Thank you for reaching out!
Why Users Are Being Blocked
Zero Spam uses multiple mechanisms that can block users from accessing your entire website:
1. Manual IP/Location Blocks
You or another administrator may have manually blocked:
- Specific IP addresses
- Entire countries
- Regions/states
- Cities
- ZIP/postal codes
2. Enhanced Protection (Zero Spam API)
If you have a license key configured, this service checks visitor IPs against a spam database. Users are blocked when their IP has a “confidence score” of 30% or higher (default setting). This is the most common cause, especially those using VPNs or Tor.
3. Stop Forum Spam
This free service checks if visitor IPs appear in their spam database. Users are blocked when their IP has a confidence score of 50% or higher (default setting).
4. Project Honeypot
If you’ve configured an access key, this service checks IP threat scores. Users are blocked when their threat score is 50 or higher (default setting).Why Tor/VPN Users Get Blocked
This is expected behavior. Tor exit nodes and VPN IP addresses are:
- Shared by thousands of users worldwide
- Frequently used for spam and malicious activity
- Commonly listed in spam databases
When you tested with Brave browser using Tor, you experienced this firsthand.
How to Resolve This Issue
Step 1: Identify What’s Blocking Users
Go to WordPress Admin → Dashboard → Zero Spam → Log
This shows you:
- Which IP addresses are being blocked
- The exact reason for each block (e.g., “High Confidence Score: 95%”, “blocked_country_code”, “Stop Forum Spam”)
- When the blocks occurred
Step 2: Whitelist Trusted IP Addresses
If you know certain IPs belong to legitimate users:
- Go to Settings → Zero Spam → General
- Find the IP Whitelist field
- Add trusted IP addresses (one per line)
- Save changes
Important: Whitelisted IPs bypass ALL security checks, so only add IPs you completely trust.Step 3: Adjust Detection Sensitivity
Here’s how to make things lenient:
Enhanced Protection (if enabled):
- Go to Settings → Zero Spam → Enhanced Protection
- Change Confidence Minimum from 30% to 60-70%
- Higher numbers = fewer blocks, but potentially more spam
Stop Forum Spam (if enabled):
- Go to Settings → Zero Spam → Stop Forum Spam
- Change Confidence Minimum from 50% to 70-80%
Project Honeypot (if enabled):
- Go to Settings → Zero Spam → Project Honeypot
- Change Threat Score Minimum from 50 to 100-150
Step 4: Remove Manual Blocks
- Go to Dashboard → Zero Spam → Blocked
- Check the IPs tab – remove any IP addresses that shouldn’t be blocked
- Check the Locations tab – remove any geographic blocks (countries, regions, cities, ZIPs)
Step 5: Set Up Emergency Access
To prevent being locked out yourself, add this to your wp-config.php
define('ZEROSPAM_RESCUE_KEY', 'your-secret-key-here');
Replace
your-secret-key-here
with any random string. If you ever get blocked, access your site with:
https://yoursite.com/?zerospam_rescue=your-secret-key-here
Recommended Settings to Reduce False Positives
Based on your situation, I recommend:
- Enhanced Protection Confidence: 60% (instead of 30%)
- Stop Forum Spam Confidence: 70% (instead of 50%)
- Project Honeypot Threat Score: 100 (instead of 50%)
- Geographic Blocking: Only block specific high-risk countries if absolutely necessary
- IP Whitelist: Add your own IP and any known legitimate user IPs
What About Tor/VPN Users?
You have three options:
- Accept the limitation – Most legitimate users don’t browse via Tor. This may be acceptable for your use case.
- Reduce sensitivity significantly – Set all thresholds to 70%+ or disable IP reputation checks entirely. This will allow more Tor/VPN users through, but may also allow more spam.
- Disable IP-based blocking – Turn off Enhanced Protection, Stop Forum Spam, and Project Honeypot entirely. Rely only on form-level protection (the plugin has other techniques that don’t block site access).
The key is finding the right balance between security and accessibility for your specific audience and needs.
We’d greatly appreciate it if you could leave us a review on WordPress.org!
