=== Honeypot Spam ===
Contributors: snehalpancholi
Tags: spam, honeypot, anti-spam, captcha alternative, bot protection
Requires at least: 6.0
Tested up to: 6.7
Stable tag: 1.0.0
Requires PHP: 8.1
License: GPL-2.0+
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Drop-in honeypot + time-trap anti-spam for WordPress forms. No CAPTCHA. Three silent mechanisms keep bots out without frustrating your visitors.

== Description ==

**Honeypot Spam** protects your WordPress forms against automated spam submissions without forcing visitors to solve puzzles or click distorted images. Three layered traps work silently in the background:

**1. Honeypot Field**
A text field is added to the form and hidden from human visitors using CSS positioning. It's never visible, so humans never fill it in. Bots that blindly populate every field will trigger this trap immediately.

**2. Time Trap**
A hidden timestamp is embedded when the form page loads. Submissions that arrive faster than your configured minimum (default: 3 seconds) are rejected. Real humans always take longer to read and complete a form.

**3. Checkbox Trap**
A hidden checkbox labelled "Leave this unchecked" is added to the form. Bots that attempt to check every input field will set this to checked — and be blocked.

**Randomised Field Names**
On first activation, a random 8-character suffix is generated and appended to all field names (e.g. `addlc_hp_a3f9b2c1_website`). This makes field names unpredictable, defeating bots that specifically target known honeypot implementations.

**Spam Log**
Every blocked submission is logged with the trap type that caught it, the form source, the IP address, and the time. View summary stats and the most recent 50 entries from the admin settings page.

**Integrations**
- Native WordPress comment form (built-in)
- Contact Form 7 (auto-detected, no configuration required)
- Manual wrapping via `[honeypot_form]` shortcode

= Features =

* Three-layer silent spam protection
* No CAPTCHA — zero impact on user experience
* Randomised field names per installation
* Optional spam log with stats dashboard
* Contact Form 7 integration (auto-detected)
* `[honeypot_form]` shortcode for custom forms
* Lightweight — no jQuery, no external requests
* GDPR-friendly — no third-party data sharing
* Automatic updates via the AddonLogic update server

== Installation ==

1. Upload the `honeypot-spam` folder to the `/wp-content/plugins/` directory.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Go to **Settings > Honeypot Spam** to configure.
4. Protection is active immediately after activation — no per-form configuration needed for comments and CF7.

== Frequently Asked Questions ==

= How does it work without a CAPTCHA? =

Three invisible traps are added to your forms. Humans never interact with them (the fields are off-screen via CSS). Bots fill in the honeypot field, submit too fast to pass the time trap, or check the hidden checkbox. Any one of these failures blocks the submission silently.

= Does it affect SEO? =

No. The hidden fields use CSS positioning, not `display:none` or `visibility:hidden`. They contain no meaningful content and will not be indexed or affect page rankings.

= Is it compatible with Contact Form 7? =

Yes. When CF7 is active and the option is enabled, honeypot fields are automatically injected into all CF7 forms via the `wpcf7_form_elements` and `wpcf7_spam` filters. No shortcode or per-form setup needed.

= Can I use it with other form plugins? =

Use the `[honeypot_form]` shortcode to wrap any HTML form. The trap fields are appended before the form content. You will need to call `addlc_hps_verify_submission()` in your form processing logic and handle the result.

= Will the time trap block slow internet connections? =

The minimum submission time defaults to 3 seconds. No human form takes less than 3 seconds from page load to submit — even on slow connections. You can raise this to 5 or 10 seconds for extra confidence, or lower it to 1 second if you have legitimate fast-submit scenarios.

= What happens to the spam log? =

Log entries are stored in the `{prefix}hps_spam_log` database table. You can view the most recent 50 entries and purge all logs from the settings page. Entries are permanently deleted on plugin uninstall.

= Does it store personal data? =

If logging is enabled, IP addresses are stored in the spam log table. This is used purely for diagnostic purposes and is never shared with third parties. Disable logging in Settings > Honeypot Spam if you prefer not to store any IP data.

= Is it GDPR compliant? =

The plugin makes no external requests (except to check for plugin updates from addonlogic.com) and does not share visitor data with third parties. If logging is enabled and you operate under GDPR, mention IP logging in your privacy policy.

= What is cleaned up on uninstall? =

The `{prefix}hps_spam_log` table and all options (`addlc_hps_options`, `addlc_hps_db_version`, `addlc_hps_field_suffix`) are removed. The update cache transient is also deleted.

== Screenshots ==

1. Settings page showing minimum time, logging toggle, and integration options.
2. Active Trap Fields card showing randomised field names per installation.
3. Spam Log with summary stats (total blocked, by trap type) and recent entries table.
4. Spam log badge colour-coding: yellow for honeypot, blue for time trap, green for checkbox trap.

== Changelog ==

= 1.0.0 =
* Initial release.
* Three-layer spam protection: honeypot field, time trap, checkbox trap.
* Randomised field name suffix generated on activation.
* Spam log with summary stats, recent entries table, and purge button.
* Native WordPress comment form integration.
* Contact Form 7 auto-integration via `wpcf7_spam` filter.
* `[honeypot_form]` shortcode for manual wrapping.
* Automatic update checking via AddonLogic update server.

== Upgrade Notice ==

= 1.0.0 =
Initial release. No upgrade steps required.
