DigitaleZen AntiSpam Shield for CF7

plugin banner

The ultimate shield for Contact Form 7. Blocks spam with honeypots, tokens and a live blacklist—no CAPTCHA.

Author:Riccardo Rosignoli (profile at wordpress.org)
WordPress version required:5.6
WordPress version tested:6.8.3
Plugin version:1.0.0
Added to WordPress repository:08-12-2025
Last updated:08-12-2025
Rating, %:0
Rated by:0
Plugin URI:
Total downloads:129
plugin download
Click to start download

????️ DigitaleZen AntiSpam Shield for CF7 is a lightweight yet powerful plugin that protects Contact Form 7 forms from spam, bots, and suspicious submissions.

It combines a multi-layered defense system, including:

  • Invisible honeypot field
  • Hourly-expiring SHA256 token
  • Automatic flood protection
  • Temporary IP firewall
  • Real-time blacklist updates every 24h (StopForumSpam, Spamhaus, SpamCop)
  • Advanced CSV logging
  • Interactive dashboard with chart and bot log
  • Weekly report via email (configurable)

✅ No complex setup. No CAPTCHA. No data collection.
Works out-of-the-box.

Features

  • ???? Invisible honeypot protection
  • ⏱️ Minimum send time (4 seconds)
  • ???? SHA256 token valid for 2 hours
  • ???? Soft IP firewall (10-minute ban)
  • ???? Dynamic blacklist: IPs, emails, domains, keywords, usernames
  • ???? Flood protection: 3 submissions = auto ban
  • ???? Detailed logging (date, IP, email, reason, trigger)
  • ???? Interactive chart of blocked spam by type and timeframe
  • ???? Weekly email reports
  • ???? Clean and minimalist DigitaleZen-style UI
  • ???? Admin-only dashboard access

External services

This plugin periodically downloads an updated anti-spam blacklist from a service operated by DigitaleZen and hosted on Google Apps Script (domain: script.google.com).

• Purpose: fetch a JSON list of abusive/disposable emails and domains used by the plugin’s firewall checks.
• When data is sent: once per day via WP-Cron (and when an admin triggers a manual update).
• What data is sent: no form submissions and no user personal data are sent. The request is server-to-server (HTTP GET) and only standard headers (e.g., User-Agent) are included.
• Storage: the downloaded JSON is stored locally within your WordPress site (e.g. under wp-content/uploads in a plugin-specific folder).

Provider policies (service owner): DigitaleZen — https://digitalezen.it/terms/ • https://digitalezen.it/privacy-policy/
Hosting platform policies (infrastructure): Google — https://policies.google.com/terms • https://policies.google.com/privacy

FAQ
ChangeLog