=== Ansico SpamShield ===
Contributors: aphandersen
Support link: https://ansico.dk/Ansico/Ansico-spamshield
Tags: spam, antispam, captcha, honeypot, akismet, ip-blocking, comment-spam, login-protection, woocommerce, geoip
Requires at least: 5.9
Tested up to: 6.7
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPL-3.0-or-later
License URI: https://www.gnu.org/licenses/gpl-3.0.html

Comprehensive, layered spam protection for WordPress — CAPTCHA, honeypot, IP blocking, country restrictions, Akismet integration and much more.

== Description ==

**Ansico SpamShield** protects your WordPress site from spam, bots and brute-force attacks using multiple independent defensive layers. Unlike single-method plugins, SpamShield combines server-side checks with optional third-party API integrations so that even if one layer is bypassed, others remain in place.

= Core features =

**🍯 Honeypot + timing check**
An invisible honeypot field is added to comment forms. Bots that fill it in are silently rejected. A submission timing check additionally catches bots that submit forms in under 3 seconds.

**🔐 CAPTCHA**
Supports Google reCAPTCHA v2, reCAPTCHA v3 and hCaptcha on comment forms, login, registration and WooCommerce checkout. reCAPTCHA v3 works invisibly with a configurable score threshold.

**💬 Comment spam filtering**
- Maximum link count per comment
- Keyword, email and domain blocklist
- Comment length limit
- Pattern matching for common spam phrases
- Rate limiting per IP

**🚫 IP blocking**
Manual and automatic IP blocking with configurable duration. IPs are automatically blocked after a configurable number of violations. Supports IPv4 and IPv6, and correctly handles Cloudflare and reverse proxy headers.

**🔑 Login protection**
- Rate limiting on login attempts with automatic IP blocking
- Generic login error messages (prevents username enumeration)
- Login attempt logging

**🌍 Country restriction (IPinfo)**
Restrict comments, logins and registrations to specific countries using ISO country codes. Uses the IPinfo.io API (free Lite token available). Results are cached per IP for 24 hours to minimise API calls.

**🛡️ Akismet integration**
Send comments that pass all other checks to the Akismet API as a secondary layer. Supports configurable actions (moderate or reject), automatic spam/ham reporting back to Akismet to improve their filters, and a built-in API key verification tool.

**🗃️ StopForumSpam integration**
Cross-reference commenter IPs and email addresses against the StopForumSpam public database. Configurable confidence threshold prevents false positives.

**🌐 REST API & XML-RPC hardening**
Optionally disable XML-RPC, rate-limit the REST API, block known-bad IPs from REST endpoints and hide the WordPress version number from headers and the generator meta tag.

**🛒 WooCommerce protection**
CAPTCHA on checkout, blocklist checking on billing email, checkout rate limiting, and automatic suspicious order detection (zero-value orders, repeated orders from same IP, generic names). Suspicious orders can be automatically placed on hold.

**📝 Form plugin integration**
Applies IP blocking, email blocklist, rate limiting and StopForumSpam checks to Contact Form 7, Gravity Forms and WPForms submissions.

**📊 Dashboard & tools**
- Live statistics with a 30-day spam chart
- Full spam log with type filtering and pagination
- Blocklist manager (keywords, emails, URL domains) with CSV import/export
- IP manager with manual block/unblock and CSV export
- IP lookup tool with geo-information and local spam history
- StopForumSpam live check tool
- Country lookup tool (IPinfo)
- Akismet API key verification

**🔔 Notifications**
Optional admin email alerts when daily spam count exceeds a threshold, plus optional weekly summary emails.

= Privacy =

Ansico SpamShield does not collect or transmit any data unless you explicitly enable one of the optional third-party integrations (Akismet, StopForumSpam, IPinfo, reCAPTCHA, hCaptcha). When those integrations are used, commenter IP addresses and/or email addresses are sent to the respective third-party services. Please update your privacy policy accordingly.

= Requirements =

* WordPress 5.9 or higher
* PHP 7.4 or higher

= Optional integrations =

* [Akismet](https://akismet.com/) — requires a free or paid API key
* [StopForumSpam](https://www.stopforumspam.com/) — free, no key required
* [IPinfo](https://ipinfo.io/) — requires a free Lite token for country lookups
* [Google reCAPTCHA](https://www.google.com/recaptcha/) — requires site and secret keys
* [hCaptcha](https://www.hcaptcha.com/) — requires site and secret keys
* WooCommerce 5.0 or higher (for WooCommerce features)
* Contact Form 7, Gravity Forms or WPForms (for form protection features)

== Installation ==

1. Upload the `ansico-spamshield` folder to `/wp-content/plugins/` or install via **Plugins → Add New → Upload Plugin**.
2. Activate the plugin through **Plugins → Installed Plugins**.
3. Navigate to **SpamShield → Settings** to configure.
4. Honeypot and comment spam filtering are enabled by default — no configuration required for basic protection.

== Frequently Asked Questions ==

= Can I use this instead of Akismet? =

Yes, for many sites the built-in layers (honeypot, rate limiting, IP blocking, StopForumSpam) will be sufficient. However, Akismet's primary strength is machine learning trained on billions of comments across all WordPress sites globally — something no local plugin can replicate alone. We recommend enabling the Akismet integration (Settings → Akismet) as a secondary check rather than choosing one over the other.

= Does the plugin work without any API keys? =

Yes. Honeypot, timing checks, comment spam filtering, link limits, IP blocking, rate limiting, login protection and the blocklist all work without any external API keys.

= Will this slow down my site? =

All external API results (IPinfo, StopForumSpam) are cached in WordPress transients for 24 hours per IP, so repeated lookups cost nothing. The Akismet check is only triggered when a comment passes all other layers, keeping API calls to a minimum.

= Is it compatible with caching plugins? =

Yes. All checks run server-side on form submission, not during page rendering, so caching plugins are unaffected.

= What happens if an external API is unavailable? =

Each integration fails open by default — if the API cannot be reached, the action is allowed through rather than blocking legitimate users. You can configure SpamShield to be stricter if preferred.

= Does it support multisite? =

Not tested on multisite in this release. Per-site installation is supported.

== Screenshots ==

1. Dashboard with spam statistics and 30-day chart
2. Settings — CAPTCHA and honeypot configuration
3. Settings — Akismet integration
4. Settings — Country restriction (IPinfo)
5. IP blocking management
6. Blocklist manager
7. Spam log

== Changelog ==

= 1.0.0 =
* Initial public release
* Honeypot + form timing check
* CAPTCHA support: Google reCAPTCHA v2/v3 and hCaptcha (comments, login, registration, WooCommerce checkout, Contact Form 7)
* Comment spam filtering: link limits, keyword/email/domain blocklist, pattern matching, rate limiting
* IP blocking: manual and automatic, configurable duration, IPv4/IPv6
* Login protection: rate limiting, generic error messages, failed login logging
* Country restriction via IPinfo API with per-action allowed-country lists
* Akismet API integration as secondary spam check with spam/ham reporting
* StopForumSpam database integration
* REST API and XML-RPC hardening
* WooCommerce protection: checkout CAPTCHA, suspicious order detection, billing email blocklist
* Contact Form 7, Gravity Forms and WPForms integration
* Admin dashboard with 30-day spam chart, top IPs and top reasons
* Spam log with type filtering and pagination
* Blocklist manager with CSV import/export
* IP manager with geo-lookup tool
* Email notifications: spam spike alerts and weekly summary
* GPL-3.0-or-later licence

== Upgrade Notice ==

= 1.0.0 =
Initial release. No upgrade path from pre-release versions.

== License ==

Ansico SpamShield is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
