Spam & Abuse Protection
The email signup form on a coming soon product is public — anyone on the internet can submit it, and they don’t need to be logged in. That’s by design (you want strangers to join your waitlist), but it also means the form is a target for bots and abuse. Left unprotected, an attacker could fire thousands of submissions with other people’s email addresses, which makes MailerLite send confirmation emails to all of them — damaging your sender reputation and filling your list with junk.
Super Speedy Coming Soon ships with three layers of protection. You configure them under WooCommerce → Super Speedy Settings, in the Spam & Abuse Protection section.
Table of Contents
The three layers at a glance
| Layer | Default | Configuration needed | Stops |
|---|---|---|---|
| Honeypot | On | None | Naive bots that fill every field |
| Rate limiting | On (always) | None (tunable in code) | Repeated submissions from one source |
| Cloudflare Turnstile | Off | Site + secret key | Scripted / distributed bot attacks |
They work together: the cheap checks (honeypot, rate limit) run first, and the optional CAPTCHA catches what they can’t.
Honeypot
A honeypot is a hidden form field that real users never see and never fill in, but automated bots — which fill in every field they find — do. When the hidden field comes back with a value, the plugin knows the submission is automated and silently rejects it.
- Setting: Honeypot → Enable honeypot field (recommended).
- Default: enabled.
- Configuration: none. It just works.
- When you’d turn it off: almost never. The only reason to disable it is if a page builder or aggressive form-autofill tool is filling the hidden field for legitimate users (very rare). If genuine signups are being rejected as spam, this is the first thing to test.
Rate limiting
Rate limiting caps how many times the same visitor (identified by IP address) can submit the form in a short window. This blunts the most common abuse — a script hammering the endpoint — without affecting normal customers, who submit once.
- Always on. There is no on/off switch; it protects the endpoint at all times.
- Default limit: 5 submissions per 10 minutes per IP address.
- Over the limit: the visitor sees “Too many attempts. Please try again in a few minutes.” and no signup is recorded.
- Fail-open: if the server can’t determine the visitor’s IP address, the limit is skipped rather than risk blocking real users.
Tuning the limit (developers)
The thresholds are adjustable with two filters. Add these to a small custom plugin
or your theme’s functions.php:
// Allow 10 submissions instead of 5.
add_filter( 'sscs_rate_limit_max', function () {
return 10;
} );
// Use a 30-minute window instead of 10 minutes (value is in seconds).
add_filter( 'sscs_rate_limit_window', function () {
return 30 * MINUTE_IN_SECONDS;
} );
Performance note: the counter is stored as a WordPress transient. On a busy site, transients are far more reliable (and faster) when you run a persistent object cache (Redis or Memcached). Without one, the counter lives in the
wp_optionstable — still functional, just heavier under load.
Cloudflare Turnstile (CAPTCHA)
Rate limiting stops a single attacker, but a determined one can rotate through many IP addresses. The only thing that reliably stops scripted and distributed abuse is a CAPTCHA challenge that proves a real browser (and usually a real human) is on the other end. This plugin integrates Cloudflare Turnstile — a free, privacy- friendly CAPTCHA that’s far less annoying than the old “click all the traffic lights” puzzles, and is often invisible to legitimate users.
It is off by default because it requires a one-time setup with Cloudflare.
Step 1 — Get your Turnstile keys
- Sign in to the Cloudflare dashboard (a free account is fine — you do not need to move your DNS to Cloudflare).
- Go to Turnstile and click Add widget.
- Give it a name and add your site’s domain.
- Choose the Managed widget mode (recommended — Cloudflare decides when to show a challenge).
- Cloudflare gives you two values: a Site Key (public, used in the page) and a Secret Key (private, used by your server to verify). Copy both.
Step 2 — Enter the keys in WordPress
- Go to WooCommerce → Super Speedy Settings.
- In Spam & Abuse Protection, tick Enable Turnstile on the signup form.
- Paste the Site Key and Secret Key into their fields.
- Click Save Settings.
Turnstile only becomes active once the toggle is on and both keys are filled in. If either key is missing, the plugin quietly leaves the CAPTCHA off rather than break your signup form — so double-check both fields are saved.
What customers see
When Turnstile is active, the signup form shows the Turnstile widget above the “LET ME IN” button. In Managed mode most visitors see a brief checkbox or nothing at all; only suspicious traffic gets an actual challenge. If verification fails, the visitor sees “Verification failed. Please try again.” and the signup is not recorded.
How the checks run together
When a signup is submitted, the plugin runs its checks in this order and stops at the first failure:
- Honeypot — hidden field filled? → reject as spam.
- Security token — valid request nonce?
- Rate limit — under the per-IP limit?
- CAPTCHA — Turnstile token valid (only if enabled)?
- Email — a valid email address?
- Product — a real coming soon product that’s set up to accept signups?
The cheap, abuse-blocking checks deliberately run before any database write or any call out to MailerLite, so junk traffic is rejected as early and cheaply as possible.
Recommended configuration
- Most stores: leave the honeypot on and rate limiting at its defaults. That’s enough for everyday bot noise.
- Under active attack, a high-profile launch, or a flood of junk signups: turn on Cloudflare Turnstile. It’s the only layer that stops a serious, distributed attack.
- For the front-end error messages and how to diagnose them, see Troubleshooting.