Spam Protection
The plugin includes built-in spam prevention that works without any configuration or third-party services.
Honeypot Field
Every form includes a hidden text field that is invisible to human visitors but visible to automated bots. If a bot fills in this field, the submission is silently discarded — the bot receives a fake “success” response so it doesn’t retry.
No configuration needed. This is always active.
Rate Limiting
Submissions are rate-limited per IP address:
- 20 submissions per 10 minutes from the same IP address (subscribe endpoint; update-subscriptions is 30/10min, unsubscribe 60/10min)
- After hitting the limit, submissions return “Too many requests. Please wait a moment and try again.”
- The limit resets after 10 minutes
Rate limits are stored as WordPress transients and require no configuration.
Nonce Verification
Every form submission includes a WordPress nonce token that is verified server-side. This prevents:
- Cross-site request forgery (CSRF) attacks
- Submissions from forms on other domains
- Direct POST requests without first loading the page
If the nonce is invalid or expired, the submission is rejected with a “Security check failed” message.
Email Validation
- Client-side: JavaScript validates the email format on blur (before submission)
- Server-side: PHP validates the email format using WordPress’s
is_email()function
Invalid emails are rejected before any database operations occur.
What’s Not Included
These may be added in future versions:
- reCAPTCHA / hCaptcha — challenge-based verification for high-traffic sites
- IP blocklist — manual or automatic blocking of specific IPs
(Double opt-in is available — email confirmation before a sign-up becomes active — see Double Opt-in.)
- Email domain blocklist — blocking disposable email services
For most sites, the honeypot + rate limiting combination effectively blocks automated spam without any user friction.