NoCaptcha Spam Filter for Contact Form 7

NoCaptcha Spam Filter for Contact Form 7 provides a deterministic, cache-safe, multi-layered defense against automated form submissions for Contact Form 7 without the need for CAPTCHAs or external libraries.

The plugin uses a combination of:

• Unique Honeypot: A site-specific hidden field that traps bots.
• Cryptographic Signing: Ensures form tokens are genuine and haven’t been tampered with.
• Anti-Replay Nonces: Each submission is unique; tokens cannot be reused.
• Time-Check Validation: Blocks bots that fill out forms faster than humanly possible.
• Cache-Safe Architecture: Automatically detects stale tokens on cached pages and refreshes them via a lightweight REST API fallback.

Scope of Protection

This plugin is designed to block the vast majority of automated spam submissions (99% of common web crawlers) in Contact Form 7, with zero impact on user experience or performance. However, please note:

• Not a WAF: It is not a substitute for a Web Application Firewall or server-level security layers for mitigating sophisticated DDoS attacks.
• Targeted Attacks: Highly sophisticated bots using headless browsers or manual human bypasses (spam farms) fall outside the scope of lightweight algorithmic protection.

For maximum security, we recommend using this plugin as part of a multi-layered defense strategy.

Configuration (optional, only for advanced users)

You can override defaults in ‘wp-config.php’:
php
define('CF7NCSP_DOMAIN_SALT', 'your-random-string');
define('CF7NCSP_TTL', 2400); // Token lifetime (seconds)
define('CF7NCSP_MIN_TIME', 20); // Minimum time before submission
Recommendations
* Use a long, random string for ‘CF7NCSP_DOMAIN_SALT’
* Keep ‘CF7NCSP_MIN_TIME’ between 10–30 seconds

Privacy Policy

This plugin is designed with privacy-first principles:
* No PII Collection: It does not collect, store, or transmit any Personally Identifiable Information (PII).
* No Persistent IP Storage: IP addresses are used transiently for rate limiting and are not stored in plain form or retained beyond a short-lived, temporary cache.
* Local Processing: All validation happens on your server. No data is sent to third-party services.
* Cookieless: The plugin does not set any browser cookies.

Disclaimer

This plugin is provided “as is”, without warranty of any kind, express or implied. Use at your own risk. While best efforts have been made to ensure reliability and security, the author is not liable for any damages or losses resulting from its use.

** DEVELOPER’S NOTE: **

This plugin is designed to be a lightweight, “set and forget” solution. It focuses on stability and minimal maintenance, with updates provided as needed for bug fixes and compatibility with WordPress and Contact Form 7. Because it is built to be self-sufficient, please be aware that the developer will not implement non-critical feature requests.