內容簡介
TrustSig Security 是一款專為 WordPress 設計的安全外掛,能有效阻擋腳本機器人及暴力破解攻擊,保護網站的表單和 API 端點,無需繁瑣的驗證過程,輕鬆啟用即可生效。
【主要功能】
• 自動保護多種表單,包括登入、註冊及 WooCommerce 結帳
• 三種保護模式:監控、挑戰及強制封鎖
• 無需註冊帳號,匿名免費使用
• 與快取外掛及多數佈景主題相容
• 提供開發者 API 及驗證功能
外掛標籤
開發者團隊
原文外掛簡介
TrustSig Security stops scripted bots and brute-force attacks on WordPress forms and API endpoints. There are no puzzles to solve and no “I am not a robot” checkboxes to tick, and you do not have to sign up for anything before it starts working. What exactly gets checked depends on the protection mode you pick, described below.
Why TrustSig
Covers the forms that matter out of the box: login, registration, comments, password reset, WooCommerce checkout, BuddyPress signup, Easy Digital Downloads, Elementor Pro forms, WPForms (including the Mesmerize and Materialis contact form), Contact Form 7, SureForms, plus any custom form via a shortcode.
Locks out brute-force login attempts after repeated failures.
Real visitors never notice it. The browser check runs on its own and finishes in about a second, with no images to click.
Three protection modes: Monitor logs and never blocks, Challenge (the default) shows a short interstitial and retries, Enforce blocks outright.
Nothing to configure. Activate the plugin and protection is live. The anonymous free tier needs no account.
Works with caching plugins, WPML, multisite and most themes, because forms are signed server-side with a per-site secret.
A developer API: the PHP helper trustsig_verify(), the REST endpoint /wp-json/trustsig/v1/verify, and filters and actions for custom forms.
An optional guard for admin-ajax and the REST API on sites that need it.
An optional scan-on-submit mode that runs the browser check only when a visitor actually uses a form, not on every page view.
GPLv2, fully open source.
How it works
TrustSig loads a small browser SDK, signs every rendered form with a per-site secret, and checks submissions against the TrustSig Edge service. A real visitor passes the check in about a second without doing anything. A scripted client that never runs JavaScript produces no token and gets stopped.
When a request arrives without a valid token, the plugin does not quietly wave it through. Depending on the mode, it either serves a short “please wait” page that re-verifies the browser and then continues the original request, or blocks it.
No account and no API keys are needed; the anonymous free tier is the default. Connecting a TrustSig dashboard account is optional and only adds analytics and higher limits.
Protection modes
Monitor: verify and log only, never block. Good for a safe rollout. Upgrades also pin existing sites here, so behaviour never changes silently on update.
Challenge (default for new installs): a missing or invalid token triggers the interstitial, which then continues or blocks.
Enforce: a missing or invalid token is blocked immediately.
What it protects
Browser forms are covered automatically, no code needed:
WordPress core: login, registration, comments, lost and reset password
WooCommerce: login, registration, checkout, pay order, lost password
BuddyPress: registration
Easy Digital Downloads: login, registration
Elementor Pro forms
WPForms: contact and other forms, on by default (this also covers the Mesmerize and Materialis contact section)
Contact Form 7: feedback submissions, on by default, guarded on the REST endpoint CF7 submits to
SureForms: form submissions, on by default, guarded on the REST submit-form endpoint
Anything else via the site-wide “protect all forms” option, the [trustsig_form] shortcode, or a hidden trustsig-response input
On top of that there is an optional brute-force lockout for repeated failed logins, an opt-in guard for admin-ajax and the REST API, and a verification API for developers.
For developers
PHP: trustsig_verify( array( ‘token’ => $t, ‘action’ => ‘my_form’ ) ) returns pass, fail or challenge. Filters: trustsig_pre_verify, trustsig_result. Action: trustsig_blocked.
REST: POST /wp-json/trustsig/v1/verify with { “token”: “…” }.
Known limitations
XML-RPC (xmlrpc.php) is deliberately out of scope and is not verified. If your site does not use XML-RPC, disable it separately.
admin-ajax and the REST API are only guarded when you enable that in Settings. This is on purpose, so third-party integrations do not break the moment you install the plugin.
File uploads and AJAX submissions cannot show the interstitial. In Challenge or Enforce mode a missing token on those is blocked. It is never silently allowed.
External services
This plugin relies on the TrustSig Edge service to decide whether a request comes from a human or an automated client. That verdict cannot be produced locally, so the service is required for the plugin to do its job.
Service provider: TrustSig, https://trustsig.eu
Remote script loaded in the browser: https://edge.trustsig.eu/trustsig.js loads on pages that contain a protected form, on the login screen, and on the verification interstitial. It runs the non-interactive browser check and produces a verification token.
Data sent from the visitor’s browser or your server to https://edge.trustsig.eu/verify:
the TrustSig verification token generated by the SDK in the visitor’s browser;
your site’s host name (for example example.com) on the anonymous free tier, or the secret key you entered if you connect a dashboard account;
as with any HTTPS request, the visitor’s IP address and standard request metadata such as the user agent are visible to the service.
When data is sent: when the SDK loads on a protected page, when a protected form is submitted, and once per browser when the optional verified-session cookie is bootstrapped.
Data stored locally on your site: TrustSig writes a verification log to your own WordPress database (custom tables) with visitor IP addresses, the action attempted, and the verdict. This log is not sent to TrustSig, and you can clear it at any time under Settings, TrustSig, Tools.
By installing and activating this plugin you, the site administrator, consent to this data being sent to TrustSig so that requests can be verified. Inform your own visitors as your local privacy obligations require.
Terms of Service: https://trustsig.eu/terms-of-service/
Privacy Policy: https://trustsig.eu/privacy
