Description
LukaCodes AntiSpam Shield is a lightweight, no-bloat plugin that protects your WordPress comment section and contact forms from spam. Five independent tools, one settings page. Read the full documentation.
- Disable Website Field — Removes the URL/website field from the comment form. Works with all themes, including those that hardcode the field (CSS fallback included).
- Strip Links from Comments — Automatically removes all <a href> hyperlinks from comment content — both on display and before saving to the database. Spammers get zero benefit from posting links.
- reCAPTCHA v3 — Adds Google’s invisible bot-score protection. No checkbox, no puzzle, no friction for real users. Bots are silently blocked server-side.
- Cloudflare Turnstile — A privacy-friendly CAPTCHA alternative. Mutually exclusive with reCAPTCHA v3 — enabling one automatically disables the other.
- Login Shield — Adds CAPTCHA to the WordPress login form (wp-login.php). Stops brute-force bots silently.
- Registration Shield — Adds CAPTCHA to the WordPress registration form. Blocks bot account creation.
- WPForms Integration — Apply the same CAPTCHA protection to WPForms Lite — using the same keys you already configured, no extra setup.
All features are independent — enable only what you need.
Login & Registration Shield
Version 1.1.2 adds CAPTCHA protection to wp-login.php:
- Login Shield — Hooks into wp_authenticate_user for server-side verification after credentials are checked. Returns a WP_Error if CAPTCHA fails — WordPress displays it as a normal login error.
- Registration Shield — Hooks into registration_errors to add CAPTCHA validation during registration. Works alongside all other WordPress registration validations.
Both are independently togglable in the settings panel. Admins already logged in are never affected.
WPForms Integration
Version 1.1.0 introduces CAPTCHA protection for WPForms Lite:
- Hooks into wpforms_display_submit_before to inject the CAPTCHA widget before the submit button.
- Hooks into wpforms_process for server-side token verification.
- Works with both reCAPTCHA v3 (invisible) and Cloudflare Turnstile (visible widget).
Note: WPForms Pro includes its own native CAPTCHA integration — this feature is intended for WPForms Lite users only.
Why AntiSpam Shield?
Most anti-spam plugins are heavy, require accounts, or add ugly CAPTCHAs. LukaCodes AntiSpam Shield is different:
- ~30 KB total — no external libraries, no jQuery dependency
- Settings page with live key testing — verify your reCAPTCHA or Turnstile keys before enabling
- Link stripping preview — paste any comment text and see exactly what gets removed
- Graceful fallback: if Google’s or Cloudflare’s API is unreachable, comments are held for moderation (never lost)
- Trusted users (administrators) bypass CAPTCHA checks automatically
- Mutual exclusion: reCAPTCHA v3 and Cloudflare Turnstile cannot be active at the same time
- WP Coding Standards compliant — fully escaped output, nonce-protected AJAX
reCAPTCHA v3 — How it works
When a visitor submits a form, JavaScript silently requests a score token from Google. The token is sent with the submission and verified server-side against your minimum score threshold (configurable from 0.1 to 1.0). No user interaction required.
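The server-side decision described above, combined with the action and hostname validation and the moderation fallback this page lists elsewhere, as an added PHP example that is not the plugin's own code. The function name, constants, the `comment` action and the `example.com` host are hypothetical, and the sample replies are constructed.

```php
<?php
// Added example, not the plugin's code. All names here are hypothetical.
const ALLOW  = 'allow';
const REJECT = 'reject';
const HOLD   = 'hold_for_moderation';

/**
 * Decide what to do with a comment from the raw siteverify reply.
 * $raw_body is null when the HTTP request itself failed (timeout, DNS, 5xx).
 */
function example_recaptcha_decision( ?string $raw_body, string $action, string $host, float $min_score ): string {
    if ( null === $raw_body ) {
        return HOLD; // API unreachable: keep the comment, let a human decide
    }
    $data = json_decode( $raw_body, true );
    if ( ! is_array( $data ) ) {
        return HOLD; // assumption: an unparseable reply is treated like an outage
    }
    if ( empty( $data['success'] ) ) {
        return REJECT; // token missing, expired, reused or not issued by the service
    }
    // The token must have been issued for this form's action ...
    if ( ( $data['action'] ?? '' ) !== $action ) {
        return REJECT;
    }
    // ... and on this site's hostname, so a token minted on another site is refused.
    if ( 0 !== strcasecmp( (string) ( $data['hostname'] ?? '' ), $host ) ) {
        return REJECT;
    }
    $score = $data['score'] ?? null;
    if ( ! is_numeric( $score ) || (float) $score < $min_score ) {
        return REJECT; // below the configured minimum score
    }
    return ALLOW;
}

// Constructed sample replies (not captured traffic).
$samples = array(
    'human'        => '{"success":true,"score":0.9,"action":"comment","hostname":"example.com"}',
    'low score'    => '{"success":true,"score":0.1,"action":"comment","hostname":"example.com"}',
    'wrong action' => '{"success":true,"score":0.9,"action":"login","hostname":"example.com"}',
    'other site'   => '{"success":true,"score":0.9,"action":"comment","hostname":"other.example"}',
    'bad token'    => '{"success":false,"error-codes":["invalid-input-response"]}',
    'api outage'   => null,
);
foreach ( $samples as $label => $body ) {
    printf( "%-12s => %s\n", $label, example_recaptcha_decision( $body, 'comment', 'example.com', 0.5 ) );
}
```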
Cloudflare Turnstile — How it works
A Turnstile widget is rendered inside the form. When the visitor completes the challenge, a token is submitted and verified server-side against the Cloudflare API.
Third-Party Services
This plugin optionally uses the following third-party services:
Google reCAPTCHA v3
A service provided by Google LLC.
- What it does: Detects bots and spam on your comment form and contact forms without user interaction.
- When data is sent: Only when reCAPTCHA v3 is enabled. A token is sent to https://www.google.com/recaptcha/api/siteverify on each form submission.
- What data is sent: The visitor’s IP address and a reCAPTCHA token.
- Google Privacy Policy: https://policies.google.com/privacy
- Google Terms of Service: https://policies.google.com/terms
Cloudflare Turnstile
A service provided by Cloudflare, Inc.
- What it does: Presents a privacy-friendly CAPTCHA widget on comment and contact forms.
- When data is sent: Only when Cloudflare Turnstile is enabled. A token is sent to https://challenges.cloudflare.com/turnstile/v0/siteverify on each form submission.
- What data is sent: The visitor’s IP address and a Turnstile token.
- Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
- Cloudflare Terms of Service: https://www.cloudflare.com/website-terms/
Both services are entirely optional. If you do not enter API keys or enable either CAPTCHA, no data is sent to any third party.
Installation
- Upload the lukacodes-comment-shield folder to /wp-content/plugins/
- Activate the plugin through Plugins → Installed Plugins
- Go to Settings → AntiSpam Shield to configure your options
reCAPTCHA v3 Setup
- Visit Google reCAPTCHA Admin Console
- Create a new site — select Score based (v3)
- Add your domain to the allowed domains list
- Copy the Site Key and Secret Key into the plugin settings
- Use the built-in 🔍 Test Keys button to verify connectivity before enabling
- Enable reCAPTCHA v3, set your minimum score, and save
Cloudflare Turnstile Setup
- Visit Cloudflare Turnstile Dashboard
- Create a new site and select your widget type (Managed recommended)
- Copy the Site Key and Secret Key into the plugin settings
- Use the built-in 🔍 Test Turnstile Keys button to verify connectivity before enabling
- Enable Cloudflare Turnstile and save — reCAPTCHA v3 will be disabled automatically
Contact Forms Setup
No extra setup needed. Once reCAPTCHA v3 or Cloudflare Turnstile is configured, go to the Contact Forms section in the settings and toggle on each plugin you want to protect. The admin panel shows which form plugins are currently installed and active on your site.
FAQ
Does this require a Google account?
Only if you use reCAPTCHA v3. You need a Google account to obtain keys from the reCAPTCHA Admin Console. The service is free. Cloudflare Turnstile requires a free Cloudflare account instead.
Can I use both reCAPTCHA and Turnstile at the same time?
No — they are mutually exclusive. Enabling one will automatically disable the other, both in the settings UI and on the server.
Does this protect the login and registration forms?
Yes. Enable “Login Shield” and/or “Registration Shield” in the Login & Registration section of the settings panel. The same reCAPTCHA v3 or Turnstile keys are reused — no extra setup needed. Administrators are never blocked.
Does this protect WPForms Lite without extra keys?
Yes. The same reCAPTCHA v3 or Turnstile keys you enter for comment protection are reused automatically for WPForms Lite. No additional setup required.
What happens if Google’s or Cloudflare’s API is unreachable?
The comment or form submission is held for moderation instead of being rejected. You will never lose a genuine submission due to an API outage.
Does it work with custom themes that hardcode the URL field?
Yes. The plugin removes the field from WordPress’s form array and also injects CSS as a fallback.
Does this work with caching plugins?
Yes. All CAPTCHA logic runs client-side (JS) and server-side (PHP on submission). Caching does not interfere.
Do I need all features?
No. Each feature has its own toggle. Enable only what your site needs.
Contributors & Developers
“LukaCodes AntiSpam Shield” is open source software.
“LukaCodes AntiSpam Shield” has been translated into 2 locales.
Changelog
1.1.3
- Added: Option to disable comments on all posts sitewide
- Added: Option to disable comments on all pages sitewide
- Fixed: WPForms CAPTCHA hook changed to wpforms_process_before — form submission is now blocked before email is sent when token is missing/invalid
- Fixed: Key tester now validates that reCAPTCHA / Turnstile keys are registered for this site’s domain
- Fixed: Keys from a different domain now show a clear “Domain mismatch” error instead of a false “keys look correct” result
- Improved: Turnstile key tester now passes sitekey to Cloudflare API to enable domain-level validation
- Improved: Greek (el) translation updated to 100% — all strings now translated
- Bumped version to 1.1.3
1.1.2
- Added Login Shield: CAPTCHA protection for wp-login.php login form
- Added Registration Shield: CAPTCHA protection for wp-login.php registration form
- Login and Registration shields are independently togglable in the settings panel
- Both shields reuse existing reCAPTCHA v3 / Turnstile keys — no additional setup required
- Added Login Shield and Register Shield rows to Plugin Status panel
- Updated POT template with all new i18n strings
- Updated Greek (el) translation with all new strings
- Bumped version to 1.1.2
1.1.0
- Added WPForms Lite integration: reCAPTCHA v3 and Cloudflare Turnstile protection for WPForms forms
- WPForms protection reuses existing CAPTCHA keys — no additional setup required
- Added WPForms panel in admin: auto-detects if WPForms is installed, toggle to enable/disable
- Added WPForms Shield row to Plugin Status panel
- Updated POT template with all new i18n strings
- Updated Greek (el) translation with all new strings
- Bumped version to 1.1.0
1.0.1
- Added Cloudflare Turnstile as a second CAPTCHA option (privacy-friendly alternative to reCAPTCHA)
- Added mutual exclusion logic: enabling reCAPTCHA disables Turnstile and vice versa
- Added server-side Turnstile token verification with moderation fallback
- Added live Turnstile key tester in the settings panel
- Updated uninstall.php to clean up Turnstile options on deletion
0.3
- Added server-side reCAPTCHA verification with action and hostname validation
- Added fallback: holds comment for moderation if Google API is unreachable
- Added COMMSH_VERSION constant and activation hook to seed default options
- Improved score threshold: configurable from 0.1 to 1.0 with live slider
0.2
- Integrated Google reCAPTCHA v3 invisible protection on comment form
- Added real-time key testing against Google API
- Added live link stripping preview with before/after diff
- Fixed double-submission bug on slow connections
0.1
- Initial release
- Remove website field from comment form (filter + CSS fallback)
- Strip HTML links from comments on display and before saving to database
