=== GB Anti-Spam for Contact Form 7 ===
Contributors: gregbialowas
Donate link: https://gregbialowas.com/donate
Plugin URI: https://gregbialowas.com/anti-spam-cf7
Tags: contact form 7, anti-spam, honeypot, spam protection
Requires at least: 5.8
Tested up to: 7.0
Stable tag: 2.1.0
Requires PHP: 7.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Lightweight anti-spam protection for Contact Form 7 without CAPTCHA.

More details: https://gregbialowas.com/anti-spam-cf7

== Description ==

GB Anti-Spam for Contact Form 7 adds a lightweight security layer to Contact Form 7 forms without CAPTCHA.

Features:
* Honeypot field protection
* Timing-based bot detection
* Request integrity token
* IP rate limiting
* Automatic injection (no manual form editing required)

Designed to be lightweight and compatible with caching and performance plugins.

== Installation ==

1. Upload plugin to WordPress
2. Activate plugin
3. Works automatically with all Contact Form 7 forms

== Frequently Asked Questions ==

= Does it require editing forms? =
No. Everything is injected automatically.

= Does it slow down the site? =
No noticeable impact.

== Screenshots ==

1. Example of protected Contact Form 7 form with hidden honeypot field
2. Admin settings overview (if applicable)

== Changelog ==
= 2.1.0 =
* Refactored core validation into structured pipeline architecture (validate() now acts as orchestration layer)
* Introduced modular detection stages: context collection, honeypot, timing, nonce, fingerprint, rate limiting, field analysis, payload analysis, scoring, and final decision
* Replaced flat string-based signals with structured signal objects (type + optional field metadata)
* Added unified scoring engine with centralized weight map for all detection signals
* Introduced hard-block vs score-based decision separation (critical threats bypass scoring)
* Split validation logic into dedicated methods for each detection layer for improved maintainability
* Improved field-level analysis with structured output (URL, emoji, markup, Cyrillic, length detection per field)
* Introduced dedicated payload analysis layer for cross-field pattern detection (SQL injection, XSS, command injection, spam keywords)
* Centralized spam keyword detection into reusable helper method
* Improved rate limiting mechanism with explicit signal output (rate_limited)
* Added structured debug logging including score value alongside signals, IP, user agent, and sanitized submission data
* Enhanced logging safety with improved data sanitization and truncation limits
* Improved observability of validation flow through explicit stage separation and consistent signal output format
* Reduced coupling between detection logic and validation decision logic
* Maintained backward compatibility with existing Contact Form 7 validation filter

= 2.0.0 =
* Complete redesign of anti-spam engine architecture
* Replaced legacy scoring system with structured signals-based detection model
* Introduced unified signals[] system as primary validation output
* Split validation logic into layered detection system (hard-block, behavioral signals, content analysis)
* Added per-field validation engine via analyze_field() method
* Introduced helper-based security detection functions (SQL injection, XSS, command injection)
* Added structured JSON logging system for all CF7 submission attempts
* Improved rate limiting mechanism based on IP tracking
* Added detection for URLs, emojis, HTML/BBCode markup, and Cyrillic content
* Separated detection logic from final blocking decision
* Improved observability with detailed request-level debug output
* Prepared internal architecture for future rule weighting and per-field validation engine expansion
* Improved overall maintainability and extensibility of the plugin core

= 1.2.0 =
* Major refactor of anti-spam engine
* Added hard firewall layer using wpcf7_before_send_mail
* Introduced unified payload inspection (email, URL, injection patterns)
* Removed client-side hash-based token system in favor of WP nonce
* Improved scoring logic and reduced redundant validation checks
* Fixed CF7 bypass allowing spam submissions to reach mail layer
* Improved debug logging system with configurable file path

= 1.1.0 =
* Replaced JS-based token mechanism with secure WordPress nonce validation (wp_create_nonce / wp_verify_nonce)
* Removed insecure client-side hash-based token generation
* Added human interaction signal detection (mouse, keyboard, touch events)
* Improved fingerprinting method for better bot anomaly detection
* Added universal payload inspection for SQL injection, XSS, and command injection patterns across all form fields
* Improved rate limiting logic with stricter thresholds per IP
* Enhanced honeypot detection reliability across all CF7 forms

= 1.0.5 =
* Improved validation scoring system for spam detection
* Added additional heuristic checks for automated bot submissions
* Optimized transient-based rate limiting mechanism

= 1.0.0 =
* Initial release
* Basic honeypot protection
* Timing-based submission validation
* Lightweight fingerprint detection

== Upgrade Notice ==

= 1.0.0 =
Initial release of GB Anti-Spam for Contact Form 7.