Title: SilentShield – Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce)
Author: Forge12 Interactive GmbH
Published: October 11, 2021
Last modified: June 26, 2026
---
Search plugins
# SilentShield – Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce)
By [Forge12 Interactive GmbH](https://profiles.wordpress.org/forge12/)
[Download](https://downloads.wordpress.org/plugin/captcha-for-contact-form-7.2.7.6.zip)
* [Details](https://wordpress.org/plugins/captcha-for-contact-form-7/#description)
* [Reviews](https://wordpress.org/plugins/captcha-for-contact-form-7/#reviews)
* [Installation](https://wordpress.org/plugins/captcha-for-contact-form-7/#installation)
* [Development](https://wordpress.org/plugins/captcha-for-contact-form-7/#developers)
[Support](https://wordpress.org/support/plugin/captcha-for-contact-form-7/)
## Description
SilentShield is a **unified captcha and anti-spam plugin for WordPress**.
It works
with the most popular form builders and protects login, registration, and comment
forms – without slowing your site.
**Why choose SilentShield?**
– **Invisible defense** – Captcha, honeypot, and blacklists
working silently. – **Instant results** – Install, activate, and stop spam. – **
Universal support** – Works with Contact Form 7, WPForms, Elementor, WooCommerce,
and more. – **Privacy-first** – No cookies, no tracking, fully GDPR / DSGVO compliant.
SilentShield doesn’t just protect forms.
It protects your time, your customers,
your business.
### Core Features
* Invisible Captcha (Arithmetic, Honeypot, Image)
* Smart IP Blocking & Blacklists
* Spam filters for links, code & keywords
* Whitelisting for admins & customers
* GDPR-ready, no cookies, no tracking
### Supported Form Plugins & Integrations
SilentShield protects forms from all major WordPress form builders and core features:
**Form Builders:**
– Contact Form 7 (CF7) – WPForms / WPForms Lite – Elementor
Pro Forms – Gravity Forms – Fluent Forms – JetFormBuilder – Avada (Fusion Builder)
Forms
**WooCommerce:**
– Checkout (classic & PayPal Payments) – Login – Registration
**WordPress Core:**
– Login form (wp-login.php) – Registration form – Comment forms
**Other:**
– Ultimate Member (Login & Registration) – WP Job Manager (Job Applications)
Each integration can be enabled or disabled individually under **Settings > Extended**.
### Protection Layers
SilentShield uses **10+ protection mechanisms** working together:
1. **Captcha** – Arithmetic math, honeypot, or image-based captcha
2. **JavaScript Protection** – Detects submissions from bots without JS support
3. **Browser Detection** – Validates User-Agent strings
4. **Timer Protection** – Blocks submissions faster than a human can type
5. **Multiple Submission Protection** – Prevents rapid duplicate submissions
6. **IP Rate Limiting** – Limits requests per IP and time window
7. **IP Blacklist** – Block known bad IPs
8. **Content Rules** – Limit URLs, block BBCode, keyword blacklist
9. **Whitelist** – Skip validation for admins, logged-in users, or specific emails/
IPs
10. **SilentShield API** (Beta) – Cloud-based spam detection
### The Promise
SilentShield is not “just another plugin.”
It’s an invisible wall against the background
noise of the internet.
Activate once – and your forms are human again.
### Privacy & Telemetry
* No cookies, no user tracking.
* Encrypted IP storage (max. 2 months, only for spam defense).
* Telemetry is optional and anonymized.
* You can disable telemetry anytime in plugin settings.
Collected fields:
– `plugin_slug`, `plugin_version` – `snapshot_date` – `settings_json`(
anonymized config – only boolean/integer flags, no free-text) – `features_json` (
enabled features) – `created_at`, `first_seen`, `last_seen` – `counters_json` (spam
events) – `wp_version`, `php_version`, `locale`
**GDPR / DSGVO Compliance**
– Basis: _Art. 6 Abs. 1 lit. f DSGVO_ (legitimate interest–
plugin optimization). – No personal data, no cookies, no user tracking.
## Screenshots
[⌊IP Protection settings⌉⌊IP Protection settings⌉[
IP Protection settings
[⌊Spam protection in comments⌉⌊Spam protection in comments⌉[
Spam protection in comments
[⌊Contact Form 7 integration⌉⌊Contact Form 7 integration⌉[
Contact Form 7 integration
[⌊Avada Forms integration⌉⌊Avada Forms integration⌉[
Avada Forms integration
[⌊Image Captcha example⌉⌊Image Captcha example⌉[
Image Captcha example
[⌊Arithmetic Captcha example⌉⌊Arithmetic Captcha example⌉[
Arithmetic Captcha example
[⌊Honeypot Captcha example⌉⌊Honeypot Captcha example⌉[
Honeypot Captcha example
[[
[[
[[
[[
[[
## Installation
1. Upload to `/wp-content/plugins/`.
2. Activate via WordPress “Plugins” menu.
3. Configure protection settings under **Settings > SilentShield**.
For detailed setup instructions, see [docs/installation.md](https://wordpress.org/plugins/captcha-for-contact-form-7/docs/installation.md?output_format=md).
## FAQ
### Will this stop all spam?
Not all, but it drastically reduces it. SilentShield combines multiple detection
layers (captcha, honeypot, IP blocking, JavaScript detection, timer, content rules)
for maximum coverage.
### Is it GDPR compliant?
Yes – no cookies, no tracking, only anonymized data. IPs are stored encrypted for
max 2 months (only for spam defense). See the Privacy section below.
### Do I need coding skills?
No. Everything is managed via WordPress Dashboard.
### Does it work with WooCommerce PayPal Payments?
Yes. SilentShield automatically injects JavaScript protection timestamps into PayPal
checkout requests. Both PayPal Standard Buttons and Card Fields are supported.
### Can I customize the captcha appearance?
Yes. Choose from 3 built-in templates, customize the label and placeholder text,
and select a reload icon color (black/white). Developers can further customize the
output via filters.
### Can I disable specific protection layers?
Yes. Every protection mechanism (captcha, timer, JavaScript, browser, IP, rules,
etc.) can be individually enabled or disabled.
### How do I whitelist my admin users?
Under **Settings > Extended > Whitelist**, enable “Whitelist Admin Users” and/or“
Whitelist Logged-In Users”. You can also whitelist specific emails and IPs.
### What data does telemetry collect and why?
SilentShield includes **optional anonymous telemetry** (opt-out).
This helps us
understand which features are used, so we can improve usability and remove unused
complexity.
**We are a small independent team** – we don’t earn money with this plugin, and
we don’t sell or share data.
Telemetry is used **only for optimization and maintenance
purposes**.
### Where is the full documentation?
See the [docs/](https://wordpress.org/plugins/captcha-for-contact-form-7/docs/?output_format=md)
directory in the plugin folder for complete documentation of all settings, hooks,
REST API, and developer reference.
## Reviews
### [Simple and effective CAPTCHA solution for Contact Form 7](https://wordpress.org/support/topic/simple-and-effective-captcha-solution-for-contact-form-7/)
[uwejansen](https://profiles.wordpress.org/uwejansen/) May 9, 2026
I have been using this plugin with Contact Form 7 and overall it works well. The
setup is straightforward, and it helps reduce spam submissions without making the
form too complicated for visitors. It integrates nicely with Contact Form 7 and
does what it is supposed to do. For a free plugin, it is a very useful solution.
I am giving 4 stars because there is still some room for improvement, for example
in terms of documentation or additional configuration options. But overall, it is
a solid and helpful plugin.
### [Great plugin](https://wordpress.org/support/topic/great-plugin-41455/)
[solanum](https://profiles.wordpress.org/solanum/) April 28, 2026 1 reply
I use this plugin on ALL my client’s websites because it is easy to set up and it
works incredibly well in protecting my sites 😀
### [Great Plug-In](https://wordpress.org/support/topic/great-plug-in-1420/)
[Nico Demus](https://profiles.wordpress.org/nicodemusy2k/) January 26, 2026
Easy to use and does exactly what it should. Not overloaded, pretty easy to setup.
Awesome ! Works like a charm with Elementor !
### [Finally the spam stopped!!!](https://wordpress.org/support/topic/finally-the-spam-stopped/)
[lyndzer](https://profiles.wordpress.org/lyndzer/) December 28, 2025
This is FINALLY the solution I was looking for. Thousands of spam emails from my
website have been a plague. Now – with this amazing plug-in – it has STOPPED. My
gratitude is immense. A real game changer!!
### [Beware: Blocks login](https://wordpress.org/support/topic/beware-blocks-login/)
[martinpelletier](https://profiles.wordpress.org/martinpelletier/) November 8,
2025 1 reply
Blocks login even if login protection is not checked in dashboard. Moreover, the
right answer does not allow to login. You get locked out your own WP site.
### [Just perfect!](https://wordpress.org/support/topic/just-perfect-693/)
[KnallBlauMedia](https://profiles.wordpress.org/knallblaumedia/) October 9, 2025
I’m using this plugin for 1-2 years and it’s the best solution yet.
[ Read all 20 reviews ](https://wordpress.org/support/plugin/captcha-for-contact-form-7/reviews/)
## Contributors & Developers
“SilentShield – Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce)”
is open source software. The following people have contributed to this plugin.
Contributors
* [ Forge12 Interactive GmbH ](https://profiles.wordpress.org/forge12/)
“SilentShield – Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce)”
has been translated into 2 locales. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/captcha-for-contact-form-7/contributors)
for their contributions.
[Translate “SilentShield – Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce)” into your language.](https://translate.wordpress.org/projects/wp-plugins/captcha-for-contact-form-7)
### Interested in development?
[Browse the code](https://plugins.trac.wordpress.org/browser/captcha-for-contact-form-7/),
check out the [SVN repository](https://plugins.svn.wordpress.org/captcha-for-contact-form-7/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/captcha-for-contact-form-7/)
by [RSS](https://plugins.trac.wordpress.org/log/captcha-for-contact-form-7/?limit=100&mode=stop_on_copy&format=rss).
## Changelog
#### 2.7.6
* Security [Audio Captcha]: The accessibility audio endpoint (`/captcha/audio`)
no longer returns the captcha solution for math challenges. The math answer was
never used by the frontend (math formulas are read aloud directly from the page),
so this code path only disclosed the solution to direct API callers. Image captchas
still spell out their characters — that is the intended purpose of the audio
accessibility feature and remains protected by the existing per-IP rate limit.
* Security [SilentShield]: Documented that the frontend `beta_captcha_api_key`
is a publishable, domain-bound client key (comparable to a reCAPTCHA site key),
intentionally exposed to the browser so the behavioral client script can run.
It carries no administrative or sensitive authority.
#### 2.7.5
* Fix [Forms]: Enabling WordPress Comments, JetFormBuilder or Ultimate Member protection
no longer attaches the captcha submit interceptor to unrelated forms — most notably
the WooCommerce “Add to cart” form (`form.cart`), which could be blocked or delayed.
These three integrations relied on the generic default-forms handler, which bound
to _every_ form on the page that wasn’t explicitly excluded (an exclusion list
that could never be complete). Each integration now has its own dedicated module
that targets only its own forms (comment form, JetFormBuilder forms, Ultimate
Member login/registration), and the generic handler is no longer activated as
a side effect.
#### 2.7.4
* New [Analytics]: When the SilentShield API is active, the Analytics page now
shows an “API Exclusive Blocks” section with measured numbers — how many spam
submissions the API blocked that none of the local rules (Captcha, Timer, IP,
Honeypot, …) would have stopped, plus the overlap and total API blocks. Both
the recording and the section are only active while the API is enabled and reachable.
This complements Shadow Mode, which shows an estimate while the API is off.
* New [Analytics]: Bots that submit a protected form without ever loading the widget(
no behavior nonce — typically scripts that POST directly without running JavaScript)
are now reported to the SilentShield API so they are counted in the “bots blocked”
statistics instead of being silently dropped. The submission is still blocked
locally exactly as before; the report is fire-and-forget and never delays the
request.
* Maintenance: Removed temporary debug logging from the SilentShield API validator(
no longer writes diagnostic lines, including nonce/API-key prefixes, to the PHP
error log).
#### 2.7.3
* Fix [WooCommerce Checkout]: The JavaScript protection could wrongly reject legitimate
checkouts (“JavaScript protection not correct”) and require several clicks on“
Place order”. The captcha and its timing fields (`js_start_time`/`js_end_time`)
are rendered inside the order review block, which WooCommerce re-renders on every`
updated_checkout` AJAX (address, shipping or payment changes). The page-load
init only ran once, so after a refresh `js_start_time` was empty and the timestamp
fallback collapsed start and end to the same value (zero duration). The checkout
now re-seeds `js_start_time` on every `updated_checkout` and falls back to the
stable page-load time, so the submitted duration is always valid.
* Fix [Compatibility]: Resolved a conflict with Germanized for WooCommerce where
enabling “WooCommerce Login” or “WooCommerce Registration” protection broke the
order withdrawal/Widerruf form (`?wc-ajax=eu_owb_woocommerce_order_withdrawal_request`),
which failed with an HTTP 500 error and no success/error message. The frontend
submit interceptor was bound to the generic `form.woocommerce-form` class and
therefore also hijacked third-party WooCommerce forms that ship their own AJAX
handling. It now only targets the WooCommerce login (`woocommerce-form-login`)
and registration (`woocommerce-form-register`) forms it actually protects.
#### 2.7.2
* Fix [Forms]: Comments and other default WordPress forms now set the JavaScript
timing field (`js_end_time`) at the moment of submission instead of on page load.
Previously the timestamp was pre-filled during init, making it identical to `
js_start_time` and rendering the time-based bot detection ineffective for these
forms.
* Fix [Forms]: Default forms (comments, JetForm, Ultimate Member, generic forms)
no longer ran the captcha workflow on page load. The workflow is now correctly
triggered by a native submit listener, so the captcha is verified only when the
user actually submits.
* Fix [Forms]: Resolved an issue where default forms with a submit control named`
submit` (e.g. the WordPress comment form’s “Post Comment” button) could not be
submitted, because the control shadowed the form’s `submit()` method. The form
is now submitted natively via the prototype method, which also avoids re-entrant
submit events.
* Fix [IP Protection]: IP rate limiting no longer wrongly blocks legitimate visitors
from the third submission onward. The time check compared the gap between the
two _previous_ submissions instead of the time since the last one, so the current
request’s actual timing was ignored — once a visitor’s first two submissions
were close together, every following submission (e.g. the third comment on a
post) was rejected with “IP protection” regardless of how long they waited. The
check now correctly measures the time elapsed since the visitor’s last submission.
#### 2.7.1
* Improved [Translations]: French (fr_FR) translations overhauled — replaced anglicisms
with correct French terminology throughout (“spam” “indésirables”, “bots” “
robots”, “plan” “offre”, “plugin” “extension”, “clé API” “clé d’API”, “paramètres”“
réglages”, “analyse comportementale IA” “analyse comportementale par IA”, “espace
réservé” “texte indicatif”, “étiquette” “libellé”). Fixed typos and grammar
errors in community-contributed translations. Regenerated MO and JSON files.
#### 2.7.0
* Fix [Admin UI]: Resolved sidebar/navigation not rendering on sites with WooCommerce
or other React-based plugins. The plugin now uses WordPress’ built-in React instead
of bundling its own copy, preventing duplicate React instance conflicts that
broke context providers.
* Fix [Cron]: “Daily Telemetry” cron job no longer runs when telemetry is disabled.
Previously, disabling telemetry in the admin UI only took effect on the next
page load; the cron could still fire in between. Cron state is now synced immediately
when settings are saved.
* Fix [Cron]: Audit log no longer shows “Daily Telemetry completed” entries when
telemetry is disabled. The audit hook for the telemetry cron is now only registered
when telemetry is active.
* Fix [Forms]: Integration names (Avada, WooCommerce, Elementor, etc.) are no longer
passed through WordPress translation. This caused brand names to be incorrectly
translated by community language packs — e.g. “Avada” was displayed as “Optionen”
on German sites.
#### 2.6.12
* Fix [Settings]: Plugin action link (“Settings” in plugin list) now correctly
opens the new React admin UI instead of the removed legacy page.
* Fix [Dashboard]: “View Audit Log” link in the dashboard widget now points to
the new Audit Log page instead of the removed legacy page.
* Fix [Navigation]: Old admin page URLs (e.g. `admin.php?page=f12-cf7-captcha`,`
f12-cf7-captcha-extended`, `f12-cf7-captcha-audit-log`) now redirect to their
React equivalents instead of showing a permissions error.
* Fix [Forms]: Integration presets (WooCommerce, Fluent Forms, JetForm, etc.) no
longer default to “enabled” when the setting has not been explicitly saved. Previously,
unsaved settings defaulted to enabled, making it appear as though integrations
were active even when the corresponding plugin was not installed.
* Fix [Dashboard]: Internal telemetry errors (e.g. `TELEMETRY_UNEXPECTED_RESPONSE`)
are no longer shown in the “Recent Issues” section of the dashboard widget. These
technical messages are not actionable by end users.
* Improved [Dashboard]: Protection Score widget is now more compact — score circle
reduced from 120px to 72px, stats displayed beside the circle instead of below,
and module list uses smaller type for a tighter layout.
* Improved [Settings]: Added descriptive help text to all numeric fields in Advanced
Settings (IP Rate Limiting, Content Rules, Mail Log Retention, Block Log Retention,
Audit Log Retention) so users understand what each value controls.
* Improved [Cleanup]: Every cleanup action now shows a description below the button
label explaining exactly what it does (e.g. “Removes log entries older than 3
weeks”).
#### 2.6.11
* Fix [Settings]: Global settings (including integration enable/disable toggles)
were not loaded on non-admin pages (wp-login.php, frontend). The settings cache
only included values from the `f12-cf7-captcha_settings` filter defaults, which
are only registered on admin pages. DB settings containers not covered by filter
defaults were silently dropped. All `get_settings()` calls returned `null` on
the login page, causing every protection module to fall back to its enabled default.
This also meant integration toggle settings and per-module overrides were ignored
on the login page.
* New [Forms]: Added master toggle to enable/disable entire integrations (WordPress
Login, WooCommerce, Avada, CF7, etc.) directly from the Forms page. Previously,
only per-module overrides were available — there was no way to completely deactivate
protection for a specific integration via the UI.
* Fix [Cleanup]: Data Cleanup page showed all counts as zero. The `handle_cleanup_counts`
endpoint called `get_count()` on Cleaner classes (`CaptchaCleaner`, `IPLogCleaner`,`
IPBanCleaner`, `CaptchaTimerCleaner`) which do not have this method. The resulting`
Error` was silently caught. Added `get_count()` delegate methods to all four
Cleaner classes.
* New [API]: New REST endpoint `POST /integration/toggle` to programmatically enable
or disable integrations by setting their global settings key.
* New [API]: The `/forms/discover` endpoint now returns `enabled` and `settings_key`
per integration, so the UI can display and toggle the integration status.
#### 2.6.10
* Fix [Telemetry]: Disabling telemetry in Advanced Settings no longer stops the
daily telemetry cron job from running. The cron was scheduled unconditionally
on every page load and `send_telemetry_snapshot()` never checked the setting —
data was still sent to the API even when telemetry was turned off. Now the cron
is only registered when telemetry is enabled, removed immediately when disabled,
and the send function includes a guard check as defense-in-depth.
#### 2.6.9
* Fix [Whitelist]: Email whitelist never matched — the `is_whitelisted_email()`
method logged the match but was missing the `return true` statement, so whitelisted
emails were still checked by all protection modules.
* Fix [Whitelist]: Admin role check caused early return that blocked IP and email
whitelist checks. When admin whitelist was enabled and a non-admin user submitted
a form, the method returned `false` immediately instead of continuing to check
IP/email whitelists.
* Fix [Whitelist/Blacklist]: REST API settings save (`handle_settings_save`) used`
sanitize_text_field()` for textarea fields (whitelist emails, whitelist IPs,
blacklist IPs), which strips newlines. Entries saved via the React admin UI were
merged into a single line and never matched. Now uses `sanitize_textarea_field()`
for these fields, matching the PHP form handler behavior.
* Fix [Whitelist/Blacklist]: IP and email parsing now uses `preg_split('/[\s,]+/')`
instead of `explode("\n")`, so entries separated by spaces or commas (e.g. from
previously corrupted saves) are correctly recognized.
* Fix [Protection]: SilentShield API mode and local protection modules (JavaScript,
Timer, Captcha, etc.) can now run simultaneously. Previously, enabling the API
disabled all local modules and prevented the local JS from loading, causing false`
NO_JAVASCRIPT` blocks on login and other forms.
* Fix [Assets]: Local protection script (`f12-cf7-captcha-cf7.js`) is now always
loaded when a form is detected, even when the SilentShield API client (`client.
js`) is also active. Previously the two were mutually exclusive.
* New [Documentation]: Added in-plugin Help page (SilentShield > Help) with full
user guide covering all protection modules, integrations, whitelist/blacklist,
per-form overrides, API mode, logging and FAQ.
* New [Documentation]: Contextual help links (info icon) added to all section headings
on Settings, Dashboard, API and Forms pages, linking directly to the relevant
documentation section.
* New [Documentation]: Inline tooltips on 14 key settings fields (whitelist, blacklist,
IP protection, content rules, logging, asset loading) explaining each option
on hover.
* New [Translations]: German (de_DE, de_DE_formal) and French (fr_FR) translations
added for all documentation strings.
#### 2.6.8
* Fix [API]: Unified all API endpoints to use `/api/v1` base path. The verify endpoint
changed from `/v1/verify` to `/api/v1/captcha/verify-nonce`. Affects key validation,
trial creation, telemetry, shadow mode, and blacklist retrieval.
* New [API]: Introduced separate `F12_CAPTCHA_CLIENT_URL` constant to decouple
the behavior client script URL from the API base URL. The client.js loader now
reads `client_url` from localized data with fallback to `url`.
* New [Mail-Log]: API response metadata (verdict, confidence, reason codes) is
now forwarded to mail log entries for both blocked and passed submissions, enabling
better audit trail and debugging.
* Fix [Settings]: Added `invalidate_settings_cache` hook at `init` priority 99
to ensure the settings cache is rebuilt after UI page filters register their
defaults.
* New [Debug]: Added detailed debug logging in the API spam check flow for nonce
detection, API request/response, and verdict evaluation. Temporary logging to`
error_log` for troubleshooting integration issues.
#### 2.6.7
* Fix [Translations]: Fixed 4 German strings that were mistakenly used in the French(
fr_FR) translation files instead of French. Affected strings: “Enable Mail Logging…”,“
Also block partial matches…”, “The analytics page…”, “Synchronized with WordPress
Disallowed Comment Keys”.
* Fix [Translations]: Fixed incorrect French translation for relative time indicator“
in” — changed from “dans” to “en” (e.g. “en 5 minutes”).
* Fix [UI]: Fixed overflow-hidden on the individual forms list (FormsPage) which
prevented scrolling when the list exceeded viewport height. Replaced with overflow-
auto.
* Fix [Settings]: Fixed settings cache race condition where `Protection::init_modules()`
called `get_settings()` before UI pages registered their filter defaults, caching
an empty array. The REST API then returned `[]` instead of `{ global: {...},
beta: {...} }`, causing the admin UI to show empty settings. The cache is now
invalidated on `init` (priority 99) after UI page filters are registered.
#### 2.6.6
* Fix [Translations]: Fixed `_load_textdomain_just_in_time` notice introduced in
WordPress 6.7. Translation loading for UI pages (e.g. Upgrade page) was triggered
too early during plugin initialization. The `do_action('_ui_after_load_pages')`
call in `UI_Manager` is now deferred to the `init` hook, ensuring `__()` is only
called after translations are available.
#### 2.6.5
* New [Templates]: Captcha image now uses transparent PNG background, blending
seamlessly with all template styles (Standard, Compact, Clean, Dark Card, Gradient
Dark). Dark templates (Gradient Dark) use light text colors for readability.
* New [Templates]: Classic templates (0–2) from v2.3.x are now visible and selectable
in the template picker alongside the modern templates, ensuring backward compatibility
for existing users after updates.
* New [Templates]: Template picker UI now groups templates into “Templates” (modern)
and “Classic Templates” (legacy) sections with distinct preview styles.
* Fix [Templates]: Audio tooltip text (“Click to have the CAPTCHA read aloud”)
was rendered as visible text instead of a hover tooltip. Added global CSS rule
to hide by default and show on hover.
* Fix [Templates]: Compact template (6) reload and audio icons were separated instead
of grouped on the right side. Fixed flex layout so icons stay together.
* Fix [Templates]: Compact template (6) input field was too short and had no border.
Added proper border styling and flex layout for hint text + input inline.
* Fix [Templates]: Audio button icon was misaligned vertically with reload icon
across all templates. Added `line-height: 0; display: inline-flex; align-items:
center` to audio buttons.
* Fix [Templates]: Removed `padding-right: 0` override on `.c-header > div` for
all v2 templates (5–9) which caused math captcha question mark to stick to the
container edge.
* Fix [Captcha Pool]: Pool entries now store the template ID they were generated
for. On retrieval, only entries matching the current template are used, preventing
stale images with wrong colors after template changes.
#### 2.6.4
* Fix [Charts]: Fixed empty/blank Recharts charts on Dashboard and Analytics pages.
MySQL returns `COUNT(*)` as strings via `$wpdb->get_results()`, but Recharts
requires numeric values for `dataKey`. All chart data (LineChart, BarChart, PieChart)
now casts `entry.count` to `Number()` before rendering.
* Fix [Admin UI]: Fixed `useSettingsContext must be used within a SettingsProvider`
crash on API and other pages. The context hook now returns a safe loading-state
fallback instead of throwing, preventing app crashes from stale browser cache
or module loading race conditions.
* Fix [Admin UI]: Hidden “Kostenlose Trial starten” section on the API page when
an API key is already configured. Previously clicking “Trial starten” with an
active key returned a 409 error.
* Fix [Admin UI]: Replaced text-based status badges in the Mail-Log table with
compact status icons (CheckCircle, ShieldAlert, RotateCw) and hover tooltips.
Fixes “Erneut gesendet” badge text wrapping to a new line in narrow columns.
* New [Translations]: Built .po/.mo files for 12 previously missing locales: Bulgarian(
bg_BG), Czech (cs_CZ), Danish (da_DK), Finnish (fi), Croatian (hr), Hungarian(
hu_HU), Dutch (nl_NL), Polish (pl_PL), Romanian (ro_RO), Slovak (sk_SK), Slovenian(
sl_SI), Swedish (sv_SE). All 25 languages now have compiled translation files
at 100% coverage (492/492 strings).
#### 2.6.3
* Fix [Type Safety]: Fixed `is_enabled()` type comparison bug in JavaScript, Browser,
and Multiple Submission protection modules. Settings value was not cast to `(
int)` before comparison, causing string `'0'` (disabled) to evaluate as truthy—
these modules could not be reliably disabled via settings.
* Fix [Type Safety]: Fixed `Api::is_enabled()` default value from `1` (enabled)
to `0` (disabled). Previously, if `beta_captcha_enable` was not explicitly set,
the API mode defaulted to active, potentially bypassing all local protection
modules.
* Fix [Timer]: `Timer_Validator::get_validation_time()` now reads the `protection_time_ms`
setting instead of using a hardcoded 2000ms value. The UI default is 500ms —
previously the setting had no effect.
* Fix [Multiple Submission]: `Multiple_Submission_Validator::get_validation_time()`
now reads the `protection_time_ms` setting instead of using a hardcoded 2000ms
value.
* Fix [Context]: Added missing `set_context()`/`clear_context()` calls in Elementor,
Ultimate Member, and WP Job Manager controllers. Without context, spam blocks
were logged with empty `form_plugin` and mail logging could not identify the
source integration.
* Fix [Analytics]: Fixed protection module label mapping in the Analytics block
log UI. The database stores module names with `-validator` suffix (e.g. `timer-
validator`, `captcha-validator`), but the React UI was looking for short names
without suffix (e.g. `timer`, `captcha`). All labels, badge variants, and pie
chart entries now use the exact database values.
* Fix [BlockLog]: Block reason detail now uses the module’s specific error message(`
$modul->get_message()`) instead of the generic static map description. For content
rules, this means the actual rule violation (e.g. “The word ‘viagra’ is blacklisted”)
is logged instead of the generic “Content matched a blacklist rule”.
* Fix [Mail-Log]: CF7 sent mail logging now uses the universal `wp_mail` filter
instead of the CF7-specific `wpcf7_mail_components` hook. This ensures all form
plugins (CF7, WPForms, Elementor, Gravity Forms, Fluent Forms, Avada, JetFormBuilder,
WooCommerce) are covered with a single hook.
* Fix [Mail-Log]: Sent mail logging now captures the actual resolved mail data (
recipient, subject, body) from `wp_mail()` instead of raw CF7 templates with
unresolved `[tags]`.
* Fix [Mail-Log]: Form data (posted fields) is now stored for sent mails, enabling
proper review and resend from the admin UI.
* Fix [Mail-Log]: Added `table_exists()` check in `MailLog::log()` to prevent silent
failures on fresh installations before the upgrade migration runs.
#### 2.6.2
* New [Mail-Log]: Added complete mail logging system for tracking sent and blocked
form submissions. Stores sender, recipient, subject, body, headers, attachments,
form data, IP hash, and block reason in a dedicated database table (`f12_mail_log`).
* New [Mail-Log]: Blocked submissions are automatically logged from the central`
Protection::is_spam()` method, capturing block reason and form data. Works across
all supported integrations (CF7, WPForms, Elementor, Gravity Forms, Fluent Forms,
Avada, WooCommerce, WordPress core).
* New [Mail-Log]: Successfully sent Contact Form 7 mails are logged via `wpcf7_mail_components`
filter, capturing the fully resolved mail data (recipient, sender, subject, body
with all [tags] replaced, headers, attachments). Previously used `wpcf7_before_send_mail`
which only had raw templates with unresolved CF7 tags.
* New [Mail-Log]: Added “Resend” functionality — any mail log entry (sent, blocked,
or previously resent) can be resent directly from the admin UI via `wp_mail()`.
Attachments are only included if files still exist on disk. Status is updated
to “resent” with audit log entry.
* New [Admin UI]: Added dedicated “Mail-Log” page with summary cards (total, sent,
blocked, resent), filterable/searchable table (status, form plugin, free-text
search with debounce), pagination, and auto-refresh controls.
* New [Admin UI]: Mail-Log detail dialog shows full message body, form data (JSON),
block reason, IP hash, headers, and action buttons (resend with confirmation,
delete with double-confirmation).
* New [Admin UI]: Bulk actions for Mail-Log — select individual entries via checkboxes
or “select all” on the current page. Bulk resend (with confirmation dialog) and
bulk delete (with toggle-switch double-confirmation) for multiple entries at
once.
* New [Admin UI]: Delete confirmation uses a double-confirm pattern: a toggle switch“
Ich verstehe, dass dieser Eintrag unwiderruflich gelöscht wird” must be activated
before the delete button becomes clickable. Applied to both single and bulk delete.
* New [Admin UI]: Added Mail-Log sidebar navigation entry with Mail icon (between
Analytics and Audit Log).
* New [Admin UI]: Added “Mail-Logging” settings section in Advanced Settings with
GDPR warning banner, enable/disable toggle, sub-toggles for sent/blocked logging,
and configurable retention period (1–365 days).
* New [Admin UI]: Added Mail-Log cleanup options in Data Cleanup page (“Alle Mail-
Logs löschen”, “Blockierte Mail-Logs löschen”) with entry counts.
* New [REST API]: Added 5 admin-only Mail-Log REST endpoints: `GET /mail-log/entries`(
paginated with filters), `GET /mail-log/summary` (counts by status), `GET /mail-
log/entry/{id}` (full entry with body), `DELETE /mail-log/entry/{id}`, `POST /
mail-log/resend/{id}`.
* New [Core]: `MailLog` PHP class (`core/log/MailLog.class.php`) with full CRUD
operations, table existence checks, `suppress_errors` for resilient inserts,
and separate `log_blocked()`/`log_sent()` convenience methods.
* New [Core]: Automatic Mail-Log cleanup integrated into `Log_Cleaner` cron job
with configurable retention (`protection_mail_log_retention`, default 30 days).
* New [Settings]: 4 new settings: `protection_mail_log_enable` (default: off), `
protection_mail_log_sent` (default: on), `protection_mail_log_blocked` (default:
on), `protection_mail_log_retention` (default: 30 days).
* Fix [API Fallback]: Frontend assets (`client.js` vs local JS bundle) now respect
the API health check transient. When the SilentShield API is unreachable, the
local JS bundle (with JavaScriptProtection, SubmitGuard, form handlers) is loaded
instead of the API client — fixing missing `js_end_time` timestamps, broken captcha
reload, and CORS errors from offline API endpoints.
* Fix [REST API]: Increased admin endpoint rate limit from 10 to 60 requests per
minute to prevent rate-limit errors when using auto-refresh or loading pages
with multiple concurrent API calls.
* Improvement [Settings]: Changed default for `protection_global_asset_loading`
from 0 to 1, ensuring frontend JS/CSS assets are loaded on all pages by default.
Prevents issues where captcha fields render but JS handlers are not loaded.
#### 2.6.1
* Fix [API]: Fixed settings type mismatch between PHP REST API and React admin
UI. The REST save handler converted all values to strings via `sanitize_text_field()`,
but the React frontend used strict equality (`=== 1`) to check toggle states.
This caused API-related toggles (API enable, Shadow Mode) to always appear as“
off” after saving, even though the value was correctly stored. The server now
preserves native integer, float, and boolean types during save, and the React
UI uses `Number()` coercion for defensive comparison.
* Fix [API Fallback]: When the SilentShield API is enabled but unreachable (e.g.
dev/staging environment offline, network issues, server errors), the plugin now
automatically falls back to all local protection modules (Captcha, Timer, JS
detection, Browser detection, IP blocking, Content rules, etc.) instead of silently
disabling all protection. Previously, an active API key with an unreachable API
resulted in no captcha output and no spam protection at all.
* New [Admin Notice]: Added a dismissible admin warning that appears when the API
fallback is active, informing administrators that the SilentShield API is unreachable
and local protection modules have been automatically reactivated. Includes a
link to the API settings page.
* New [API Health Check]: Added lightweight API reachability check with transient
caching (5 min on success, 2 min on failure) to avoid hitting the API on every
request. HTTP 2xx–4xx responses are treated as “reachable” (the API is up, even
if the key is invalid); only connection errors and 5xx responses trigger the
local fallback.
* New [Audit Log]: API health failures are now logged as `API_HEALTH_UNREACHABLE`(
connection error) or `API_HEALTH_SERVER_ERROR` (5xx response) audit events with
endpoint and error context.
* Fix [Database]: Added missing upgrade migration for BlockLog and AuditLog tables.
Sites that upgraded to 2.6.0 without deactivating/reactivating the plugin had
missing database tables, causing `wpdb` errors on the Audit Log and Analytics
pages and cascading rate-limit failures.
* Fix [Database]: AuditLog and BlockLog query methods now gracefully return empty
results when the underlying table does not exist, preventing HTML error output
from leaking into REST API JSON responses.
* Fix [Database]: `$wpdb->suppress_errors()` is now used around AuditLog and BlockLog
insert operations to prevent database error HTML from breaking REST responses
when tables are missing.
* Fix [Admin UI]: Fixed IP hash string overflowing into adjacent columns in the
block detail and audit event detail dialogs. Long hash strings now wrap automatically
via `break-all`.
* New [Admin UI]: Added “Erweitertes Tracking” hint banner on the Analytics page.
When detailed tracking is disabled (default), a dismissible warning explains
that Analytics requires this setting and links directly to the Advanced settings
page to enable it.
* New [Admin UI]: Added auto-refresh controls to both Analytics and Audit Log pages.
A tab bar allows selecting refresh intervals (Aus / 5s / 15s / 30s) and a manual
refresh button with spin animation is available for on-demand data reload.
#### 2.6.0
* New [Audit Log]: Added always-active audit log system (`AuditLog` class) that
records admin and system events (settings changes, cron runs, activation/deactivation,
rate limiting, API errors, DB errors, trial events, i18n failures) to a dedicated
database table with throttling, sensitive data masking, and error_log fallback.
* New [Admin UI]: Added Audit Log admin page (SilentShield Audit Log) with summary
cards, filterable/paginated event table, severity color-coding, and slide-out
detail panel with JSON context viewer.
* New [Admin UI]: Dashboard widget now shows the 5 most recent warnings/errors/
critical events with a direct link to the full Audit Log page.
* New [REST API]: Added 2 new admin-only REST endpoints (`/audit/entries`, `/audit/
summary`) with filters for time range, event type, severity, and pagination.
* New [Core]: API verification errors (`Api.class.php`) now log `API_VERIFY_UNREACHABLE`
audit events with endpoint and fail-mode context.
* New [Core]: Trial activation failures now log `TRIAL_API_UNREACHABLE`, `TRIAL_API_ERROR`,
and `TRIAL_INVALID_RESPONSE` audit events.
* New [Core]: All 6 cron jobs now have bookend audit hooks that log start/completion
with execution timing and catch/log failures as `CRON_FAILED` events.
* New [Core]: Telemetry, monthly report, and weekly report cron handlers now audit-
log send failures and unexpected responses.
* New [Core]: Translation loading failures now log `TRANSLATION_LOAD_FAILED` audit
events with locale and path context.
* New [Core]: BlockLog database operations (`log`, `get_entries`, `get_overview`,`
cleanup`) now audit-log insert/query/cleanup failures as `BLOCKLOG_*` events.
* New [Settings]: Added configurable “Audit Log Retention” setting (7–365 days,
default 90) under Settings Extended. Log cleanup respects this setting automatically.
* Improvement [Core]: Log_Cleaner now also cleans up AuditLog and BlockLog tables
during the weekly cron job, respecting their individual retention settings.
* New [Audit Log]: API key validation failures (`API_KEY_VALIDATION_UNREACHABLE`,`
API_KEY_INVALID`) are now audit-logged when the SilentShield key validation endpoint
is unreachable or returns invalid.
* New [Audit Log]: API key lifecycle changes are now audit-logged: key set (`API_KEY_SET`),
key removed (`API_KEY_REMOVED`), key rotated (`API_KEY_CHANGED`).
* New [Audit Log]: API mode and Shadow Mode toggles are now audit-logged (`API_MODE_ENABLED/
DISABLED`, `SHADOW_MODE_ENABLED/DISABLED`).
* New [Audit Log]: API verify HTTP error responses (4xx/5xx) and unparseable JSON
are now audit-logged as `API_VERIFY_ERROR_RESPONSE`.
* New [Audit Log]: Trial expiration is now proactively audit-logged once as `TRIAL_EXPIRED`
when the admin visits the Beta settings page after the trial period ends.
#### 2.5.0
* New [F2P]: Added Shadow Mode for statistical estimation of API-blocked spam.
Samples 30% of passed submissions and projects weekly totals. Enable under Settings
> Beta. Dormant API call behind `F12_CAPTCHA_SHADOW_API_LIVE` constant.
* New [F2P]: Added Weekly Email Report (opt-in) with block statistics, top 3 reason
codes, breakdown by protection type, and upgrade CTA with UTM tracking. Enable
under Settings > Extended > Weekly Report.
* New [Analytics]: Shadow Mode comparison section on Analytics page showing estimated
additional API catches with 4 stat cards and upgrade CTA.
* New [Beta]: Shadow Mode toggle added to Beta settings page.
#### 2.4.0
* New [Analytics]: Added Analytics admin page (SilentShield Analytics) with block
statistics overview, timeline chart, protection module breakdown, reason code
frequency, and paginated block log with detail drawer.
* New [Analytics]: 4 new REST API endpoints for analytics data (summary, timeline,
reasons, log) with admin-only access and rate limiting.
* New [Analytics]: Score breakdown visualization for API-mode blocks showing 7
sub-score categories with color-coded progress bars.
* New [Analytics]: Time range selector (7/30/90 days) for all analytics views.
* New [Privacy]: Added “Disable Log Anonymization (Debug Mode)” toggle in Extended
Settings Detailed Tracking. When enabled, email addresses and IP addresses are
stored in plain text in submission logs and the block log, allowing admins to
identify blocked users. Disabled by default. Includes GDPR/DSGVO privacy warning.
Passwords are always masked regardless of this setting.
* New [Core]: Added `Protection::has_module()` method to safely check module availability
before access.
* Fix [Admin UI]: Fixed fatal error “Module captcha-validator does not exist” on
Extended Settings page when SilentShield API mode is active. The Captcha management
section now shows an informational message in API mode instead of crashing.
#### 2.3.6
* New [Accessibility]: Added Audio CAPTCHA feature using the Web Speech API. A
speaker button next to the CAPTCHA allows visually impaired users to have the
challenge read aloud via browser-native text-to-speech. Privacy-first — no external
API calls. Disabled by default, enable under Settings > Protection > Audio Accessibility.
* New [Accessibility]: Added hover/focus tooltip on the audio button (“Click to
have the CAPTCHA read aloud”) so users understand the button’s purpose before
clicking.
* New [REST API]: Added rate-limited `POST /captcha/audio` endpoint (5 req/min
per IP) that returns spelled-out characters for image CAPTCHAs and the formula
for math CAPTCHAs.
* Improvement [Image CAPTCHA]: When Audio CAPTCHA is enabled, the character pool
is restricted to lowercase letters + digits to avoid ambiguity (TTS cannot distinguish
upper/lowercase). Existing pooled CAPTCHAs with uppercase characters are automatically
discarded and regenerated.
* Improvement [Translations]: Added all new Audio CAPTCHA strings to all language
files (de_DE, de_DE_formal, es_ES, fr_FR, it_IT, pt_PT).
#### 2.3.5
* Fix [Fluent Forms]: Fixed JavaScript protection failing for Conversational Forms(`[
fluentform type="conversational"]`). Conversational Forms render as a Vue.js
app inside a `` instead of a `