{"id":315143,"date":"2026-05-23T13:02:17","date_gmt":"2026-05-23T13:02:17","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/trustsig-security\/"},"modified":"2026-05-23T13:26:17","modified_gmt":"2026-05-23T13:26:17","slug":"trustsig-security","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/trustsig-security\/","author":23502405,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.2.8","stable_tag":"1.2.8","tested":"6.9.4","requires":"5.0","requires_php":"7.2","requires_plugins":null,"header_name":"TrustSig Security","header_author":"TrustSig","header_description":"Non-interactive bot detection and form protection for WordPress, WooCommerce, BuddyPress and EDD. No CAPTCHA, works with no keys.","assets_banners_color":"","last_updated":"2026-05-23 13:26:17","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/trustsig.eu","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":0,"downloads":32,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.2.6":{"tag":"1.2.6","author":"robertvahhi","date":"2026-05-23 13:02:08"},"1.2.7":{"tag":"1.2.7","author":"robertvahhi","date":"2026-05-23 13:14:58"},"1.2.8":{"tag":"1.2.8","author":"robertvahhi","date":"2026-05-23 13:26:17"}},"upgrade_notice":{"1.2.6":"<p>Compliance update: scripts and styles are now enqueued the WordPress way. No\nbehaviour change.<\/p>","1.2.5":"<p>Adds the verified-session layer and global AJAX\/REST coverage. Existing sites\nstay in Monitor mode until you opt into enforcement.<\/p>","1.2.0":"<p>Major enforcement overhaul: missing tokens are no longer silently allowed.\nExisting installs upgrade safely into Monitor (logging only) mode.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3545156,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3545156,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.2.6","1.2.7","1.2.8"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3545156,"resolution":"1","location":"assets","locale":"","width":2244,"height":1798},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3545156,"resolution":"2","location":"assets","locale":"","width":2238,"height":1810},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3545156,"resolution":"3","location":"assets","locale":"","width":2252,"height":1828}},"screenshots":{"1":"TrustSig dashboard overview: protection status, recent verifications, and the current mode at a glance.","2":"Protection details: per-form coverage across WordPress core, WooCommerce, BuddyPress, EDD, and Elementor.","3":"Settings: switch between Monitor, Challenge, and Enforce, configure brute-force lockout, and link an optional dashboard account."}},"plugin_section":[],"plugin_tags":[166108,2439,600,599,286],"plugin_category":[45,54],"plugin_contributors":[264124],"plugin_business_model":[],"class_list":["post-315143","plugin","type-plugin","status-publish","hentry","plugin_tags-bot-protection","plugin_tags-brute-force","plugin_tags-security","plugin_tags-spam","plugin_tags-woocommerce","plugin_category-ecommerce","plugin_category-security-and-spam-protection","plugin_contributors-robertvahhi","plugin_committers-robertvahhi"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/trustsig-security\/assets\/icon-128x128.png?rev=3545156","icon_2x":"https:\/\/ps.w.org\/trustsig-security\/assets\/icon-256x256.png?rev=3545156","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-1.png?rev=3545156","caption":"TrustSig dashboard overview: protection status, recent verifications, and the current mode at a glance."},{"src":"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-2.png?rev=3545156","caption":"Protection details: per-form coverage across WordPress core, WooCommerce, BuddyPress, EDD, and Elementor."},{"src":"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-3.png?rev=3545156","caption":"Settings: switch between Monitor, Challenge, and Enforce, configure brute-force lockout, and link an optional dashboard account."}],"raw_content":"<!--section=description-->\n<p><strong>TrustSig Security blocks scripted bots before they ever reach your site \u2014 silently, with zero friction for real visitors.<\/strong> No puzzles. No \"I am not a robot\" checkboxes. No third-party signup required to start.<\/p>\n\n<p><a href=\"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-1.png\"><\/a>\n<a href=\"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-2.png\"><\/a>\n<a href=\"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-3.png\"><\/a><\/p>\n\n<h4>Why TrustSig<\/h4>\n\n<ul>\n<li>\ud83d\udee1\ufe0f <strong>Protects every important form out of the box<\/strong> \u2014 login, registration, comments, password reset, WooCommerce checkout, BuddyPress signup, Easy Digital Downloads, Elementor Pro forms, and any custom form via shortcode.<\/li>\n<li>\ud83d\udeab <strong>Stops brute-force login attempts<\/strong> with built-in lockout after repeated failures.<\/li>\n<li>\ud83d\udc7b <strong>Invisible to humans<\/strong> \u2014 real visitors are verified in under a second by a non-interactive browser check. No CAPTCHA, no images to click.<\/li>\n<li>\u2699\ufe0f <strong>Three protection modes<\/strong> \u2014 Monitor (log only), Challenge (default, soft block with auto-retry), Enforce (hard block).<\/li>\n<li>\ud83d\udd0c <strong>Zero configuration<\/strong> \u2014 activate the plugin and protection is live immediately. Anonymous free tier needs no account.<\/li>\n<li>\ud83e\udde9 <strong>Works with caching plugins, WPML, multisite and most themes<\/strong> \u2014 forms are signed server-side with a per-site secret.<\/li>\n<li>\ud83d\udee0\ufe0f <strong>Developer-friendly<\/strong> \u2014 PHP helper <code>trustsig_verify()<\/code>, REST endpoint <code>\/wp-json\/trustsig\/v1\/verify<\/code>, filters and actions for custom forms.<\/li>\n<li>\ud83d\udd12 <strong>Optional admin-ajax and REST API guard<\/strong> for advanced sites.<\/li>\n<li>\ud83d\udcdc <strong>GPLv2<\/strong> \u2014 fully open source.<\/li>\n<\/ul>\n\n<h4>How it works<\/h4>\n\n<p>TrustSig injects a lightweight browser SDK, signs every rendered form with a per-site secret, and verifies submissions against the TrustSig Edge service. Real visitors pass an invisible check in about a second; scripted clients that never run JavaScript are stopped.<\/p>\n\n<p>When a request arrives without a valid token, TrustSig does not silently fail\nopen. Depending on the mode you choose it serves a lightweight \"please wait\"\ninterstitial that re-verifies the browser and then transparently continues the\noriginal request \u2014 or blocks it.<\/p>\n\n<p>The plugin works out of the box with <strong>no account and no API keys<\/strong> (anonymous\nfree tier). Connecting a TrustSig dashboard account is optional and only adds\nanalytics and higher limits.<\/p>\n\n<h4>Protection modes<\/h4>\n\n<ul>\n<li><strong>Monitor<\/strong> \u2014 verify and log only, never block. Used for safe rollout; the\nupgrade path also pins existing sites here so behaviour never changes\nsilently on update.<\/li>\n<li><strong>Challenge<\/strong> (default for new installs) \u2014 a missing or invalid token shows\nthe interstitial, then continues or blocks.<\/li>\n<li><strong>Enforce<\/strong> \u2014 a missing or invalid token is blocked immediately.<\/li>\n<\/ul>\n\n<h4>What it protects<\/h4>\n\n<p>Browser forms are protected automatically with no code:<\/p>\n\n<ul>\n<li>WordPress core \u2014 login, registration, comments, lost\/reset password<\/li>\n<li>WooCommerce \u2014 login, registration, checkout, pay order, lost password<\/li>\n<li>BuddyPress \u2014 registration<\/li>\n<li>Easy Digital Downloads \u2014 login, registration<\/li>\n<li>Elementor Pro forms<\/li>\n<li>Any other form (site-wide \"protect all forms\" option, the <code>[trustsig_form]<\/code>\nshortcode, or a hidden <code>trustsig-response<\/code> input)<\/li>\n<\/ul>\n\n<p>It also includes optional brute-force lockout for repeated failed logins, an\nopt-in admin-ajax \/ REST API guard, and a developer verification API.<\/p>\n\n<h4>For developers<\/h4>\n\n<ul>\n<li>PHP: <code>trustsig_verify( array( 'token' =&gt; $t, 'action' =&gt; 'my_form' ) )<\/code>\nreturns <code>pass<\/code> | <code>fail<\/code> | <code>challenge<\/code>. Filters: <code>trustsig_pre_verify<\/code>,\n  trustsig_result. Action: <code>trustsig_blocked<\/code>.<\/li>\n<li>REST: <code>POST \/wp-json\/trustsig\/v1\/verify<\/code> with <code>{ \"token\": \"...\" }<\/code>.<\/li>\n<\/ul>\n\n<h4>Known limitations<\/h4>\n\n<ul>\n<li>XML-RPC (<code>xmlrpc.php<\/code>) is intentionally out of scope and is not verified.\nDisable XML-RPC separately if it is unused on your site.<\/li>\n<li>admin-ajax and the REST API are only protected when explicitly enabled in\nSettings, to avoid breaking third-party integrations.<\/li>\n<li>File-upload and AJAX submissions cannot show the interstitial; under\nChallenge or Enforce mode a missing token on those is blocked, never\nsilently allowed.<\/li>\n<\/ul>\n\n<h3>External services<\/h3>\n\n<p>This plugin relies on the <strong>TrustSig Edge<\/strong> service to decide whether a request\ncomes from a human or an automated client. This bot-detection verdict cannot be\nproduced locally, so the service is required for the plugin's core\nfunctionality.<\/p>\n\n<p><strong>Service provider:<\/strong> TrustSig \u2014 https:\/\/trustsig.eu<\/p>\n\n<p><strong>Remote script loaded in the browser:<\/strong>\n    https:\/\/edge.trustsig.eu\/trustsig.js is loaded on pages that contain a\nprotected form, on the login screen, and on the verification interstitial. The\nscript runs the non-interactive browser check and produces a verification\ntoken.<\/p>\n\n<p><strong>Data sent from the visitor's browser \/ your server to\n    https:\/\/edge.trustsig.eu\/verify:<\/strong><\/p>\n\n<ul>\n<li>the TrustSig verification token generated by the SDK in the visitor's browser;<\/li>\n<li>your site's host name (e.g. <code>example.com<\/code>) on the anonymous free tier, or, if\nyou connect a dashboard account, the secret key you entered;<\/li>\n<li>as part of any HTTPS request, the visitor's IP address and standard request\nmetadata (such as the user-agent) are visible to the service.<\/li>\n<\/ul>\n\n<p><strong>When data is sent:<\/strong> when the SDK loads on a protected page, when a protected\nform is submitted, and once per browser when the optional verified-session\ncookie is bootstrapped.<\/p>\n\n<p><strong>Data stored locally on your site:<\/strong> TrustSig writes a verification log to\nyour own WordPress database (custom tables) that includes visitor IP addresses,\nthe action attempted, and the verdict. This data is not sent to TrustSig; you\ncan clear it at any time from Settings \u2192 TrustSig \u2192 Tools.<\/p>\n\n<p>By installing and activating this plugin you (the site administrator) consent to\nthis data being sent to TrustSig so that requests can be verified. Inform your\nown site's visitors as required by your local privacy obligations.<\/p>\n\n<ul>\n<li>Terms of Service: https:\/\/trustsig.eu\/terms-of-service\/<\/li>\n<li>Privacy Policy: https:\/\/trustsig.eu\/privacy<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>trustsig-security<\/code> folder to <code>\/wp-content\/plugins\/<\/code>, or install\nthe plugin through the WordPress Plugins screen.<\/li>\n<li>Activate the plugin through the 'Plugins' menu in WordPress.<\/li>\n<li>Navigate to Settings \u2192 TrustSig. Protection is active immediately with no\nfurther configuration.<\/li>\n<li>(Optional) Enter your Site Key and Secret Key to link a TrustSig dashboard\naccount for analytics and higher limits.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"do%20i%20need%20an%20account%20or%20api%20keys%3F\"><h3>Do I need an account or API keys?<\/h3><\/dt>\n<dd><p>No. The plugin protects your forms immediately on activation using the\nanonymous free tier. An account is only needed for analytics and higher limits.<\/p><\/dd>\n<dt id=\"what%20data%20leaves%20my%20site%3F\"><h3>What data leaves my site?<\/h3><\/dt>\n<dd><p>A browser verification token, your site host name (or your secret key if you\nconnect an account), and standard HTTPS request metadata are sent to the\nTrustSig Edge service. See the \"External services\" section above for the full\ndisclosure, including links to the Terms of Service and Privacy Policy.<\/p><\/dd>\n<dt id=\"will%20this%20block%20real%20visitors%3F\"><h3>Will this block real visitors?<\/h3><\/dt>\n<dd><p>In Challenge mode (the default) a visitor whose token is missing sees a brief\n\"please wait\" page that re-verifies the browser and then continues the original\nrequest automatically. Monitor mode never blocks. Enforce mode is the strictest\nand can block visitors with JavaScript disabled.<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20caching%20plugins%3F\"><h3>Does it work with caching plugins?<\/h3><\/dt>\n<dd><p>Yes. Forms are signed with a server-issued nonce and the SDK fills the token\nclient-side, so cached pages are still protected.<\/p><\/dd>\n<dt id=\"how%20do%20i%20temporarily%20bypass%20protection%20if%20i%20lock%20myself%20out%3F\"><h3>How do I temporarily bypass protection if I lock myself out?<\/h3><\/dt>\n<dd><p>Settings \u2192 TrustSig \u2192 Tools shows a private recovery URL that bypasses all\nchecks once. You can also add your IP to the whitelist.<\/p><\/dd>\n<dt id=\"is%20the%20plugin%20gpl%3F\"><h3>Is the plugin GPL?<\/h3><\/dt>\n<dd><p>Yes, it is licensed GPLv2 or later.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.2.8<\/h4>\n\n<ul>\n<li>Listing rewrite republished: screenshots now show at the top of the description, feature bullets prominent. No behaviour change.<\/li>\n<\/ul>\n\n<h4>1.2.7<\/h4>\n\n<ul>\n<li>Rewrote the wordpress.org listing: tighter marketing copy, feature bullets, and a 3-shot screenshot carousel (dashboard overview, per-form coverage, settings).<\/li>\n<li>Added a 256\u00d7256 plugin icon and 128\u00d7128 search-results icon.<\/li>\n<li>No behaviour change.<\/li>\n<\/ul>\n\n<h4>1.2.6<\/h4>\n\n<ul>\n<li>All front-end and admin scripts\/styles are now registered and enqueued via\nwp_enqueue_script\/wp_enqueue_style with configuration passed through\nwp_localize_script; no inline script\/style is printed in the normal page\npipeline.<\/li>\n<li>Fixed the Terms of Service link in the readme.<\/li>\n<\/ul>\n\n<h4>1.2.5<\/h4>\n\n<ul>\n<li>Added the verified-session layer: after a passing scan the browser is trusted\nvia a signed cookie with no further edge calls, protecting AJAX\/REST globally.<\/li>\n<li>Added a rate-limited grace window for non-auth APIs during SDK bootstrap.<\/li>\n<li>Hardened cookie handling (HMAC-signed, user-agent anomaly downgrade, revocation).<\/li>\n<li>Added the developer verify API and opt-in admin-ajax \/ REST protection.<\/li>\n<\/ul>\n\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>Enforcement overhaul. Removed the universal fail-open on a missing token.<\/li>\n<li>Added an HMAC-signed per-site form nonce (auto-generated, works on the free tier).<\/li>\n<li>Added the interstitial challenge: re-verify and transparently resubmit, or block.<\/li>\n<li>Added Monitor \/ Challenge \/ Enforce policy and configurable edge-down behaviour.<\/li>\n<li>Decoupled brute-force counting from the token path.<\/li>\n<li>Safe migration: existing installs upgrade into Monitor with an admin notice.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<\/ul>","raw_excerpt":"Stop bots, spam and brute-force attacks on every WordPress form. No CAPTCHA. No account. No keys. Installs and protects in one click.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/315143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=315143"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/robertvahhi"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=315143"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=315143"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=315143"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=315143"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=315143"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=315143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}