[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foQjxkq33AeLUMRTRVIEH6RNhTdxXbHPXlgQJwztRc3s":3},{"slug":4,"display_name":5,"profile_url":6,"plugin_count":7,"total_installs":8,"avg_security_score":9,"avg_patch_time_days":10,"trust_score":11,"computed_at":12,"plugins":13},"satoshin99","Team beta version","https:\u002F\u002Fprofiles.wordpress.org\u002Fsatoshin99\u002F",1,0,100,30,94,"2026-05-20T04:49:45.657Z",[14],{"slug":15,"name":16,"version":17,"author":5,"author_profile":6,"description":18,"short_description":19,"active_installs":8,"downloaded":20,"rating":8,"num_ratings":8,"last_updated":21,"tested_up_to":22,"requires_at_least":23,"requires_php":24,"tags":25,"homepage":31,"download_link":32,"security_score":9,"vuln_count":8,"unpatched_count":8,"last_vuln_date":33,"fetched_at":34},"samurai-honeypot-for-forms","Samurai Honeypot for Forms","1.1.5","\u003Cp>\u003Cstrong>Note: This plugin requires HTTPS to function (due to Web Crypto API usage).\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>The Story: The Forging of the Ultimate Defense\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This project began with a simple goal: to create a lightweight honeypot trap to catch basic bots. But during development, we faced a harsh reality: \u003Cstrong>Simple traps are obsolete.\u003C\u002Fstrong> Modern AI bots and headless browsers can easily step over traditional defenses. A basic trap was no longer enough; we needed a fortress.\u003C\u002Fp>\n\u003Cp>So, we forged a completely new architecture. We added Proof of Work, Behavioral Analysis, and Rate Limiting. What started as a simple honeypot evolved into a \u003Cstrong>15-layer invisible firewall\u003C\u002Fstrong>. 
Like a samurai’s blade, it operates with absolute precision—completely invisible to your real customers, yet ruthlessly executing a “Silent Kill” on spam bots before they ever reach your inbox or database.\u003C\u002Fp>\n\u003Cp>Samurai Honeypot protects every Contact Form 7 and WPForms form with fifteen independent defense layers.\u003Cbr \u002F>\nEach layer contributes a score, and blocked submissions are handled by a \u003Cstrong>3-Tier Triage System\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Ch4>3-Tier Triage System\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Tier 1 (Pass):\u003C\u002Fstrong> Score below the threshold (default 50) — email is sent normally.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Tier 2 (Quarantine):\u003C\u002Fstrong> Score between the threshold and 99 — email is silently suppressed (Silent Kill) and the submission is saved to the built-in \u003Cstrong>Quarantine Log\u003C\u002Fstrong> for admin review.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Tier 3 (Drop \u002F Instant Kill):\u003C\u002Fstrong> Score of 100 or higher — email is silently suppressed and the submission is \u003Cstrong>permanently dropped without logging\u003C\u002Fstrong>. This protects your database from bloat during DDoS or mass bot attacks.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Warning — False Positives:\u003C\u002Fstrong> Depending on your environment, legitimate emails may occasionally be flagged as spam. Enterprise proxies, strict corporate firewalls, outdated browsers, VPNs, and unusual network configurations can trigger detection layers. \u003Cstrong>You MUST check the Quarantine Log periodically\u003C\u002Fstrong> to identify and recover any false positives. The plugin cannot distinguish all edge cases automatically.\u003C\u002Fp>\n\u003Ch4>Defense Layers\u003C\u002Fh4>\n\u003Col>\n\u003Cli>\u003Cstrong>JS Injection Gate\u003C\u002Fstrong> — Blocks bots that cannot execute JavaScript. 
Tokens are fetched via REST API for full page-cache compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Polymorphic Honeypot\u003C\u002Fstrong> — Decoy field name is cryptographically derived per token (not exposed in the API response), hidden from humans via CSS.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Signature\u003C\u002Fstrong> — HMAC-SHA256 signed stateless token with IP and Form ID binding.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Time Trap\u003C\u002Fstrong> — Detects impossibly fast submissions. Browser autofill is automatically exempt.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Proof of Work\u003C\u002Fstrong> — SHA-256 computational challenge via Web Crypto API that forces CPU cost on bots.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Behavioral Entropy\u003C\u002Fstrong> — Hash-verified human-like event counters: mouse, keyboard, touch, scroll. Uniqueness tracking detects script reuse.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Headless UA Block\u003C\u002Fstrong> — Server-side User-Agent check instantly blocks known headless browsers and automated tools (Headless Chrome, Puppeteer, PhantomJS, Selenium, Playwright, Nightmare, Electron). Toggleable in settings for E2E testing compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Headless Detection\u003C\u002Fstrong> — Detects automated browser environments (navigator.webdriver, plugin count, window.chrome, language count).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>UA Age Detection\u003C\u002Fstrong> — Scores based on Chrome version age. 2+ years: +10, 3+ years: +20, 4+ years: +30. 
Bots often use hardcoded old User-Agent strings that never update.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting\u003C\u002Fstrong> — Per-IP submission rate limiting with IPv6 \u002F64 normalization.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Replay Protection\u003C\u002Fstrong> — Atomic token consumption (INSERT IGNORE) + TTL expiry enforcement.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP Blacklist\u003C\u002Fstrong> — Manually configured IP\u002FCIDR blacklist for known bad actors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Content: URL Limit\u003C\u002Fstrong> — Flags messages containing more URLs than the configured threshold.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Content: BBCode\u003C\u002Fstrong> — Detects BBCode link syntax (\u003Ccode>[url=...]\u003C\u002Fcode>) that never appears in legitimate form submissions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Content: Denylist\u003C\u002Fstrong> — Matches against WordPress Disallowed Comment Keys (Settings > Discussion).\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>3-Tier Triage\u003C\u002Fstrong> — Pass, Quarantine (with local log), or Drop. No legitimate message is lost without a trace — quarantined submissions are saved for admin review. Tier 3 drops are the exception: they are not logged and cannot be recovered.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Built-in Quarantine Log\u003C\u002Fstrong> — Blocked Tier 2 submissions are saved to a local database table (up to 1,000 entries, FIFO). View date, score, trigger reasons, and full form data from the admin panel. No external plugin required.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>DDoS-Resilient Tier 3 Drop\u003C\u002Fstrong> — Submissions scoring 100+ are immediately dropped from memory without any database write. This prevents database exhaustion during mass bot attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GDPR Compliant\u003C\u002Fstrong> — No cookies, no external service calls, no plugin-specific PII stored. 
IP addresses are one-way hashed with a site-specific salt before any storage — raw IPs never touch the database. The Quarantine Log does store the full form data of Tier 2 submissions, which may include personal data entered by the sender. No consent banner required.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Stateless Tokens\u003C\u002Fstrong> — No database writes for token generation; prevents DoS via DB bloat.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero Trust Client\u003C\u002Fstrong> — All client-submitted data is verified server-side with HMAC signatures and hash integrity checks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero Configuration\u003C\u002Fstrong> — Activate and all Contact Form 7 \u002F WPForms forms are protected automatically.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cache Compatible\u003C\u002Fstrong> — Tokens are fetched via REST API, so page caching works fine.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Forms\u003C\u002Fstrong> — Works correctly with multiple forms on the same page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP Whitelist \u002F Blacklist\u003C\u002Fstrong> — Whitelist trusted IPs or CIDR ranges to skip all scoring. Blacklist known bad IPs to add +100 score instantly. Optionally whitelist all logged-in WordPress users.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Headless Browser Blocking\u003C\u002Fstrong> — Server-side User-Agent check instantly blocks Headless Chrome, Puppeteer, Selenium, and other automated browsers (+100 score). Enabled by default; can be toggled off for E2E testing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Content Rules\u003C\u002Fstrong> — Detect spam patterns in form content: excessive URLs, BBCode link syntax, and WordPress Disallowed Comment Keys matching.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Trusted Proxy Support\u003C\u002Fstrong> — Optional mode for Cloudflare and reverse proxy environments with IP range validation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lightweight\u003C\u002Fstrong> — Three PHP files, no external dependencies, no jQuery.\u003C\u002Fli>\n\u003C\u002Ful>\n","Invisible 15-layer anti-spam for Contact Form 7 & WPForms. 
Score-based 3-Tier Triage silently blocks bots — no CAPTCHA, no user friction.",380,"2026-03-03T06:28:00.000Z","6.9.4","5.9","7.4",[26,27,28,29,30],"antispam","contact-form-7","honeypot","spam","wpforms","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsamurai-honeypot-for-forms.1.1.5.zip",null,"2026-04-06T09:54:40.288Z"]