SolverGuard Spam Shield — Anti-Spam, Bot & Login Protection

By solverwp

Description

SolverGuard Spam Shield is the only free WordPress plugin that protects every entry point of your site — contact forms, comment sections, user registrations, login page, REST API, XML-RPC, and your server itself — with zero shortcodes and zero per-form configuration required.

While most anti-spam plugins protect only one area of your site, SolverGuard deploys 30+ independent protection layers across six major modules. Install it, activate it, and your entire WordPress site is defended immediately.

“Set it and forget it” protection — works automatically from the moment you activate.

🛡️ MODULE 1: Contact Form 7 Protection

Six independent spam-fighting layers apply automatically to every CF7 form on your site — no per-form setup needed.

  • 🍯 Honeypot — An invisible hidden field is silently injected into every form. Real users never see it or fill it in. Bots that auto-fill every field get caught instantly and blocked.
  • ⏱ Time-Based Check — Bots submit forms in milliseconds; humans take a few seconds to read and fill out a form. This module blocks submissions that arrive suspiciously fast (bots) or from stale, expired sessions, eliminating both automated attacks and session replay attacks.
  • 🚫 IP Blocker — Block individual IP addresses or entire CIDR network ranges (e.g. 10.0.0.0/8) from submitting any form on your site. The same block list is automatically shared with comments, login, and registration protection for maximum coverage.
  • 🔤 Keyword Filter — Case-insensitive keyword and phrase matching scans every submitted form field simultaneously. Block spam phrases, competitor names, casino/pharma keywords, or any custom list of prohibited terms.
  • 📈 Rate Limiter — Caps the number of form submissions per IP address within a configurable sliding time window. Stops bots that submit the same form hundreds of times per hour, without ever impacting real users.
  • 🤖 Google reCAPTCHA v3 — Silent, frictionless bot scoring via Google’s reCAPTCHA v3. No annoying checkboxes or image puzzles for real visitors — the score is calculated invisibly in the background and submissions below your threshold are blocked automatically.

💬 MODULE 2: Comment Spam Protection

Ten layers of dedicated comment spam protection, covering every submission path including Gutenberg and headless REST API setups.

  • 🍯 Comment Honeypot — A hidden anti-spam field is injected into every WordPress comment form automatically.
  • ⏱ Comment Time Check — Blocks comments submitted too quickly after page load (bots) or from sessions that expired too long ago.
  • 🚫 IP Blocking — Automatically reuses the shared IP block list — block an IP once, block it everywhere.
  • 📈 Comment Rate Limiter — Separate per-IP rate limiting specifically for comments, independent of form rate limiting.
  • 🔤 Comment Keywords — A global keyword list plus comment-specific blocked phrases. Stop spam before it reaches your moderation queue.
  • 🔗 Link Count Limit — Block comments containing more than a configurable number of hyperlinks — the #1 hallmark of spam comments.
  • 📧 Email Domain Blocking — Block registrations and comments from disposable or known spam email domains. Enter a list of blocked domains and all matching email addresses are automatically rejected.
  • 🤖 User-Agent Filtering — Block comments from known spam bot user-agents. Optionally block requests with no user-agent header at all.
  • ⏳ Hold Comments With Author URL — Automatically sends comments from authors with a URL in their display name to moderation, rather than publishing them instantly.
  • 🌐 REST API Protection — All comment spam checks also apply to submissions made via the WordPress REST API (used by Gutenberg and headless/decoupled WordPress setups).

🔐 MODULE 3: Login & Brute-Force Protection

Stop hackers from guessing your password with automated brute-force attacks.

  • 🔒 Login Rate Limiting — After a configurable number of failed login attempts from the same IP, further attempts are blocked for a configurable lockout period. Stops dictionary attacks and credential-stuffing bots cold.
  • ⏱ Configurable Lockout — Set exactly how many failed attempts trigger a lockout, and how many minutes the lockout lasts. Default: 5 attempts, 15-minute lockout.
  • 📋 Full Audit Logging — Every blocked login attempt is logged with the IP address, timestamp, and the reason for the block, so you can see exactly what threats your site faces.

👤 MODULE 4: Registration Spam Protection

Block fake accounts and spam bot registrations before they are ever created in your database.

  • 🍯 Registration Honeypot — A hidden field traps bots that auto-fill every registration field.
  • ⏱ Registration Time Check — Blocks registrations submitted impossibly fast or from expired form sessions.
  • 📧 Email Domain Blocking — Block registrations from specific disposable email domains. Subdomain matching included — blocking spammail.com also blocks user@sub.spammail.com.
  • 🔤 Username & Email Keyword Filter — Blocks registrations with prohibited words in the username or email address.
  • 📈 Registration Rate Limiter — Limits the number of registration attempts per IP in a configurable period.
  • 🌐 REST API & XML-RPC Coverage — Protection applies to ALL registration paths: the standard form, the WordPress REST API, and direct wp_insert_user() calls. Fake accounts are blocked before they are ever written to the database, which also prevents WordPress from sending notification emails for blocked registrations.
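
The subdomain matching described for Email Domain Blocking, as an added example (not the plugin's own code). The function name and the sample block list are hypothetical and the addresses are constructed. It matches on whole DNS labels, so blocking spammail.com catches sub.spammail.com but not an unrelated domain that merely ends in the same characters.

```php
<?php
// Added illustration, not SolverGuard's code. Names and sample data are hypothetical.

/**
 * Return true when the address's domain equals a blocked domain or is a
 * subdomain of one. Comparison is per DNS label, so blocking
 * "spammail.com" does not also block "notspammail.com".
 */
function example_email_domain_blocked(string $email, array $blocked_domains): bool
{
    $at = strrpos($email, '@');
    if ($at === false || $at === strlen($email) - 1) {
        return false; // no domain part: leave it to normal e-mail validation
    }
    // Domains are case-insensitive; a trailing dot is the same name.
    $domain = strtolower(rtrim(substr($email, $at + 1), '.'));
    $labels = explode('.', $domain);

    // Normalise the block list once into a lookup set.
    $blocked = [];
    foreach ($blocked_domains as $entry) {
        $entry = strtolower(trim($entry, " \t\r\n."));
        if ($entry !== '') {
            $blocked[$entry] = true;
        }
    }

    // Test the full domain, then each parent: sub.spammail.com, spammail.com, com.
    for ($i = 0, $n = count($labels); $i < $n; $i++) {
        if (isset($blocked[implode('.', array_slice($labels, $i))])) {
            return true;
        }
    }
    return false;
}

// Constructed sample input.
$blocklist = ['spammail.com', 'Mailinator.com '];
$samples   = ['user@spammail.com', 'user@sub.spammail.com',
              'user@notspammail.com', 'USER@MAILINATOR.COM.', 'no-at-sign'];
foreach ($samples as $addr) {
    $verdict = example_email_domain_blocked($addr, $blocklist) ? 'blocked' : 'allowed';
    printf("%-24s %s\n", $addr, $verdict);
}
```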

🤖 MODULE 5: Advanced Bot Protection

A dedicated bot-detection engine that runs before WordPress even fully loads — blocking malicious traffic at the earliest possible moment.

  • 🕵️ Known Bad Bot Blacklist — 30+ built-in user-agent signatures covering scrapers (AhrefsBot, SemrushBot, MJ12bot), vulnerability scanners (Nikto, sqlmap, WPScan, Acunetix, Nessus), DDoS tools (Slowloris, LOIC), AI crawlers, and spam bots. Fully customizable with your own additional signatures.
  • 🚫 Empty User-Agent Blocking — Blocks all requests with no User-Agent header — a near-universal sign of automated attack traffic.
  • 🔍 Fake Googlebot / Bingbot Detection — Real Googlebots come from specific Google-owned IP ranges with verifiable reverse DNS. This module performs a live reverse DNS lookup to verify any request claiming to be Googlebot or Bingbot, and blocks fakes that don’t pass verification. Protects your server resources from being wasted on impersonators.
  • ⚠️ Suspicious URL Pattern Blocking — Blocks probes for sensitive files and attack patterns including:
    • /wp-config.php, /.env, /.git/, /.htaccess access attempts
    • Web shell uploads (shell.php, c99.php, r57.php)
    • Directory traversal attacks (../../)
    • SQL injection in URLs (UNION SELECT, DROP TABLE)
    • XML/XXE injection attempts
    • phpMyAdmin and database tool probes
    • WordPress scanner paths (/wp-content/uploads/*.php)
  • 🌊 Request Flood Protection — Sitewide per-IP rate limiting that blocks any IP sending excessive requests within a configurable time window. Stops DDoS and scraping attacks that would otherwise overload your server.
  • 🔒 HTTP Method Filter — Blocks unnecessary and dangerous HTTP methods such as TRACE and CONNECT that are used by certain attack tools.
  • 🛡️ Security Headers — Automatically adds five HTTP security headers to every response:
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: SAMEORIGIN
    • X-XSS-Protection: 1; mode=block
    • Referrer-Policy: strict-origin-when-cross-origin
    • Permissions-Policy: geolocation=(), microphone=(), camera=()
  • 🎭 Hide WordPress Version — Removes the WordPress version number from page source, RSS feeds, script/style URLs, and HTTP headers — making version-specific exploit scanning much harder.
  • 👤 Block Author Enumeration — Blocks the ?author=1 URL trick that attackers use to discover your WordPress usernames before launching targeted brute-force attacks.
  • ✏️ Custom Bot Signatures & URL Patterns — Add your own custom bot user-agent signatures and URL regex patterns directly from the admin panel.
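
The Fake Googlebot / Bingbot check above, sketched as an added example (not the plugin's own code). It goes one step beyond a bare reverse lookup by also forward-confirming the hostname. The function name is hypothetical, the resolver data is constructed, and the two domain suffixes are assumed from Google's public crawler-verification guidance.

```php
<?php
// Added illustration, not SolverGuard's code. All names here are hypothetical.

/**
 * Forward-confirmed reverse DNS. The PTR name must sit under a crawler-owned
 * domain AND resolve back to the same IP; a PTR record alone is set by
 * whoever controls the IP block. $ptr / $fwd are injectable for offline use.
 */
function example_verify_crawler(string $ip, array $suffixes, ?callable $ptr = null, ?callable $fwd = null): bool
{
    $ptr = $ptr ?? 'gethostbyaddr';
    $fwd = $fwd ?? static function (string $host): array {
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
            $ips[] = $rr['ip'] ?? $rr['ipv6'] ?? '';
        }
        return $ips;
    };
    $bin = @inet_pton($ip);
    if ($bin === false) {
        return false;
    }
    $host = $ptr($ip);
    // gethostbyaddr() returns the IP unchanged when no PTR record exists.
    if (!is_string($host) || $host === '' || $host === $ip) {
        return false;
    }
    $host = strtolower(rtrim($host, '.'));
    $under_allowed = false;
    foreach ($suffixes as $s) {
        $s = '.' . trim(strtolower($s), '.');
        // Leading dot forces a label boundary: "evilgooglebot.com" fails.
        $under_allowed = $under_allowed || substr($host, -strlen($s)) === $s;
    }
    if (!$under_allowed) {
        return false;
    }
    foreach ($fwd($host) as $candidate) {
        // Compare packed form so different spellings of one IPv6 address match.
        if (@inet_pton($candidate) === $bin) {
            return true;
        }
    }
    return false;
}

// Constructed resolver data standing in for DNS (documentation-range IPs).
$ptr_map = ['192.0.2.10'   => 'crawl-a.googlebot.com',            // PTR and A agree
            '203.0.113.66' => 'crawl-b.googlebot.com',            // PTR claims Google, A disagrees
            '198.51.100.7' => 'crawl.googlebot.com.example.net']; // look-alike suffix
$a_map   = ['crawl-a.googlebot.com' => ['192.0.2.10'], 'crawl-b.googlebot.com' => ['192.0.2.99']];
$ptr = fn($i) => $ptr_map[$i] ?? $i;
$fwd = fn($h) => $a_map[$h] ?? [];
foreach (array_keys($ptr_map) as $ip) {
    $ok = example_verify_crawler($ip, ['googlebot.com', 'google.com'], $ptr, $fwd);
    printf("%-14s %s\n", $ip, $ok ? 'verified' : 'blocked');
}
```

Live lookups add latency to the request path, so a deployment would normally cache the verdict per IP for a bounded time.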

⚙️ MODULE 6: General WordPress-Wide Protection

Site-wide hardening that protects your WordPress installation at the infrastructure level.

  • 📡 XML-RPC Protection — Fully disable XML-RPC (a common DDoS amplification vector), or choose the surgical option: disable only the pingback methods while leaving the rest of XML-RPC available for legitimate use (e.g. mobile apps).
  • 🔗 REST API Rate Limiting — Rate-limit unauthenticated REST API requests per IP to prevent API abuse by bots and scrapers.
  • 🚫 REST API User Enumeration Block — Automatically blocks unauthenticated access to the /wp/v2/users REST endpoint, which attackers use to harvest all WordPress usernames on your site.
  • 🏓 Trackback & Pingback Spam Blocking — Block all incoming trackback and pingback requests sitewide. Also removes the X-Pingback HTTP header and the pingback URL from your blog info to hide the endpoint from probes.
  • 🔗 Comment Author URL Hold — Automatically sends any comment to moderation when the author’s display name contains a URL — a common spam technique.

📊 Spam Log & Reporting

  • Full Audit Log — Every blocked request is logged with the IP address, user-agent, submission data, block reason, and timestamp. Available under Anti-Spam Protection → Spam Log.
  • Filter by Module — Quickly find blocked entries by protection module (honeypot, rate limiter, bot protection, login, registration, etc.).
  • Automatic Log Cleanup — Set a log retention period in days and old entries are automatically purged. Keep your database clean without manual work.
  • One-Click Log Clear — Clear all log entries instantly from the admin panel.

✅ Why Choose SolverGuard Spam Shield?

| Feature | SolverGuard | Typical Free Plugin |
|---|---|---|
| CF7 Form Protection | ✅ 6 layers | ✅ 1-2 layers |
| Comment Spam Protection | ✅ 10 layers | ✅ Basic |
| Login Brute-Force Protection | ✅ Yes | ❌ No |
| Registration Spam Protection | ✅ Yes | ❌ No |
| Advanced Bot Protection | ✅ 10+ checks | ❌ No |
| XML-RPC & REST API Hardening | ✅ Yes | ❌ No |
| Security Headers | ✅ Yes | ❌ No |
| Hide WordPress Version | ✅ Yes | ❌ No |
| Author Enumeration Block | ✅ Yes | ❌ No |
| Spam Log with Auto-Cleanup | ✅ Yes | ❌ No |
| Zero Configuration Required | ✅ Works instantly | ⚠️ Often requires setup |
| 100% Free | ✅ Yes | ✅ Yes |

Works Automatically — Zero Configuration Required

All protection layers activate automatically the moment you install and activate the plugin. No shortcodes to add, no per-form configuration, no template edits. Every module can be individually toggled on or off, and all settings are accessible from a single admin page under Anti-Spam Protection → Settings.

External Services

This plugin optionally integrates with Google reCAPTCHA v3 for silent spam scoring on Contact Form 7 submissions. This feature is disabled by default and must be explicitly enabled by the site administrator by entering their own reCAPTCHA site and secret keys.

What data is sent and when?
When reCAPTCHA is enabled, the visitor’s reCAPTCHA response token and IP address are sent to Google’s servers at the time of a form submission.

No data is sent to Google if the reCAPTCHA module is disabled.

  • Service: Google reCAPTCHA v3
  • Provider: Google LLC
  • Terms of Service: https://policies.google.com/terms
  • Privacy Policy: https://policies.google.com/privacy

No other data is sent to any external service. All spam detection is performed locally on your own server.

Installation

  1. Upload the solverguard-spam-shield folder to /wp-content/plugins/, or install directly via Plugins → Add New in your WordPress dashboard.
  2. Activate the plugin from Plugins → Installed Plugins.
  3. Go to Anti-Spam Protection → Settings to review and configure each module (all modules are pre-enabled with sensible defaults — no configuration is required to get started).

FAQ

Does this work with all CF7 forms automatically?

Yes. All six Contact Form 7 protection layers are applied globally to every CF7 form on your site without any per-form configuration. Simply activate the plugin and your forms are protected.

Do I need Contact Form 7 installed?

No. The CF7-specific modules (Honeypot, Time Check, Rate Limiter, Keyword Filter, reCAPTCHA) only activate if CF7 is detected. All other modules — bot protection, login protection, registration protection, comment protection, XML-RPC hardening, and security headers — work independently of CF7.

Will this slow down my website?

No. The plugin is designed with performance in mind. Bot protection and security checks run before WordPress loads heavy resources, so blocked requests are terminated early. Spam checks are lightweight transient-based lookups. Real visitors on your site will experience no measurable performance impact.

How do I enable reCAPTCHA v3?

  1. Go to the Google reCAPTCHA admin console.
  2. Register a new site with reCAPTCHA v3.
  3. Copy your Site Key and Secret Key into the plugin settings under the reCAPTCHA tab.
  4. Enable reCAPTCHA v3 and set your score threshold (Google recommends 0.5).

Can I block entire countries?

You can block CIDR IP ranges in the IP Blocker tab, which covers known regional IP ranges. For granular country-level blocking, combine this with a Cloudflare firewall rule or similar CDN-based geo-blocking service.

Does the Login Protection work with WooCommerce and custom login pages?

Yes. Login rate limiting hooks into WordPress core’s authentication system, so it works with any login form that uses the standard WordPress authentication, including WooCommerce My Account, BuddyPress, bbPress, and most membership plugins.

What is author enumeration and why should I block it?

Author enumeration is a reconnaissance technique where an attacker visits yoursite.com/?author=1, ?author=2, etc. to discover the usernames of all WordPress users. Once an attacker has your username, they only need to guess the password. Blocking author enumeration is an important first line of defense against targeted brute-force attacks.

Will blocking XML-RPC break anything?

It depends on whether you use any tools that rely on XML-RPC (such as older mobile apps, certain desktop publishing tools, or Jetpack). If you are unsure, use the “Disable only pingback” option instead of the full disable — this stops the most common XML-RPC abuse (DDoS pingback amplification) while leaving legitimate XML-RPC functionality intact.

Can I whitelist my own IP so I’m never locked out?

You can ensure your own IP is not listed in the IP Blocker. The login rate limiter skips logged-in administrators. If you are ever locked out, you can disable the login rate limiter by deactivating the plugin temporarily via FTP or your hosting file manager.

Is this plugin compatible with multisite?

The plugin functions on multisite installations. Network-wide activation applies settings on a per-site basis.

Does it work with caching plugins?

Yes. All spam checks run on form submissions and POST requests, which caching plugins do not cache. Your page caching is not affected.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“SolverGuard Spam Shield — Anti-Spam, Bot & Login Protection” is open source software. The following people have contributed to this plugin.

Contributors
  • solverwp

Changelog

1.0.2

  • Added Advanced Bot Protection module with 10 detection layers.
  • Added Login brute-force rate limiting.
  • Added Registration Spam Protection (honeypot, time check, email domain blocking, rate limiter).
  • Added General WordPress hardening (XML-RPC control, REST API rate limiting, user enumeration blocking, trackback/pingback blocking).
  • Added Security Headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy).
  • Added WordPress version hiding.
  • Added author enumeration blocking.
  • Added Fake Googlebot / Bingbot detection via reverse DNS.
  • Added suspicious URL pattern blocking (SQL injection, directory traversal, shell upload probes).
  • Added request flood protection (sitewide per-IP rate limiting).
  • Added REST API user enumeration blocking.
  • Improved spam log with filtering and auto-cleanup.

1.0.0

  • Initial release with CF7 honeypot, time check, IP blocker, keyword filter, rate limiter, reCAPTCHA v3, and comment spam protection.

Meta

  • Version 1.0.2
  • Last updated: 2 days ago
  • Active installations: fewer than 10
  • WordPress version: 5.8 or higher
  • Tested up to: 7.0
  • PHP version: 7.4 or higher
  • Language: English (US)
  • Tags: anti-spam, bot protection, honeypot, login security, spam