[WordPress] Plugin Showcase: Samurai Honeypot for Forms

No ratings yet · Last updated 15 days ago · Requires WordPress 5.9+ and PHP 7.4+ · v1.1.5 · Listed: 2026-02-25

Overview

Summary:
Samurai Honeypot is a completely new defense architecture built from Proof of Work, behavioral analysis and rate limiting. The plugin protects every Contact Form 7 and WPForms form with 15 independent defense layers that effectively block all kinds of spam bots.

Questions and answers:
1. Does this plugin require HTTPS to work?
- Yes. Because it uses the Web Crypto API, the plugin requires HTTPS to function.

2. What was the original goal of Samurai Honeypot?
- The initial goal was to build a lightweight honeypot trap to catch basic bots.

3. What is the three-tier classification system mentioned?
- Tier 1 (Pass): score below the threshold (default 50). The email is sent normally.
- Tier 2 (Quarantine): score between the threshold and 99. The email is silently suppressed (Silent Kill) and the submission is saved to the built-in quarantine log for admin review.
- Tier 3 (Drop / Instant Kill): score of 100 or higher. The email is silently suppressed and the submission is permanently discarded without being logged. This protects your database from bloat during DDoS or mass bot attacks.

4. Why do false positives need attention?
- Depending on your environment, legitimate emails may occasionally be flagged as spam. Enterprise proxies, strict corporate firewalls, outdated browsers, VPNs and unusual network configurations can all trigger detection layers. You must check the quarantine log regularly to identify and restore any false positives; the plugin cannot tell every edge case apart automatically.

⬇ Download the latest version (v1.1.5) or install from the plugin search

① Download the ZIP, then upload it in the admin panel under "Plugins › Add New › Upload Plugin"
② Search for "Samurai Honeypot for Forms" in the admin panel and install it directly (recommended)

Original plugin description

Note: This plugin requires HTTPS to function (due to Web Crypto API usage).
The Story: The Forging of the Ultimate Defense
This project began with a simple goal: to create a lightweight honeypot trap to catch basic bots. But during development, we faced a harsh reality: Simple traps are obsolete. Modern AI bots and headless browsers can easily step over traditional defenses. A basic trap was no longer enough; we needed a fortress.
So, we forged a completely new architecture. We added Proof of Work, Behavioral Analysis, and Rate Limiting. What started as a simple honeypot evolved into a 15-layer invisible firewall. Like a samurai’s blade, it operates with absolute precision—completely invisible to your real customers, yet ruthlessly executing a “Silent Kill” on spam bots before they ever reach your inbox or database.
Samurai Honeypot protects every Contact Form 7 and WPForms form with fifteen independent defense layers.
Each layer contributes a score, and blocked submissions are handled by a 3-Tier Triage System:
3-Tier Triage System

Tier 1 (Pass): Score below the threshold (default 50) — email is sent normally.
Tier 2 (Quarantine): Score between the threshold and 99 — email is silently suppressed (Silent Kill) and the submission is saved to the built-in Quarantine Log for admin review.
Tier 3 (Drop / Instant Kill): Score of 100 or higher — email is silently suppressed and the submission is permanently dropped without logging. This protects your database from bloat during DDoS or mass bot attacks.
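The scoring and triage flow described above, as an added JavaScript model. This is not the plugin's own PHP code. The threshold of 50, the Tier 3 cut-off at 100, the UA-age points (+10/+20/+30) and the 1,000-entry FIFO quarantine log follow the page; the point values of the other layers, the layer names, the `ctx` fields and the "13 Chrome majors per year" heuristic are assumptions made for the example.

```javascript
// Added example, not the plugin's own PHP code: a JavaScript model of
// score-based triage. Threshold 50, Tier 3 at 100, UA-age points and the
// 1,000-entry FIFO quarantine log follow the page; every other point value,
// the layer names and the Chrome-age heuristic are assumptions.
const DEFAULT_THRESHOLD = 50;
const DROP_SCORE = 100;
const QUARANTINE_MAX = 1000;

// Each layer returns { points, reason } when it fires, otherwise null.
const layers = [
  // UA Age: +10 / +20 / +30 for Chrome majors 2 / 3 / 4+ years old.
  // Assumption: roughly ctx.chromeMajorsPerYear majors ship per year.
  function uaAge(sub, ctx) {
    const m = /Chrome\/(\d+)/.exec(sub.userAgent || "");
    if (!m) return null;
    const years = (ctx.currentChromeMajor - Number(m[1])) / ctx.chromeMajorsPerYear;
    if (years >= 4) return { points: 30, reason: "ua_age_4y" };
    if (years >= 3) return { points: 20, reason: "ua_age_3y" };
    if (years >= 2) return { points: 10, reason: "ua_age_2y" };
    return null;
  },
  // Content: URL Limit (assumed +40 when the count exceeds ctx.maxUrls).
  function urlLimit(sub, ctx) {
    const urls = (sub.message.match(/https?:\/\/\S+/gi) || []).length;
    return urls > ctx.maxUrls ? { points: 40, reason: "url_limit" } : null;
  },
  // Content: BBCode link syntax (assumed +60).
  function bbcode(sub) {
    return /\[url=/i.test(sub.message) ? { points: 60, reason: "bbcode" } : null;
  },
  // IP Blacklist: +100, so the submission goes straight to Tier 3.
  function ipBlacklist(sub, ctx) {
    return ctx.blacklist.has(sub.ip) ? { points: 100, reason: "ip_blacklist" } : null;
  },
];

function scoreSubmission(sub, ctx) {
  let score = 0;
  const reasons = [];
  for (const layer of layers) {
    const hit = layer(sub, ctx);
    if (hit) { score += hit.points; reasons.push(hit.reason); }
  }
  return { score, reasons };
}

// Tier 1 pass / Tier 2 quarantine / Tier 3 drop.
function triage(score, threshold = DEFAULT_THRESHOLD) {
  if (score >= DROP_SCORE) return "drop";
  if (score >= threshold) return "quarantine";
  return "pass";
}

// In-memory stand-in for the quarantine table: FIFO, oldest entry evicted first.
class QuarantineLog {
  constructor(max = QUARANTINE_MAX) { this.max = max; this.entries = []; }
  add(entry) {
    this.entries.push(entry);
    if (this.entries.length > this.max) this.entries.shift();
  }
}

function handleSubmission(sub, ctx, log) {
  const { score, reasons } = scoreSubmission(sub, ctx);
  const tier = triage(score, ctx.threshold);
  if (tier === "pass") return { tier, score, reasons, emailSent: true, logged: false };
  if (tier === "quarantine") {
    // Silent Kill: no email, but the full submission is kept for admin review.
    log.add({ date: new Date().toISOString(), score, reasons, fields: sub.fields });
    return { tier, score, reasons, emailSent: false, logged: true };
  }
  // Tier 3: nothing is written, so mass bot traffic cannot bloat the database.
  return { tier, score, reasons, emailSent: false, logged: false };
}

// Constructed sample context and submissions (not real traffic).
const sampleCtx = {
  threshold: DEFAULT_THRESHOLD, maxUrls: 2,
  blacklist: new Set(["203.0.113.9"]),
  currentChromeMajor: 133, chromeMajorsPerYear: 13,
};
const humanSub = { ip: "198.51.100.4", userAgent: "Mozilla/5.0 Chrome/131.0.0.0",
  message: "Hello, I have a question about pricing.", fields: { name: "Ann" } };
const staleBotSub = { ip: "198.51.100.5", userAgent: "Mozilla/5.0 Chrome/90.0.4430.93",
  message: "see http://a.example http://b.example http://c.example", fields: {} };
const listedBotSub = { ip: "203.0.113.9", userAgent: "Mozilla/5.0 Chrome/131.0.0.0",
  message: "hi", fields: {} };
```

Run with `node`: the stale-UA submission scores 20 + 40 = 60 and lands in the quarantine log, the blacklisted IP scores 100 and is dropped without a log entry, and the ordinary submission scores 0 and passes. The point of the `handleSubmission` split is that Tier 3 returns before anything touches storage.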

Warning — False Positives: Depending on your environment, legitimate emails may occasionally be flagged as spam. Enterprise proxies, strict corporate firewalls, outdated browsers, VPNs, and unusual network configurations can trigger detection layers. You MUST check the Quarantine Log periodically to identify and recover any false positives. The plugin cannot distinguish all edge cases automatically.
Defense Layers

JS Injection Gate — Blocks bots that cannot execute JavaScript. Tokens are fetched via REST API for full page-cache compatibility.
Polymorphic Honeypot — Decoy field name is cryptographically derived per token (not exposed in the API response), hidden from humans via CSS.
Token Signature — HMAC-SHA256 signed stateless token with IP and Form ID binding.
Time Trap — Detects impossibly fast submissions. Browser autofill is automatically exempt.
Proof of Work — SHA-256 computational challenge via Web Crypto API that forces CPU cost on bots.
Behavioral Entropy — Hash-verified human-like event counters: mouse, keyboard, touch, scroll. Uniqueness tracking detects script reuse.
Headless UA Block — Server-side User-Agent check instantly blocks known headless browsers and automated tools (Headless Chrome, Puppeteer, PhantomJS, Selenium, Playwright, Nightmare, Electron). Toggleable in settings for E2E testing compatibility.
Headless Detection — Detects automated browser environments (navigator.webdriver, plugin count, window.chrome, language count).
UA Age Detection — Scores based on Chrome version age. 2+ years: +10, 3+ years: +20, 4+ years: +30. Bots often use hardcoded old User-Agent strings that never update.
Rate Limiting — Per-IP submission rate limiting with IPv6 /64 normalization.
Replay Protection — Atomic token consumption (INSERT IGNORE) + TTL expiry enforcement.
IP Blacklist — Manually configured IP/CIDR blacklist for known bad actors.
Content: URL Limit — Flags messages containing more URLs than the configured threshold.
Content: BBCode — Detects BBCode link syntax ([url=...]) that never appears in legitimate form submissions.
Content: Denylist — Matches against WordPress Disallowed Comment Keys (Settings > Discussion).

Key Features

3-Tier Triage — Pass, Quarantine (with local log), or Drop. No legitimate message is lost without a trace — quarantined submissions are saved for admin review.
Built-in Quarantine Log — Blocked Tier 2 submissions are saved to a local database table (up to 1,000 entries, FIFO). View date, score, trigger reasons, and full form data from the admin panel. No external plugin required.
DDoS-Resilient Tier 3 Drop — Submissions scoring 100+ are immediately dropped from memory without any database write. This prevents database exhaustion during mass bot attacks.
GDPR Compliant — No cookies, no external service calls, no plugin-specific PII stored. IP addresses are one-way hashed with a site-specific salt before any storage — raw IPs never touch the database. No consent banner required.
Stateless Tokens — No database writes for token generation; prevents DoS via DB bloat.
Zero Trust Client — All client-submitted data is verified server-side with HMAC signatures and hash integrity checks.
Zero Configuration — Activate and all Contact Form 7 / WPForms forms are protected automatically.
Cache Compatible — Tokens are fetched via REST API, so page caching works fine.
Multiple Forms — Works correctly with multiple forms on the same page.
IP Whitelist / Blacklist — Whitelist trusted IPs or CIDR ranges to skip all scoring. Blacklist known bad IPs to add +100 score instantly. Optionally whitelist all logged-in WordPress users.
Headless Browser Blocking — Server-side User-Agent check instantly blocks Headless Chrome, Puppeteer, Selenium, and other automated browsers (+100 score). Enabled by default; can be toggled off for E2E testing.
Content Rules — Detect spam patterns in form content: excessive URLs, BBCode link syntax, and WordPress Disallowed Comment Keys matching.
Trusted Proxy Support — Optional mode for Cloudflare and reverse proxy environments with IP range validation.
Lightweight — Three PHP files, no external dependencies, no jQuery.
