LukaCodes Comment Shield is a lightweight, no-bloat plugin that gives you four independent tools to protect your WordPress comment section from spam:
- Disable Website Field — Removes the URL/website field from the comment form. Works with all themes, including those that hardcode the field (CSS fallback included).
- Strip Links from Comments — Automatically removes all <a href> hyperlinks from comment content — both on display and before saving to the database. Spammers get zero benefit from posting links.
- reCAPTCHA v3 — Adds Google’s invisible bot-score protection to your comment form. No checkbox, no puzzle, no friction for real users. Bots are silently blocked server-side.
- Cloudflare Turnstile — A privacy-friendly CAPTCHA alternative that shows a visible widget on the comment form. Verified server-side against Cloudflare’s API. Mutually exclusive with reCAPTCHA v3 — enabling one automatically disables the other.
All features are independent — enable only what you need.
Why Comment Shield?
Most anti-spam plugins are heavy, require accounts, or add ugly CAPTCHAs. LukaCodes Comment Shield is different:
- ~25 KB total — no external libraries, no jQuery dependency
- Settings page with live key testing — verify your reCAPTCHA or Turnstile keys before enabling
- Link stripping preview — paste any comment text and see exactly what gets removed
- Graceful fallback: if Google’s or Cloudflare’s API is unreachable, comments are held for moderation (never lost)
- Trusted users (administrators) bypass CAPTCHA checks automatically
- Mutual exclusion: reCAPTCHA v3 and Cloudflare Turnstile cannot be active at the same time — switching one on turns the other off automatically, both in the UI and on the server
- WP Coding Standards compliant — fully escaped output, nonce-protected AJAX
reCAPTCHA v3 — How it works
When a visitor submits a comment, our JavaScript silently requests a score token from Google. The token is sent with the comment and verified server-side against your minimum score threshold (configurable from 0.1 to 1.0). No user interaction required.
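The server-side decision described above, combined with the moderation fallback and administrator bypass from the feature list, as an added example that is not the plugin's own code. The function name, the `comment` action label, the 0.5 threshold and the sample responses are assumptions constructed for illustration; `success`, `score` and `action` are fields of the siteverify JSON response.

```php
<?php
declare(strict_types=1);

// Added example: decision logic only. The HTTP call to siteverify is left out;
// $response is its decoded JSON body, or null when the API could not be reached.
function example_comment_decision(
    ?array $response,
    float $minScore,                    // configured threshold, 0.1 to 1.0
    bool $isAdmin,
    string $expectedAction = 'comment'  // hypothetical action label
): string {
    if ($isAdmin) {
        return 'approve';               // trusted users bypass the CAPTCHA check
    }
    if ($response === null) {
        return 'hold';                  // API unreachable: hold for moderation
    }
    if (($response['success'] ?? false) !== true) {
        return 'reject';                // token missing, invalid, expired or reused
    }
    // Assumption: the form requested its token for one named action, so a
    // token minted for a different action is refused.
    if (($response['action'] ?? '') !== $expectedAction) {
        return 'reject';
    }
    $score = $response['score'] ?? null;
    if (!is_int($score) && !is_float($score)) {
        return 'hold';                  // assumption: a malformed reply goes to moderation
    }
    return $score >= $minScore ? 'approve' : 'reject';
}

// Constructed sample responses, not captured from a real site.
$samples = [
    'human'       => ['success' => true,  'score' => 0.9, 'action' => 'comment'],
    'bot'         => ['success' => true,  'score' => 0.1, 'action' => 'comment'],
    'bad token'   => ['success' => false, 'error-codes' => ['invalid-input-response']],
    'other form'  => ['success' => true,  'score' => 0.9, 'action' => 'login'],
    'api offline' => null,
];
foreach ($samples as $label => $response) {
    printf("%-12s %s\n", $label, example_comment_decision($response, 0.5, false));
}
```

The order of the checks matters: the score is only compared after `success` is confirmed, so a failed verification can never pass on a missing or default score.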
Cloudflare Turnstile — How it works
A Turnstile widget is rendered inside the comment form. When the visitor completes the challenge, a token is generated and submitted with the comment. The token is verified server-side against the Cloudflare API before the comment is accepted.
Third-Party Services
This plugin optionally uses the following third-party services:
Google reCAPTCHA v3
A service provided by Google LLC.
- What it does: Detects bots and spam on your comment form without user interaction.
- When data is sent: Only when reCAPTCHA v3 is enabled in settings. A token is sent to Google’s API (https://www.google.com/recaptcha/api/siteverify) when a visitor submits a comment.
- What data is sent: The visitor’s IP address and a reCAPTCHA token.
- Google Privacy Policy: https://policies.google.com/privacy
- Google Terms of Service: https://policies.google.com/terms
Cloudflare Turnstile
A service provided by Cloudflare, Inc.
- What it does: Presents a privacy-friendly CAPTCHA widget on the comment form and verifies the response server-side.
- When data is sent: Only when Cloudflare Turnstile is enabled in settings. A token is sent to Cloudflare’s API (https://challenges.cloudflare.com/turnstile/v0/siteverify) when a visitor submits a comment.
- What data is sent: The visitor’s IP address and a Turnstile token.
- Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
- Cloudflare Terms of Service: https://www.cloudflare.com/website-terms/
Both services are entirely optional. If you do not enter API keys or enable either CAPTCHA, no data is sent to any third party.