LukaCodes AntiSpam Shield – WordPress Spam Protection Plugin

Last updated: March 30, 2026
📄 Official Documentation · v1.0.1

LukaCodes Comment Shield

Complete guide to installing and configuring spam protection for your WordPress comments.

WordPress 6.0+ · PHP 8.0+ · Free & Open Source

What is Comment Shield?

LukaCodes Comment Shield is a lightweight WordPress plugin that protects your comment section from spam — without slowing down your site or requiring a paid subscription. It gives you four independent tools you can enable freely:

🔗 Disable Website Field
Removes the URL field from the comment form entirely, including a CSS fallback for hardcoded themes.

✂️ Strip Links from Comments
Automatically removes all <a href> hyperlinks from comments — on display and before saving to the database.

🤖 Google reCAPTCHA v3
Invisible bot-score detection. No checkbox, no puzzle — real users never notice it. Bots are blocked server-side.

☁️ Cloudflare Turnstile
A privacy-friendly CAPTCHA widget from Cloudflare. A visible but frictionless challenge on the comment form.

💡 Mutual Exclusion: reCAPTCHA v3 and Cloudflare Turnstile cannot be active simultaneously. Enabling one automatically disables the other — both in the settings UI and on the server.

Installing the Plugin

⬆️ Method 1 — WordPress Admin (Recommended)

  1. Go to Plugins → Add New: In your WordPress dashboard, navigate to Plugins → Add New Plugin.
  2. Search for “Comment Shield”: Type LukaCodes Comment Shield in the search box and press Enter.
  3. Click Install Now: Find the plugin by LukaCodes and click Install Now.
  4. Activate: Once installed, click Activate Plugin.
  5. Configure: Go to Settings → Comment Shield to set up your options.

📦 Method 2 — Manual Upload

  1. Download the .zip file: Download lukacodes-comment-shield.zip from WordPress.org or lukacodes.com.
  2. Upload via WordPress: Go to Plugins → Add New → Upload Plugin and select the .zip file.
  3. Activate & Configure: Activate the plugin and visit Settings → Comment Shield.

✅ Requirements: WordPress 6.0 or later · PHP 8.0 or later · An active WordPress comments section

Setting Up Google reCAPTCHA v3

reCAPTCHA v3 works invisibly in the background — it scores every visitor and blocks bots without any user interaction.

🔑 Getting Your Keys

  1. Open the reCAPTCHA Admin Console: Visit google.com/recaptcha/admin/create and sign in with your Google account.
  2. Create a new site: Enter a label (e.g. “My WordPress Site”) and select Score based (v3) as the type.
  3. Add your domain: Enter your domain (e.g. example.com) without https://.
  4. Copy your keys: After submission, copy both the Site Key and Secret Key.

⚙️ Configuring in Comment Shield

  1. Open Settings → Comment Shield: Navigate to the plugin settings page in your WordPress admin.
  2. Paste your keys: Enter the Site Key and Secret Key in the reCAPTCHA v3 section.
  3. Test your keys: Use the 🔍 Test Keys button to verify connectivity with Google before going live.
  4. Set minimum score: Adjust the slider (default: 0.5). Closer to 1.0 = stricter. Recommended: 0.5 for most sites.
  5. Enable & Save: Toggle Enable reCAPTCHA v3 on and click 💾 Save Settings.

⚠️ Score Guide: 0.1–0.4 = very permissive · 0.5 = balanced (recommended) · 0.7–1.0 = strict (may block borderline users)

🔄 How It Works

  1. Visitor fills in the comment form and clicks Submit.
  2. JavaScript calls grecaptcha.execute() silently in the background.
  3. Google returns a token with a bot score (0.0 = bot, 1.0 = human).
  4. The token is appended to the form as a hidden field g-recaptcha-response.
  5. PHP verifies the token server-side against Google’s API.
  6. Score below threshold → comment blocked with 403 error.
  7. Google API unreachable → comment held for moderation (never lost).
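
The server-side half of this flow (steps 4 to 7, plus the administrator bypass) can be sketched as follows. This is an added example, not Comment Shield's own source: the demo_cs_* function names and option keys are hypothetical, and blocking a missing or rejected token is a choice made for this sketch.

```php
<?php
// Added illustration; not the plugin's source. demo_cs_* names and option keys are hypothetical.
add_filter( 'pre_comment_approved', 'demo_cs_verify_recaptcha', 10, 2 );

function demo_cs_verify_recaptcha( $approved, $commentdata ) {
    // Administrators are bypassed server-side; earlier spam/trash/error verdicts stand.
    if ( current_user_can( 'manage_options' ) || is_wp_error( $approved )
        || in_array( $approved, array( 'spam', 'trash' ), true ) ) {
        return $approved;
    }

    // Step 4: the token arrives as the hidden field g-recaptcha-response.
    $token = isset( $_POST['g-recaptcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ) : '';
    if ( '' === $token ) {
        demo_cs_block(); // Posted without the script ever running (sketch's choice: block).
    }

    // Step 5: verify against Google's API. The Secret Key never leaves the server.
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => get_option( 'demo_cs_recaptcha_secret' ),
            'response' => $token,
        ),
    ) );

    // Step 7: API unreachable or reply unreadable -> hold for moderation, never drop.
    $result = is_wp_error( $response ) ? null
        : json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $result ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return 0; // 0 = pending, shown under Comments → Pending.
    }

    // Step 6: rejected token or score below the configured minimum -> 403.
    $min_score = (float) get_option( 'demo_cs_recaptcha_min_score', 0.5 );
    if ( empty( $result['success'] ) || (float) ( $result['score'] ?? 0 ) < $min_score ) {
        demo_cs_block();
    }
    return $approved;
}

function demo_cs_block() {
    wp_die( esc_html__( 'Comment blocked by spam protection.' ), '', array( 'response' => 403 ) );
}
```

The distinction that matters is between a verdict from Google (block) and no verdict at all (hold): only the second path may fall back to moderation, otherwise an outage becomes a way around the check.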

Setting Up Cloudflare Turnstile

Turnstile is Cloudflare’s privacy-first CAPTCHA. It shows a small widget on the comment form and verifies the visitor server-side — no Google tracking involved.

🔑 Getting Your Keys

  1. Open the Cloudflare Dashboard: Visit dash.cloudflare.com → Turnstile. A free Cloudflare account is required.
  2. Add a new site: Click Add Site, enter your domain, and choose Managed as the widget type (recommended).
  3. Copy your keys: Copy both the Site Key and Secret Key.

⚙️ Configuring in Comment Shield

  1. Open Settings → Comment Shield: Navigate to the plugin settings in your WordPress admin.
  2. Paste your Turnstile keys: Enter the Site Key and Secret Key in the Cloudflare Turnstile section.
  3. Test your keys: Use the 🔍 Test Turnstile Keys button to verify connectivity with Cloudflare.
  4. Enable & Save: Toggle Enable Cloudflare Turnstile on and click 💾 Save Settings. reCAPTCHA v3 will be disabled automatically.

✅ Why choose Turnstile over reCAPTCHA? Turnstile does not use Google’s tracking infrastructure. It is a better choice for GDPR-focused or privacy-conscious audiences. Both options provide equivalent spam protection.

reCAPTCHA v3 vs Cloudflare Turnstile

| Feature | reCAPTCHA v3 | Cloudflare Turnstile |
|---|---|---|
| Visible widget | ✗ Invisible | ✓ Small widget |
| User interaction | ✓ None required | ✓ Minimal |
| Google tracking | ✗ Yes | ✓ No |
| GDPR friendly | ✗ Requires consent | ✓ Privacy-first |
| Score threshold | ✓ Configurable | ✗ Pass/fail only |
| Account required | Google account | Cloudflare account |
| Server-side verification | ✓ Yes | ✓ Yes |
| Admin bypass | ✓ Yes | ✓ Yes |

Frequently Asked Questions

No. They are mutually exclusive. Enabling one automatically disables the other — both in the admin UI and on the server. This prevents conflicts and double verification.
The comment is held for moderation instead of being rejected. You will never lose a genuine comment due to an API outage. Find it under Comments → Pending.
No. Both scripts load asynchronously. The verification token is generated only when the visitor clicks Submit — regular page load is completely unaffected.
Yes. All CAPTCHA logic runs client-side (JavaScript) and server-side (PHP on form submission). Caching plugins do not interfere.
No. Users with the manage_options capability (administrators) are automatically bypassed on the server side.
Yes. Comment Shield uses both a WordPress filter (comment_form_default_fields) and a CSS fallback with display:none !important for themes that ignore the filter.
The display filter applies to all comments on the front-end. The save filter only applies to new comments going forward. Existing comments in the database are not modified retroactively.
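
One way to wire up the Website-field removal and the two link-stripping paths described in the last two answers, as an added example and not Comment Shield's own code; the demo_cs_* names and the CSS selectors are assumptions. It also discards a posted URL on the server, because a field hidden with CSS can still be submitted.

```php
<?php
// Added illustration, not the plugin's source. demo_cs_* names are hypothetical.

// Drop the Website field where the theme honours the filter.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    unset( $fields['url'] );
    return $fields;
} );

// CSS fallback for themes that hardcode the field. The selectors match
// WordPress's default markup and are an assumption for other themes.
add_action( 'wp_head', function () {
    echo '<style>.comment-form-url, #commentform #url { display: none !important; }</style>';
} );

// Remove <a ...> and </a> tags but keep the link text.
function demo_cs_strip_links( $text ) {
    return preg_replace( '#</?a\b[^>]*>#i', '', (string) $text );
}

// Save path: new comments only. The data is still slashed at this point,
// which the pattern tolerates. Discarding the posted URL is this sketch's
// addition: hiding a field does not stop a script from sending it.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $commentdata['comment_author_url'] = '';
    $commentdata['comment_content']    = demo_cs_strip_links( $commentdata['comment_content'] );
    return $commentdata;
} );

// Display path: covers existing comments without modifying the database.
// Priority 20 runs after core's make_clickable (priority 9), so bare URLs
// that WordPress would auto-link are unlinked as well.
add_filter( 'comment_text', 'demo_cs_strip_links', 20 );
```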
