPTCHA hook changed to wpforms_process_before — form submission is now blocked before email is sent when token is missing/invalid
* Fixed: Key tester now validates that reCAPTCHA / Turnstile keys are registered for this site's domain
* Fixed: Keys from a different domain now show a clear "Domain mismatch" error instead of a false "keys look correct" result
* Improved: Turnstile key tester now passes sitekey to Cloudflare API to enable domain-level validation
* Improved: Greek (el) translation updated to 100% — all strings now translated
* Bumped version to 1.1.3

= 1.1.2 =
* Added Login Shield: CAPTCHA protection for wp-login.php login form
* Added Registration Shield: CAPTCHA protection for wp-login.php registration form
* Login and Registration shields are independently togglable in the settings panel
* Both shields reuse existing reCAPTCHA v3 / Turnstile keys — no additional setup required
* Added Login Shield and Register Shield rows to Plugin Status panel
* Updated POT template with all new i18n strings
* Updated Greek (el) translation with all new strings
* Bumped version to 1.1.2

= 1.1.0 =
* Added WPForms Lite integration: reCAPTCHA v3 and Cloudflare Turnstile protection for WPForms forms
* WPForms protection reuses existing CAPTCHA keys — no additional setup required
* Added WPForms panel in admin: auto-detects if WPForms is installed, toggle to enable/disable
* Added WPForms Shield row to Plugin Status panel
* Updated POT template with all new i18n strings
* Updated Greek (el) translation with all new strings
* Bumped version to 1.1.0

= 1.0.1 =
* Added Cloudflare Turnstile as a second CAPTCHA option (privacy-friendly alternative to reCAPTCHA)
* Added mutual exclusion logic: enabling reCAPTCHA disables Turnstile and vice versa
* Added server-side Turnstile token verification with moderation fallback
* Added live Turnstile key tester in the settings panel
* Updated uninstall.php to clean up Turnstile options on deletion

= 0.3 =
* Added server-side reCAPTCHA verification with action and hostname validation
* Added fallback: holds comment for moderation if Google API is unreachable
* Added `COMMSH_VERSION` constant and activation hook to seed default options
* Improved score threshold: configurable from 0.1 to 1.0 with live slider

= 0.2 =
* Integrated Google reCAPTCHA v3 invisible protection on comment form
* Added real-time key testing against Google API
* Added live link stripping preview with before/after diff
* Fixed double-submission bug on slow connections

= 0.1 =
* Initial release
* Remove website field from comment form (filter + CSS fallback)
* Strip HTML links from comments on display and before saving to database

== Upgrade Notice ==

= 1.1.3 =
Fixes key tester false-positive: keys from a different domain no longer show as valid. Recommended update for all users.

= 1.1.2 =
Plugin renamed to LukaCodes AntiSpam Shield. Adds CAPTCHA for login and registration forms. Fixes debug message in WPForms integration. Recommended update for all users.

= 1.1.0 =
Adds CAPTCHA protection for WPForms Lite — using your existing reCAPTCHA v3 or Turnstile keys. Recommended update for WPForms Lite users.

== Third-Party Services ==

This plugin optionally uses the following third-party services:

= Google reCAPTCHA v3 =

A service provided by Google LLC.

* **What it does:** Detects bots and spam on your comment form and contact forms without user interaction.
* **When data is sent:** Only when reCAPTCHA v3 is enabled. A token is sent to `https://www.google.com/recaptcha/api/siteverify` on each form submission.
* **What data is sent:** The visitor's IP address and a reCAPTCHA token.
* **Google Privacy Policy:** https://policies.google.com/privacy
* **Google Terms of Service:** https://policies.google.com/terms

= Cloudflare Turnstile =

A service provided by Cloudflare, Inc.

* **What it does:** Presents a privacy-friendly CAPTCHA widget on comment and contact forms.
* **When data is sent:** Only when Cloudflare Turnstile is enabled. A token is sent to `https://challenges.cloudflare.com/turnstile/v0/siteverify` on each form submission.
* **What data is sent:** The visitor's IP address and a Turnstile token.
* **Cloudflare Privacy Policy:** https://www.cloudflare.com/privacypolicy/
* **Cloudflare Terms of Service:** https://www.cloudflare.com/website-terms/

Both services are entirely optional. If you do not enter API keys or enable either CAPTCHA, no data is sent to any third party.
