Title: LukaCodes AntiSpam Shield
Author: LukaCodes
Published: March 11, 2026
Last modified: March 15, 2026
---
Search plugins
# LukaCodes AntiSpam Shield
By [LukaCodes](https://profiles.wordpress.org/luka2013/)
[Download](https://downloads.wordpress.org/plugin/lukacodes-comment-shield.1.1.3.zip)
* [Details](https://wordpress.org/plugins/lukacodes-comment-shield/#description)
* [Reviews](https://wordpress.org/plugins/lukacodes-comment-shield/#reviews)
* [Installation](https://wordpress.org/plugins/lukacodes-comment-shield/#installation)
* [Development](https://wordpress.org/plugins/lukacodes-comment-shield/#developers)
[Support](https://wordpress.org/support/plugin/lukacodes-comment-shield/)
## Description
**LukaCodes AntiSpam Shield** is a lightweight, no-bloat plugin that protects your
WordPress comment section **and contact forms** from spam. Five independent tools,
one settings page. [Read the full documentation](https://lukacodes.com/comment-shield-docs/).
* **Disable Website Field** — Removes the URL/website field from the comment form.
Works with all themes, including those that hardcode the field (CSS fallback
included).
* **Strip Links from Comments** — Automatically removes all `` hyperlinks
from comment content — both on display and before saving to the database. Spammers
get zero benefit from posting links.
* **reCAPTCHA v3** — Adds Google’s invisible bot-score protection. No checkbox,
no puzzle, no friction for real users. Bots are silently blocked server-side.
* **Cloudflare Turnstile** — A privacy-friendly CAPTCHA alternative. Mutually exclusive
with reCAPTCHA v3 — enabling one automatically disables the other.
* **Login Shield** — Adds CAPTCHA to the WordPress login form (`wp-login.php`).
Stops brute-force bots silently.
* **Registration Shield** — Adds CAPTCHA to the WordPress registration form. Blocks
bot account creation.
* **WPForms Integration** — Apply the same CAPTCHA protection to WPForms Lite —
using the same keys you already configured, no extra setup.
All features are **independent** — enable only what you need.
#### Login & Registration Shield
Version 1.1.2 adds CAPTCHA protection to `wp-login.php`:
* **Login Shield** — Hooks into `wp_authenticate_user` for server-side verification
after credentials are checked. Returns a `WP_Error` if CAPTCHA fails — WordPress
displays it as a normal login error.
* **Registration Shield** — Hooks into `registration_errors` to add CAPTCHA validation
during registration. Works alongside all other WordPress registration validations.
Both are independently togglable in the settings panel. Admins already logged in
are never affected.
#### WPForms Integration
Version 1.1.0 introduces CAPTCHA protection for **WPForms Lite**:
* Hooks into `wpforms_display_submit_before` to inject the CAPTCHA widget before
the submit button.
* Hooks into `wpforms_process` for server-side token verification.
* Works with both reCAPTCHA v3 (invisible) and Cloudflare Turnstile (visible widget).
Note: WPForms Pro includes its own native CAPTCHA integration — this feature is
intended for **WPForms Lite** users only.
#### Why AntiSpam Shield?
Most anti-spam plugins are heavy, require accounts, or add ugly CAPTCHAs. LukaCodes
AntiSpam Shield is different:
* ~30 KB total — no external libraries, no jQuery dependency
* Settings page with **live key testing** — verify your reCAPTCHA or Turnstile
keys before enabling
* **Link stripping preview** — paste any comment text and see exactly what gets
removed
* Graceful fallback: if Google’s or Cloudflare’s API is unreachable, comments are
held for moderation (never lost)
* Trusted users (administrators) bypass CAPTCHA checks automatically
* **Mutual exclusion**: reCAPTCHA v3 and Cloudflare Turnstile cannot be active
at the same time
* WP Coding Standards compliant — fully escaped output, nonce-protected AJAX
#### reCAPTCHA v3 — How it works
When a visitor submits a form, JavaScript silently requests a score token from Google.
The token is sent with the submission and verified server-side against your minimum
score threshold (configurable from 0.1 to 1.0). No user interaction required.
#### Cloudflare Turnstile — How it works
A Turnstile widget is rendered inside the form. When the visitor completes the challenge,
a token is submitted and verified server-side against the Cloudflare API.
### Third-Party Services
This plugin optionally uses the following third-party services:
#### Google reCAPTCHA v3
A service provided by Google LLC.
* **What it does:** Detects bots and spam on your comment form and contact forms
without user interaction.
* **When data is sent:** Only when reCAPTCHA v3 is enabled. A token is sent to `
https://www.google.com/recaptcha/api/siteverify` on each form submission.
* **What data is sent:** The visitor’s IP address and a reCAPTCHA token.
* **Google Privacy Policy:** https://policies.google.com/privacy
* **Google Terms of Service:** https://policies.google.com/terms
#### Cloudflare Turnstile
A service provided by Cloudflare, Inc.
* **What it does:** Presents a privacy-friendly CAPTCHA widget on comment and contact
forms.
* **When data is sent:** Only when Cloudflare Turnstile is enabled. A token is
sent to `https://challenges.cloudflare.com/turnstile/v0/siteverify` on each form
submission.
* **What data is sent:** The visitor’s IP address and a Turnstile token.
* **Cloudflare Privacy Policy:** https://www.cloudflare.com/privacypolicy/
* **Cloudflare Terms of Service:** https://www.cloudflare.com/website-terms/
Both services are entirely optional. If you do not enter API keys or enable either
CAPTCHA, no data is sent to any third party.
## Screenshots
* [[
* The main settings dashboard with Comment Options, reCAPTCHA, Turnstile, Login&
Registration, and WPForms sections.
## Installation
1. Upload the `lukacodes-comment-shield` folder to `/wp-content/plugins/`
2. Activate the plugin through **Plugins Installed Plugins**
3. Go to **Settings AntiSpam Shield** to configure your options
#### reCAPTCHA v3 Setup
1. Visit [Google reCAPTCHA Admin Console](https://www.google.com/recaptcha/admin/create)
2. Create a new site — select **Score based (v3)**
3. Add your domain to the allowed domains list
4. Copy the **Site Key** and **Secret Key** into the plugin settings
5. Use the built-in **🔍 Test Keys** button to verify connectivity before enabling
6. Enable reCAPTCHA v3, set your minimum score, and save
#### Cloudflare Turnstile Setup
1. Visit [Cloudflare Turnstile Dashboard](https://dash.cloudflare.com/?to=/:account/turnstile)
2. Create a new site and select your widget type (Managed recommended)
3. Copy the **Site Key** and **Secret Key** into the plugin settings
4. Use the built-in **🔍 Test Turnstile Keys** button to verify connectivity before
enabling
5. Enable Cloudflare Turnstile and save — reCAPTCHA v3 will be disabled automatically
#### Contact Forms Setup
No extra setup needed. Once reCAPTCHA v3 or Cloudflare Turnstile is configured,
go to the **Contact Forms** section in the settings and toggle on each plugin you
want to protect. The admin panel shows which form plugins are currently installed
and active on your site.
## FAQ
### Does this require a Google account?
Only if you use reCAPTCHA v3. You need a Google account to obtain keys from the
[reCAPTCHA Admin Console](https://www.google.com/recaptcha/admin/create). The service
is free. Cloudflare Turnstile requires a free Cloudflare account instead.
### Can I use both reCAPTCHA and Turnstile at the same time?
No — they are mutually exclusive. Enabling one will automatically disable the other,
both in the settings UI and on the server.
### Does this protect the login and registration forms?
Yes. Enable “Login Shield” and/or “Registration Shield” in the **Login & Registration**
section of the settings panel. The same reCAPTCHA v3 or Turnstile keys are reused—
no extra setup needed. Administrators are never blocked.
### Does this protect WPForms Lite without extra keys?
Yes. The same reCAPTCHA v3 or Turnstile keys you enter for comment protection are
reused automatically for WPForms Lite. No additional setup required.
### What happens if Google’s or Cloudflare’s API is unreachable?
The comment or form submission is held for moderation instead of being rejected.
You will never lose a genuine submission due to an API outage.
### Does it work with custom themes that hardcode the URL field?
Yes. The plugin removes the field from WordPress’s form array and also injects CSS
as a fallback.
### Does this work with caching plugins?
Yes. All CAPTCHA logic runs client-side (JS) and server-side (PHP on submission).
Caching does not interfere.
### Do I need all features?
No. Each feature has its own toggle. Enable only what your site needs.
## Reviews
There are no reviews for this plugin.
## Contributors & Developers
“LukaCodes AntiSpam Shield” is open source software. The following people have contributed
to this plugin.
Contributors
* [ LukaCodes ](https://profiles.wordpress.org/luka2013/)
“LukaCodes AntiSpam Shield” has been translated into 2 locales. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/lukacodes-comment-shield/contributors)
for their contributions.
[Translate “LukaCodes AntiSpam Shield” into your language.](https://translate.wordpress.org/projects/wp-plugins/lukacodes-comment-shield)
### Interested in development?
[Browse the code](https://plugins.trac.wordpress.org/browser/lukacodes-comment-shield/),
check out the [SVN repository](https://plugins.svn.wordpress.org/lukacodes-comment-shield/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/lukacodes-comment-shield/)
by [RSS](https://plugins.trac.wordpress.org/log/lukacodes-comment-shield/?limit=100&mode=stop_on_copy&format=rss).
## Changelog
#### 1.1.3
* Added: Option to disable comments on all posts sitewide
* Added: Option to disable comments on all pages sitewide
* Fixed: WPForms CAPTCHA hook changed to wpforms_process_before — form submission
is now blocked before email is sent when token is missing/invalid
* Fixed: Key tester now validates that reCAPTCHA / Turnstile keys are registered
for this site’s domain
* Fixed: Keys from a different domain now show a clear “Domain mismatch” error
instead of a false “keys look correct” result
* Improved: Turnstile key tester now passes sitekey to Cloudflare API to enable
domain-level validation
* Improved: Greek (el) translation updated to 100% — all strings now translated
* Bumped version to 1.1.3
#### 1.1.2
* Added Login Shield: CAPTCHA protection for wp-login.php login form
* Added Registration Shield: CAPTCHA protection for wp-login.php registration form
* Login and Registration shields are independently togglable in the settings panel
* Both shields reuse existing reCAPTCHA v3 / Turnstile keys — no additional setup
required
* Added Login Shield and Register Shield rows to Plugin Status panel
* Updated POT template with all new i18n strings
* Updated Greek (el) translation with all new strings
* Bumped version to 1.1.2
#### 1.1.0
* Added WPForms Lite integration: reCAPTCHA v3 and Cloudflare Turnstile protection
for WPForms forms
* WPForms protection reuses existing CAPTCHA keys — no additional setup required
* Added WPForms panel in admin: auto-detects if WPForms is installed, toggle to
enable/disable
* Added WPForms Shield row to Plugin Status panel
* Updated POT template with all new i18n strings
* Updated Greek (el) translation with all new strings
* Bumped version to 1.1.0
#### 1.0.1
* Added Cloudflare Turnstile as a second CAPTCHA option (privacy-friendly alternative
to reCAPTCHA)
* Added mutual exclusion logic: enabling reCAPTCHA disables Turnstile and vice
versa
* Added server-side Turnstile token verification with moderation fallback
* Added live Turnstile key tester in the settings panel
* Updated uninstall.php to clean up Turnstile options on deletion
#### 0.3
* Added server-side reCAPTCHA verification with action and hostname validation
* Added fallback: holds comment for moderation if Google API is unreachable
* Added `COMMSH_VERSION` constant and activation hook to seed default options
* Improved score threshold: configurable from 0.1 to 1.0 with live slider
#### 0.2
* Integrated Google reCAPTCHA v3 invisible protection on comment form
* Added real-time key testing against Google API
* Added live link stripping preview with before/after diff
* Fixed double-submission bug on slow connections
#### 0.1
* Initial release
* Remove website field from comment form (filter + CSS fallback)
* Strip HTML links from comments on display and before saving to database
## Meta
* Version **1.1.3**
* Last updated **3 weeks ago**
* Active installations **10+**
* WordPress version ** 6.0 or higher **
* Tested up to **6.9.4**
* PHP version ** 8.0 or higher **
* Languages
* [English (US)](https://wordpress.org/plugins/lukacodes-comment-shield/), [Greek](https://el.wordpress.org/plugins/lukacodes-comment-shield/),
and [Spanish (Spain)](https://es.wordpress.org/plugins/lukacodes-comment-shield/).
* [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/lukacodes-comment-shield)
* Tags
* [anti-spam](https://wordpress.org/plugins/tags/anti-spam/)[recaptcha](https://wordpress.org/plugins/tags/recaptcha/)
[spam](https://wordpress.org/plugins/tags/spam/)[turnstile](https://wordpress.org/plugins/tags/turnstile/)
[WPForms](https://wordpress.org/plugins/tags/wpforms/)
* [Advanced View](https://wordpress.org/plugins/lukacodes-comment-shield/advanced/)
## Ratings
No reviews have been submitted yet.
[Add my review](https://wordpress.org/support/plugin/lukacodes-comment-shield/reviews/#new-post)
[See all reviews](https://wordpress.org/support/plugin/lukacodes-comment-shield/reviews/)
## Contributors
* [ LukaCodes ](https://profiles.wordpress.org/luka2013/)
## Support
Got something to say? Need help?
[View support forum](https://wordpress.org/support/plugin/lukacodes-comment-shield/)
## Donate
Would you like to support the advancement of this plugin?
[ Donate to this plugin ](https://www.paypal.com/donate/?hosted_button_id=942LJ42XE4HVW)