Dam Spam is a comprehensive spam protection plugin for WordPress that blocks spam registrations, login attempts, comments, and contact form submissions through multiple layers of protection.

If you are migrating from Stop Spammers, simply install and activate Dam Spam. All existing settings, lists, and statistics will be migrated automatically in the background. Stop Spammers will be deactivated and can then be safely deleted.

When Dam Spam is deactivated or deleted, all settings and data are preserved in the database so you can reactivate later without losing your configuration. To move settings between sites, use Export and Import under Advanced.

Dam Spam runs a series of configurable checks whenever someone tries to register, log in, comment, or submit a form on your WordPress site. Each submission goes through two main stages:

1. Allow Checks - First, Dam Spam checks if the user should be automatically allowed (trusted IPs, payment processors, Google crawlers, etc.)
2. Block Checks - If not on the allow list, Dam Spam runs various spam detection checks (disposable emails, known spam IPs, suspicious behavior, etc.)

When a submission is flagged as suspicious, you can either block it outright or present a CAPTCHA challenge. Legitimate users are cached to speed up future submissions, while known spam sources are permanently blocked.

Dam Spam works out of the box with sensible defaults, but the best results come from tuning it to your site over time. As your Allow and Block lists grow and you refine settings based on your logs, false positives decrease and spam catch rates improve.

Blogs and content sites: The defaults are a good starting point. Enable a CAPTCHA on your comment form if comment spam is heavy. Check your logs periodically and add persistent offenders to the Block List.

Membership and community sites: Enable "Require Email Verification for New Users" under Advanced to ensure real email addresses. Consider enabling "Limit Login Attempts" to protect against brute force attacks. Review the Allow List Requests page regularly to approve legitimate users who were caught.

WooCommerce and ecommerce: Enable "Skip WooCommerce Forms" and "Skip Payment Forms" under Protections to prevent checkout interference. Make sure the relevant payment gateway allow lists (PayPal, Stripe, etc.) are enabled under Allowed.

High-security sites: Enable "Check for 404 Exploit Probing," "Check for Exploits," "Limit Login Attempts," and a CAPTCHA. Consider enabling "Check for Missing HTTP_ACCEPT Header" and "Check for Invalid HTTP_REFERER," but monitor logs closely for false positives.

The key is to check your logs after making changes. If legitimate users are being blocked, loosen the relevant check or add them to the Allow List. If spam is getting through, enable additional protections or add patterns to the Block List.

The Summary page displays statistics about blocked spam and allows you to clear your statistics.

Reset all spam blocking statistics to zero.

Where: Dam Spam → Summary

Why Use: Useful for starting fresh after testing or making significant configuration changes.

Why Not: None. This only clears statistics and doesn't affect your protection settings or lists.

The Protections page is where you enable or disable specific spam detection methods.

Bypass spam checks for third-party form plugins (Contact Form 7, Gravity Forms, WooCommerce, etc.).

Where: Dam Spam → Protections → Form Checking

Why Use: Prevents conflicts with ecommerce checkout processes or complex forms that have their own validation.

Why Not: WooCommerce users experiencing checkout issues should enable this. May reduce spam protection on third-party forms.

Skip spam checking on payment processor forms (PayPal, Stripe, Square, etc.).

Where: Dam Spam → Protections → Form Checking

Why Use: Prevents blocking legitimate payment transactions.

Why Not: Reduces spam protection on payment forms. Most payment processors have their own fraud protection.

Skip spam checking specifically on WooCommerce checkout and registration forms.

Where: Dam Spam → Protections → Form Checking

Why Use: Prevents checkout failures and order processing issues.

Why Not: May allow spam orders or fake customer accounts. Only enable if experiencing issues.

Skip spam checking on Gravity Forms submissions.

Where: Dam Spam → Protections → Form Checking

Why Use: Prevents conflicts with Gravity Forms' built-in spam protection.

Why Not: May reduce spam protection on Gravity Forms. Only enable if experiencing form submission issues.

Skip spam checking on WP Forms submissions.

Where: Dam Spam → Protections → Form Checking

Why Use: Prevents conflicts with WP Forms' built-in spam protection.

Why Not: May reduce spam protection on WP Forms. Only enable if experiencing form submission issues.

Require authentication to view any part of your site.

Where: Dam Spam → Protections → Private Mode

Why Use: Creates a private members-only site or protects sites during development.

Why Not: Makes your entire site inaccessible to the public, including search engines. Only use for private communities or development sites.

Automatically add administrator IP addresses to the allow list upon login.

Where: Dam Spam → Protections → Prevent Lockouts

Why Use: Ensures you won't accidentally lock yourself out when testing strict settings.

Why Not: If an attacker gains admin access, their IP will be whitelisted. Best for single-admin sites or trusted team environments.

Verify username and password exist before running other spam checks.

Where: Dam Spam → Protections → Prevent Lockouts

Why Use: Prevents logging failed spam attempts with non-existent credentials.

Why Not: May interfere with 2FA plugins or custom authentication systems. Disable if experiencing 2FA failures.

Block all login attempts using "admin" as the username.

Where: Dam Spam → Protections → Login Protection

Why Use: "admin" is the most commonly attacked username; blocking it stops many automated attacks.

Why Not: If you actually have an admin user named "admin", you'll need to create a new admin account with a different username first.

Apply spam filtering to login attempts.

Where: Dam Spam → Protections → Login Protection

Why Use: Protects login page from automated attacks.

Why Not: May interfere with programmatic login systems or mobile apps.

Block requests that don't include an HTTP_ACCEPT header.

Where: Dam Spam → Protections → Validate Requests

Why Use: Most legitimate browsers send this header; bots often don't.

Why Not: May block some legitimate API requests, mobile apps, or older browsers. Monitor logs after enabling.

Block requests with suspicious or invalid referrer headers.

Where: Dam Spam → Protections → Validate Requests

Why Use: Catches bots that spoof or omit proper referrer information.

Why Not: May block users with referrer-blocking browser extensions or privacy tools. Check logs for false positives.

Block form submissions that happen too quickly after page load.

Where: Dam Spam → Protections → Validate Requests

Why Use: Humans need time to read and fill forms; bots submit instantly.

Why Not: May block users with form auto-fill tools or very fast typists. May not work with caching plugins. Adjust timeout value if getting false positives.

Block registration attempts using temporary/disposable email services.

Where: Dam Spam → Protections → Validate Input

Why Use: Prevents spam accounts using throwaway email addresses.

Why Not: May block legitimate users who prefer privacy-focused temporary email services. Rare false positives with lesser-known email providers.

Flag suspiciously long email addresses, usernames, or passwords.

Where: Dam Spam → Protections → Validate Input

Why Use: Spammers often use extremely long strings to try to break validation.

Why Not: May block legitimate users with very long email addresses (rare). Adjust length thresholds if needed.

Flag unusually short email addresses or usernames.

Where: Dam Spam → Protections → Validate Input

Why Use: Catches bots using minimal character combinations.

Why Not: May block users with legitimate short usernames. Consider the minimum length that makes sense for your site.

Detect BBCode markup in submissions.

Where: Dam Spam → Protections → Validate Input

Why Use: BBCode in registration forms or comments often indicates spam.

Why Not: Will block submissions from users who use BBCode if your site supports it (like forums). Disable for BBCode-enabled sites.

Flag email addresses with unusual period patterns.

Where: Dam Spam → Protections → Validate Input

Why Use: Spammers often use multiple periods or period patterns that real users don't.

Why Not: May block some legitimate international email addresses with unusual formatting. Monitor logs.

Flag excessive hyphens in usernames or emails.

Where: Dam Spam → Protections → Validate Input

Why Use: Multiple hyphens are common in spam patterns.

Why Not: May block legitimate users with hyphenated names. Adjust threshold if needed.

Scan submissions for common exploit patterns (SQL injection, XSS, etc.).

Where: Dam Spam → Protections → Validate Input

Why Use: Blocks malicious code injection attempts.

Why Not: Very rare false positives with legitimate technical content. May flag code examples in comments.

Block submissions containing URLs.

Where: Dam Spam → Protections → Validate Input

Why Use: Spammers frequently include links in registrations and comments.

Why Not: Will block legitimate submissions that contain links. Best suited for registration forms where URLs are rarely needed.

Detect and block VPN connections.

Where: Dam Spam → Protections → IP Reputation

Why Use: Spammers and attackers commonly use VPNs to hide their real location.

Why Not: Will block legitimate users who use VPNs for privacy. Not recommended for privacy-conscious audiences.

Detect and block Tor exit nodes.

Where: Dam Spam → Protections → IP Reputation

Why Use: Tor is often used by spammers and attackers to hide their identity.

Why Not: Blocks legitimate users who use Tor for privacy. Only enable if Tor users aren't part of your target audience.

Check against Ubiquity server networks and other hosting provider blocklists.

Where: Dam Spam → Protections → IP Reputation

Why Use: These networks host many spam operations.

Why Not: May block legitimate users on shared hosting from these providers. Rare false positives.

Flag traffic from major hosting providers and cloud services.

Where: Dam Spam → Protections → IP Reputation

Why Use: Spammers often use hosting/cloud IPs rather than residential connections.

Why Not: May block legitimate users who browse from their work environment if their company uses these services. May block legitimate API requests.

Flag traffic from Amazon AWS IP ranges.

Where: Dam Spam → Protections → IP Reputation

Why Use: AWS hosting is popular with spam operations.

Why Not: May block legitimate services hosted on AWS. Many legitimate sites and services use AWS.

Block IPs that Akismet has flagged as spam.

Where: Dam Spam → Protections → IP Reputation

Why Use: Leverages Akismet's spam database for additional protection.

Why Not: Requires Akismet to be installed and configured. May block users who were falsely flagged by Akismet.

Block IPs that hit multiple non-existent URLs in a short time.

Where: Dam Spam → Protections → Behavior Detection

Why Use: Attackers scan for vulnerable files by trying many URLs; this detects that behavior.

Why Not: May block legitimate users if they repeatedly mistype URLs. Rare false positives.

Block IPs that make multiple requests in a short time period.

Where: Dam Spam → Protections → Behavior Detection

Why Use: Catches bots that rapidly attempt multiple registrations or submissions.

Why Not: May block legitimate users who refresh pages frequently or submit forms multiple times due to errors.

Use Cloudflare's firewall to block entire countries.

Where: Dam Spam → Protections → Block Countries

Why Use: Blocks traffic from countries where you have no legitimate users but receive lots of spam.

Why Not: Requires Cloudflare account and API configuration. Blocks all users from selected countries, including legitimate ones.

Manage IP addresses, email addresses, and user IDs that should always be allowed through spam protection.

View and manage requests from blocked users who asked to be added to your allow list.

Where: Dam Spam → Allowed → Requests

Why Use: Legitimate users who were blocked can request access, and you can review and approve them.

Why Not: None. This is a manual review process.

Manually add IP addresses that should bypass all spam checks.

Where: Dam Spam → Allowed → Allow List

Why Use: Whitelist your own IP, office IPs, or specific trusted users.

Why Not: Be careful not to whitelist attacker IPs. These IPs will bypass all protection.

Automatically allow verified Google crawlers (keep enabled under most circumstances).

Where: Dam Spam → Allowed → Allow Options

Why Use: Ensures search engines can index your site for SEO.

Why Not: None. Essential for SEO unless you intentionally want to block search engines.

Allow traffic from miscellaneous trusted sources and services.

Where: Dam Spam → Allowed → Allow Options

Why Use: Provides additional allow list coverage for legitimate services.

Why Not: None. Works in conjunction with other allow list checks.

Automatically allow PayPal's IPs for payment notifications and webhooks.

Where: Dam Spam → Allowed → Allow Options

Why Use: Prevents blocking legitimate payment transactions and notifications.

Why Not: None if you use PayPal. Disable if you don't use PayPal.

Automatically allow Stripe's IPs for payment processing.

Where: Dam Spam → Allowed → Allow Options

Why Use: Ensures Stripe webhooks and payment verifications work.

Why Not: None if you use Stripe. Disable if you don't use Stripe.

Automatically allow Authorize.Net's IPs for payment processing.

Where: Dam Spam → Allowed → Allow Options

Why Use: Ensures payment gateway communication isn't blocked.

Why Not: None if you use Authorize.Net. Disable if you don't.

Automatically allow Braintree's IPs for payment processing.

Where: Dam Spam → Allowed → Allow Options

Why Use: Prevents blocking Braintree webhooks and notifications.

Why Not: None if you use Braintree. Disable if you don't.

Automatically allow Recurly's IPs for subscription billing.

Where: Dam Spam → Allowed → Allow Options

Why Use: Ensures recurring billing webhooks work properly.

Why Not: None if you use Recurly. Disable if you don't.

Automatically allow Square's IPs for payment processing.

Where: Dam Spam → Allowed → Allow Options

Why Use: Prevents blocking Square transactions and webhooks.

Why Not: None if you use Square. Disable if you don't.

Automatically allow specific Amazon AWS services and IPs.

Where: Dam Spam → Allowed → Allow Options

Why Use: Prevents blocking legitimate AWS-hosted services and APIs your site depends on.

Why Not: None if you use AWS services. Works in conjunction with "Check for Amazon Cloud" in Protections to selectively allow trusted AWS traffic.

Manage IP addresses, email addresses, and patterns that should always be blocked.

Add specific IP addresses or email addresses to permanently block.

Where: Dam Spam → Blocked → Block List

Why Use: Manually block persistent spammers that automated checks don't catch.

Why Not: Blocking entire email domains may block legitimate users from those domains. Be specific.

Manage the list of words and phrases that trigger spam blocks.

Where: Dam Spam → Blocked → Spam Words List

Why Use: Block submissions containing specific spam keywords.

Why Not: May block legitimate discussion of blocked topics. Review and customize your spam word list carefully.

Manage which URL shortening services are blocked.

Where: Dam Spam → Blocked → URL Shortening Services List

Why Use: Many spammers use URL shorteners to hide malicious links.

Why Not: May block legitimate users sharing shortened links. Consider which services to block carefully.

Block specific browser user agents known to be used by bots.

Where: Dam Spam → Blocked → Bad User Agents List

Why Use: Catches bots identifying themselves with known spam user agents.

Why Not: May block legitimate browsers if user agents are too broad. Monitor for false positives.

Block email addresses from specific top-level domains.

Where: Dam Spam → Blocked → TLDs List

Why Use: Some TLDs are predominantly used for spam.

Why Not: May block legitimate users from those countries/domains. Be careful with country TLDs.

Configure how Dam Spam responds when suspicious activity is detected.

Customize the message shown to blocked users.

Where: Dam Spam → Challenges → Access Blocked Message

Why Use: Provide helpful information or contact details for blocked users.

Why Not: None. This is just the message text.

Redirect blocked users to a specific URL instead of showing the default block message.

Where: Dam Spam → Challenges → Routing and Notifications

Why Use: Direct users to a custom page with contact information or alternative access instructions.

Why Not: Users won't see the standard block message. Ensure your redirect URL is accessible.

Show blocked users a form where they can request to be added to your allow list.

Where: Dam Spam → Challenges → Routing and Notifications

Why Use: Gives legitimate users who were blocked a way to request access with their contact details.

Why Not: You'll need to review and manually approve requests. Spammers may submit fake requests.

Receive email notifications when blocked users submit allow list requests.

Where: Dam Spam → Challenges → Routing and Notifications

Why Use: Stay informed about access requests without checking the dashboard regularly.

Why Not: Can generate many emails if you block many users. Emails may be marked as spam by your mail provider.

Automatically notify users via email when you approve their allow list request.

Where: Dam Spam → Challenges → Routing and Notifications

Why Use: Provides good user experience by informing approved users they can now access your site.

Why Not: Outgoing emails may be marked as spam. Ensure your server's email is properly configured.

Choose which CAPTCHA system to present to suspicious users instead of blocking them outright.

• No CAPTCHA (default) - Block immediately without second chance
• Cloudflare Turnstile - Cloudflare's privacy-friendly CAPTCHA
• Google reCAPTCHA - Google's CAPTCHA system
• hCaptcha - Privacy-focused alternative to reCAPTCHA
• Math Question - Simple arithmetic challenge

Where: Dam Spam → Challenges → CAPTCHA

Why Use: Reduces false positives by giving suspicious users a chance to prove they're human.

Why Not: Requires API keys for Turnstile, reCAPTCHA, or hCaptcha. Adds friction to user experience.

After selecting a CAPTCHA type, you can enable it on specific WordPress forms:

Login - Show CAPTCHA on the WordPress login page

Registration - Display CAPTCHA on the registration form

Comment - Display CAPTCHA on the comment form

Where: Dam Spam → Challenges → CAPTCHA

Why Use: Protects specific forms from automated attacks.

Why Not: Adds extra steps for all users on those forms. May reduce engagement.

Cloudflare Turnstile (Get Keys)

Google reCAPTCHA (Get Keys)

hCaptcha (Get Keys)

Where: Dam Spam → Challenges → CAPTCHA

Why Use: Required to enable Turnstile, reCAPTCHA, or hCaptcha protection.

Why Not: Keep keys secure. Don't share them publicly or commit to version control.

Configure third-party spam detection services and API keys.

Configure Cloudflare API access for advanced features like country blocking, ban list syncing, and cache management.

Required Fields:

• Cloudflare Email - Your Cloudflare account email address (find it here)
• Cloudflare Global API Key - Found under API Keys, not API Tokens (find it here)
• Cloudflare Zone ID - Go to your Cloudflare dashboard, click on your domain to open its Overview page, then scroll to the bottom-right to find the Zone ID

Actions:

• Clear Cloudflare Cache - Purge Cloudflare's cache for your site (requires API configuration)

Where: Dam Spam → APIs → Cloudflare Integration

Why Use: Enables Cloudflare-specific features including DNS-level ban list blocking, country blocking, and cache clearing.

Why Not: Requires Cloudflare account. Keep API keys secure. Global API Key has full account access.

Query DNS-based blocklists to check if IPs are known spam sources.

Where: Dam Spam → APIs → Blocklist Checking

Why Use: Leverages Spamhaus and other DNSBLs maintained by anti-spam organizations.

Why Not: Requires DNS queries which may add slight latency. Some false positives possible.

Query the Stop Forum Spam database for known spammer IPs, emails, and usernames.

Where: Dam Spam → APIs → Blocklist Checking

Why Use: Accesses one of the largest spam databases on the internet.

Why Not: Requires API access. Free tier has query limits.

StopForumSpam.com API Key (optional - only needed to report spam)

• Frequency threshold: Block spammers with more than X incidents
• Age threshold: Only block if seen within X days

Project Honeypot API Key

• Threat level threshold: Block threats above X level (25 is average, 5 is low)
• Age threshold: Only block if seen within X days

BotScout API Key

• Frequency threshold: Block spammers with more than X incidents

Google Safe Browsing API Key

• Checks URLs in submissions against Google's malware and phishing database

Where: Dam Spam → APIs → API Keys and Thresholds

Why Use: Provides configurable spam detection from multiple trusted databases.

Why Not: Requires API key registration. Some services have daily query limits. May add latency to checks.

Configure how Dam Spam caches known good and bad IPs.

Configure how many days to cache known bad IPs before removing them from cache.

Where: Dam Spam → Cache

Why Use: Keeps known spammers blocked without repeated API checks. Longer duration = better performance.

Why Not: Very long cache times may keep reformed or reassigned IPs blocked longer than necessary.

Configure how many days to cache known good IPs before rechecking them.

Where: Dam Spam → Cache

Why Use: Dramatically improves performance by skipping checks for trusted IPs. Longer duration = better performance but slower to detect compromised IPs.

Why Not: Very long cache times may keep compromised IPs whitelisted longer.

Remove all cached IP addresses.

Where: Dam Spam → Cache

Why Use: Forces fresh checks on all IPs. Useful after major configuration changes.

Why Not: Temporarily increases API usage and reduces performance while cache rebuilds.

View and manage logs of blocked and allowed requests.

Configure how many log entries to retain (options: 25, 50, 100, 200, 500, 1000).

Where: Dam Spam → Logs

Why Use: Balance database size with historical data retention. Smaller logs = less database space.

Why Not: Changing log size will wipe current logs. Export logs first if you need to keep them.

Search and filter through all blocked and allowed attempts by date, IP, email, or reason. The search box filters results in real-time as you type.

Where: Dam Spam → Logs

Why Use: Quickly find specific blocks to identify false positives or verify spam patterns.

Why Not: None. This is a search/filter tool for viewing existing logs.

Delete all log entries.

Where: Dam Spam → Logs

Why Use: Free up database space or start fresh after testing.

Why Not: Permanently deletes historical data.

Test your spam protection settings against sample data and view diagnostic information.

Test how your current settings would handle specific IP addresses, emails, usernames, subjects, and comments. Enter test data in the form fields and click "Test Options" to see which checks would trigger.

Test Fields:

• IP Address
• Email
• Username
• Subject
• Comment

Where: Dam Spam → Testing

Why Use: Verify settings work as expected before going live. Test if specific IPs or emails would be blocked or allowed. Debug false positives.

Why Not: None. This is a testing tool that doesn't affect live traffic.

Dump all Dam Spam configuration options in a readable format.

Where: Dam Spam → Testing

Why Use: Useful for debugging, support requests, or backing up settings manually.

Why Not: None. Displays settings only without modifying anything.

Dump all Dam Spam statistics in a readable format.

Where: Dam Spam → Testing

Why Use: View all counter values for every check type and protection method.

Why Not: None. Read-only display of statistics.

Toggle display of PHP configuration information from phpinfo().

Where: Dam Spam → Testing

Why Use: Debug PHP-related issues, verify server configuration, check installed extensions.

Why Not: Contains sensitive server information. Only use when needed and don't share publicly.

Scan your WordPress installation for potential security threats and vulnerabilities.

Where: Dam Spam → Testing

Why Use: Identify security issues that spam protection alone won't catch.

Why Not: Scans can be resource-intensive. Run during low-traffic periods.

Tools for managing users and database maintenance.

Identify and disable inactive or suspicious user accounts.

Where: Dam Spam → Cleanup → Disable Users

Why Use: Clean up spam accounts that got through or remove inactive users.

Why Not: Disabling users prevents them from logging in. Be careful not to disable legitimate accounts.

Bulk delete spam comments.

Where: Dam Spam → Cleanup → Delete Comments

Why Use: Remove spam comments that made it through protection.

Why Not: Deletion is permanent. Review before deleting to avoid removing legitimate comments.

View and manage Dam Spam database options.

Where: Dam Spam → Cleanup → Database Cleanup

Why Use: Advanced troubleshooting and optimization.

Why Not: Modifying database options directly can break plugin functionality. For advanced users only.

Advanced features for server-level protection and custom login forms.

Add security rules to your .htaccess file for server-level protection.

Where: Dam Spam → Advanced → Firewall Settings

Why Use: Blocks common exploits and attacks before they reach WordPress, reducing server load.

Why Not: Incorrect .htaccess rules can break your site. Only enable if you know how to manually edit .htaccess. May conflict with other security plugins.

Automatically ban IPs after a specified number of failed login attempts within a time window. Banned IPs are added to the Automatic Ban List and blocked before WordPress loads.

• Threshold - Number of failed attempts before banning (default: 20, minimum: 20)
• Duration - Time window in minutes to count attempts (default: 60, maximum: 1440)

Where: Dam Spam → Advanced → Login Settings

Why Use: Protects against brute force password attacks.

Why Not: May lock out legitimate users who forget their password. May conflict with other login protection plugins.

Users must click activation link in email before they can log in. Works with all registration forms.

Where: Dam Spam → Advanced → Login Settings

Why Use: Verifies email addresses are real, prevents spam bot registrations, automatically cleans up unverified accounts.

Why Not: May conflict with plugins that have their own email verification (e.g., Ultimate Member Pro). Users must have working email to complete registration.

Automatically remove user accounts that haven't clicked their activation link within 7 days.

Where: Dam Spam → Advanced → Login Settings

Why Use: Prevents buildup of spam accounts with fake email addresses. Keeps user database clean.

Why Not: Deletes legitimate users who didn't check their email in time (they can re-register).

Replace default WordPress login system with custom themed pages.

Where: Dam Spam → Advanced → Login Settings

Why Use: Provides prettier login/registration pages and disables the default wp-login.php (which attackers target).

Why Not: Conflicts with custom login plugins. Disables wp-login.php which some services expect.

Choose whether users can log in with username, email, or both.

Where: Dam Spam → Advanced → Login Settings

Why Use: Simplify login or increase security by restricting login method.

Why Not: Changing this may confuse existing users. Username-only blocks users who only remember their email.

Add invisible honeypot field to Contact Form 7 forms.

Where: Dam Spam → Advanced → Honeypot Settings

Why Use: Catches bots that fill all form fields including hidden ones.

Why Not: Requires Contact Form 7 plugin installed.

Add honeypot protection to bbPress forums.

Where: Dam Spam → Advanced → Honeypot Settings

Why Use: Protects forum registrations and posts.

Why Not: Requires bbPress plugin installed.

Add honeypot to Elementor forms.

Where: Dam Spam → Advanced → Honeypot Settings

Why Use: Protects Elementor form submissions.

Why Not: Requires Elementor Pro plugin installed.

Add honeypot to Divi forms.

Where: Dam Spam → Advanced → Honeypot Settings

Why Use: Protects Divi form submissions.

Why Not: Requires Divi theme or builder installed.

Important: The Ban List is different from the Block List. The Block List prevents form submissions, while the Ban List blocks access to the entire website.

Add specific IP addresses, email addresses, or email domains to permanently ban from the entire website.

Where: Dam Spam → Advanced → Ban List Settings

Why Use: Completely block persistent attackers from accessing any part of your site, not just forms.

Why Not: Bans entire site access. Be certain before adding IPs. Blocking email domains may affect legitimate users.

View IP addresses that were automatically banned by various protections (like login attempt limits). The list auto-culls at 100,000 entries.

Where: Dam Spam → Advanced → Ban List Settings

Why Use: Review automated bans to ensure legitimate users weren't caught.

Why Not: These are temporary automatic bans. May include false positives.

Copy the ban list to Cloudflare's firewall for DNS-level blocking.

Where: Dam Spam → Advanced → Ban List Settings

Why Use: Blocks banned IPs before they even reach WordPress, reducing server load.

Why Not: Requires Cloudflare account and API configuration. Firewall rules count against Cloudflare limits.

Remove all automatically-generated ban entries.

Where: Dam Spam → Advanced → Ban List Settings

Why Use: Clear false positives or start fresh after testing.

Why Not: Removes all automatic bans including legitimate blocks. Manual bans are not affected.

Dam Spam provides several shortcodes for adding forms and user info to pages:

• [dam-spam-contact-form] - Display a simple contact form with name, email, phone, and message fields. Includes built-in honeypot spam protection. Messages are sent to the site admin email by default. Optional attributes:
  • email - Send messages to a specific email address instead of the site admin (e.g., [dam-spam-contact-form email="you@example.com"])
  • accent - Set the accent color for the form (e.g., [dam-spam-contact-form accent="#ff6600"])
  • unstyled - Set to "yes" to remove default styling so the form inherits your theme's styles (e.g., [dam-spam-contact-form unstyled="yes"])
• [dam-spam-login] - Display custom login, registration, or forgot password form depending on the page slug. Requires pages with the slugs "login", "register", and "forgot" to be created. Works with Themed Login enabled under Advanced.
• [dam-spam-show-displayname-as] - Show logged-in user's display name
• [dam-spam-show-fullname-as] - Show logged-in user's first and last name
• [dam-spam-show-email-as] - Show logged-in user's email address

Where: Dam Spam → Advanced → Shortcodes

Why Use: Create custom page layouts with login forms and user information.

Why Not: None. Shortcodes only display content on pages where you add them.

Download your Dam Spam settings as a JSON file for backup or transfer to another site.

Where: Dam Spam → Advanced → Export Settings

Why Use: Back up your configuration or replicate settings across multiple sites.

Why Not: None. This is a backup/export feature.

Upload a Dam Spam settings JSON file to restore configuration.

Where: Dam Spam → Advanced → Import Settings

Why Use: Restore backed-up settings or apply settings from another site.

Why Not: Overwrites current settings. Make sure to export current settings first if you want to keep them.

Reset all Dam Spam settings to defaults.

Where: Dam Spam → Advanced → Reset Settings

Why Use: Start over with a clean configuration if settings become problematic.

Why Not: Permanently deletes all custom settings. Export first if you want to preserve current configuration.

For WordPress multisite installations, Dam Spam includes a network-level settings page.

Control whether Dam Spam settings are managed centrally from the main site or independently on each sub-site.

• Networked ON - All sites share the same Dam Spam settings, managed from the main site's admin
• Networked OFF - Each site has its own independent Dam Spam configuration

Where: Dam Spam → Multisite

Why Use: Networked ON simplifies management for networks where all sites need the same protection. Networked OFF gives site admins control over their own spam settings.

Why Not: Switching modes doesn't migrate settings between sites. Choose your preferred mode early.

These features work automatically in the background or integrate with WordPress in ways that don't have dedicated settings pages.

Dam Spam automatically tracks and stores the IP address when users register, displayed in a "Signup IP" column in WordPress Admin > Users.

Where: WordPress Admin → Users

Why Use: Helps identify spam account patterns (multiple registrations from same IP) and verify suspicious users against spam databases.

Why Not: None. IP tracking for spam prevention is a legitimate security measure.

Dam Spam adds Lock and Unlock action links to the WordPress Users page, allowing you to quickly disable/enable user accounts.

How to Use:

1. Go to WordPress Admin > Users
2. Hover over a user row to see action links
3. Click "Lock account" to prevent login or "Unlock account" to restore access

Where: WordPress Admin → Users

Why Use: Quickly disable suspicious accounts without deleting them. Useful for temporarily blocking users while investigating.

Why Not: Locked users cannot log in. Make sure to communicate with legitimate users before locking their accounts.

Dam Spam adds quick-action icons to the WordPress Comments page for checking IPs against WHOIS, Stop Forum Spam, Project Honeypot, BotScout, and reporting spam.

Where: WordPress Admin → Comments

Why Use: Quickly verify suspicious comments without leaving WordPress admin.

Why Not: None. These are optional quick-action links.

Dam Spam adds a dashboard widget showing total spammers blocked, users awaiting allow list approval, and a settings link.

Where: WordPress Admin → Dashboard

Why Use: At-a-glance view of Dam Spam activity.

Why Not: None. Only visible to administrators.

Dam Spam fires two WordPress action hooks:

• dam_spam_caught - Fires when spam is blocked (passes $ip and $reason)
• dam_spam_ok - Fires when submission passes all checks (passes $ip and $post_data)

Why Use: Integrate Dam Spam events with logging services, analytics, Slack alerts, or custom workflows.

Why Not: Requires custom code. For developers only.

Dam Spam supports custom spam detection through add-on plugins that hook into two filters:

• dam_spam_addons_block - Runs during block checking phase
• dam_spam_addons_allow - Runs during allow list checking phase

Example:

add_filter( 'dam_spam_addons_block', function( $addons ) {
	$addons[] = array( __FILE__, 'My_Spam_Check' );
	return $addons;
} );

class My_Spam_Check {
	public function process( $ip, &$stats, &$options, &$post ) {
		// Return false to continue, or string to block with reason
		if ( $ip === '123.45.67.89' ) {
			return 'Blocked by custom check';
		}
		return false;
	}
}

Why Use: Extend Dam Spam with custom business logic, third-party APIs, or site-specific spam patterns without modifying core files.

Why Not: Requires creating a separate plugin. For developers only.