=== SolverGuard Spam Shield — Anti-Spam, Bot & Login Protection ===
Contributors:      solverwp
Tags:              anti-spam, spam protection, bot protection, login security, honeypot, recaptcha, comment spam, ip blocker, brute force, wordpress security
Requires at least: 5.8
Tested up to:      7.0
Requires PHP:      7.4
Stable tag:        1.0.2
License:           GPLv2 or later
License URI:       https://www.gnu.org/licenses/gpl-2.0.html

The most complete free WordPress anti-spam plugin. Protects Contact Form 7, comments, login, registration, REST API, and XML-RPC — all in one shield.

== Description ==

**SolverGuard Spam Shield** is the only free WordPress plugin that protects every entry point of your site — contact forms, comment sections, user registrations, login page, REST API, XML-RPC, and your server itself — with zero shortcodes and zero per-form configuration required.

While most anti-spam plugins protect only one area of your site, SolverGuard deploys **30+ independent protection layers** across six major modules. Install it, activate it, and your entire WordPress site is defended immediately.

> **"Set it and forget it" protection — works automatically from the moment you activate.**

---

= 🛡️ MODULE 1: Contact Form 7 Protection =

Six independent spam-fighting layers apply automatically to every CF7 form on your site — no per-form setup needed.

* **🍯 Honeypot** — An invisible hidden field is silently injected into every form. Real users never see it or fill it in. Bots that auto-fill every field get caught instantly and blocked.
* **⏱ Time-Based Check** — Bots submit forms in milliseconds; humans take a few seconds to read and fill out a form. This module blocks submissions that arrive suspiciously fast (bots) or from stale, expired sessions, eliminating both automated attacks and session replay attacks.
* **🚫 IP Blocker** — Block individual IP addresses or entire CIDR network ranges (e.g. `10.0.0.0/8`) from submitting any form on your site. The same block list is automatically shared with comments, login, and registration protection for maximum coverage.
* **🔤 Keyword Filter** — Case-insensitive keyword and phrase matching scans every submitted form field simultaneously. Block spam phrases, competitor names, casino/pharma keywords, or any custom list of prohibited terms.
* **📈 Rate Limiter** — Caps the number of form submissions per IP address within a configurable sliding time window. Stops bots that submit the same form hundreds of times per hour, without ever impacting real users.
* **🤖 Google reCAPTCHA v3** — Silent, frictionless bot scoring via Google's reCAPTCHA v3. No annoying checkboxes or image puzzles for real visitors — the score is calculated invisibly in the background and submissions below your threshold are blocked automatically.
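
How the honeypot and the time-based check fit together on a Contact Form 7 form, as an added example (not the plugin's own code): a hidden field that only bots fill in, plus an "issued at" stamp that is HMAC-signed on the server so a bot cannot backdate it or replay an old one. It uses CF7's `wpcf7_form_elements` and `wpcf7_spam` hooks; the field names, the 3-second minimum and the 12-hour maximum are assumptions chosen for this example.

```php
<?php
// Added example (not the plugin's own code): a honeypot field plus an HMAC-signed
// "issued at" stamp on every Contact Form 7 form, checked on submit through CF7's
// wpcf7_form_elements and wpcf7_spam hooks. The field names, the 3 s minimum and
// the 12 h maximum are assumptions chosen for this example.

const SG_HONEYPOT_FIELD = 'sg_website_url';        // bots that fill every input fill this one
const SG_STAMP_FIELD    = 'sg_form_stamp';         // "<issued-at>:<hmac>", unforgeable by the client
const SG_MIN_SECONDS    = 3;                       // faster than this is not a human
const SG_MAX_SECONDS    = 12 * HOUR_IN_SECONDS;    // older than this is a stale or replayed form

// Sign the issue time with a server-side secret so a bot cannot backdate it.
function sg_make_stamp( int $issued_at ): string {
    return $issued_at . ':' . hash_hmac( 'sha256', (string) $issued_at, wp_salt( 'nonce' ) );
}

// Return the issue time when the stamp is genuine, null when missing or tampered.
function sg_verify_stamp( string $stamp ): ?int {
    if ( ! preg_match( '/^(\d{1,12}):([a-f0-9]{64})$/', $stamp, $m ) ) {
        return null;
    }
    $expected = hash_hmac( 'sha256', $m[1], wp_salt( 'nonce' ) );
    // hash_equals(): constant-time compare, so the MAC leaks nothing through timing.
    return hash_equals( $expected, $m[2] ) ? (int) $m[1] : null;
}

// Pure decision function (no WordPress globals) so the rules can be unit-tested.
// Returns the block reason, or null when the submission is allowed through.
function sg_spam_reason( string $honeypot, string $stamp, int $now ): ?string {
    if ( $honeypot !== '' ) {
        return 'honeypot';
    }
    $issued_at = sg_verify_stamp( $stamp );
    if ( $issued_at === null ) {
        return 'missing_or_forged_stamp';
    }
    $age = $now - $issued_at;
    if ( $age < SG_MIN_SECONDS ) {
        return 'too_fast';
    }
    if ( $age > SG_MAX_SECONDS ) {
        return 'stale_session';
    }
    return null;
}

// Inject both fields into the rendered form. The honeypot is moved off-screen
// rather than display:none, because some bots skip fields that are display:none.
add_filter( 'wpcf7_form_elements', function ( string $html ): string {
    $trap  = '<span style="position:absolute;left:-9999px" aria-hidden="true">';
    $trap .= '<input type="text" name="' . SG_HONEYPOT_FIELD . '" value="" tabindex="-1" autocomplete="off"></span>';
    $stamp = '<input type="hidden" name="' . SG_STAMP_FIELD . '" value="' . esc_attr( sg_make_stamp( time() ) ) . '">';
    return $trap . $stamp . $html;
} );

// Returning true from wpcf7_spam makes CF7 refuse the submission as spam.
add_filter( 'wpcf7_spam', function ( bool $spam ): bool {
    if ( $spam ) {
        return true; // already flagged by another check
    }
    $honeypot = isset( $_POST[ SG_HONEYPOT_FIELD ] ) ? (string) wp_unslash( $_POST[ SG_HONEYPOT_FIELD ] ) : '';
    $stamp    = isset( $_POST[ SG_STAMP_FIELD ] ) ? (string) wp_unslash( $_POST[ SG_STAMP_FIELD ] ) : '';
    $reason   = sg_spam_reason( $honeypot, $stamp, time() );
    if ( $reason !== null ) {
        // What the audit log described above would record: IP, reason, time.
        error_log( sprintf( '[sg-example] cf7 blocked ip=%s reason=%s', $_SERVER['REMOTE_ADDR'] ?? '-', $reason ) );
    }
    return $reason !== null;
} );
```

One caveat worth knowing: the stamp is minted when the page is rendered, so a full-page cache serves the same stamp to every visitor until the cached copy expires. Keep `SG_MAX_SECONDS` at least as long as the cache lifetime, or exclude pages that carry a form from the cache, otherwise genuine visitors are rejected as "stale".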

---

= 💬 MODULE 2: Comment Spam Protection =

Ten layers of dedicated comment spam protection, covering every submission path including Gutenberg and headless REST API setups.

* **🍯 Comment Honeypot** — A hidden anti-spam field is injected into every WordPress comment form automatically.
* **⏱ Comment Time Check** — Blocks comments submitted too quickly after page load (bots) or from sessions that expired too long ago.
* **🚫 IP Blocking** — Automatically reuses the shared IP block list — block an IP once, block it everywhere.
* **📈 Comment Rate Limiter** — Separate per-IP rate limiting specifically for comments, independent of form rate limiting.
* **🔤 Comment Keywords** — A global keyword list plus comment-specific blocked phrases. Stop spam before it reaches your moderation queue.
* **🔗 Link Count Limit** — Block comments containing more than a configurable number of hyperlinks — the #1 hallmark of spam comments.
* **📧 Email Domain Blocking** — Block registrations and comments from disposable or known spam email domains. Enter a list of blocked domains and all matching email addresses are automatically rejected.
* **🤖 User-Agent Filtering** — Block comments from known spam bot user-agents. Optionally block requests with no user-agent header at all.
* **⏳ Hold Comments With Author URL** — Automatically sends comments from authors with a URL in their display name to moderation, rather than publishing them instantly.
* **🌐 REST API Protection** — All comment spam checks also apply to submissions made via the WordPress REST API (used by Gutenberg and headless/decoupled WordPress setups).

---

= 🔐 MODULE 3: Login & Brute-Force Protection =

Stop hackers from guessing your password with automated brute-force attacks.

* **🔒 Login Rate Limiting** — After a configurable number of failed login attempts from the same IP, further attempts are blocked for a configurable lockout period. Stops dictionary attacks and credential-stuffing bots cold.
* **⏱ Configurable Lockout** — Set exactly how many failed attempts trigger a lockout, and how many minutes the lockout lasts. Default: 5 attempts, 15-minute lockout.
* **📋 Full Audit Logging** — Every blocked login attempt is logged with the IP address, timestamp, and the reason for the block, so you can see exactly what threats your site faces.
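
The lockout described above, written out as an added example (not the plugin's own code): failed attempts are counted per IP in a WordPress transient and, once the count reaches the limit, the `authenticate` filter refuses the login until the transient expires. The 5-attempt / 15-minute defaults match the ones above; the transient prefix, the log line format and the use of `REMOTE_ADDR` as the client address are assumptions for this example.

```php
<?php
// Added example (not the plugin's own code): per-IP login lockout on WordPress
// transients with the 5-attempt / 15-minute defaults described above. The transient
// prefix, the log line format and the use of REMOTE_ADDR as the client address are
// assumptions for this example.

const SG_LOGIN_MAX_ATTEMPTS = 5;
const SG_LOGIN_LOCKOUT      = 15 * MINUTE_IN_SECONDS;

// Use the TCP peer address. Trusting X-Forwarded-For as sent would let an attacker
// choose any "IP" per request and never hit the limit; behind a proxy, map the real
// client address from the proxy's trusted header before this point instead.
function sg_client_ip(): string {
    return (string) ( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function sg_login_key( string $ip ): string {
    return 'sg_login_fail_' . md5( $ip ); // hashed so the raw IP never becomes an option name
}

function sg_is_locked_out( int $failures ): bool {
    return $failures >= SG_LOGIN_MAX_ATTEMPTS;
}

// Count each failure. The transient's TTL is refreshed on every failure, so the
// lock keeps extending while an attacker keeps hammering and expires only after
// SG_LOGIN_LOCKOUT of quiet.
add_action( 'wp_login_failed', function ( string $username ) {
    $ip    = sg_client_ip();
    $key   = sg_login_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, SG_LOGIN_LOCKOUT );
    if ( sg_is_locked_out( $count ) ) {
        // The audit record: IP, reason, and the timestamp error_log() prepends.
        error_log( sprintf( '[sg-example] login lockout ip=%s user=%s failures=%d', $ip, $username, $count ) );
    }
} );

// Refuse while locked. Priority 30 runs after core's username/password check
// (priority 20), which would otherwise replace an early WP_Error with a WP_User
// whenever the guessed password happens to be right.
add_filter( 'authenticate', function ( $user ) {
    if ( sg_is_locked_out( (int) get_transient( sg_login_key( sg_client_ip() ) ) ) ) {
        return new WP_Error( 'sg_locked_out', __( 'Too many failed login attempts from your address. Try again later.' ) );
    }
    return $user;
}, 30 );

// Clear the counter on success so a legitimate user who mistyped twice is not penalised later.
add_action( 'wp_login', function () {
    delete_transient( sg_login_key( sg_client_ip() ) );
} );
```

Because the lockout error itself fires `wp_login_failed`, every attempt made during a lockout extends it; that is the intended behaviour against a bot that keeps retrying, and it is why the counter is cleared only on a successful login.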

---

= 👤 MODULE 4: Registration Spam Protection =

Block fake accounts and spam bot registrations before they are ever created in your database.

* **🍯 Registration Honeypot** — A hidden field traps bots that auto-fill every registration field.
* **⏱ Registration Time Check** — Blocks registrations submitted impossibly fast or from expired form sessions.
* **📧 Email Domain Blocking** — Block registrations from specific disposable email domains. Subdomain matching included — blocking `spammail.com` also blocks `user@sub.spammail.com`.
* **🔤 Username & Email Keyword Filter** — Blocks registrations with prohibited words in the username or email address.
* **📈 Registration Rate Limiter** — Limits the number of registration attempts per IP in a configurable period.
* **🌐 REST API & XML-RPC Coverage** — Protection applies to ALL registration paths: the standard form, the WordPress REST API, and direct `wp_insert_user()` calls. Fake accounts are blocked before they are ever written to the database, which also prevents WordPress from sending notification emails for blocked registrations.
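
The subdomain rule from the Email Domain Blocking item, as an added example (not the plugin's own code): the domain part of the address is compared against each blocked entry as an exact match or as a `.entry` suffix, so `spammail.com` catches `sub.spammail.com` without also catching `notspammail.com`. The same helper applies equally to the comment e-mail domain list in Module 2. It hooks WordPress core's `registration_errors` filter; the option name holding the list and the error code are assumptions for this example.

```php
<?php
// Added example (not the plugin's own code): reject a registration when the e-mail
// domain, or any parent of it, is on a block list, via WordPress core's
// registration_errors filter. The option name holding the list and the error code
// are assumptions for this example.

// Domain part of an address, lower-cased, or null when it is not a usable address.
function sg_email_domain( string $email ): ?string {
    if ( ! is_email( $email ) ) {
        return null;
    }
    return strtolower( rtrim( substr( $email, strrpos( $email, '@' ) + 1 ), '.' ) );
}

// Exact or subdomain match: "spammail.com" blocks "sub.spammail.com" but not
// "notspammail.com", which a plain substring or "ends with" test would also hit.
function sg_domain_blocked( string $domain, array $blocked ): bool {
    foreach ( $blocked as $entry ) {
        $entry = strtolower( trim( $entry ) );
        if ( $entry === '' ) {
            continue;
        }
        if ( $domain === $entry || substr( $domain, - ( strlen( $entry ) + 1 ) ) === '.' . $entry ) {
            return true;
        }
    }
    return false;
}

// One domain per line in the option, as an admin textarea would store it.
function sg_blocked_domains(): array {
    $raw = (string) get_option( 'sg_blocked_email_domains', '' );
    return array_values( array_filter( array_map( 'trim', explode( "\n", $raw ) ) ) );
}

// Adding an error here makes register_new_user() stop before wp_create_user() runs,
// so no row is written and no notification e-mail is sent.
add_filter( 'registration_errors', function ( WP_Error $errors, $sanitized_user_login, $user_email ): WP_Error {
    $domain = sg_email_domain( (string) $user_email );
    if ( $domain !== null && sg_domain_blocked( $domain, sg_blocked_domains() ) ) {
        $errors->add( 'sg_blocked_domain', __( 'Registration from this email domain is not permitted.' ) );
    }
    return $errors;
}, 10, 3 );
```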

---

= 🤖 MODULE 5: Advanced Bot Protection =

A dedicated bot-detection engine that runs before WordPress even fully loads — blocking malicious traffic at the earliest possible moment.

* **🕵️ Known Bad Bot Blacklist** — 30+ built-in user-agent signatures covering scrapers (AhrefsBot, SemrushBot, MJ12bot), vulnerability scanners (Nikto, sqlmap, WPScan, Acunetix, Nessus), DDoS tools (Slowloris, LOIC), AI crawlers, and spam bots. Fully customizable with your own additional signatures.
* **🚫 Empty User-Agent Blocking** — Blocks all requests with no User-Agent header — a near-universal sign of automated attack traffic.
* **🔍 Fake Googlebot / Bingbot Detection** — Real Googlebots come from specific Google-owned IP ranges with verifiable reverse DNS. This module performs a live reverse DNS lookup to verify any request claiming to be Googlebot or Bingbot, and blocks fakes that don't pass verification. Protects your server resources from being wasted on impersonators.
* **⚠️ Suspicious URL Pattern Blocking** — Blocks probes for sensitive files and attack patterns including:
  * `/wp-config.php`, `/.env`, `/.git/`, `/.htaccess` access attempts
  * Web shell uploads (`shell.php`, `c99.php`, `r57.php`)
  * Directory traversal attacks (`../../`)
  * SQL injection in URLs (`UNION SELECT`, `DROP TABLE`)
  * XML/XXE injection attempts
  * phpMyAdmin and database tool probes
  * WordPress scanner paths (`/wp-content/uploads/*.php`)
* **🌊 Request Flood Protection** — Sitewide per-IP rate limiting that blocks any IP sending excessive requests within a configurable time window. Stops DDoS and scraping attacks that would otherwise overload your server.
* **🔒 HTTP Method Filter** — Blocks unnecessary and dangerous HTTP methods such as TRACE and CONNECT that are used by certain attack tools.
* **🛡️ Security Headers** — Automatically adds five HTTP security headers to every response:
  * `X-Content-Type-Options: nosniff`
  * `X-Frame-Options: SAMEORIGIN`
  * `X-XSS-Protection: 1; mode=block`
  * `Referrer-Policy: strict-origin-when-cross-origin`
  * `Permissions-Policy: geolocation=(), microphone=(), camera=()`
* **🎭 Hide WordPress Version** — Removes the WordPress version number from page source, RSS feeds, script/style URLs, and HTTP headers — making version-specific exploit scanning much harder.
* **👤 Block Author Enumeration** — Blocks the `?author=1` URL trick that attackers use to discover your WordPress usernames before launching targeted brute-force attacks.
* **✏️ Custom Bot Signatures & URL Patterns** — Add your own custom bot user-agent signatures and URL regex patterns directly from the admin panel.
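
What the Fake Googlebot / Bingbot check above actually verifies, as an added example (not the plugin's own code): forward-confirmed reverse DNS. The PTR record for the client IP must name a host under a domain the vendor publishes for its crawlers, and that host must resolve forward to the same IP; the second step matters because anyone controls the PTR zone for their own addresses and can put `googlebot.com` in it. The resolvers are passed in as callables so the decision logic can be exercised offline against constructed DNS data; in production the wire-up passes PHP's `gethostbyaddr()` and `gethostbynamel()`. The transient cache name and the one-day cache lifetime are assumptions for this example.

```php
<?php
// Added example (not the plugin's own code): forward-confirmed reverse DNS (FCrDNS)
// for requests whose User-Agent claims to be Googlebot or Bingbot. The resolvers are
// injected so the decision logic runs offline; in production pass PHP's
// gethostbyaddr() and gethostbynamel(). The parent domains are the ones Google and
// Microsoft publish for their crawlers; the transient cache name is an assumption.

const SG_CRAWLER_DOMAINS = [
    'googlebot' => [ 'googlebot.com', 'google.com' ],
    'bingbot'   => [ 'search.msn.com' ],
];

// Which crawler the User-Agent claims to be, or null when it makes no such claim.
function sg_claimed_crawler( string $user_agent ): ?string {
    $ua = strtolower( $user_agent );
    if ( strpos( $ua, 'googlebot' ) !== false ) {
        return 'googlebot';
    }
    if ( strpos( $ua, 'bingbot' ) !== false ) {
        return 'bingbot';
    }
    return null;
}

// True when $host equals one of $domains or is a subdomain of one of them.
function sg_host_under( string $host, array $domains ): bool {
    $host = strtolower( rtrim( $host, '.' ) );
    foreach ( $domains as $domain ) {
        if ( $host === $domain || substr( $host, - ( strlen( $domain ) + 1 ) ) === '.' . $domain ) {
            return true;
        }
    }
    return false;
}

// $reverse: ip -> hostname (string) or false; $forward: hostname -> array of IPs or false.
// Returns true if the request may pass, false if it is an impostor.
function sg_verify_crawler( string $ip, string $user_agent, callable $reverse, callable $forward ): bool {
    $crawler = sg_claimed_crawler( $user_agent );
    if ( $crawler === null ) {
        return true; // nothing claimed, nothing to verify
    }
    // Step 1: the PTR name must sit under a domain the vendor publishes.
    // gethostbyaddr() returns the IP unchanged when no PTR record exists.
    $host = $reverse( $ip );
    if ( ! is_string( $host ) || $host === $ip || ! sg_host_under( $host, SG_CRAWLER_DOMAINS[ $crawler ] ) ) {
        return false;
    }
    // Step 2: forward-confirm. Only the vendor's own forward zone can make that
    // name resolve back to this address.
    $addresses = $forward( $host );
    return is_array( $addresses ) && in_array( $ip, $addresses, true );
}

// Offline self-check with constructed DNS data (not real records): returns true
// when the genuine, the two impostor and the no-claim cases are all decided correctly.
function sg_crawler_selfcheck(): bool {
    $ptr = [
        '203.0.113.10' => 'crawler.googlebot.com',                 // genuine: PTR and A agree
        '203.0.113.20' => 'fake.googlebot.com.attacker.example',   // PTR not under googlebot.com
        '203.0.113.30' => 'crawler.googlebot.com',                 // PTR lies, A record disagrees
    ];
    $a       = [ 'crawler.googlebot.com' => [ '203.0.113.10' ] ];
    $reverse = function ( string $ip ) use ( $ptr ) { return $ptr[ $ip ] ?? $ip; };
    $forward = function ( string $host ) use ( $a ) { return $a[ $host ] ?? false; };
    $ua      = 'Mozilla/5.0 (compatible; Googlebot/2.1)';
    return sg_verify_crawler( '203.0.113.10', $ua, $reverse, $forward ) === true
        && sg_verify_crawler( '203.0.113.20', $ua, $reverse, $forward ) === false
        && sg_verify_crawler( '203.0.113.30', $ua, $reverse, $forward ) === false
        && sg_verify_crawler( '203.0.113.40', 'curl/8.0', $reverse, $forward ) === true;
}

// Wire-up: run as early as an ordinary plugin can, caching the verdict per IP and
// claim because a live DNS round trip on every request would be slow.
add_action( 'plugins_loaded', function () {
    $ip      = (string) ( $_SERVER['REMOTE_ADDR'] ?? '' );
    $ua      = (string) ( $_SERVER['HTTP_USER_AGENT'] ?? '' );
    $crawler = sg_claimed_crawler( $ua );
    if ( $ip === '' || $crawler === null ) {
        return;
    }
    $key     = 'sg_crawler_' . md5( $ip . '|' . $crawler );
    $verdict = get_transient( $key );
    if ( $verdict === false ) {
        $verdict = sg_verify_crawler( $ip, $ua, 'gethostbyaddr', 'gethostbynamel' ) ? 'ok' : 'fake';
        set_transient( $key, $verdict, DAY_IN_SECONDS );
    }
    if ( $verdict === 'fake' ) {
        status_header( 403 );
        exit;
    }
} );
```

Note that a request without a crawler claim is not touched by this check at all; impersonation is the only thing FCrDNS decides, and the other Module 5 layers handle the rest.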

---

= ⚙️ MODULE 6: General WordPress-Wide Protection =

Site-wide hardening that protects your WordPress installation at the infrastructure level.

* **📡 XML-RPC Protection** — Fully disable XML-RPC (a common DDoS amplification vector), or choose the surgical option: disable only the pingback methods while leaving the rest of XML-RPC available for legitimate use (e.g. mobile apps).
* **🔗 REST API Rate Limiting** — Rate-limit unauthenticated REST API requests per IP to prevent API abuse by bots and scrapers.
* **🚫 REST API User Enumeration Block** — Automatically blocks unauthenticated access to the `/wp/v2/users` REST endpoint, which attackers use to harvest all WordPress usernames on your site.
* **🏓 Trackback & Pingback Spam Blocking** — Block all incoming trackback and pingback requests sitewide. Also removes the `X-Pingback` HTTP header and the pingback URL from your blog info to hide the endpoint from probes.
* **🔗 Comment Author URL Hold** — Automatically sends any comment to moderation when the author's display name contains a URL — a common spam technique.
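
The XML-RPC "pingback only" option, the pingback header and URL removal, and the unauthenticated `/wp/v2/users` block from this module, together with the `?author=N` block from Module 5, as one added example (not the plugin's own code) built on WordPress core hooks. The option name and its `off` / `pingback` / `on` values are assumptions for this example; in the plugin each piece sits behind its own module toggle.

```php
<?php
// Added example (not the plugin's own code): Module 5's ?author=N block and Module 6's
// XML-RPC "pingback only" option, pingback header removal and unauthenticated
// /wp/v2/users block, all through WordPress core hooks. The option name and the
// 'off' / 'pingback' / 'on' mode values are assumptions for this example.

function sg_xmlrpc_mode(): string {
    return (string) get_option( 'sg_xmlrpc_mode', 'pingback' );
}

// Full disable. Note that xmlrpc_enabled only gates methods that log in; pingback.ping
// needs no login, so for 'off' the method table is emptied as well (below).
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return sg_xmlrpc_mode() === 'off' ? false : $enabled;
} );

add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    switch ( sg_xmlrpc_mode() ) {
        case 'off':
            return [];
        case 'pingback': // surgical: drop only the pingback methods, keep the rest for apps
            unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
            return $methods;
        default:
            return $methods;
    }
} );

// Stop advertising the endpoint: no X-Pingback header, no pingback URL in bloginfo()
// (which is what themes print as <link rel="pingback">), and no pings accepted at all.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return $show === 'pingback_url' ? '' : $output;
}, 10, 2 );
add_filter( 'pings_open', '__return_false' );

// REST user enumeration: remove the users routes for anonymous callers, who then
// get rest_no_route (404). Logged-in users keep them; /wp/v2/users/me already
// requires authentication on its own.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// ?author=N probe: refuse at init, before redirect_canonical() (template_redirect)
// turns the numeric ID into /author/<username>/ and gives the name away. Pretty
// author archives use the author_name query var, so they are unaffected.
add_action( 'init', function () {
    if ( ! is_admin() && ! is_user_logged_in() && isset( $_GET['author'] ) ) {
        status_header( 403 );
        nocache_headers();
        exit;
    }
} );
```

A quick way to confirm the REST block after deploying is an anonymous `GET /wp-json/wp/v2/users`, which should now return a `rest_no_route` error instead of the user list, while the same request with an authenticated session still succeeds.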

---

= 📊 Spam Log & Reporting =

* **Full Audit Log** — Every blocked request is logged with the IP address, user-agent, submission data, block reason, and timestamp. Available under **Anti-Spam Protection → Spam Log**.
* **Filter by Module** — Quickly find blocked entries by protection module (honeypot, rate limiter, bot protection, login, registration, etc.).
* **Automatic Log Cleanup** — Set a log retention period in days and old entries are automatically purged. Keep your database clean without manual work.
* **One-Click Log Clear** — Clear all log entries instantly from the admin panel.

---

= ✅ Why Choose SolverGuard Spam Shield? =

| Feature | SolverGuard | Typical Free Plugin |
|---|---|---|
| CF7 Form Protection | ✅ 6 layers | ✅ 1-2 layers |
| Comment Spam Protection | ✅ 10 layers | ✅ Basic |
| Login Brute-Force Protection | ✅ Yes | ❌ No |
| Registration Spam Protection | ✅ Yes | ❌ No |
| Advanced Bot Protection | ✅ 10+ checks | ❌ No |
| XML-RPC & REST API Hardening | ✅ Yes | ❌ No |
| Security Headers | ✅ Yes | ❌ No |
| Hide WordPress Version | ✅ Yes | ❌ No |
| Author Enumeration Block | ✅ Yes | ❌ No |
| Spam Log with Auto-Cleanup | ✅ Yes | ❌ No |
| Zero Configuration Required | ✅ Works instantly | ⚠️ Often requires setup |
| 100% Free | ✅ Yes | ✅ Yes |

---

= Works Automatically — Zero Configuration Required =

All protection layers activate automatically the moment you install and activate the plugin. No shortcodes to add, no per-form configuration, no template edits. Every module can be individually toggled on or off, and all settings are accessible from a single admin page under **Anti-Spam Protection → Settings**.

---

== External Services ==

This plugin optionally integrates with **Google reCAPTCHA v3** for silent spam scoring on Contact Form 7 submissions. This feature is **disabled by default** and must be explicitly enabled by the site administrator by entering their own reCAPTCHA site and secret keys.

**What data is sent and when?**
When reCAPTCHA is enabled, the visitor's reCAPTCHA response token and IP address are sent to Google's servers at the time of a form submission.

**No data is sent to Google if the reCAPTCHA module is disabled.**

* Service: Google reCAPTCHA v3
* Provider: Google LLC
* Terms of Service: https://policies.google.com/terms
* Privacy Policy: https://policies.google.com/privacy

No other data is sent to any external service. All spam detection is performed locally on your own server.

---

== Installation ==

1. Upload the `solverguard-spam-shield` folder to `/wp-content/plugins/`, or install directly via **Plugins → Add New** in your WordPress dashboard.
2. Activate the plugin from **Plugins → Installed Plugins**.
3. Go to **Anti-Spam Protection → Settings** to review and configure each module (all modules are pre-enabled with sensible defaults — no configuration is required to get started).

---

== Frequently Asked Questions ==

= Does this work with all CF7 forms automatically? =

Yes. All six Contact Form 7 protection layers are applied globally to every CF7 form on your site without any per-form configuration. Simply activate the plugin and your forms are protected.

= Do I need Contact Form 7 installed? =

No. The CF7-specific modules (Honeypot, Time Check, Rate Limiter, Keyword Filter, reCAPTCHA) only activate if CF7 is detected. All other modules — bot protection, login protection, registration protection, comment protection, XML-RPC hardening, and security headers — work independently of CF7.

= Will this slow down my website? =

No. The plugin is designed with performance in mind. Bot protection and security checks run before WordPress loads heavy resources, so blocked requests are terminated early. Spam checks are lightweight transient-based lookups. Real visitors on your site will experience no measurable performance impact.

= How do I enable reCAPTCHA v3? =

1. Go to the [Google reCAPTCHA admin console](https://www.google.com/recaptcha/admin).
2. Register a new site with **reCAPTCHA v3**.
3. Copy your **Site Key** and **Secret Key** into the plugin settings under the reCAPTCHA tab.
4. Enable reCAPTCHA v3 and set your score threshold (Google recommends 0.5).

= Can I block entire countries? =

You can block CIDR IP ranges in the IP Blocker tab, which covers known regional IP ranges. For granular country-level blocking, combine this with a Cloudflare firewall rule or similar CDN-based geo-blocking service.

= Does the Login Protection work with WooCommerce and custom login pages? =

Yes. Login rate limiting hooks into WordPress core's authentication system, so it works with any login form that uses the standard WordPress authentication, including WooCommerce My Account, BuddyPress, bbPress, and most membership plugins.

= What is author enumeration and why should I block it? =

Author enumeration is a reconnaissance technique where an attacker visits `yoursite.com/?author=1`, `?author=2`, etc. to discover the usernames of all WordPress users. Once an attacker has your username, they only need to guess the password. Blocking author enumeration is an important first line of defense against targeted brute-force attacks.

= Will blocking XML-RPC break anything? =

It depends on whether you use any tools that rely on XML-RPC (such as older mobile apps, certain desktop publishing tools, or Jetpack). If you are unsure, use the "Disable only pingback" option instead of the full disable — this stops the most common XML-RPC abuse (DDoS pingback amplification) while leaving legitimate XML-RPC functionality intact.

= Can I whitelist my own IP so I'm never locked out? =

You can ensure your own IP is not listed in the IP Blocker. The login rate limiter skips logged-in administrators. If you are ever locked out, you can disable the login rate limiter by deactivating the plugin temporarily via FTP or your hosting file manager.

= Is this plugin compatible with multisite? =

The plugin functions on multisite installations. Network-wide activation applies settings on a per-site basis.

= Does it work with caching plugins? =

Yes. All spam checks run on form submissions and POST requests, which caching plugins do not cache. Your page caching is not affected.

---

== Screenshots ==

1. **Settings Page** — All modules in a single, clean tabbed admin panel. Toggle individual features on or off instantly.
2. **Spam Log** — Full audit log showing blocked requests with IP, module, reason, and timestamp.
3. **Bot Protection Settings** — Granular control over all bot detection layers.
4. **Registration Spam Settings** — Email domain blocking, honeypot, rate limiting, and keyword filtering for registration.
5. **Login Protection Settings** — Configure failed attempt limits and lockout duration.

---

== Changelog ==

= 1.0.2 =
* Added Advanced Bot Protection module with 10 detection layers.
* Added Login brute-force rate limiting.
* Added Registration Spam Protection (honeypot, time check, email domain blocking, rate limiter).
* Added General WordPress hardening (XML-RPC control, REST API rate limiting, user enumeration blocking, trackback/pingback blocking).
* Added Security Headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy).
* Added WordPress version hiding.
* Added author enumeration blocking.
* Added Fake Googlebot / Bingbot detection via reverse DNS.
* Added suspicious URL pattern blocking (SQL injection, directory traversal, shell upload probes).
* Added request flood protection (sitewide per-IP rate limiting).
* Added REST API user enumeration blocking.
* Improved spam log with filtering and auto-cleanup.

= 1.0.0 =
* Initial release with CF7 honeypot, time check, IP blocker, keyword filter, rate limiter, reCAPTCHA v3, and comment spam protection.

---

== Upgrade Notice ==

= 1.0.2 =
Major update adding login protection, registration spam protection, advanced bot protection, XML-RPC hardening, security headers, and more. All new modules are enabled by default with safe settings. Review your settings after upgrading.