Security fix: Elementor Pro forms are now actually bot-protected by default. The previous guard never fired on real (admin-ajax) submissions. Update recommended for any site using Elementor Pro forms.<\/p>","1.6.0":"
Adds Contact Form 7 protection, on by default. CF7 submissions (sent over its REST feedback endpoint) are now bot-checked on their own toggle without enabling the broad REST guard. Anonymous spam is blocked; verified browsers and authenticated API calls are unaffected.<\/p>","1.5.0":"
Adds WPForms protection (on by default; covers the Mesmerize \/ Materialis contact form) and scopes REST \/ admin-ajax protection to anonymous traffic, so authenticated API calls (WooCommerce REST, Application Passwords, OAuth) are no longer blocked. It is now safe to enable REST \/ admin-ajax protection alongside API integrations.<\/p>","1.4.2":"
Fixes a false-positive 403 on early Performance: the SDK and bootstrap now load deferred (non-render-blocking) with a preconnect hint to the edge, removing the render-blocking penalty. No behaviour or configuration change.<\/p>","1.4.0":" Compatibility hardening for caching \/ optimization stacks (WP Rocket, LiteSpeed, SiteGround, Perfmatters, Autoptimize, FlyingPress, Cloudflare). The verification SDK now resists being self-hosted, rewritten or stripped and self-heals if it never loads. No configuration change needed.<\/p>","1.3.0":" Adds a bulk-add picker for the Allowed Domains list (Multisite, WPML, Polylang, or paste). No behaviour change for existing installs \u2014 fresh sites still auto-allow only the main domain.<\/p>","1.2.9":" Listing copy refresh only \u2014 no behaviour change.<\/p>","1.2.6":" Compliance update: scripts and styles are now enqueued the WordPress way. No\nbehaviour change.<\/p>","1.2.5":" Adds the verified-session layer and global AJAX\/REST coverage. Existing sites\nstay in Monitor mode until you opt into enforcement.<\/p>","1.2.0":" Major enforcement overhaul: missing tokens are no longer silently allowed.\nExisting installs upgrade safely into Monitor (logging only) mode.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3545156,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3545156,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.2.6","1.2.7","1.2.8","1.2.9","1.3.0","1.4.0","1.4.1","1.5.0","1.6.0","1.6.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3545156,"resolution":"1","location":"assets","locale":"","width":2244,"height":1798},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3545156,"resolution":"2","location":"assets","locale":"","width":2238,"height":1810},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3545156,"resolution":"3","location":"assets","locale":"","width":2252,"height":1828}},"screenshots":{"1":"TrustSig dashboard overview: protection status, recent verifications, and the current mode at a glance.","2":"Protection details: per-form coverage across WordPress core, WooCommerce, BuddyPress, EDD, and Elementor.","3":"Settings: switch between Monitor, Challenge, and Enforce, configure brute-force lockout, and link an optional dashboard account."}},"plugin_section":[],"plugin_tags":[166108,2439,600,599,286],"plugin_category":[45,54],"plugin_contributors":[264124],"plugin_business_model":[],"class_list":["post-315143","plugin","type-plugin","status-publish","hentry","plugin_tags-bot-protection","plugin_tags-brute-force","plugin_tags-security","plugin_tags-spam","plugin_tags-woocommerce","plugin_category-ecommerce","plugin_category-security-and-spam-protection","plugin_contributors-robertvahhi","plugin_committers-robertvahhi"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/trustsig-security\/assets\/icon-128x128.png?rev=3545156","icon_2x":"https:\/\/ps.w.org\/trustsig-security\/assets\/icon-256x256.png?rev=3545156","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-1.png?rev=3545156","caption":"TrustSig dashboard overview: protection status, recent verifications, and the current mode at a glance."},{"src":"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-2.png?rev=3545156","caption":"Protection details: per-form coverage across WordPress core, WooCommerce, BuddyPress, EDD, and Elementor."},{"src":"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-3.png?rev=3545156","caption":"Settings: switch between Monitor, Challenge, and Enforce, configure brute-force lockout, and link an optional dashboard account."}],"raw_content":"\n TrustSig Security protects WordPress forms and API endpoints from scripted bots and brute-force attacks.<\/strong> No puzzles. No \"I am not a robot\" checkboxes. No third-party signup required to start. Coverage depends on the protection mode you choose \u2014 see \"Protection modes\" below.<\/p>\n\n <\/a>\n<\/a>\n<\/a><\/p>\n\n TrustSig injects a lightweight browser SDK, signs every rendered form with a per-site secret, and verifies submissions against the TrustSig Edge service. Real visitors pass an invisible check in about a second; scripted clients that never run JavaScript are stopped.<\/p>\n\n When a request arrives without a valid token, TrustSig does not silently fail\nopen. Depending on the mode you choose it serves a lightweight \"please wait\"\ninterstitial that re-verifies the browser and then transparently continues the\noriginal request \u2014 or blocks it.<\/p>\n\n The plugin works out of the box with no account and no API keys<\/strong> (anonymous\nfree tier). Connecting a TrustSig dashboard account is optional and only adds\nanalytics and higher limits.<\/p>\n\n Browser forms are protected automatically with no code:<\/p>\n\n It also includes optional brute-force lockout for repeated failed logins, an\nopt-in admin-ajax \/ REST API guard, and a developer verification API.<\/p>\n\n This plugin relies on the TrustSig Edge<\/strong> service to decide whether a request\ncomes from a human or an automated client. This bot-detection verdict cannot be\nproduced locally, so the service is required for the plugin's core\nfunctionality.<\/p>\n\n Service provider:<\/strong> TrustSig \u2014 https:\/\/trustsig.eu<\/p>\n\n Remote script loaded in the browser:<\/strong>\n https:\/\/edge.trustsig.eu\/trustsig.js is loaded on pages that contain a\nprotected form, on the login screen, and on the verification interstitial. The\nscript runs the non-interactive browser check and produces a verification\ntoken.<\/p>\n\n Data sent from the visitor's browser \/ your server to\n https:\/\/edge.trustsig.eu\/verify:<\/strong><\/p>\n\n When data is sent:<\/strong> when the SDK loads on a protected page, when a protected\nform is submitted, and once per browser when the optional verified-session\ncookie is bootstrapped.<\/p>\n\n Data stored locally on your site:<\/strong> TrustSig writes a verification log to\nyour own WordPress database (custom tables) that includes visitor IP addresses,\nthe action attempted, and the verdict. This data is not sent to TrustSig; you\ncan clear it at any time from Settings \u2192 TrustSig \u2192 Tools.<\/p>\n\n By installing and activating this plugin you (the site administrator) consent to\nthis data being sent to TrustSig so that requests can be verified. Inform your\nown site's visitors as required by your local privacy obligations.<\/p>\n\n No. The plugin protects your forms immediately on activation using the\nanonymous free tier. An account is only needed for analytics and higher limits.<\/p><\/dd>\n A browser verification token, your site host name (or your secret key if you\nconnect an account), and standard HTTPS request metadata are sent to the\nTrustSig Edge service. See the \"External services\" section above for the full\ndisclosure, including links to the Terms of Service and Privacy Policy.<\/p><\/dd>\n In Challenge mode (the default) a visitor whose token is missing sees a brief\n\"please wait\" page that re-verifies the browser and then continues the original\nrequest automatically. Monitor mode never blocks. Enforce mode is the strictest\nand can block visitors with JavaScript disabled.<\/p><\/dd>\n Yes. Forms are signed with a server-issued nonce and the SDK fills the token\nclient-side, so cached pages are still protected.<\/p><\/dd>\n Settings \u2192 TrustSig \u2192 Tools shows a private recovery URL that bypasses all\nchecks once. You can also add your IP to the whitelist.<\/p><\/dd>\n Yes, it is licensed GPLv2 or later.<\/p><\/dd>\n\n<\/dl>\n\n\nlei_ajax_settings=1<\/code> bootstrap requests under API protection. Tightly scoped allowlist \u2014 not a general bypass.<\/p>","1.4.1":"Why TrustSig<\/h4>\n\n
\n
trustsig_verify()<\/code>, REST endpoint \/wp-json\/trustsig\/v1\/verify<\/code>, filters and actions for custom forms.<\/li>\nHow it works<\/h4>\n\n
Protection modes<\/h4>\n\n
\n
What it protects<\/h4>\n\n
\n
[trustsig_form]<\/code>\nshortcode, or a hidden trustsig-response<\/code> input)<\/li>\n<\/ul>\n\nFor developers<\/h4>\n\n
\n
trustsig_verify( array( 'token' => $t, 'action' => 'my_form' ) )<\/code>\nreturns pass<\/code> | fail<\/code> | challenge<\/code>. Filters: trustsig_pre_verify<\/code>,\n trustsig_result. Action: trustsig_blocked<\/code>.<\/li>\nPOST \/wp-json\/trustsig\/v1\/verify<\/code> with { \"token\": \"...\" }<\/code>.<\/li>\n<\/ul>\n\nKnown limitations<\/h4>\n\n
\n
xmlrpc.php<\/code>) is intentionally out of scope and is not verified.\nDisable XML-RPC separately if it is unused on your site.<\/li>\nExternal services<\/h3>\n\n
\n
example.com<\/code>) on the anonymous free tier, or, if\nyou connect a dashboard account, the secret key you entered;<\/li>\n\n
\n
trustsig-security<\/code> folder to \/wp-content\/plugins\/<\/code>, or install\nthe plugin through the WordPress Plugins screen.<\/li>\n\n
Do I need an account or API keys?<\/h3><\/dt>\n
What data leaves my site?<\/h3><\/dt>\n
Will this block real visitors?<\/h3><\/dt>\n
Does it work with caching plugins?<\/h3><\/dt>\n
How do I temporarily bypass protection if I lock myself out?<\/h3><\/dt>\n
Is the plugin GPL?<\/h3><\/dt>\n
1.6.1<\/h4>\n\n
\n
elementor_pro\/forms\/validation<\/code> hook inside the protection-hooks loader, which is skipped on admin-ajax requests \u2014 and Elementor submits over admin-ajax, so the hook never ran on a real submission. An anonymous tokenless POST to the Elementor form action was not bot-checked unless the broad admin-ajax guard was enabled. Elementor forms are now guarded directly in the request interceptor on their own default-on toggle, mirroring WPForms. Verified browsers pass through; tokenless submissions are blocked.<\/li>\n<\/ul>\n\n1.6.0<\/h4>\n\n
\n
POST \/contact-form-7\/v1\/contact-forms\/<id>\/feedback<\/code>, which previously was only covered if the broad REST guard was switched on. It is now bot-checked on its own toggle, like WPForms. Only anonymous tokenless submissions are challenged\/blocked; verified browsers and any authenticated request pass straight through. Matched narrowly to the submission route, so CF7's other endpoints and unrelated REST traffic are never touched.<\/li>\ntrustsig_rest_form_guards<\/code> filter so integrators can register additional form-plugin REST submission endpoints for default-on protection without enabling the broad REST guard.<\/li>\n<\/ul>\n\n1.5.0<\/h4>\n\n
\n
wpforms_submit<\/code> action used by the Mesmerize \/ Materialis contact section and any [wpforms]<\/code> embed) is now bot-checked on its own toggle, without having to enable the broad admin-ajax guard. Anonymous tokenless submissions are blocked; a verified browser passes straight through.<\/li>\nrest_pre_dispatch<\/code>), where authentication is resolved, instead of too early on init<\/code>. Only anonymous writes (POST\/PUT\/PATCH\/DELETE) are verified; reads pass through.<\/li>\ntrustsig_rest_allowlist<\/code> and trustsig_ajax_allowlist<\/code> filters) for unauthenticated-but-legitimate callbacks such as signature-verified payment webhooks.<\/li>\n<\/ul>\n\n1.4.2<\/h4>\n\n
\n
lei_ajax_settings=1<\/code> settings ping fired before the SDK has loaded (so it can carry no token) is now allowed through. Strictly scoped \u2014 only a POST body containing exactly that one field set to \"1\" and nothing else is exempt; any additional field falls through to the normal guard.<\/li>\n<\/ul>\n\n1.4.1<\/h4>\n\n
\n
defer<\/code> attribute so they no longer block first paint, plus a preconnect\/dns-prefetch hint to the edge so the connection is warmed in parallel with page parsing. Removes the render-blocking penalty without weakening protection \u2014 pending submissions still wait for the verifier.<\/li>\n<\/ul>\n\n1.4.0<\/h4>\n\n
\n
1.3.0<\/h4>\n\n
\n
1.2.9<\/h4>\n\n
\n
1.2.8<\/h4>\n\n
\n
1.2.7<\/h4>\n\n
\n
1.2.6<\/h4>\n\n
\n
1.2.5<\/h4>\n\n
\n
1.2.0<\/h4>\n\n
\n
1.0.0<\/h4>\n\n
\n
![<\/a>\n](\"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-1.png\"){kind=link}
![<\/a>\n](\"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-2.png\"){kind=link}
![<\/a><\/p>\n\nWhy TrustSig<\/h4>\n\n\nProtects every important form out of the box<\/strong> \u2014 login, registration, comments, password reset, WooCommerce checkout, BuddyPress signup, Easy Digital Downloads, Elementor Pro forms, WPForms (including the Mesmerize \/ Materialis contact form), Contact Form 7, and any custom form via shortcode.<\/li>\nStops brute-force login attempts<\/strong> with built-in lockout after repeated failures.<\/li>\nInvisible to humans<\/strong> \u2014 real visitors are verified in under a second by a non-interactive browser check. No CAPTCHA, no images to click.<\/li>\nThree protection modes<\/strong> \u2014 Monitor (log only), Challenge (default, soft block with auto-retry), Enforce (hard block).<\/li>\nZero configuration<\/strong> \u2014 activate the plugin and protection is live immediately. Anonymous free tier needs no account.<\/li>\nWorks with caching plugins, WPML, multisite and most themes<\/strong> \u2014 forms are signed server-side with a per-site secret.<\/li>\nDeveloper-friendly<\/strong> \u2014 PHP helper trustsig_verify()<\/code>, REST endpoint \/wp-json\/trustsig\/v1\/verify<\/code>, filters and actions for custom forms.<\/li>\nOptional admin-ajax and REST API guard<\/strong> for advanced sites.<\/li>\nGPLv2<\/strong> \u2014 fully open source.<\/li>\n<\/ul>\n\nHow it works<\/h4>\n\nTrustSig injects a lightweight browser SDK, signs every rendered form with a per-site secret, and verifies submissions against the TrustSig Edge service. Real visitors pass an invisible check in about a second; scripted clients that never run JavaScript are stopped.<\/p>\n\nWhen a request arrives without a valid token, TrustSig does not silently fail\nopen. Depending on the mode you choose it serves a lightweight \"please wait\"\ninterstitial that re-verifies the browser and then transparently continues the\noriginal request \u2014 or blocks it.<\/p>\n\nThe plugin works out of the box with no account and no API keys<\/strong> (anonymous\nfree tier). Connecting a TrustSig dashboard account is optional and only adds\nanalytics and higher limits.<\/p>\n\nProtection modes<\/h4>\n\n\nMonitor<\/strong> \u2014 verify and log only, never block. Used for safe rollout; the\nupgrade path also pins existing sites here so behaviour never changes\nsilently on update.<\/li>\nChallenge<\/strong> (default for new installs) \u2014 a missing or invalid token shows\nthe interstitial, then continues or blocks.<\/li>\nEnforce<\/strong> \u2014 a missing or invalid token is blocked immediately.<\/li>\n<\/ul>\n\nWhat it protects<\/h4>\n\nBrowser forms are protected automatically with no code:<\/p>\n\n\nWordPress core \u2014 login, registration, comments, lost\/reset password<\/li>\nWooCommerce \u2014 login, registration, checkout, pay order, lost password<\/li>\nBuddyPress \u2014 registration<\/li>\nEasy Digital Downloads \u2014 login, registration<\/li>\nElementor Pro forms<\/li>\nWPForms \u2014 contact and other forms, on by default (covers the Mesmerize \/ Materialis contact section)<\/li>\nContact Form 7 \u2014 feedback submissions, on by default (guarded on the REST endpoint CF7 submits to)<\/li>\nAny other form (site-wide \"protect all forms\" option, the [trustsig_form]<\/code>\nshortcode, or a hidden trustsig-response<\/code> input)<\/li>\n<\/ul>\n\nIt also includes optional brute-force lockout for repeated failed logins, an\nopt-in admin-ajax \/ REST API guard, and a developer verification API.<\/p>\n\nFor developers<\/h4>\n\n\nPHP: trustsig_verify( array( 'token' => $t, 'action' => 'my_form' ) )<\/code>\nreturns pass<\/code> | fail<\/code> | challenge<\/code>. Filters: trustsig_pre_verify<\/code>,\n trustsig_result. Action: trustsig_blocked<\/code>.<\/li>\nREST: POST \/wp-json\/trustsig\/v1\/verify<\/code> with { \"token\": \"...\" }<\/code>.<\/li>\n<\/ul>\n\nKnown limitations<\/h4>\n\n\nXML-RPC (xmlrpc.php<\/code>) is intentionally out of scope and is not verified.\nDisable XML-RPC separately if it is unused on your site.<\/li>\nadmin-ajax and the REST API are only protected when explicitly enabled in\nSettings, to avoid breaking third-party integrations.<\/li>\nFile-upload and AJAX submissions cannot show the interstitial; under\nChallenge or Enforce mode a missing token on those is blocked, never\nsilently allowed.<\/li>\n<\/ul>\n\nExternal services<\/h3>\n\nThis plugin relies on the TrustSig Edge<\/strong> service to decide whether a request\ncomes from a human or an automated client. This bot-detection verdict cannot be\nproduced locally, so the service is required for the plugin's core\nfunctionality.<\/p>\n\nService provider:<\/strong> TrustSig \u2014 https:\/\/trustsig.eu<\/p>\n\nRemote script loaded in the browser:<\/strong>\n https:\/\/edge.trustsig.eu\/trustsig.js is loaded on pages that contain a\nprotected form, on the login screen, and on the verification interstitial. The\nscript runs the non-interactive browser check and produces a verification\ntoken.<\/p>\n\nData sent from the visitor's browser \/ your server to\n https:\/\/edge.trustsig.eu\/verify:<\/strong><\/p>\n\n\nthe TrustSig verification token generated by the SDK in the visitor's browser;<\/li>\nyour site's host name (e.g. example.com<\/code>) on the anonymous free tier, or, if\nyou connect a dashboard account, the secret key you entered;<\/li>\nas part of any HTTPS request, the visitor's IP address and standard request\nmetadata (such as the user-agent) are visible to the service.<\/li>\n<\/ul>\n\nWhen data is sent:<\/strong> when the SDK loads on a protected page, when a protected\nform is submitted, and once per browser when the optional verified-session\ncookie is bootstrapped.<\/p>\n\nData stored locally on your site:<\/strong> TrustSig writes a verification log to\nyour own WordPress database (custom tables) that includes visitor IP addresses,\nthe action attempted, and the verdict. This data is not sent to TrustSig; you\ncan clear it at any time from Settings \u2192 TrustSig \u2192 Tools.<\/p>\n\nBy installing and activating this plugin you (the site administrator) consent to\nthis data being sent to TrustSig so that requests can be verified. Inform your\nown site's visitors as required by your local privacy obligations.<\/p>\n\n\nTerms of Service: https:\/\/trustsig.eu\/terms-of-service\/<\/li>\nPrivacy Policy: https:\/\/trustsig.eu\/privacy<\/li>\n<\/ul>\n\n\n\nUpload the trustsig-security<\/code> folder to \/wp-content\/plugins\/<\/code>, or install\nthe plugin through the WordPress Plugins screen.<\/li>\nActivate the plugin through the 'Plugins' menu in WordPress.<\/li>\nNavigate to Settings \u2192 TrustSig. Protection is active immediately with no\nfurther configuration.<\/li>\n(Optional) Enter your Site Key and Secret Key to link a TrustSig dashboard\naccount for analytics and higher limits.<\/li>\n<\/ol>\n\n\n\nDo I need an account or API keys?<\/h3><\/dt>\nNo. The plugin protects your forms immediately on activation using the\nanonymous free tier. An account is only needed for analytics and higher limits.<\/p><\/dd>\nWhat data leaves my site?<\/h3><\/dt>\nA browser verification token, your site host name (or your secret key if you\nconnect an account), and standard HTTPS request metadata are sent to the\nTrustSig Edge service. See the \"External services\" section above for the full\ndisclosure, including links to the Terms of Service and Privacy Policy.<\/p><\/dd>\nWill this block real visitors?<\/h3><\/dt>\nIn Challenge mode (the default) a visitor whose token is missing sees a brief\n\"please wait\" page that re-verifies the browser and then continues the original\nrequest automatically. Monitor mode never blocks. Enforce mode is the strictest\nand can block visitors with JavaScript disabled.<\/p><\/dd>\nDoes it work with caching plugins?<\/h3><\/dt>\nYes. Forms are signed with a server-issued nonce and the SDK fills the token\nclient-side, so cached pages are still protected.<\/p><\/dd>\nHow do I temporarily bypass protection if I lock myself out?<\/h3><\/dt>\nSettings \u2192 TrustSig \u2192 Tools shows a private recovery URL that bypasses all\nchecks once. You can also add your IP to the whitelist.<\/p><\/dd>\nIs the plugin GPL?<\/h3><\/dt>\nYes, it is licensed GPLv2 or later.<\/p><\/dd>\n\n<\/dl>\n\n\n1.6.1<\/h4>\n\n\nSecurity fix: Elementor Pro form protection now actually fires. The guard was registered on the elementor_pro\/forms\/validation<\/code> hook inside the protection-hooks loader, which is skipped on admin-ajax requests \u2014 and Elementor submits over admin-ajax, so the hook never ran on a real submission. An anonymous tokenless POST to the Elementor form action was not bot-checked unless the broad admin-ajax guard was enabled. Elementor forms are now guarded directly in the request interceptor on their own default-on toggle, mirroring WPForms. Verified browsers pass through; tokenless submissions are blocked.<\/li>\n<\/ul>\n\n1.6.0<\/h4>\n\n\nAdded first-class Contact Form 7 protection, enabled by default. CF7 submits over the REST route POST \/contact-form-7\/v1\/contact-forms\/<id>\/feedback<\/code>, which previously was only covered if the broad REST guard was switched on. It is now bot-checked on its own toggle, like WPForms. Only anonymous tokenless submissions are challenged\/blocked; verified browsers and any authenticated request pass straight through. Matched narrowly to the submission route, so CF7's other endpoints and unrelated REST traffic are never touched.<\/li>\nAdded a trustsig_rest_form_guards<\/code> filter so integrators can register additional form-plugin REST submission endpoints for default-on protection without enabling the broad REST guard.<\/li>\n<\/ul>\n\n1.5.0<\/h4>\n\n\nAdded first-class WPForms protection, enabled by default: the contact-form submission (the wpforms_submit<\/code> action used by the Mesmerize \/ Materialis contact section and any [wpforms]<\/code> embed) is now bot-checked on its own toggle, without having to enable the broad admin-ajax guard. Anonymous tokenless submissions are blocked; a verified browser passes straight through.<\/li>\nREST API and admin-ajax protection are now scoped to anonymous traffic only. Authenticated requests \u2014 logged-in cookie + nonce, Application Passwords, WooCommerce REST API keys and OAuth \u2014 defer to WordPress's own authorization. This fixes legitimate API traffic (WooCommerce REST, headless front-ends, server-to-server integrations) being blocked for carrying no browser token, which could cascade into side effects such as order emails not being sent.<\/li>\nREST verification now runs at dispatch time (rest_pre_dispatch<\/code>), where authentication is resolved, instead of too early on init<\/code>. Only anonymous writes (POST\/PUT\/PATCH\/DELETE) are verified; reads pass through.<\/li>\nAdded route and action allowlists (Advanced \u2192 API surface, plus the trustsig_rest_allowlist<\/code> and trustsig_ajax_allowlist<\/code> filters) for unauthenticated-but-legitimate callbacks such as signature-verified payment webhooks.<\/li>\n<\/ul>\n\n1.4.2<\/h4>\n\n\nFixed a false-positive 403 on early theme\/app bootstrap requests under API protection: a frontend lei_ajax_settings=1<\/code> settings ping fired before the SDK has loaded (so it can carry no token) is now allowed through. Strictly scoped \u2014 only a POST body containing exactly that one field set to \"1\" and nothing else is exempt; any additional field falls through to the normal guard.<\/li>\n<\/ul>\n\n1.4.1<\/h4>\n\n\nPerformance: the SDK and bootstrap now load with the native defer<\/code> attribute so they no longer block first paint, plus a preconnect\/dns-prefetch hint to the edge so the connection is warmed in parallel with page parsing. Removes the render-blocking penalty without weakening protection \u2014 pending submissions still wait for the verifier.<\/li>\n<\/ul>\n\n1.4.0<\/h4>\n\n\nCompatibility hardening for caching and performance-optimization stacks. The verification SDK now always loads live from the edge, even when a host aggressively optimizes assets.<\/li>\nThe SDK and bootstrap script tags carry opt-out markers (data-cfasync, data-no-optimize, data-no-minify, data-no-defer, data-no-lazy) so Cloudflare Rocket Loader, WP Rocket, Autoptimize, LiteSpeed, WP Fastest Cache, Perfmatters and SiteGround Optimizer leave them alone instead of minifying, combining, deferring or self-hosting them.<\/li>\nAdded server-side exclusion filters for WP Rocket, SiteGround Optimizer, Perfmatters, Autoptimize and FlyingPress (each a no-op when its plugin is absent).<\/li>\nAdded a client-side self-heal: if the SDK never initialises \u2014 e.g. LiteSpeed \"Localize Resources\", a CDN rewrite, an over-eager optimizer or an ad blocker rehosted or stripped it \u2014 the canonical edge source is re-injected automatically. It fires only when nothing loaded, so a working copy is never duplicated.<\/li>\nAdded a trustsig_sdk_url filter so operators can repoint the SDK source (e.g. an intentional proxy) without forking the plugin.<\/li>\n<\/ul>\n\n1.3.0<\/h4>\n\n\nNew \"Discover & bulk-add\" picker for the Allowed Domains list \u2014 operators with many country \/ alias domains can pull candidates from WordPress Multisite, WPML and Polylang, or paste a freeform list (newline \/ comma \/ space \/ semicolon separated).<\/li>\nAllowed-domain entries are normalised on save: scheme, userinfo, port, path and trailing dots are stripped, IDN labels are converted to punycode when the intl extension is available, and IPs \/ wildcards \/ single-label hosts are rejected.<\/li>\nFresh installs still auto-allow only the main site domain \u2014 the picker is opt-in, so the zero-config experience is unchanged.<\/li>\n<\/ul>\n\n1.2.9<\/h4>\n\n\nListing copy: removed emoji bullets and tightened the tagline to reflect actual scope (forms plus opt-in admin-ajax \/ REST API guard). No behaviour change.<\/li>\n<\/ul>\n\n1.2.8<\/h4>\n\n\nListing rewrite republished: screenshots now show at the top of the description, feature bullets prominent. No behaviour change.<\/li>\n<\/ul>\n\n1.2.7<\/h4>\n\n\nRewrote the wordpress.org listing: tighter marketing copy, feature bullets, and a 3-shot screenshot carousel (dashboard overview, per-form coverage, settings).<\/li>\nAdded a 256\u00d7256 plugin icon and 128\u00d7128 search-results icon.<\/li>\nNo behaviour change.<\/li>\n<\/ul>\n\n1.2.6<\/h4>\n\n\nAll front-end and admin scripts\/styles are now registered and enqueued via\nwp_enqueue_script\/wp_enqueue_style with configuration passed through\nwp_localize_script; no inline script\/style is printed in the normal page\npipeline.<\/li>\nFixed the Terms of Service link in the readme.<\/li>\n<\/ul>\n\n1.2.5<\/h4>\n\n\nAdded the verified-session layer: after a passing scan the browser is trusted\nvia a signed cookie with no further edge calls, protecting AJAX\/REST globally.<\/li>\nAdded a rate-limited grace window for non-auth APIs during SDK bootstrap.<\/li>\nHardened cookie handling (HMAC-signed, user-agent anomaly downgrade, revocation).<\/li>\nAdded the developer verify API and opt-in admin-ajax \/ REST protection.<\/li>\n<\/ul>\n\n1.2.0<\/h4>\n\n\nEnforcement overhaul. Removed the universal fail-open on a missing token.<\/li>\nAdded an HMAC-signed per-site form nonce (auto-generated, works on the free tier).<\/li>\nAdded the interstitial challenge: re-verify and transparently resubmit, or block.<\/li>\nAdded Monitor \/ Challenge \/ Enforce policy and configurable edge-down behaviour.<\/li>\nDecoupled brute-force counting from the token path.<\/li>\nSafe migration: existing installs upgrade into Monitor with an admin notice.<\/li>\n<\/ul>\n\n1.0.0<\/h4>\n\n\nInitial release.<\/li>\n<\/ul>","raw_excerpt":"Stop bots, spam and brute-force attacks on every WordPress form. No CAPTCHA. No account. No keys. Installs and protects in one click.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/315143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=315143"}],"author":[{"embeddable":true,"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/robertvahhi"}],"wp:attachment":[{"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=315143"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=315143"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=315143"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=315143"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=315143"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/frp.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=315143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}](\"https:\/\/ps.w.org\/trustsig-security\/assets\/screenshot-3.png\"){kind=link}