Make your WordPress better

SlySpam — Fast, privacy-friendly anti-spam

Stop bots across comments, registration, and forms — no external API, no PII leakage. Pro adds advanced scoring, curated rule packs, and integrations.

Free core · No external requests · Works with PHP 7.4+

SlySpam Anti-Spam

Version 1.1 · Lightweight & extendable

GPLv2+

The free plugin blocks obvious bots using honeypot, timestamp checksum, rate-limit, and smart server-side checks. Pro adds an advanced scoring engine, rule packs (spam words, disposable email domains, URL shorteners), and native integrations: Woo, WPForms, Gravity, Elementor.

Free

Core protection

  • Honeypot + timestamp & checksum
  • JS presence cookie (no tracking)
  • Rate-limit per IP/time window
  • Logs, stats & CSV export
  • Contact Form 7 support

Pro

Advanced features

  • Advanced content scoring (links, caps, repeats, non-Latin, duplicates)
  • Rule packs: spam words, disposable emails, shorteners
  • WooCommerce, WPForms, Gravity Forms, Elementor
  • Import/Export JSON packs
  • Fine-tuned thresholds & dry-run mode

Screenshots

  • Dashboard — Overview
  • Settings — Scoring
  • Settings — Rules
  • Logs — Recent events

SlySpam — User Manual

Comprehensive setup & usage guide for Free and Pro editions.

TL;DR

  • Free protects comments, registration, and Contact Form 7 using honeypot, timestamp & checksum, JS cookie, and rate-limit.
  • Pro adds Advanced Scoring, Rule Packs, and integrations for WooCommerce, WPForms, Gravity Forms, and Elementor Forms.
  • Each decision combines the Free gates with the Pro score, which is compared against the thresholds on the Advanced tab. Use Dry-run to calibrate safely.

1) Requirements & Compatibility

2) Quick Start

  1. Install the ZIP: Plugins → Add New → Upload Plugin, then Activate.
  2. Open Settings → SlySpam. Keep JavaScript enabled for best accuracy.
  3. (Optional) Enable Dry-run for 24–48 hours to observe scores without blocking.
  4. (Pro) Enter License (email + key) to unlock Pro tabs & toggles.

3) Configuration — Tabs & Fields

General

  • Rate limit: e.g., 3 submissions per 5 minutes per IP. Prevents bursts without hurting legit users.
  • Logging: Enable/disable logs and set Retention (days). Logs help audit & tune thresholds.
  • Dry-run mode: Never block; only log the “would block/moderate” decision. Perfect for first deployment.
  • Form integrations: Free includes Contact Form 7. Pro toggles: WooCommerce, WPForms, Gravity Forms, Elementor.

License (Pro)

Enter your license email & key. Activation is local (no external calls). Pro tabs & switches become active immediately.

Advanced

Final decision compares total score to thresholds:

| Total score | Decision | Notes |
| --- | --- | --- |
| < Moderate threshold | Allow | Submission goes through. |
| ≥ Moderate, < Block | Moderate | Held for review (comments/forms). Woo checkout remains permissive by default. |
| ≥ Block threshold | Block | Submission is denied with an error. |

Recommended defaults: Moderate 5, Block 10.

Scoring (Pro)

Pro adds content heuristics. Free gates always run; Pro score is added on top.

Links

  • Allow links free of charge — Number of links allowed without penalty (e.g., 1).
  • Points per extra link — Penalty per extra link beyond allowance (e.g., 2–3).
  • Shortener link penalty — Extra points for shorteners (bit.ly, t.co) from packs (e.g., 4–8).

Content

  • Spam word penalty — Applies to words from your Rules (whole-word, case-insensitive).
  • Duplicate content penalty — Same content posted again in a short window.
  • Character repeats / Uppercase / Non-Latin ratio — Detect shouty or machine-like text.

Email reputation

  • Blacklisted domain penalty — Your blocklist domains (Rules).
  • Disposable email penalty — From the disposable domains pack (Rules).

Presets (suggested)

  • Blog: Allow links 1, Extra link 3, Shortener 6, Spam word 3–4.
  • Contact: Allow links 0, Extra link 4, Shortener 8, Spam word 5.
  • Woo/e-commerce: Allow links 1–2, Extra link 2, Shortener 4–6.

Rules & Rule Packs (Pro)

Rules provide the data that Scoring uses. Enable packs or add your own lists.

  • Block lists: Words, domains, emails (one per line). Words match as whole words; domains match subdomains too.
  • Allow lists: Whitelists for domains/emails (override blocks).
  • Rule packs: Toggle curated packs: spam words, disposable domains, URL shorteners.
  • Import/Export JSON: Supported keys: spam_words, disposable_domains, url_shorteners.

Sample Rule Pack JSON

{
  "spam_words": ["casino","viagra","loan","betting"],
  "disposable_domains": ["mailinator.com","guerrillamail.com"],
  "url_shorteners": ["bit.ly","t.co","goo.gl","tinyurl.com"]
}

Tip: increase Spam word penalty to ≥ your Block threshold if you want a single word to block immediately.
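
How the Scoring penalties, the rule pack above and the Advanced thresholds combine into Allow / Moderate / Block, as an added JavaScript sketch (not SlySpam's own code). Penalties follow the Blog preset with thresholds 5/10; the disposable-email penalty of 6, counting per link and per distinct word, and the reason strings are assumptions.

```javascript
// Added illustration, not the plugin's implementation.
const pack = {
  spam_words: ["casino", "viagra", "loan", "betting"],
  disposable_domains: ["mailinator.com", "guerrillamail.com"],
  url_shorteners: ["bit.ly", "t.co", "goo.gl", "tinyurl.com"],
};
// Blog preset from the page; `disposable: 6` is an assumed value.
const cfg = { allowLinks: 1, extraLink: 3, shortener: 6, spamWord: 4,
              disposable: 6, moderate: 5, block: 10 };

// A listed domain matches itself and any of its subdomains.
const domainMatches = (host, list) =>
  list.some((d) => host === d || host.endsWith("." + d));
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function score(text, email, allowDomains = []) {
  const reasons = [];
  let total = 0;
  const add = (pts, why) => { if (pts > 0) { total += pts; reasons.push(why); } };

  // Links: the first `allowLinks` are free, shortener hosts cost extra.
  const hosts = [...text.matchAll(/https?:\/\/([^\/\s:]+)/gi)]
    .map((m) => m[1].toLowerCase());
  add(Math.max(0, hosts.length - cfg.allowLinks) * cfg.extraLink, "extra_links");
  add(hosts.filter((h) => domainMatches(h, pack.url_shorteners)).length
      * cfg.shortener, "shortener");

  // Spam words: whole-word, case-insensitive ("Casinoland" does not match).
  for (const w of pack.spam_words) {
    if (new RegExp(`\\b${esc(w)}\\b`, "i").test(text)) add(cfg.spamWord, `spam_word:${w}`);
  }

  // Email reputation: the allow list overrides the disposable pack.
  const emailHost = (email.split("@")[1] || "").toLowerCase();
  if (!domainMatches(emailHost, allowDomains) &&
      domainMatches(emailHost, pack.disposable_domains)) {
    add(cfg.disposable, "disposable_email");
  }

  const decision = total >= cfg.block ? "Block"
                 : total >= cfg.moderate ? "Moderate" : "Allow";
  return { total, decision, reasons };
}
```

With these values one shortener link plus one spam word reaches exactly the Block threshold, which is the kind of interaction Dry-run logs make visible before enforcement.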

Logs

  • See recent events (Allow/Moderate/Block) with score and reasons.
  • 7-day stats summary, CSV export, and retention purge.
  • Data stored locally: timestamp, source, IP, email (if available), reasons, and basic meta (UA, referrer).

Form Integrations (Pro)

WooCommerce Checkout

  • Enable toggle in General → Form integrations.
  • Hidden fields are injected; validation runs on the woocommerce_checkout_process hook.
  • Moderate does not block checkout; Block shows an error notice.

Contact Form 7 (Free)

  • Toggle on in General. Fields are injected automatically, and the integration works with AJAX submissions.
  • Generic validator catches posts with SlySpam hidden fields.

WPForms

  • Injection through frontend output filter; validation on process hook.
  • On block, a global form error is displayed.

Gravity & Elementor

  • Gravity: hidden fields before submit; validation via central filter.
  • Elementor: inject after fields; validation before actions (AJAX-safe).

4) Testing & Calibration

  1. Dry-run first: enable for 24–48h and watch Logs → reasons and total scores.
  2. Honeypot check: reveal the hidden field sly_hp in devtools, type anything, submit → should Block.
  3. Fast submit: load a page and submit < 1s → expect fast_submit to add points (often Moderate).
  4. Rule test (Pro): add casino in Block words and set Spam word penalty high → a single word should Block.
  5. Woo checkout: place a normal order → Allow; try disposable email + spam word → Block.

Tip: If many legit posts hit Moderate, raise Moderate threshold or lower specific penalties (e.g., Uppercase).

5) Troubleshooting

Nothing appears in Logs

  • Ensure Logging is enabled and retention > 0.
  • Visit the Logs tab once (initializes table if needed).
  • Submit a test form/comment to trigger logging.

“Checksum / No JS cookie” on legit users

  • Confirm assets/frontend.js loads (Network 200).
  • Check that ad blockers are not blocking it; use a neutral path/name if they are.

Too strict on multi-language content

  • Lower or disable Non-Latin ratio penalty.
  • Keep thresholds at 5/10 to avoid accidental blocks.

Woo checkout blocked

  • Check reasons (Logs). Disposable email is a common single-trigger Block.
  • Consider lowering penalties or raising Block threshold.

6) Privacy & Data

7) Reference — Fields & Selectors

| Purpose | Field name | Notes |
| --- | --- | --- |
| Honeypot | sly_hp | Hidden text input; any value triggers Block. |
| Timestamp | sly_ts | Epoch seconds; used for fast-submit check and checksum. |
| Checksum | sly_cs | Computed by frontend.js: (ts*17+1337).toString(36). |
| JS Cookie | slyspam_js=1 | Presence-only (no tracking); improves confidence. |

Selectors example (registration): form#registerform input[name="sly_hp"]
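
The checks implied by the fields above, as an added JavaScript sketch (not SlySpam's own code): it recomputes the checksum with the formula from the table, applies the 1-second fast-submit test from Testing & Calibration, and validates sly_ts strictly before using it. The function names, the Pass/Flag/Block labels and every reason string except fast_submit are assumptions.

```javascript
// Added illustration, not the plugin's implementation.
// Formula from the reference table: (ts*17+1337).toString(36)
const expectedChecksum = (ts) => (ts * 17 + 1337).toString(36);

function checkGates(fields, cookies, nowSec) {
  // Honeypot: any value at all is a Block.
  if ((fields.sly_hp || "") !== "") {
    return { gate: "Block", reasons: ["honeypot"] };
  }

  const reasons = [];
  // Accept digits only, so "17e8", "0x10" or " 5" never reach Number().
  const raw = String(fields.sly_ts ?? "");
  const ts = /^\d{1,12}$/.test(raw) ? Number(raw) : NaN;

  if (Number.isNaN(ts)) {
    reasons.push("bad_timestamp");
  } else {
    // The checksum must match the timestamp that was actually submitted.
    if (fields.sly_cs !== expectedChecksum(ts)) reasons.push("checksum");
    // Under one second since render; a timestamp in the future lands here too.
    if (nowSec - ts < 1) reasons.push("fast_submit");
  }

  // Presence-only cookie set by frontend.js.
  if (cookies.slyspam_js !== "1") reasons.push("no_js_cookie");

  // Reasons feed the score; how many points each adds is not given on the page.
  return { gate: reasons.length ? "Flag" : "Pass", reasons };
}
```

A matching sly_cs shows that the client evaluated the published formula, so it works as one signal alongside the honeypot, timing and rate limit rather than as proof of a human sender.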

Upgrade to SlySpam Pro

Advanced scoring, rule packs, and form integrations. Cancel anytime.

FAQ

Does SlySpam send data to external servers?

No. All checks run locally on your site. Pro license activation is local as well.

Will it block legitimate WooCommerce orders?

With default thresholds the checkout is conservative. Only clear spam patterns (e.g., disposable email + spam words) trigger a block.

What’s the difference between Moderate and Block?

Moderate holds comments/forms for review (where applicable). Block stops the submission immediately with an error.

How do Rule Packs work?

They extend your own lists with curated data: spam words, disposable domains, and URL shorteners. Enable packs in Rules and adjust penalties in Scoring.

Does it work without JavaScript?

Yes. JavaScript improves accuracy (checksum & cookie) but the core protections still apply without it.

What data is stored in Logs?

Timestamp, source, IP (forensics), email (if available), score, decision, reasons, basic meta (user agent, referrer). Retention is configurable.