SOS Captcha — Privacy-First Spam Protection

Changelog

1.0.71 – 2026-05-06

• New helper SOSCAPTCHA_Generator::pro_extra_fields() / pro_extra_fields_html() — single source of truth for the Pro honeypot + browser-fingerprint hidden inputs that integrations need to render. Each of the 9 integration adapters (CF7, Comments, WPForms, Gravity Forms, Ninja Forms, WooCommerce reviews/checkout/registration, WP login/register/lost-password) now emits these fields when their toggles are on
• Slider JS now computes a base64-encoded JSON fingerprint ({ ua, lang, tz, screen }) on slider init and writes it into the hidden input — paired with Pro 1.0.10’s rewritten validator that checks the claimed UA matches $_SERVER['HTTP_USER_AGENT'] to detect automation toolkits

1.0.70 – 2026-05-06

• Critical: slider validation failed on the last checkpoint. The “next checkpoint highlight” code in assets/challenge-slider.js ran checkpointDots[lastCheckpoint + 1].style.borderColor = … after the AJAX block had already advanced lastCheckpoint to the final index — so it dereferenced undefined once the last dot was reached. The TypeError aborted the rest of updatePosition, including the setTimeout that writes collected tokens to the form’s hidden soscaptcha_tokens input. End result: form submitted with empty tokens → server rejected with “invalid_tokens”. Added a guard so the highlight only runs when there’s actually a next checkpoint.

1.0.69 – 2026-05-06

• Critical fix: slider challenge wouldn’t load (admin-ajax 400 with action: soscaptcha_get_challenge_config). The three front-end AJAX endpoints (get_challenge_config, collect_token, refresh_challenge) were registered PHP-side under the legacy wp_ajax_sos_* prefix, but the slider JS sends action=soscaptcha_* (matching the WP.org 4+ char prefix rule applied in 1.0.54). Mismatch meant every challenge fetch returned 400 — the slider couldn’t render and form submissions on protected pages couldn’t validate. PHP side now uses wp_ajax_soscaptcha_* to match.
  • Affected pages: every form protected by the plugin (login, comments, CF7, demo page, etc.)
  • Same root-cause family as the license-activation 400 (1.0.2) and the settings auto-save 400 (1.0.65) — finally hunted down the third instance.

1.0.68 – 2026-05-06

• Plugin Check fixes (regressions caught after 1.0.67 publish): proper escaping on the disabled-input attribute (now uses WordPress’s disabled() helper instead of echoing a raw string), /* translators: */ comment moved adjacent to its __() call, and load_plugin_textdomain() removed (WP auto-loads translations for WP.org-hosted plugins since 4.6 — the call is flagged as discouraged)

1.0.67 – 2026-05-06

• Fix Pro integration toggles failing silently — the integrations save handler’s allow-list was seeded with only the 2 free integrations (comments, cf7). Pro’s filter (since 1.0.64) only flips lock flags on the canonical registry instead of adding entries, so any Pro toggle (wpforms, gravityforms, etc.) was silently stripped during save. The handler now seeds from SOSCAPTCHA_Integrations::filtered() so all 9 keys are accepted, with a server-side guard that still blocks Pro toggles when the license isn’t active

1.0.66 – 2026-05-06

• Translations refreshed for all 9 non-English locales (no source-string changes; pairs with Pro 1.0.8 which ships the matching superset .mo)

1.0.65 – 2026-05-06

• Fix admin Settings/Integrations not saving — AJAX action names registered as wp_ajax_sos_save_* but the JS auto-save POSTed action=soscaptcha_save_*. Mismatch meant every change failed silently. Both sides now use soscaptcha_save_*
• Fix critical error on the “Get Pro” page — DeepL strips %s placeholders when translating short format strings, so printf( 'or %s/year (save 20%%)', $price ) blew up on PHP 8+ with ArgumentCountError. Refactored to two simpler translatable strings + runtime guard that falls back to English if the translation is missing the placeholder
• Translations regenerated; the previously broken yearly-savings line now renders cleanly in all 9 non-English locales

1.0.64 – 2026-05-06

• Integrations grid now shows the Pro form integrations (WPForms, Gravity Forms, Ninja Forms, WooCommerce, WP login/register/lost-password) as locked previews even when the Pro plugin isn’t installed at all — users see what’s available without needing to install Pro first
• New shared data file includes/data/integrations.php (single source of truth, mirrors the tier matrix pattern) accessed via the new SOSCAPTCHA_Integrations helper
• Re-added the 3 gradient color presets (Classic / Purple / Ocean) to the Appearance tab; locked when no Pro license is active
• Translations: refreshed for the new locked-preview, preset, and statistics strings

1.0.63 – 2026-05-05

• Settings page rebuilt to surface Pro features as locked previews — visitors and admins can see what each tier unlocks without installing Pro first
  • Validation tab: new “Advanced bot detection” section (behavior analysis, honeypot, browser fingerprint) shown disabled with a Pro badge until licensed
  • Challenge reduction tab: new “Auto-reload on timeout” toggle, locked until licensed
  • New “Appearance” tab with gradient color pickers and a “Show / hide badge” toggle, both locked until licensed
• New “Statistics” submenu entry in the admin sidebar (with a lock icon) when Pro isn’t active — click it to see the Pro upsell page
• New SOSCAPTCHA_Tiers::is_pro_active() helper backed by the soscaptcha_pro_active filter; Pro flips it on when its license is valid

1.0.61 – 2026-05-05

• New: single source of truth for plan tiers and feature matrix at includes/data/tier-matrix.php (readable through the SOSCAPTCHA_Tiers helper class). Both the free “Get Pro” page and the Pro plugin’s “License” page render from it, kept in sync with sos-captcha.com pricing
• “Get Pro” page rebuilt: 4-tier comparison (Free / Starter / Pro / Agency) with monthly + yearly prices, “MOST POPULAR” badge on Pro, per-tier CTAs to sos-captcha.com
• Translations: regenerated all .pot/.po/.mo for the latest source strings (previous .mo files dated back to 1.0.50, missing dozens of strings added by the prefix renames)

1.0.60 – 2026-05-05

• Translations: explicitly call load_plugin_textdomain() so admin strings translate on manually-uploaded installs (not just WordPress.org-distributed ones)
• Integrations grid: render Pro integrations with a “Pro” lock badge + Upgrade CTA when no Pro license is active (relies on the new premium_locked flag exposed by the Pro plugin’s soscaptcha_integrations filter)
• Add soscaptcha_show_get_pro_menu filter; the Pro plugin (1.0.2+) hooks it to hide the “Get Pro” upsell submenu once a license is active

1.0.59 – 2026-05-05

• Fix admin JS 404: rename admin/js/sos-admin.{js,min.js} → admin/js/soscaptcha-admin.{js,min.js} so the file matches the prefixed enqueue path introduced in 1.0.54

1.0.57 – 2026-05-05

• Fix fatal error on activation: rename class files from class-sos-*.php to class-soscaptcha-*.php so they match the require_once paths introduced in 1.0.54 (the rename touched the require paths but not the files on disk)
• WordPress.org Plugin Check: prefix view-scope variables in admin/views/{settings,integrations,get-pro}.php with soscaptcha_ to clear WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound warnings

1.0.56 – 2026-05-05

• Prefix the three form-traveling input names (challenge_session, challenge_nonce, collected_tokens → soscaptcha_session, soscaptcha_nonce, soscaptcha_tokens) to avoid collisions with other plugins on host forms
• Updated all integrations (Contact Form 7, Comments + premium adapters) and the slider JS selectors accordingly

1.0.55 – 2026-05-04

• Extend the soscaptcha- prefix to CSS classes and script handles (4+ char prefix everywhere) for WordPress.org compliance

1.0.54 – 2026-05-04

• Rename PHP class prefix from SOS_ to SOSCAPTCHA_ and function prefix from sos_ to soscaptcha_ (4+ char prefix per WordPress.org guidelines)

1.0.53 – 2026-05-03

• Architecture: split the plugin into a free build (this plugin) and an optional sos-captcha-pro companion plugin loaded through WordPress filters/actions
• Free plugin no longer contains any premium code paths — addresses WordPress.org trialware concern
• Companion plugin declares Requires Plugins: sos-captcha (WP 6.5+)

1.0.52 – 2026-05-03

• Source assets shipped in the ZIP are now stripped of dev comments (CSS and JS), keeping the code human-readable for reviewers without leaking internal notes
• Plugin loaders unchanged: .min.js and .min.css load in production, source files load with SCRIPT_DEBUG=true
• Removed GitHub repo link from readme (source ships inside the plugin)

1.0.51 – 2026-05-03

• WordPress.org compliance round 2 (response to reviewer feedback)
• Trialware: build-time post-processor strips all $is_licensed conditionals from the free ZIP (new bin/strip-license-checks.php)
• Source code visibility: ship non-minified .js / .css alongside their .min counterparts; document GitHub repo in readme
• Security: AJAX endpoints now require a session-tied HMAC nonce (cache-friendly). Form submissions verify the nonce in the validator. All 8 integrations render the nonce field.

1.0.50 – 2026-04-29

• Rebrand: plugin renamed from “SOS Anti-Spam” to “SOS Captcha” — slug, text-domain and language files updated to “sos-captcha”
• Main file renamed: slide-out-spam.php → sos-captcha.php
• No functional change for existing installs; cleaner branding aligned with sos-captcha.com

1.0.49 – 2026-04-27

• WordPress.org compliance pass
• Prefix all AJAX actions with sos_ to avoid collisions
• Remove load_plugin_textdomain (not needed for plugins hosted on WordPress.org)
• Replace the License page in the free build with a Compare-plans page (no license input, no external API call)
• Premium upgrade is now a manual download from sos-captcha.com (Plugins → Add New → Upload)
• Initial public release
• Contact Form 7 and WordPress comments protection
• WP login, registration, and lost-password protection (Premium)
• Up to 8 checkpoints (Free) / 15 (Premium)
• 10-language support