{"id":147547,"date":"2021-10-11T11:10:06","date_gmt":"2021-10-11T11:10:06","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/captcha-for-contact-form-7\/"},"modified":"2026-04-13T09:07:33","modified_gmt":"2026-04-13T09:07:33","slug":"captcha-for-contact-form-7","status":"publish","type":"plugin","link":"https:\/\/twd.wordpress.org\/plugins\/captcha-for-contact-form-7\/","author":16900441,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"2.7.0","stable_tag":"trunk","tested":"6.9.4","requires":"5.2","requires_php":"7.4","requires_plugins":null,"header_name":"SilentShield \u2013 Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce)","header_author":"Forge12 Interactive GmbH","header_description":"This plugin allows you to add a captcha to your contact form 7 forms.","assets_banners_color":"888ccc","last_updated":"2026-04-13 09:07:33","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/www.paypal.com\/donate?hosted_button_id=MGZTVZH3L5L2G","header_plugin_uri":"https:\/\/www.forge12.com\/product\/wordpress-captcha\/","header_author_uri":"https:\/\/www.forge12.com","rating":4.6,"author_block_rating":0,"active_installs":10000,"downloads":219780,"num_ratings":18,"support_threads":10,"support_threads_resolved":9,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.10.0":{"tag":"1.10.0","author":"forge12","date":"2023-04-25 09:34:47"},"1.11.0":{"tag":"1.11.0","author":"forge12","date":"2023-05-03 10:49:31"},"1.11.2":{"tag":"1.11.2","author":"forge12","date":"2023-08-10 11:55:46"},"1.11.3":{"tag":"1.11.3","author":"forge12","date":"2023-08-10 12:05:19"},"1.11.4":{"tag":"1.11.4","author":"forge12","date":"2023-08-18 08:49:31"},"1.11.5":{"tag":"1.11.5","author":"forge12","date":"2023-08-24 08:56:01"},"1.11.6":{"tag":"1.11.6","author":"forge12","date":"2023-10-01 13:03:11"},"1.11.7":{"tag":"1.11.7","author":"forge12","date":"2023-12-01 11:27:25"},"1.11.8":{"tag":"1.11.8","author":"forge12","date":"2023-12-01 11:30:40"},"1.11.92":{"tag":"1.11.92","author":"forge12","date":"2024-04-03 13:00:20"},"1.12.0":{"tag":"1.12.0","author":"forge12","date":"2024-04-10 06:19:03"},"1.12.1":{"tag":"1.12.1","author":"forge12","date":"2024-04-10 06:44:50"},"1.2":{"tag":"1.2","author":"forge12","date":"2022-01-01 15:35:43"},"1.2.1":{"tag":"1.2.1","author":"forge12","date":"2022-01-24 09:54:28"},"1.2.2":{"tag":"1.2.2","author":"forge12","date":"2022-01-24 10:23:28"},"1.4.1":{"tag":"1.4.1","author":"forge12","date":"2022-04-08 09:37:48"},"1.4.2":{"tag":"1.4.2","author":"forge12","date":"2022-04-08 10:15:33"},"1.4.3":{"tag":"1.4.3","author":"forge12","date":"2022-04-13 07:29:15"},"1.4.4":{"tag":"1.4.4","author":"forge12","date":"2022-04-13 07:32:54"},"1.4.5":{"tag":"1.4.5","author":"forge12","date":"2022-05-26 08:58:48"},"1.4.6":{"tag":"1.4.6","author":"forge12","date":"2022-07-05 07:44:05"},"1.4.7":{"tag":"1.4.7","author":"forge12","date":"2022-07-10 13:51:19"},"1.4.8":{"tag":"1.4.8","author":"forge12","date":"2022-08-24 14:53:25"},"1.4.9":{"tag":"1.4.9","author":"forge12","date":"2022-09-30 15:46:01"},"1.4.91":{"tag":"1.4.91","author":"forge12","date":"2022-10-03 11:54:57"},"1.4.92":{"tag":"1.4.92","author":"forge12","date":"2022-10-06 13:12:34"},"1.4.93":{"tag":"1.4.93","author":"forge12","date":"2022-11-06 13:00:01"},"1.5":{"tag":"1.5","author":"forge12","date":"2022-12-09 14:14:53"},"1.5.1":{"tag":"1.5.1","author":"forge12","date":"2022-12-11 14:27:57"},"1.5.3":{"tag":"1.5.3","author":"forge12","date":"2023-01-03 12:45:19"},"1.6":{"tag":"1.6","author":"forge12","date":"2023-01-04 10:48:31"},"1.6.1":{"tag":"1.6.1","author":"forge12","date":"2023-01-21 14:29:08"},"1.6.2":{"tag":"1.6.2","author":"forge12","date":"2023-01-21 14:40:00"},"1.6.3":{"tag":"1.6.3","author":"forge12","date":"2023-02-15 12:24:24"},"1.6.4":{"tag":"1.6.4","author":"forge12","date":"2023-02-16 10:56:39"},"1.6.5":{"tag":"1.6.5","author":"forge12","date":"2023-02-16 11:09:41"},"1.6.6":{"tag":"1.6.6","author":"forge12","date":"2023-03-29 10:15:12"},"1.7.1":{"tag":"1.7.1","author":"forge12","date":"2023-04-14 10:11:47"},"1.7.2":{"tag":"1.7.2","author":"forge12","date":"2023-04-14 10:14:09"},"1.7.2.1":{"tag":"1.7.2.1","author":"forge12","date":"2023-04-14 13:03:23"},"1.8":{"tag":"1.8","author":"forge12","date":"2023-04-16 12:28:40"},"1.9":{"tag":"1.9","author":"forge12","date":"2023-04-20 13:28:18"},"1.9.1":{"tag":"1.9.1","author":"forge12","date":"2023-04-24 10:39:23"},"2.0.0":{"tag":"2.0.0","author":"forge12","date":"2024-06-10 12:43:06"},"2.0.1":{"tag":"2.0.1","author":"forge12","date":"2024-06-10 12:52:09"},"2.0.2":{"tag":"2.0.2","author":"forge12","date":"2024-06-10 13:20:36"},"2.0.3":{"tag":"2.0.3","author":"forge12","date":"2024-06-11 13:49:44"},"2.0.4":{"tag":"2.0.4","author":"forge12","date":"2024-06-13 12:29:12"},"2.0.5":{"tag":"2.0.5","author":"forge12","date":"2024-06-17 10:38:24"},"2.0.6":{"tag":"2.0.6","author":"forge12","date":"2024-07-10 07:08:52"},"2.0.61":{"tag":"2.0.61","author":"forge12","date":"2024-07-10 07:18:11"},"2.0.62":{"tag":"2.0.62","author":"forge12","date":"2024-07-21 12:33:30"},"2.0.63":{"tag":"2.0.63","author":"forge12","date":"2024-07-21 12:41:17"},"2.0.64":{"tag":"2.0.64","author":"forge12","date":"2024-07-23 06:24:38"},"2.0.65":{"tag":"2.0.65","author":"forge12","date":"2024-08-14 09:43:35"},"2.0.66":{"tag":"2.0.66","author":"forge12","date":"2024-10-28 08:16:47"},"2.0.68":{"tag":"2.0.68","author":"forge12","date":"2024-11-18 10:42:31"},"2.0.681":{"tag":"2.0.681","author":"forge12","date":"2024-11-18 11:23:46"},"2.0.682":{"tag":"2.0.682","author":"forge12","date":"2024-11-18 12:56:54"},"2.0.7":{"tag":"2.0.7","author":"forge12","date":"2025-01-14 08:49:58"},"2.0.700":{"tag":"2.0.700","author":"forge12","date":"2025-01-14 08:52:02"},"2.0.701":{"tag":"2.0.701","author":"forge12","date":"2025-01-16 07:10:25"},"2.0.702":{"tag":"2.0.702","author":"forge12","date":"2025-01-16 14:41:33"},"2.1.0":{"tag":"2.1.0","author":"forge12","date":"2025-02-05 08:55:08"},"2.1.1":{"tag":"2.1.1","author":"forge12","date":"2025-02-05 09:03:49"},"2.1.2":{"tag":"2.1.2","author":"forge12","date":"2025-02-05 09:06:55"},"2.2.0":{"tag":"2.2.0","author":"forge12","date":"2025-06-23 12:31:55"},"2.2.1":{"tag":"2.2.1","author":"forge12","date":"2025-06-26 10:58:03"},"2.2.2":{"tag":"2.2.2","author":"forge12","date":"2025-06-26 11:55:16"},"2.2.3":{"tag":"2.2.3","author":"forge12","date":"2025-07-28 06:30:20"},"2.2.4":{"tag":"2.2.4","author":"forge12","date":"2025-09-20 14:30:50"},"2.2.41":{"tag":"2.2.41","author":"forge12","date":"2025-09-21 09:58:42"},"2.2.42":{"tag":"2.2.42","author":"forge12","date":"2025-09-21 10:01:24"},"2.2.43":{"tag":"2.2.43","author":"forge12","date":"2025-09-22 08:15:17"},"2.2.44":{"tag":"2.2.44","author":"forge12","date":"2025-09-22 09:31:09"},"2.2.45":{"tag":"2.2.45","author":"forge12","date":"2025-09-22 10:45:24"},"2.2.46":{"tag":"2.2.46","author":"forge12","date":"2025-09-23 09:26:02"},"2.2.47":{"tag":"2.2.47","author":"forge12","date":"2025-09-23 09:57:08"},"2.2.48":{"tag":"2.2.48","author":"forge12","date":"2025-09-23 10:23:59"},"2.2.49":{"tag":"2.2.49","author":"forge12","date":"2025-09-30 16:01:04"},"2.2.50":{"tag":"2.2.50","author":"forge12","date":"2025-10-01 13:50:49"},"2.2.51":{"tag":"2.2.51","author":"forge12","date":"2025-10-02 11:39:27"},"2.2.52":{"tag":"2.2.52","author":"forge12","date":"2025-10-04 10:17:26"},"2.2.53":{"tag":"2.2.53","author":"forge12","date":"2025-10-24 10:09:00"},"2.2.54":{"tag":"2.2.54","author":"forge12","date":"2025-11-12 13:14:44"},"2.2.55":{"tag":"2.2.55","author":"forge12","date":"2025-11-13 13:10:04"},"2.2.56":{"tag":"2.2.56","author":"forge12","date":"2025-11-17 10:20:51"},"2.2.57":{"tag":"2.2.57","author":"forge12","date":"2025-11-18 08:59:12"},"2.2.58":{"tag":"2.2.58","author":"forge12","date":"2025-11-25 12:51:03"},"2.2.581":{"tag":"2.2.581","author":"forge12","date":"2025-11-25 14:41:37"},"2.2.59":{"tag":"2.2.59","author":"forge12","date":"2025-11-25 14:44:54"},"2.2.60":{"tag":"2.2.60","author":"forge12","date":"2025-12-21 12:29:18"},"2.2.61":{"tag":"2.2.61","author":"forge12","date":"2025-12-23 08:43:44"},"2.3.0":{"tag":"2.3.0","author":"forge12","date":"2026-02-11 07:56:43"},"2.3.1":{"tag":"2.3.1","author":"forge12","date":"2026-02-11 08:01:38"},"2.3.2":{"tag":"2.3.2","author":"forge12","date":"2026-02-18 11:09:02"},"2.3.3":{"tag":"2.3.3","author":"forge12","date":"2026-02-19 09:25:15"},"2.3.4":{"tag":"2.3.4","author":"forge12","date":"2026-02-20 08:23:45"},"2.3.5":{"tag":"2.3.5","author":"forge12","date":"2026-02-20 11:14:16"},"2.6.5":{"tag":"2.6.5","author":"forge12","date":"2026-03-23 16:01:07"},"2.6.6":{"tag":"2.6.6","author":"forge12","date":"2026-03-24 07:29:51"},"2.6.7":{"tag":"2.6.7","author":"forge12","date":"2026-03-25 09:05:52"},"2.6.8":{"tag":"2.6.8","author":"forge12","date":"2026-03-25 12:56:34"}},"upgrade_notice":[],"ratings":{"1":1,"2":1,"3":0,"4":0,"5":16},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3135000,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3135000,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544-500.png":{"filename":"banner-1544-500.png","revision":2651582,"resolution":"1544x500","location":"assets","locale":""},"banner-772-250.png":{"filename":"banner-772-250.png","revision":2651582,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.10.0","1.11.0","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.11.8","1.11.92","1.12.0","1.12.1","1.2","1.2.1","1.2.2","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","1.4.91","1.4.92","1.4.93","1.5","1.5.1","1.5.3","1.6","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.7.1","1.7.2","1.7.2.1","1.8","1.9","1.9.1","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.61","2.0.62","2.0.63","2.0.64","2.0.65","2.0.66","2.0.68","2.0.681","2.0.682","2.0.7","2.0.700","2.0.701","2.0.702","2.1.0","2.1.1","2.1.2","2.2.0","2.2.1","2.2.2","2.2.3","2.2.4","2.2.41","2.2.42","2.2.43","2.2.44","2.2.45","2.2.46","2.2.47","2.2.48","2.2.49","2.2.50","2.2.51","2.2.52","2.2.53","2.2.54","2.2.55","2.2.56","2.2.57","2.2.58","2.2.581","2.2.59","2.2.60","2.2.61","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.6.5","2.6.6","2.6.7","2.6.8"],"block_files":[],"assets_screenshots":{"screenshot-1.jpg":{"filename":"screenshot-1.jpg","revision":3490940,"resolution":"1","location":"assets","locale":""},"screenshot-10.jpg":{"filename":"screenshot-10.jpg","revision":3490940,"resolution":"10","location":"assets","locale":""},"screenshot-11.jpg":{"filename":"screenshot-11.jpg","revision":3490940,"resolution":"11","location":"assets","locale":""},"screenshot-12.jpg":{"filename":"screenshot-12.jpg","revision":3490940,"resolution":"12","location":"assets","locale":""},"screenshot-2.jpg":{"filename":"screenshot-2.jpg","revision":3490940,"resolution":"2","location":"assets","locale":""},"screenshot-3.jpg":{"filename":"screenshot-3.jpg","revision":3490940,"resolution":"3","location":"assets","locale":""},"screenshot-4.jpg":{"filename":"screenshot-4.jpg","revision":3490940,"resolution":"4","location":"assets","locale":""},"screenshot-5.jpg":{"filename":"screenshot-5.jpg","revision":3490940,"resolution":"5","location":"assets","locale":""},"screenshot-6.jpg":{"filename":"screenshot-6.jpg","revision":3490940,"resolution":"6","location":"assets","locale":""},"screenshot-7.jpg":{"filename":"screenshot-7.jpg","revision":3490940,"resolution":"7","location":"assets","locale":""},"screenshot-8.jpg":{"filename":"screenshot-8.jpg","revision":3490940,"resolution":"8","location":"assets","locale":""},"screenshot-9.jpg":{"filename":"screenshot-9.jpg","revision":3490940,"resolution":"9","location":"assets","locale":""}},"screenshots":{"1":"IP Protection settings","2":"Spam protection in comments","3":"Contact Form 7 integration","4":"Avada Forms integration","5":"Image Captcha example","6":"Arithmetic Captcha example","7":"Honeypot Captcha example"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[362,1152,239509,598,2419],"plugin_category":[44],"plugin_contributors":[172866],"plugin_business_model":[],"class_list":["post-147547","plugin","type-plugin","status-publish","hentry","plugin_tags-captcha","plugin_tags-contact-form-7","plugin_tags-fluentform","plugin_tags-honeypot","plugin_tags-spam-protection","plugin_category-discussion-and-community","plugin_contributors-forge12","plugin_committers-forge12","plugin_support_reps-forge12marc"],"banners":{"banner":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/banner-772-250.png?rev=2651582","banner_2x":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/banner-1544-500.png?rev=2651582","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/icon-128x128.png?rev=3135000","icon_2x":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/icon-256x256.png?rev=3135000","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-1.jpg?rev=3490940","caption":"IP Protection settings"},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-2.jpg?rev=3490940","caption":"Spam protection in comments"},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-3.jpg?rev=3490940","caption":"Contact Form 7 integration"},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-4.jpg?rev=3490940","caption":"Avada Forms integration"},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-5.jpg?rev=3490940","caption":"Image Captcha example"},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-6.jpg?rev=3490940","caption":"Arithmetic Captcha example"},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-7.jpg?rev=3490940","caption":"Honeypot Captcha example"},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-8.jpg?rev=3490940","caption":""},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-9.jpg?rev=3490940","caption":""},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-10.jpg?rev=3490940","caption":""},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-11.jpg?rev=3490940","caption":""},{"src":"https:\/\/ps.w.org\/captcha-for-contact-form-7\/assets\/screenshot-12.jpg?rev=3490940","caption":""}],"raw_content":"<!--section=description-->\n<p>SilentShield is a <strong>unified captcha and anti-spam plugin for WordPress<\/strong>.\nIt works with the most popular form builders and protects login, registration, and comment forms \u2013 without slowing your site.<\/p>\n\n<p><strong>Why choose SilentShield?<\/strong>\n- <strong>Invisible defense<\/strong> \u2013 Captcha, honeypot, and blacklists working silently.\n- <strong>Instant results<\/strong> \u2013 Install, activate, and stop spam.\n- <strong>Universal support<\/strong> \u2013 Works with Contact Form 7, WPForms, Elementor, WooCommerce, and more.\n- <strong>Privacy-first<\/strong> \u2013 No cookies, no tracking, fully GDPR \/ DSGVO compliant.<\/p>\n\n<p>SilentShield doesn't just protect forms.\nIt protects your time, your customers, your business.<\/p>\n\n\n\n<h3>Core Features<\/h3>\n\n<ul>\n<li>Invisible Captcha (Arithmetic, Honeypot, Image)<\/li>\n<li>Smart IP Blocking &amp; Blacklists<\/li>\n<li>Spam filters for links, code &amp; keywords<\/li>\n<li>Whitelisting for admins &amp; customers<\/li>\n<li>GDPR-ready, no cookies, no tracking<\/li>\n<\/ul>\n\n\n\n<h3>Supported Form Plugins &amp; Integrations<\/h3>\n\n<p>SilentShield protects forms from all major WordPress form builders and core features:<\/p>\n\n<p><strong>Form Builders:<\/strong>\n- Contact Form 7 (CF7)\n- WPForms \/ WPForms Lite\n- Elementor Pro Forms\n- Gravity Forms\n- Fluent Forms\n- JetFormBuilder\n- Avada (Fusion Builder) Forms<\/p>\n\n<p><strong>WooCommerce:<\/strong>\n- Checkout (classic &amp; PayPal Payments)\n- Login\n- Registration<\/p>\n\n<p><strong>WordPress Core:<\/strong>\n- Login form (wp-login.php)\n- Registration form\n- Comment forms<\/p>\n\n<p><strong>Other:<\/strong>\n- Ultimate Member (Login &amp; Registration)\n- WP Job Manager (Job Applications)<\/p>\n\n<p>Each integration can be enabled or disabled individually under <strong>Settings &gt; Extended<\/strong>.<\/p>\n\n\n\n<h3>Protection Layers<\/h3>\n\n<p>SilentShield uses <strong>10+ protection mechanisms<\/strong> working together:<\/p>\n\n<ol>\n<li><strong>Captcha<\/strong> \u2013 Arithmetic math, honeypot, or image-based captcha<\/li>\n<li><strong>JavaScript Protection<\/strong> \u2013 Detects submissions from bots without JS support<\/li>\n<li><strong>Browser Detection<\/strong> \u2013 Validates User-Agent strings<\/li>\n<li><strong>Timer Protection<\/strong> \u2013 Blocks submissions faster than a human can type<\/li>\n<li><strong>Multiple Submission Protection<\/strong> \u2013 Prevents rapid duplicate submissions<\/li>\n<li><strong>IP Rate Limiting<\/strong> \u2013 Limits requests per IP and time window<\/li>\n<li><strong>IP Blacklist<\/strong> \u2013 Block known bad IPs<\/li>\n<li><strong>Content Rules<\/strong> \u2013 Limit URLs, block BBCode, keyword blacklist<\/li>\n<li><strong>Whitelist<\/strong> \u2013 Skip validation for admins, logged-in users, or specific emails\/IPs<\/li>\n<li><strong>SilentShield API<\/strong> (Beta) \u2013 Cloud-based spam detection<\/li>\n<\/ol>\n\n\n\n<h3>The Promise<\/h3>\n\n<p>SilentShield is not \"just another plugin.\"\nIt's an invisible wall against the background noise of the internet.<\/p>\n\n<p>Activate once \u2013 and your forms are human again.<\/p>\n\n<h3>Privacy &amp; Telemetry<\/h3>\n\n<ul>\n<li>No cookies, no user tracking.<\/li>\n<li>Encrypted IP storage (max. 2 months, only for spam defense).<\/li>\n<li>Telemetry is optional and anonymized.<\/li>\n<li>You can disable telemetry anytime in plugin settings.<\/li>\n<\/ul>\n\n<p>Collected fields:\n- <code>plugin_slug<\/code>, <code>plugin_version<\/code>\n- <code>snapshot_date<\/code>\n- <code>settings_json<\/code> (anonymized config \u2013 only boolean\/integer flags, no free-text)\n- <code>features_json<\/code> (enabled features)\n- <code>created_at<\/code>, <code>first_seen<\/code>, <code>last_seen<\/code>\n- <code>counters_json<\/code> (spam events)\n- <code>wp_version<\/code>, <code>php_version<\/code>, <code>locale<\/code><\/p>\n\n<p><strong>GDPR \/ DSGVO Compliance<\/strong>\n- Basis: <em>Art. 6 Abs. 1 lit. f DSGVO<\/em> (legitimate interest \u2013 plugin optimization).\n- No personal data, no cookies, no user tracking.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload to <code>\/wp-content\/plugins\/<\/code>.<\/li>\n<li>Activate via WordPress \"Plugins\" menu.<\/li>\n<li>Configure protection settings under <strong>Settings &gt; SilentShield<\/strong>.<\/li>\n<\/ol>\n\n<p>For detailed setup instructions, see <a href=\"docs\/installation.md\">docs\/installation.md<\/a>.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"will%20this%20stop%20all%20spam%3F\"><h3>Will this stop all spam?<\/h3><\/dt>\n<dd><p>Not all, but it drastically reduces it. SilentShield combines multiple detection layers (captcha, honeypot, IP blocking, JavaScript detection, timer, content rules) for maximum coverage.<\/p><\/dd>\n<dt id=\"is%20it%20gdpr%20compliant%3F\"><h3>Is it GDPR compliant?<\/h3><\/dt>\n<dd><p>Yes \u2013 no cookies, no tracking, only anonymized data. IPs are stored encrypted for max 2 months (only for spam defense). See the Privacy section below.<\/p><\/dd>\n<dt id=\"do%20i%20need%20coding%20skills%3F\"><h3>Do I need coding skills?<\/h3><\/dt>\n<dd><p>No. Everything is managed via WordPress Dashboard.<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20woocommerce%20paypal%20payments%3F\"><h3>Does it work with WooCommerce PayPal Payments?<\/h3><\/dt>\n<dd><p>Yes. SilentShield automatically injects JavaScript protection timestamps into PayPal checkout requests. Both PayPal Standard Buttons and Card Fields are supported.<\/p><\/dd>\n<dt id=\"can%20i%20customize%20the%20captcha%20appearance%3F\"><h3>Can I customize the captcha appearance?<\/h3><\/dt>\n<dd><p>Yes. Choose from 3 built-in templates, customize the label and placeholder text, and select a reload icon color (black\/white). Developers can further customize the output via filters.<\/p><\/dd>\n<dt id=\"can%20i%20disable%20specific%20protection%20layers%3F\"><h3>Can I disable specific protection layers?<\/h3><\/dt>\n<dd><p>Yes. Every protection mechanism (captcha, timer, JavaScript, browser, IP, rules, etc.) can be individually enabled or disabled.<\/p><\/dd>\n<dt id=\"how%20do%20i%20whitelist%20my%20admin%20users%3F\"><h3>How do I whitelist my admin users?<\/h3><\/dt>\n<dd><p>Under <strong>Settings &gt; Extended &gt; Whitelist<\/strong>, enable \"Whitelist Admin Users\" and\/or \"Whitelist Logged-In Users\". You can also whitelist specific emails and IPs.<\/p><\/dd>\n<dt id=\"what%20data%20does%20telemetry%20collect%20and%20why%3F\"><h3>What data does telemetry collect and why?<\/h3><\/dt>\n<dd><p>SilentShield includes <strong>optional anonymous telemetry<\/strong> (opt-out).\nThis helps us understand which features are used, so we can improve usability and remove unused complexity.<\/p>\n\n<p><strong>We are a small independent team<\/strong> \u2013 we don't earn money with this plugin, and we don't sell or share data.\nTelemetry is used <strong>only for optimization and maintenance purposes<\/strong>.<\/p><\/dd>\n<dt id=\"where%20is%20the%20full%20documentation%3F\"><h3>Where is the full documentation?<\/h3><\/dt>\n<dd><p>See the <a href=\"docs\/\">docs\/<\/a> directory in the plugin folder for complete documentation of all settings, hooks, REST API, and developer reference.<\/p>\n\n<\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>2.7.0<\/h4>\n\n<ul>\n<li>Fix [Admin UI]: Resolved sidebar\/navigation not rendering on sites with WooCommerce or other React-based plugins. The plugin now uses WordPress' built-in React instead of bundling its own copy, preventing duplicate React instance conflicts that broke context providers.<\/li>\n<li>Fix [Cron]: \"Daily Telemetry\" cron job no longer runs when telemetry is disabled. Previously, disabling telemetry in the admin UI only took effect on the next page load; the cron could still fire in between. Cron state is now synced immediately when settings are saved.<\/li>\n<li>Fix [Cron]: Audit log no longer shows \"Daily Telemetry completed\" entries when telemetry is disabled. The audit hook for the telemetry cron is now only registered when telemetry is active.<\/li>\n<\/ul>\n\n<h4>2.6.12<\/h4>\n\n<ul>\n<li>Fix [Settings]: Plugin action link (\"Settings\" in plugin list) now correctly opens the new React admin UI instead of the removed legacy page.<\/li>\n<li>Fix [Dashboard]: \"View Audit Log\" link in the dashboard widget now points to the new Audit Log page instead of the removed legacy page.<\/li>\n<li>Fix [Navigation]: Old admin page URLs (e.g. <code>admin.php?page=f12-cf7-captcha<\/code>, <code>f12-cf7-captcha-extended<\/code>, <code>f12-cf7-captcha-audit-log<\/code>) now redirect to their React equivalents instead of showing a permissions error.<\/li>\n<li>Fix [Forms]: Integration presets (WooCommerce, Fluent Forms, JetForm, etc.) no longer default to \"enabled\" when the setting has not been explicitly saved. Previously, unsaved settings defaulted to enabled, making it appear as though integrations were active even when the corresponding plugin was not installed.<\/li>\n<li>Fix [Dashboard]: Internal telemetry errors (e.g. <code>TELEMETRY_UNEXPECTED_RESPONSE<\/code>) are no longer shown in the \"Recent Issues\" section of the dashboard widget. These technical messages are not actionable by end users.<\/li>\n<li>Improved [Dashboard]: Protection Score widget is now more compact \u2014 score circle reduced from 120px to 72px, stats displayed beside the circle instead of below, and module list uses smaller type for a tighter layout.<\/li>\n<li>Improved [Settings]: Added descriptive help text to all numeric fields in Advanced Settings (IP Rate Limiting, Content Rules, Mail Log Retention, Block Log Retention, Audit Log Retention) so users understand what each value controls.<\/li>\n<li>Improved [Cleanup]: Every cleanup action now shows a description below the button label explaining exactly what it does (e.g. \"Removes log entries older than 3 weeks\").<\/li>\n<\/ul>\n\n<h4>2.6.11<\/h4>\n\n<ul>\n<li>Fix [Settings]: Global settings (including integration enable\/disable toggles) were not loaded on non-admin pages (wp-login.php, frontend). The settings cache only included values from the <code>f12-cf7-captcha_settings<\/code> filter defaults, which are only registered on admin pages. DB settings containers not covered by filter defaults were silently dropped. All <code>get_settings()<\/code> calls returned <code>null<\/code> on the login page, causing every protection module to fall back to its enabled default. This also meant integration toggle settings and per-module overrides were ignored on the login page.<\/li>\n<li>New [Forms]: Added master toggle to enable\/disable entire integrations (WordPress Login, WooCommerce, Avada, CF7, etc.) directly from the Forms page. Previously, only per-module overrides were available \u2014 there was no way to completely deactivate protection for a specific integration via the UI.<\/li>\n<li>Fix [Cleanup]: Data Cleanup page showed all counts as zero. The <code>handle_cleanup_counts<\/code> endpoint called <code>get_count()<\/code> on Cleaner classes (<code>CaptchaCleaner<\/code>, <code>IPLogCleaner<\/code>, <code>IPBanCleaner<\/code>, <code>CaptchaTimerCleaner<\/code>) which do not have this method. The resulting <code>Error<\/code> was silently caught. Added <code>get_count()<\/code> delegate methods to all four Cleaner classes.<\/li>\n<li>New [API]: New REST endpoint <code>POST \/integration\/toggle<\/code> to programmatically enable or disable integrations by setting their global settings key.<\/li>\n<li>New [API]: The <code>\/forms\/discover<\/code> endpoint now returns <code>enabled<\/code> and <code>settings_key<\/code> per integration, so the UI can display and toggle the integration status.<\/li>\n<\/ul>\n\n<h4>2.6.10<\/h4>\n\n<ul>\n<li>Fix [Telemetry]: Disabling telemetry in Advanced Settings no longer stops the daily telemetry cron job from running. The cron was scheduled unconditionally on every page load and <code>send_telemetry_snapshot()<\/code> never checked the setting \u2014 data was still sent to the API even when telemetry was turned off. Now the cron is only registered when telemetry is enabled, removed immediately when disabled, and the send function includes a guard check as defense-in-depth.<\/li>\n<\/ul>\n\n<h4>2.6.9<\/h4>\n\n<ul>\n<li>Fix [Whitelist]: Email whitelist never matched \u2014 the <code>is_whitelisted_email()<\/code> method logged the match but was missing the <code>return true<\/code> statement, so whitelisted emails were still checked by all protection modules.<\/li>\n<li>Fix [Whitelist]: Admin role check caused early return that blocked IP and email whitelist checks. When admin whitelist was enabled and a non-admin user submitted a form, the method returned <code>false<\/code> immediately instead of continuing to check IP\/email whitelists.<\/li>\n<li>Fix [Whitelist\/Blacklist]: REST API settings save (<code>handle_settings_save<\/code>) used <code>sanitize_text_field()<\/code> for textarea fields (whitelist emails, whitelist IPs, blacklist IPs), which strips newlines. Entries saved via the React admin UI were merged into a single line and never matched. Now uses <code>sanitize_textarea_field()<\/code> for these fields, matching the PHP form handler behavior.<\/li>\n<li>Fix [Whitelist\/Blacklist]: IP and email parsing now uses <code>preg_split('\/[\\s,]+\/')<\/code> instead of <code>explode(\"\\n\")<\/code>, so entries separated by spaces or commas (e.g. from previously corrupted saves) are correctly recognized.<\/li>\n<li>Fix [Protection]: SilentShield API mode and local protection modules (JavaScript, Timer, Captcha, etc.) can now run simultaneously. Previously, enabling the API disabled all local modules and prevented the local JS from loading, causing false <code>NO_JAVASCRIPT<\/code> blocks on login and other forms.<\/li>\n<li>Fix [Assets]: Local protection script (<code>f12-cf7-captcha-cf7.js<\/code>) is now always loaded when a form is detected, even when the SilentShield API client (<code>client.js<\/code>) is also active. Previously the two were mutually exclusive.<\/li>\n<li>New [Documentation]: Added in-plugin Help page (SilentShield &gt; Help) with full user guide covering all protection modules, integrations, whitelist\/blacklist, per-form overrides, API mode, logging and FAQ.<\/li>\n<li>New [Documentation]: Contextual help links (info icon) added to all section headings on Settings, Dashboard, API and Forms pages, linking directly to the relevant documentation section.<\/li>\n<li>New [Documentation]: Inline tooltips on 14 key settings fields (whitelist, blacklist, IP protection, content rules, logging, asset loading) explaining each option on hover.<\/li>\n<li>New [Translations]: German (de_DE, de_DE_formal) and French (fr_FR) translations added for all documentation strings.<\/li>\n<\/ul>\n\n<h4>2.6.8<\/h4>\n\n<ul>\n<li>Fix [API]: Unified all API endpoints to use <code>\/api\/v1<\/code> base path. The verify endpoint changed from <code>\/v1\/verify<\/code> to <code>\/api\/v1\/captcha\/verify-nonce<\/code>. Affects key validation, trial creation, telemetry, shadow mode, and blacklist retrieval.<\/li>\n<li>New [API]: Introduced separate <code>F12_CAPTCHA_CLIENT_URL<\/code> constant to decouple the behavior client script URL from the API base URL. The client.js loader now reads <code>client_url<\/code> from localized data with fallback to <code>url<\/code>.<\/li>\n<li>New [Mail-Log]: API response metadata (verdict, confidence, reason codes) is now forwarded to mail log entries for both blocked and passed submissions, enabling better audit trail and debugging.<\/li>\n<li>Fix [Settings]: Added <code>invalidate_settings_cache<\/code> hook at <code>init<\/code> priority 99 to ensure the settings cache is rebuilt after UI page filters register their defaults.<\/li>\n<li>New [Debug]: Added detailed debug logging in the API spam check flow for nonce detection, API request\/response, and verdict evaluation. Temporary logging to <code>error_log<\/code> for troubleshooting integration issues.<\/li>\n<\/ul>\n\n<h4>2.6.7<\/h4>\n\n<ul>\n<li>Fix [Translations]: Fixed 4 German strings that were mistakenly used in the French (fr_FR) translation files instead of French. Affected strings: \"Enable Mail Logging\u2026\", \"Also block partial matches\u2026\", \"The analytics page\u2026\", \"Synchronized with WordPress Disallowed Comment Keys\".<\/li>\n<li>Fix [Translations]: Fixed incorrect French translation for relative time indicator \"in\" \u2014 changed from \"dans\" to \"en\" (e.g. \"en 5 minutes\").<\/li>\n<li>Fix [UI]: Fixed overflow-hidden on the individual forms list (FormsPage) which prevented scrolling when the list exceeded viewport height. Replaced with overflow-auto.<\/li>\n<li>Fix [Settings]: Fixed settings cache race condition where <code>Protection::init_modules()<\/code> called <code>get_settings()<\/code> before UI pages registered their filter defaults, caching an empty array. The REST API then returned <code>[]<\/code> instead of <code>{ global: {...}, beta: {...} }<\/code>, causing the admin UI to show empty settings. The cache is now invalidated on <code>init<\/code> (priority 99) after UI page filters are registered.<\/li>\n<\/ul>\n\n<h4>2.6.6<\/h4>\n\n<ul>\n<li>Fix [Translations]: Fixed <code>_load_textdomain_just_in_time<\/code> notice introduced in WordPress 6.7. Translation loading for UI pages (e.g. Upgrade page) was triggered too early during plugin initialization. The <code>do_action('_ui_after_load_pages')<\/code> call in <code>UI_Manager<\/code> is now deferred to the <code>init<\/code> hook, ensuring <code>__()<\/code> is only called after translations are available.<\/li>\n<\/ul>\n\n<h4>2.6.5<\/h4>\n\n<ul>\n<li>New [Templates]: Captcha image now uses transparent PNG background, blending seamlessly with all template styles (Standard, Compact, Clean, Dark Card, Gradient Dark). Dark templates (Gradient Dark) use light text colors for readability.<\/li>\n<li>New [Templates]: Classic templates (0\u20132) from v2.3.x are now visible and selectable in the template picker alongside the modern templates, ensuring backward compatibility for existing users after updates.<\/li>\n<li>New [Templates]: Template picker UI now groups templates into \"Templates\" (modern) and \"Classic Templates\" (legacy) sections with distinct preview styles.<\/li>\n<li>Fix [Templates]: Audio tooltip text (\"Click to have the CAPTCHA read aloud\") was rendered as visible text instead of a hover tooltip. Added global CSS rule to hide by default and show on hover.<\/li>\n<li>Fix [Templates]: Compact template (6) reload and audio icons were separated instead of grouped on the right side. Fixed flex layout so icons stay together.<\/li>\n<li>Fix [Templates]: Compact template (6) input field was too short and had no border. Added proper border styling and flex layout for hint text + input inline.<\/li>\n<li>Fix [Templates]: Audio button icon was misaligned vertically with reload icon across all templates. Added <code>line-height: 0; display: inline-flex; align-items: center<\/code> to audio buttons.<\/li>\n<li>Fix [Templates]: Removed <code>padding-right: 0<\/code> override on <code>.c-header &gt; div<\/code> for all v2 templates (5\u20139) which caused math captcha question mark to stick to the container edge.<\/li>\n<li>Fix [Captcha Pool]: Pool entries now store the template ID they were generated for. On retrieval, only entries matching the current template are used, preventing stale images with wrong colors after template changes.<\/li>\n<\/ul>\n\n<h4>2.6.4<\/h4>\n\n<ul>\n<li>Fix [Charts]: Fixed empty\/blank Recharts charts on Dashboard and Analytics pages. MySQL returns <code>COUNT(*)<\/code> as strings via <code>$wpdb-&gt;get_results()<\/code>, but Recharts requires numeric values for <code>dataKey<\/code>. All chart data (LineChart, BarChart, PieChart) now casts <code>entry.count<\/code> to <code>Number()<\/code> before rendering.<\/li>\n<li>Fix [Admin UI]: Fixed <code>useSettingsContext must be used within a SettingsProvider<\/code> crash on API and other pages. The context hook now returns a safe loading-state fallback instead of throwing, preventing app crashes from stale browser cache or module loading race conditions.<\/li>\n<li>Fix [Admin UI]: Hidden \"Kostenlose Trial starten\" section on the API page when an API key is already configured. Previously clicking \"Trial starten\" with an active key returned a 409 error.<\/li>\n<li>Fix [Admin UI]: Replaced text-based status badges in the Mail-Log table with compact status icons (CheckCircle, ShieldAlert, RotateCw) and hover tooltips. Fixes \"Erneut gesendet\" badge text wrapping to a new line in narrow columns.<\/li>\n<li>New [Translations]: Built .po\/.mo files for 12 previously missing locales: Bulgarian (bg_BG), Czech (cs_CZ), Danish (da_DK), Finnish (fi), Croatian (hr), Hungarian (hu_HU), Dutch (nl_NL), Polish (pl_PL), Romanian (ro_RO), Slovak (sk_SK), Slovenian (sl_SI), Swedish (sv_SE). All 25 languages now have compiled translation files at 100% coverage (492\/492 strings).<\/li>\n<\/ul>\n\n<h4>2.6.3<\/h4>\n\n<ul>\n<li>Fix [Type Safety]: Fixed <code>is_enabled()<\/code> type comparison bug in JavaScript, Browser, and Multiple Submission protection modules. Settings value was not cast to <code>(int)<\/code> before comparison, causing string <code>'0'<\/code> (disabled) to evaluate as truthy \u2014 these modules could not be reliably disabled via settings.<\/li>\n<li>Fix [Type Safety]: Fixed <code>Api::is_enabled()<\/code> default value from <code>1<\/code> (enabled) to <code>0<\/code> (disabled). Previously, if <code>beta_captcha_enable<\/code> was not explicitly set, the API mode defaulted to active, potentially bypassing all local protection modules.<\/li>\n<li>Fix [Timer]: <code>Timer_Validator::get_validation_time()<\/code> now reads the <code>protection_time_ms<\/code> setting instead of using a hardcoded 2000ms value. The UI default is 500ms \u2014 previously the setting had no effect.<\/li>\n<li>Fix [Multiple Submission]: <code>Multiple_Submission_Validator::get_validation_time()<\/code> now reads the <code>protection_time_ms<\/code> setting instead of using a hardcoded 2000ms value.<\/li>\n<li>Fix [Context]: Added missing <code>set_context()<\/code>\/<code>clear_context()<\/code> calls in Elementor, Ultimate Member, and WP Job Manager controllers. Without context, spam blocks were logged with empty <code>form_plugin<\/code> and mail logging could not identify the source integration.<\/li>\n<li>Fix [Analytics]: Fixed protection module label mapping in the Analytics block log UI. The database stores module names with <code>-validator<\/code> suffix (e.g. <code>timer-validator<\/code>, <code>captcha-validator<\/code>), but the React UI was looking for short names without suffix (e.g. <code>timer<\/code>, <code>captcha<\/code>). All labels, badge variants, and pie chart entries now use the exact database values.<\/li>\n<li>Fix [BlockLog]: Block reason detail now uses the module's specific error message (<code>$modul-&gt;get_message()<\/code>) instead of the generic static map description. For content rules, this means the actual rule violation (e.g. \"The word 'viagra' is blacklisted\") is logged instead of the generic \"Content matched a blacklist rule\".<\/li>\n<li>Fix [Mail-Log]: CF7 sent mail logging now uses the universal <code>wp_mail<\/code> filter instead of the CF7-specific <code>wpcf7_mail_components<\/code> hook. This ensures all form plugins (CF7, WPForms, Elementor, Gravity Forms, Fluent Forms, Avada, JetFormBuilder, WooCommerce) are covered with a single hook.<\/li>\n<li>Fix [Mail-Log]: Sent mail logging now captures the actual resolved mail data (recipient, subject, body) from <code>wp_mail()<\/code> instead of raw CF7 templates with unresolved <code>[tags]<\/code>.<\/li>\n<li>Fix [Mail-Log]: Form data (posted fields) is now stored for sent mails, enabling proper review and resend from the admin UI.<\/li>\n<li>Fix [Mail-Log]: Added <code>table_exists()<\/code> check in <code>MailLog::log()<\/code> to prevent silent failures on fresh installations before the upgrade migration runs.<\/li>\n<\/ul>\n\n<h4>2.6.2<\/h4>\n\n<ul>\n<li>New [Mail-Log]: Added complete mail logging system for tracking sent and blocked form submissions. Stores sender, recipient, subject, body, headers, attachments, form data, IP hash, and block reason in a dedicated database table (<code>f12_mail_log<\/code>).<\/li>\n<li>New [Mail-Log]: Blocked submissions are automatically logged from the central <code>Protection::is_spam()<\/code> method, capturing block reason and form data. Works across all supported integrations (CF7, WPForms, Elementor, Gravity Forms, Fluent Forms, Avada, WooCommerce, WordPress core).<\/li>\n<li>New [Mail-Log]: Successfully sent Contact Form 7 mails are logged via <code>wpcf7_mail_components<\/code> filter, capturing the fully resolved mail data (recipient, sender, subject, body with all [tags] replaced, headers, attachments). Previously used <code>wpcf7_before_send_mail<\/code> which only had raw templates with unresolved CF7 tags.<\/li>\n<li>New [Mail-Log]: Added \"Resend\" functionality \u2014 any mail log entry (sent, blocked, or previously resent) can be resent directly from the admin UI via <code>wp_mail()<\/code>. Attachments are only included if files still exist on disk. Status is updated to \"resent\" with audit log entry.<\/li>\n<li>New [Admin UI]: Added dedicated \"Mail-Log\" page with summary cards (total, sent, blocked, resent), filterable\/searchable table (status, form plugin, free-text search with debounce), pagination, and auto-refresh controls.<\/li>\n<li>New [Admin UI]: Mail-Log detail dialog shows full message body, form data (JSON), block reason, IP hash, headers, and action buttons (resend with confirmation, delete with double-confirmation).<\/li>\n<li>New [Admin UI]: Bulk actions for Mail-Log \u2014 select individual entries via checkboxes or \"select all\" on the current page. Bulk resend (with confirmation dialog) and bulk delete (with toggle-switch double-confirmation) for multiple entries at once.<\/li>\n<li>New [Admin UI]: Delete confirmation uses a double-confirm pattern: a toggle switch \"Ich verstehe, dass dieser Eintrag unwiderruflich gel\u00f6scht wird\" must be activated before the delete button becomes clickable. Applied to both single and bulk delete.<\/li>\n<li>New [Admin UI]: Added Mail-Log sidebar navigation entry with Mail icon (between Analytics and Audit Log).<\/li>\n<li>New [Admin UI]: Added \"Mail-Logging\" settings section in Advanced Settings with GDPR warning banner, enable\/disable toggle, sub-toggles for sent\/blocked logging, and configurable retention period (1\u2013365 days).<\/li>\n<li>New [Admin UI]: Added Mail-Log cleanup options in Data Cleanup page (\"Alle Mail-Logs l\u00f6schen\", \"Blockierte Mail-Logs l\u00f6schen\") with entry counts.<\/li>\n<li>New [REST API]: Added 5 admin-only Mail-Log REST endpoints: <code>GET \/mail-log\/entries<\/code> (paginated with filters), <code>GET \/mail-log\/summary<\/code> (counts by status), <code>GET \/mail-log\/entry\/{id}<\/code> (full entry with body), <code>DELETE \/mail-log\/entry\/{id}<\/code>, <code>POST \/mail-log\/resend\/{id}<\/code>.<\/li>\n<li>New [Core]: <code>MailLog<\/code> PHP class (<code>core\/log\/MailLog.class.php<\/code>) with full CRUD operations, table existence checks, <code>suppress_errors<\/code> for resilient inserts, and separate <code>log_blocked()<\/code>\/<code>log_sent()<\/code> convenience methods.<\/li>\n<li>New [Core]: Automatic Mail-Log cleanup integrated into <code>Log_Cleaner<\/code> cron job with configurable retention (<code>protection_mail_log_retention<\/code>, default 30 days).<\/li>\n<li>New [Settings]: 4 new settings: <code>protection_mail_log_enable<\/code> (default: off), <code>protection_mail_log_sent<\/code> (default: on), <code>protection_mail_log_blocked<\/code> (default: on), <code>protection_mail_log_retention<\/code> (default: 30 days).<\/li>\n<li>Fix [API Fallback]: Frontend assets (<code>client.js<\/code> vs local JS bundle) now respect the API health check transient. When the SilentShield API is unreachable, the local JS bundle (with JavaScriptProtection, SubmitGuard, form handlers) is loaded instead of the API client \u2014 fixing missing <code>js_end_time<\/code> timestamps, broken captcha reload, and CORS errors from offline API endpoints.<\/li>\n<li>Fix [REST API]: Increased admin endpoint rate limit from 10 to 60 requests per minute to prevent rate-limit errors when using auto-refresh or loading pages with multiple concurrent API calls.<\/li>\n<li>Improvement [Settings]: Changed default for <code>protection_global_asset_loading<\/code> from 0 to 1, ensuring frontend JS\/CSS assets are loaded on all pages by default. Prevents issues where captcha fields render but JS handlers are not loaded.<\/li>\n<\/ul>\n\n<h4>2.6.1<\/h4>\n\n<ul>\n<li>Fix [API]: Fixed settings type mismatch between PHP REST API and React admin UI. The REST save handler converted all values to strings via <code>sanitize_text_field()<\/code>, but the React frontend used strict equality (<code>=== 1<\/code>) to check toggle states. This caused API-related toggles (API enable, Shadow Mode) to always appear as \"off\" after saving, even though the value was correctly stored. The server now preserves native integer, float, and boolean types during save, and the React UI uses <code>Number()<\/code> coercion for defensive comparison.<\/li>\n<li>Fix [API Fallback]: When the SilentShield API is enabled but unreachable (e.g. dev\/staging environment offline, network issues, server errors), the plugin now automatically falls back to all local protection modules (Captcha, Timer, JS detection, Browser detection, IP blocking, Content rules, etc.) instead of silently disabling all protection. Previously, an active API key with an unreachable API resulted in no captcha output and no spam protection at all.<\/li>\n<li>New [Admin Notice]: Added a dismissible admin warning that appears when the API fallback is active, informing administrators that the SilentShield API is unreachable and local protection modules have been automatically reactivated. Includes a link to the API settings page.<\/li>\n<li>New [API Health Check]: Added lightweight API reachability check with transient caching (5 min on success, 2 min on failure) to avoid hitting the API on every request. HTTP 2xx\u20134xx responses are treated as \"reachable\" (the API is up, even if the key is invalid); only connection errors and 5xx responses trigger the local fallback.<\/li>\n<li>New [Audit Log]: API health failures are now logged as <code>API_HEALTH_UNREACHABLE<\/code> (connection error) or <code>API_HEALTH_SERVER_ERROR<\/code> (5xx response) audit events with endpoint and error context.<\/li>\n<li>Fix [Database]: Added missing upgrade migration for BlockLog and AuditLog tables. Sites that upgraded to 2.6.0 without deactivating\/reactivating the plugin had missing database tables, causing <code>wpdb<\/code> errors on the Audit Log and Analytics pages and cascading rate-limit failures.<\/li>\n<li>Fix [Database]: AuditLog and BlockLog query methods now gracefully return empty results when the underlying table does not exist, preventing HTML error output from leaking into REST API JSON responses.<\/li>\n<li>Fix [Database]: <code>$wpdb-&gt;suppress_errors()<\/code> is now used around AuditLog and BlockLog insert operations to prevent database error HTML from breaking REST responses when tables are missing.<\/li>\n<li>Fix [Admin UI]: Fixed IP hash string overflowing into adjacent columns in the block detail and audit event detail dialogs. Long hash strings now wrap automatically via <code>break-all<\/code>.<\/li>\n<li>New [Admin UI]: Added \"Erweitertes Tracking\" hint banner on the Analytics page. When detailed tracking is disabled (default), a dismissible warning explains that Analytics requires this setting and links directly to the Advanced settings page to enable it.<\/li>\n<li>New [Admin UI]: Added auto-refresh controls to both Analytics and Audit Log pages. A tab bar allows selecting refresh intervals (Aus \/ 5s \/ 15s \/ 30s) and a manual refresh button with spin animation is available for on-demand data reload.<\/li>\n<\/ul>\n\n<h4>2.6.0<\/h4>\n\n<ul>\n<li>New [Audit Log]: Added always-active audit log system (<code>AuditLog<\/code> class) that records admin and system events (settings changes, cron runs, activation\/deactivation, rate limiting, API errors, DB errors, trial events, i18n failures) to a dedicated database table with throttling, sensitive data masking, and error_log fallback.<\/li>\n<li>New [Admin UI]: Added Audit Log admin page (SilentShield \u2192 Audit Log) with summary cards, filterable\/paginated event table, severity color-coding, and slide-out detail panel with JSON context viewer.<\/li>\n<li>New [Admin UI]: Dashboard widget now shows the 5 most recent warnings\/errors\/critical events with a direct link to the full Audit Log page.<\/li>\n<li>New [REST API]: Added 2 new admin-only REST endpoints (<code>\/audit\/entries<\/code>, <code>\/audit\/summary<\/code>) with filters for time range, event type, severity, and pagination.<\/li>\n<li>New [Core]: API verification errors (<code>Api.class.php<\/code>) now log <code>API_VERIFY_UNREACHABLE<\/code> audit events with endpoint and fail-mode context.<\/li>\n<li>New [Core]: Trial activation failures now log <code>TRIAL_API_UNREACHABLE<\/code>, <code>TRIAL_API_ERROR<\/code>, and <code>TRIAL_INVALID_RESPONSE<\/code> audit events.<\/li>\n<li>New [Core]: All 6 cron jobs now have bookend audit hooks that log start\/completion with execution timing and catch\/log failures as <code>CRON_FAILED<\/code> events.<\/li>\n<li>New [Core]: Telemetry, monthly report, and weekly report cron handlers now audit-log send failures and unexpected responses.<\/li>\n<li>New [Core]: Translation loading failures now log <code>TRANSLATION_LOAD_FAILED<\/code> audit events with locale and path context.<\/li>\n<li>New [Core]: BlockLog database operations (<code>log<\/code>, <code>get_entries<\/code>, <code>get_overview<\/code>, <code>cleanup<\/code>) now audit-log insert\/query\/cleanup failures as <code>BLOCKLOG_*<\/code> events.<\/li>\n<li>New [Settings]: Added configurable \"Audit Log Retention\" setting (7\u2013365 days, default 90) under Settings \u2192 Extended. Log cleanup respects this setting automatically.<\/li>\n<li>Improvement [Core]: Log_Cleaner now also cleans up AuditLog and BlockLog tables during the weekly cron job, respecting their individual retention settings.<\/li>\n<li>New [Audit Log]: API key validation failures (<code>API_KEY_VALIDATION_UNREACHABLE<\/code>, <code>API_KEY_INVALID<\/code>) are now audit-logged when the SilentShield key validation endpoint is unreachable or returns invalid.<\/li>\n<li>New [Audit Log]: API key lifecycle changes are now audit-logged: key set (<code>API_KEY_SET<\/code>), key removed (<code>API_KEY_REMOVED<\/code>), key rotated (<code>API_KEY_CHANGED<\/code>).<\/li>\n<li>New [Audit Log]: API mode and Shadow Mode toggles are now audit-logged (<code>API_MODE_ENABLED\/DISABLED<\/code>, <code>SHADOW_MODE_ENABLED\/DISABLED<\/code>).<\/li>\n<li>New [Audit Log]: API verify HTTP error responses (4xx\/5xx) and unparseable JSON are now audit-logged as <code>API_VERIFY_ERROR_RESPONSE<\/code>.<\/li>\n<li>New [Audit Log]: Trial expiration is now proactively audit-logged once as <code>TRIAL_EXPIRED<\/code> when the admin visits the Beta settings page after the trial period ends.<\/li>\n<\/ul>\n\n<h4>2.5.0<\/h4>\n\n<ul>\n<li>New [F2P]: Added Shadow Mode for statistical estimation of API-blocked spam. Samples 30% of passed submissions and projects weekly totals. Enable under Settings &gt; Beta. Dormant API call behind <code>F12_CAPTCHA_SHADOW_API_LIVE<\/code> constant.<\/li>\n<li>New [F2P]: Added Weekly Email Report (opt-in) with block statistics, top 3 reason codes, breakdown by protection type, and upgrade CTA with UTM tracking. Enable under Settings &gt; Extended &gt; Weekly Report.<\/li>\n<li>New [Analytics]: Shadow Mode comparison section on Analytics page showing estimated additional API catches with 4 stat cards and upgrade CTA.<\/li>\n<li>New [Beta]: Shadow Mode toggle added to Beta settings page.<\/li>\n<\/ul>\n\n<h4>2.4.0<\/h4>\n\n<ul>\n<li>New [Analytics]: Added Analytics admin page (SilentShield \u2192 Analytics) with block statistics overview, timeline chart, protection module breakdown, reason code frequency, and paginated block log with detail drawer.<\/li>\n<li>New [Analytics]: 4 new REST API endpoints for analytics data (summary, timeline, reasons, log) with admin-only access and rate limiting.<\/li>\n<li>New [Analytics]: Score breakdown visualization for API-mode blocks showing 7 sub-score categories with color-coded progress bars.<\/li>\n<li>New [Analytics]: Time range selector (7\/30\/90 days) for all analytics views.<\/li>\n<li>New [Privacy]: Added \"Disable Log Anonymization (Debug Mode)\" toggle in Extended Settings \u2192 Detailed Tracking. When enabled, email addresses and IP addresses are stored in plain text in submission logs and the block log, allowing admins to identify blocked users. Disabled by default. Includes GDPR\/DSGVO privacy warning. Passwords are always masked regardless of this setting.<\/li>\n<li>New [Core]: Added <code>Protection::has_module()<\/code> method to safely check module availability before access.<\/li>\n<li>Fix [Admin UI]: Fixed fatal error \"Module captcha-validator does not exist\" on Extended Settings page when SilentShield API mode is active. The Captcha management section now shows an informational message in API mode instead of crashing.<\/li>\n<\/ul>\n\n<h4>2.3.6<\/h4>\n\n<ul>\n<li>New [Accessibility]: Added Audio CAPTCHA feature using the Web Speech API. A speaker button next to the CAPTCHA allows visually impaired users to have the challenge read aloud via browser-native text-to-speech. Privacy-first \u2014 no external API calls. Disabled by default, enable under Settings &gt; Protection &gt; Audio Accessibility.<\/li>\n<li>New [Accessibility]: Added hover\/focus tooltip on the audio button (\"Click to have the CAPTCHA read aloud\") so users understand the button's purpose before clicking.<\/li>\n<li>New [REST API]: Added rate-limited <code>POST \/captcha\/audio<\/code> endpoint (5 req\/min per IP) that returns spelled-out characters for image CAPTCHAs and the formula for math CAPTCHAs.<\/li>\n<li>Improvement [Image CAPTCHA]: When Audio CAPTCHA is enabled, the character pool is restricted to lowercase letters + digits to avoid ambiguity (TTS cannot distinguish upper\/lowercase). Existing pooled CAPTCHAs with uppercase characters are automatically discarded and regenerated.<\/li>\n<li>Improvement [Translations]: Added all new Audio CAPTCHA strings to all language files (de_DE, de_DE_formal, es_ES, fr_FR, it_IT, pt_PT).<\/li>\n<\/ul>\n\n<h4>2.3.5<\/h4>\n\n<ul>\n<li>Fix [Fluent Forms]: Fixed JavaScript protection failing for Conversational Forms (<code>[fluentform type=\"conversational\"]<\/code>). Conversational Forms render as a Vue.js app inside a <code>&lt;div&gt;<\/code> instead of a <code>&lt;form&gt;<\/code> element, so the regular <code>render_item_submit_button<\/code> hook and the JS form discovery (<code>querySelectorAll(\"form\")<\/code>) never fired. Timing fields (<code>php_start_time<\/code>, <code>js_start_time<\/code>, <code>js_end_time<\/code>) are now injected via <code>jQuery.ajaxPrefilter<\/code> directly into the inner <code>data<\/code> POST parameter where the PHP backend expects them. Hooks into both <code>wp_footer<\/code> (embedded forms) and <code>fluentform\/conversational_frame_footer<\/code> (standalone pages).<\/li>\n<\/ul>\n\n<h4>2.3.4<\/h4>\n\n<ul>\n<li>Fix [Templates]: Reload button inline styles were stripped by <code>wp_kses()<\/code> CSS property filtering (<code>safecss_filter_attr<\/code>), causing <code>display:inline-flex<\/code>, <code>align-items<\/code>, <code>box-sizing<\/code> etc. to be removed. Reload button HTML is now output directly (all values are escaped at construction via <code>esc_attr<\/code>\/<code>esc_url<\/code>), ensuring per-form and per-integration style overrides work correctly.<\/li>\n<li>Fix [CSS]: Removed hardcoded <code>width:32px; height:32px; display:flex; background-color<\/code> from template-1 <code>.c-reload a<\/code> CSS rule that overrode per-form settings. All visual properties are now controlled exclusively via inline styles from <code>get_reload_button()<\/code>.<\/li>\n<li>Fix [CSS]: Removed <code>!important<\/code> declarations on reload button icon dimensions in template-1 CSS that prevented per-form icon size overrides from taking effect.<\/li>\n<li>Fix [CSS]: Removed redundant global inline CSS (<code>wp_add_inline_style<\/code>) for reload button styling that conflicted with the hierarchical settings resolution (form &gt; module &gt; global).<\/li>\n<li>Fix [CSS]: Reload button icon is now vertically centered using flexbox (<code>display:inline-flex; align-items:center<\/code>) instead of <code>margin-top:5px<\/code>.<\/li>\n<li>Improvement [CSS]: All reload button inline styles now use <code>!important<\/code> to prevent theme and plugin CSS from overriding configured values (background-color, padding, border-radius, display, icon dimensions, margin, max-width).<\/li>\n<li>Fix [Core]: Replaced deprecated <code>CF7Captcha::getInstance()<\/code> calls in UI_Extended with <code>CF7Captcha::get_instance()<\/code>.<\/li>\n<\/ul>\n\n<h4>2.3.3<\/h4>\n\n<ul>\n<li>New [Admin UI]: Added full reload button styling options: background color, border color (color pickers), padding, border radius, and icon size (number inputs). All settings have backward-compatible defaults.<\/li>\n<li>New [Admin UI]: All reload button styling settings can be overridden per integration (CF7, Avada, WPForms, etc.) and per individual form via the existing override panel system.<\/li>\n<li>New [Admin UI]: Added live preview for the reload button in global settings and all override panels (integration + form level). Changes are reflected in real-time.<\/li>\n<li>New [Admin UI]: Added \"Asset Loading\" section with global toggle to force-load all plugin assets (CSS\/JS) on every page, useful when automatic form detection fails.<\/li>\n<li>New [Admin UI]: Added custom URL path exceptions textarea. Define URL paths (one per line) where assets should always be loaded, e.g. for custom login pages (WPS Hide Login) or exotic page builders.<\/li>\n<li>Improvement [Core]: <code>should_load_assets()<\/code> now checks global asset loading toggle and custom URL paths before falling back to automatic form detection.<\/li>\n<\/ul>\n\n<h4>2.3.2<\/h4>\n\n<ul>\n<li>Fix [Captcha]: Fixed reload button href being stripped by wp_kses. Changed <code>javascript:void(0)<\/code> to <code>#<\/code> to be compatible with WordPress HTML sanitization.<\/li>\n<\/ul>\n\n<h4>2.3.1<\/h4>\n\n<ul>\n<li>New [Admin UI]: Added per-integration and per-form override settings. Protection settings can now be customized at the integration level (e.g. all CF7 forms) or for individual forms, with hierarchical inheritance (Global &gt; Integration &gt; Form).<\/li>\n<li>New [Admin UI]: Added slide-in configuration panels on the Extended and Forms admin pages. Click \"Configure\" next to any integration or form to open the override panel.<\/li>\n<li>New [Admin UI]: Added Forms admin page listing all discovered forms across installed integrations (CF7, WPForms, Elementor, Gravity Forms, etc.) with override status badges.<\/li>\n<li>New [REST API]: Added <code>POST \/overrides\/save<\/code> endpoint for persisting integration and form-level override settings via AJAX with admin permission checks and rate limiting.<\/li>\n<li>New [Core]: Added hierarchical settings resolution system (<code>Settings_Resolver<\/code>) that merges Global, Integration, and Form-level settings with proper inheritance.<\/li>\n<li>New [Core]: Added form discovery system (<code>Form_Discovery<\/code>) that detects forms across all supported integrations.<\/li>\n<li>New [Core]: Added <code>ProtectionContext<\/code> for per-form setting resolution during spam validation, enabling form-specific protection behavior.<\/li>\n<li>Fix [Compatibility]: Resolved \"Translation loading triggered too early\" PHP Notice on WordPress 6.7+ that caused \"Cookies are blocked due to unexpected output\" errors on login pages, breaking compatibility with plugins like SecuPress Move Login.<\/li>\n<li>Fix [JavaScript]: Resolved global scope collision where the bundled <code>WPForms<\/code> class overwrote <code>window.WPForms<\/code>, breaking the WPForms plugin. Build output is now wrapped in an IIFE.<\/li>\n<li>Improvement [Translations]: Added 57 new translatable strings for override panels and Forms page to all language files (de_DE, de_DE_formal, es_ES, fr_FR, it_IT, pt_PT).<\/li>\n<li>Improvement [Compatibility]: Updated integration controllers (Avada, CF7, FluentForms, Gravity Forms, WPForms) with form discovery support and per-form protection context.<\/li>\n<\/ul>\n\n<h4>2.3.0<\/h4>\n\n<ul>\n<li>Fix [Security]: Closed mass-assignment vulnerability in IPBan and IPLog classes. Properties are now set via explicit allowlist instead of <code>property_exists()<\/code>, preventing overwrite of internal state like the logger or ID fields.<\/li>\n<li>Fix [Security]: Replaced <code>parse_str()<\/code> on raw POST data in API verification with targeted regex extraction, eliminating a potential denial-of-service vector via deeply nested keys.<\/li>\n<li>Fix [Security]: Added <code>esc_html()<\/code> to spam error messages in <code>format_spam_message()<\/code> as defense-in-depth against potential XSS if future modules include dynamic content in messages.<\/li>\n<li>Fix [Security]: Added <code>defined('ABSPATH')<\/code> guards to 10 PHP files that were missing them (BaseController, BaseModul, Api, Browser, IP_Blacklist_Validator, Whitelist_Validator, Javascript_Validator, Log_WordPress_Interface, Validator, Browser_User_Agent).<\/li>\n<li>Fix [WooCommerce \/ WordPress Login]: Resolved a cross-concern filter leak where WooCommerce registration validation could accidentally bypass WordPress login spam checks (and vice versa). Each integration now uses its own scoped filter (<code>f12_cf7_captcha_wc_login_validated<\/code>, <code>f12_cf7_captcha_wc_registration_validated<\/code>).<\/li>\n<li>Fix [WordPress Registration]: Changed error code from integer <code>500<\/code> to string <code>'spam'<\/code> for consistency with all other controllers.<\/li>\n<li>Fix [Comments]: Replaced abrupt <code>wp_die()<\/code> with a proper error page that includes the specific spam reason, a \"Go Back\" link, and HTTP 403 status.<\/li>\n<li>Fix [CF7]: Changed greedy regex <code>(.*)<\/code> to non-greedy <code>(.*?)<\/code> in submit button detection, preventing incorrect captcha placement when multiple input elements exist on the same line.<\/li>\n<li>Fix [Telemetry]: Counters now track request-local deltas and merge them with the current database values at shutdown, significantly reducing lost updates under concurrent requests.<\/li>\n<li>Fix [Database]: Standardized all <code>$wpdb<\/code> null-checks in IPBan and IPLog to use strict <code>null === $wpdb<\/code> comparison consistently.\n&hellip;<\/li>\n<\/ul>","raw_excerpt":"SilentShield \u2013 the invisible shield against spam. Spam is the weed of the internet. It clogs your forms, steals your time, and corrupts your data.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/147547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=147547"}],"author":[{"embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/forge12"}],"wp:attachment":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=147547"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=147547"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=147547"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=147547"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=147547"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=147547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}