What Is BD AntiSpam?
BD AntiSpam is an invisible spam protection plugin for WordPress that blocks bots and spam submissions without CAPTCHAs or any user-facing challenges. It works silently in the background, evaluating every form submission against multiple heuristics and assigning a composite spam score. If the score exceeds your configured threshold, the submission is blocked, flagged, or logged depending on your settings.
BD AntiSpam protects WordPress comments, user registration forms, WooCommerce checkout and registration, and popular form plugins including Contact Form 7, WPForms, Gravity Forms, and Elementor Forms. It also provides a generic form interceptor that covers any HTML form on your site.
Installation
- Download the BD AntiSpam plugin ZIP file from your BDShield account.
- In your WordPress admin, go to Plugins → Add New → Upload Plugin.
- Select the ZIP file and click Install Now, then Activate.
- After activation, you will be redirected to the BD AntiSpam dashboard automatically.
- Navigate to the License tab and enter your license key to enable spam protection. Without an active license, all protection modules remain disabled.
Tip: BD AntiSpam requires a valid license key for spam protection to function. The plugin installs cleanly and creates its database tables on activation, but no form submissions will be checked until you activate your license.
How Invisible Protection Works
BD AntiSpam uses a multi-layered scoring system. Each form submission is evaluated against up to nine different checks, and each check contributes points to a total spam score. When the score meets or exceeds the spam threshold (default: 5 points), the submission is treated as spam. Here is how each layer works:
1. Honeypot Trap
The honeypot is a hidden form field that is completely invisible to human visitors but irresistible to automated bots. BD AntiSpam injects a hidden input field into every form on your site. The field uses CSS to be positioned off-screen (absolute positioning at -9999px), has aria-hidden="true" and tabindex="-1" so screen readers and keyboard navigation skip it, and its autocomplete is set to off.
The field name rotates daily for stealth. Each day, the plugin selects from a pool of 16 realistic-sounding field names such as website_url, home_phone, fax_number, company_address, middle_name, and others. The rotation is derived from a keyed hash so it is consistent across your site for the day but unpredictable to bots.
The honeypot is injected in two ways:
- Server-side: Directly into WordPress comment forms, registration forms, and WooCommerce forms via action hooks.
- Client-side: A JavaScript snippet in the footer scans for all <form> elements on the page and injects the honeypot field. A MutationObserver watches for dynamically added forms (such as those loaded by AJAX or page builders) and injects the field into those as well.
If a bot fills in the honeypot field, the submission receives 5 spam points by default (configurable), which alone meets the default threshold.
2. Time-Based Analysis
When the honeypot field is injected, a hidden timestamp field (_bdas_ts) is also added to the form. This records the server time when the page was rendered. When the form is submitted, the plugin calculates how many seconds elapsed. If the submission arrives faster than the minimum time (default: 3 seconds), it is flagged as suspicious and receives 3 spam points.
Legitimate users take at least a few seconds to read the form and fill in fields. Bots typically submit forms instantly.
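The following is an added example, not BD AntiSpam's own code, showing how the two layers above fit together: a honeypot field name chosen per day from a keyed hash, the hidden fields as they would be rendered, and the server-side evaluation of both the honeypot and the elapsed time. The name pool, the secret, the _bdas_ts layout and the function names are assumptions. One design choice of the example: the render timestamp is signed with an HMAC so a client cannot back-date it (the page does not state how the plugin stores it).

```php
<?php
// Added example (not BD AntiSpam's code): daily-rotating honeypot name from a
// keyed hash, rendered hidden fields, and the honeypot + elapsed-time checks.
// Secret, name pool and the _bdas_ts format are assumptions.

const BDAS_EXAMPLE_SECRET = 'replace-with-a-random-per-site-secret'; // assumed
const BDAS_HONEYPOT_POINTS = 5;
const BDAS_TIME_POINTS     = 3;
const BDAS_MIN_SECONDS     = 3;

// Realistic-looking names a form-filling bot will happily populate (assumed pool).
const BDAS_FIELD_POOL = [
    'website_url', 'home_phone', 'fax_number', 'company_address', 'middle_name',
    'alt_email', 'zip_code', 'job_title',
];

// Field name for a given day: stable site-wide for that day, not guessable
// without the secret.
function bdas_honeypot_name(int $now): string {
    $day = gmdate('Y-m-d', $now);
    $h   = hash_hmac('sha256', $day, BDAS_EXAMPLE_SECRET, true);
    $idx = unpack('N', substr($h, 0, 4))[1] % count(BDAS_FIELD_POOL);
    return BDAS_FIELD_POOL[$idx];
}

// Render-time timestamp, signed so the client cannot alter it (example choice).
function bdas_timestamp_value(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, BDAS_EXAMPLE_SECRET);
}

// Off-screen, hidden from assistive tech and keyboard focus, no autocomplete.
function bdas_render_hidden_fields(int $now): string {
    $name = htmlspecialchars(bdas_honeypot_name($now), ENT_QUOTES);
    $ts   = htmlspecialchars(bdas_timestamp_value($now), ENT_QUOTES);
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<input type="text" name="' . $name . '" value="" tabindex="-1" autocomplete="off"></div>'
         . '<input type="hidden" name="_bdas_ts" value="' . $ts . '">';
}

// Score the two checks on a submitted $post array. Yesterday's name is also
// accepted so a form rendered just before midnight still validates.
function bdas_score_honeypot_and_time(array $post, int $now): array {
    $score = 0; $reasons = [];
    foreach ([$now, $now - 86400] as $day) {
        $name = bdas_honeypot_name($day);
        if (isset($post[$name]) && $post[$name] !== '') {
            $score += BDAS_HONEYPOT_POINTS; $reasons[] = 'honeypot_filled'; break;
        }
    }
    $parts = explode('.', (string) ($post['_bdas_ts'] ?? ''), 2);
    $valid = count($parts) === 2 && ctype_digit($parts[0])
          && hash_equals(hash_hmac('sha256', $parts[0], BDAS_EXAMPLE_SECRET), $parts[1]);
    if (!$valid || ($now - (int) $parts[0]) < BDAS_MIN_SECONDS) {
        $score += BDAS_TIME_POINTS; $reasons[] = $valid ? 'too_fast' : 'bad_timestamp';
    }
    return ['score' => $score, 'reasons' => $reasons];
}

// Walkthrough with constructed submissions: a bot that fills every field and
// posts one second after render, and a person who posts twenty seconds later.
$rendered = time();
$bot   = [bdas_honeypot_name($rendered) => 'http://example.invalid',
          '_bdas_ts' => bdas_timestamp_value($rendered)];
$human = ['_bdas_ts' => bdas_timestamp_value($rendered)];
print_r(bdas_score_honeypot_and_time($bot, $rendered + 1));
print_r(bdas_score_honeypot_and_time($human, $rendered + 20));
```

With the default weights the bot submission collects 5 points from the honeypot and 3 from the timing check, so either check alone would already meet or come close to the default threshold of 5.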
3. JavaScript Token Verification
This layer proves that the submission came from a real web browser capable of executing JavaScript. The process works as follows:
- When a user interacts with the page (mouse click, touch, or keypress), the frontend script requests a challenge token from the server via an AJAX call to wp_ajax_bdas_get_token.
- The server returns a 16-character challenge string derived from a time-rotating HMAC secret (rotates every 2 hours).
- The browser computes a SHA-256 hash combining the challenge with client-specific data (user agent, screen width, and timezone offset), producing a unique token.
- This token is injected as a hidden field (_bdas_jt) into all forms on the page.
- On form submission, the server validates that the token prefix matches the expected challenge hash for the current or previous 2-hour window.
If no JavaScript token is present, the submission receives 4 spam points. If the token is present but invalid, it receives 2 points. The token is pre-generated on first user interaction (mousedown, touchstart, keydown, or focus) so there is no delay when the user actually submits the form.
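Added example (not BD AntiSpam's code) of the token exchange described above: the server derives a 16-character challenge per 2-hour window, the browser step is simulated here in PHP (in the plugin it runs in JavaScript), and validation accepts the current or the previous window. As the page describes, only the challenge prefix is verified server-side, since the server does not know the browser data that went into the hash. The secret, the concatenation order and the prefix+hash layout are assumptions.

```php
<?php
// Added example (not BD AntiSpam's code): 2-hour-window challenge issuance,
// simulated client token derivation, and server-side validation accepting the
// current or previous window. Secret and token layout are assumptions.

const BDAS_TOKEN_SECRET     = 'replace-with-a-random-per-site-secret'; // assumed
const BDAS_WINDOW_SECONDS   = 7200;
const BDAS_NO_TOKEN_POINTS  = 4;
const BDAS_BAD_TOKEN_POINTS = 2;

function bdas_current_window(int $now): int {
    return intdiv($now, BDAS_WINDOW_SECONDS);
}

// Server: the challenge wp_ajax_bdas_get_token would hand out for a window.
function bdas_challenge_for_window(int $window): string {
    return substr(hash_hmac('sha256', 'bdas-challenge:' . $window, BDAS_TOKEN_SECRET), 0, 16);
}

// Browser role (simulated): token = challenge prefix + SHA-256 over the
// challenge and client-specific values. Concatenation order is assumed.
function bdas_client_token(string $challenge, string $ua, int $screenWidth, int $tzOffset): string {
    return $challenge . hash('sha256', $challenge . '|' . $ua . '|' . $screenWidth . '|' . $tzOffset);
}

// Server: points to add for the submitted _bdas_jt value (0 = token accepted).
function bdas_score_js_token(?string $token, int $now): int {
    if ($token === null || $token === '') {
        return BDAS_NO_TOKEN_POINTS;                 // no JavaScript ran at all
    }
    if (!preg_match('/^[0-9a-f]{16}[0-9a-f]{64}$/', $token)) {
        return BDAS_BAD_TOKEN_POINTS;                // malformed token
    }
    $prefix = substr($token, 0, 16);
    $w = bdas_current_window($now);
    foreach ([$w, $w - 1] as $window) {              // current or previous window
        if (hash_equals(bdas_challenge_for_window($window), $prefix)) {
            return 0;
        }
    }
    return BDAS_BAD_TOKEN_POINTS;                    // stale or forged prefix
}

// Walkthrough with a constructed browser profile.
$issuedAt  = time();
$challenge = bdas_challenge_for_window(bdas_current_window($issuedAt));
$token     = bdas_client_token($challenge, 'Mozilla/5.0 (constructed)', 1440, -60);

var_dump(bdas_score_js_token($token, $issuedAt + 60));                      // same window
var_dump(bdas_score_js_token($token, $issuedAt + BDAS_WINDOW_SECONDS));     // previous window
var_dump(bdas_score_js_token($token, $issuedAt + 3 * BDAS_WINDOW_SECONDS)); // two windows back
var_dump(bdas_score_js_token(null, $issuedAt));                             // no token
```

Accepting the previous window is what keeps a page that was opened just before the secret rotated from failing validation; the two-window grace is the trade-off between user experience and how long a captured prefix stays usable.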
4. Content Analysis
The content analyzer scans all text fields in the submission for known spam patterns. It runs ten separate checks:
- Generic spam keywords: Phrases like “buy now,” “limited time,” “free money,” “work from home opportunity,” “lottery winner,” and phishing language such as “your account has been suspended.”
- Pharmaceutical spam: Drug names like xanax, viagra, tramadol, “online pharmacy,” and “discount pharmacy.”
- Casino/gambling spam: Terms like “online casino,” “free slots,” “sports betting,” and “slot machines online.”
- SEO spam: “Buy backlinks,” “guaranteed rankings,” “cheap seo,” and “dofollow links.”
- Cyrillic/Latin mixing: Detects character obfuscation where Cyrillic characters are mixed with Latin letters within the same word.
- Excessive capitalization: Flags text where more than 60% of alphabetic characters are uppercase (for text longer than 20 characters).
- Repetitive characters: Detects the same character repeated 5 or more times in a row, or the same word repeated 4 or more times.
- BBCode/HTML injection: Flags [url], [link], [img] BBCode tags and HTML tags like <a>, <script>, <iframe> in plain text fields.
- Encoded/obfuscated content: Detects long Base64 strings and excessive URL-encoded characters.
- Cryptocurrency scam patterns: “Bitcoin investment,” “crypto trading signal,” “NFT giveaway,” “airdrop claim,” and similar phrases.
5. Link Spam Detection
The plugin counts all links in the submission including HTTP/HTTPS URLs, www. references, HTML anchor tags, and BBCode URL tags. If the count exceeds the configured limit (default: 2 links), the submission receives 3 spam points.
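Added example (not BD AntiSpam's code) of a content analyzer implementing the ten checks listed under Content Analysis together with the link counter from Link Spam Detection. The keyword lists are short constructed samples of the categories the page names, the per-check point value and the Base64/URL-encoding thresholds are assumptions, and the function names are hypothetical.

```php
<?php
// Added example (not BD AntiSpam's code): content checks and link counting.
// Keyword lists are constructed samples; per-check points are assumed.

const BDAS_CONTENT_POINTS = 2;   // assumed value per triggered check
const BDAS_LINK_POINTS    = 3;
const BDAS_MAX_LINKS      = 2;

const BDAS_KEYWORD_SETS = [
    'generic' => ['buy now', 'limited time', 'free money', 'work from home opportunity',
                  'lottery winner', 'your account has been suspended'],
    'pharma'  => ['xanax', 'viagra', 'tramadol', 'online pharmacy', 'discount pharmacy'],
    'casino'  => ['online casino', 'free slots', 'sports betting', 'slot machines online'],
    'seo'     => ['buy backlinks', 'guaranteed rankings', 'cheap seo', 'dofollow links'],
    'crypto'  => ['bitcoin investment', 'crypto trading signal', 'nft giveaway', 'airdrop claim'],
];

// Names of the checks one text field triggers.
function bdas_content_checks(string $text): array {
    $hits  = [];
    $lower = mb_strtolower($text, 'UTF-8');

    foreach (BDAS_KEYWORD_SETS as $set => $phrases) {
        foreach ($phrases as $p) {
            if (mb_strpos($lower, $p) !== false) { $hits[] = $set; break; }
        }
    }
    // A Cyrillic letter directly next to a Latin one inside a word (homoglyph obfuscation).
    if (preg_match('/\p{Cyrillic}\p{Latin}|\p{Latin}\p{Cyrillic}/u', $text)) {
        $hits[] = 'cyrillic_latin_mix';
    }
    // More than 60% uppercase among letters, judged only on text longer than 20 characters.
    $letters = preg_replace('/[^\p{L}]/u', '', $text);
    if (mb_strlen($text) > 20 && mb_strlen($letters) > 0) {
        $upper = preg_match_all('/\p{Lu}/u', $letters);
        if ($upper / mb_strlen($letters) > 0.60) { $hits[] = 'excessive_caps'; }
    }
    // Same character 5+ times in a row, or the same word 4+ times in a row.
    if (preg_match('/(.)\1{4,}/u', $text) || preg_match('/\b(\w+)(?:\s+\1\b){3,}/iu', $text)) {
        $hits[] = 'repetition';
    }
    // BBCode and HTML tags in what should be plain text.
    if (preg_match('/\[(?:url|link|img)[=\]]/i', $text) || preg_match('/<\s*(?:a|script|iframe)\b/i', $text)) {
        $hits[] = 'markup_injection';
    }
    // A long Base64 run, or %xx escapes making up more than half of the text (assumed thresholds).
    $encoded = preg_match_all('/%[0-9a-f]{2}/i', $text);
    if (preg_match('#(?:[A-Za-z0-9+/]{4}){10,}={0,2}#', $text)
        || ($encoded > 5 && $encoded * 3 > strlen($text) / 2)) {
        $hits[] = 'encoded_content';
    }
    return array_values(array_unique($hits));
}

// Counts http(s) URLs, bare www. hosts, <a href> tags and [url] BBCode tags.
function bdas_count_links(string $text): int {
    $n  = preg_match_all('#https?://[^\s<>"\']+#i', $text);
    $n += preg_match_all('/(?<![\w.\/])www\.[^\s<>"\']+/i', $text);
    $n += preg_match_all('/<a\s[^>]*href/i', $text);
    $n += preg_match_all('/\[url[=\]]/i', $text);
    return $n;
}

// Scores every string field of a submission.
function bdas_score_content(array $fields): array {
    $score = 0; $reasons = [];
    foreach ($fields as $field => $value) {
        if (!is_string($value)) { continue; }
        foreach (bdas_content_checks($value) as $hit) {
            $score += BDAS_CONTENT_POINTS; $reasons[] = "$field:$hit";
        }
        $links = bdas_count_links($value);
        if ($links > BDAS_MAX_LINKS) {
            $score += BDAS_LINK_POINTS; $reasons[] = "$field:links=$links";
        }
    }
    return ['score' => $score, 'reasons' => $reasons];
}

// Constructed samples: one spammy message and one ordinary enquiry.
print_r(bdas_score_content([
    'message' => "BUY NOW!!!!! cheap seo at http://a.invalid http://b.invalid www.c.invalid [url=http://d.invalid]x[/url]",
]));
print_r(bdas_score_content(['message' => 'Hi, is the office open on Monday? Thanks.']));
```

The counter deliberately tallies every form a link can take, so a URL wrapped in a [url=...] tag counts twice; that bias toward the spam side is intentional for a counter whose limit is already generous.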
6. Disposable Email Blocking
When an email address is provided with the submission, the plugin checks the domain against a curated list of over 130 known disposable email services including Mailinator, Guerrilla Mail, Temp Mail, YOPmail, TrashMail, and many others. Disposable email domains add 3 spam points. The list can be extended via the bdas_disposable_email_domains filter.
7. User Agent Analysis
The plugin checks the visitor’s user agent string for known bot signatures. An empty user agent adds 3 points. Known bot patterns (curl, wget, python-requests, scrapy, ahrefs, semrush, and 30+ others) add 4 points. Legitimate search engine bots are not included in this list.
8. IP Reputation Tracking
BD AntiSpam tracks every IP address that triggers spam detection. When an IP accumulates 3 or more spam attempts, it is marked as a repeat offender and receives additional penalty points (default: 4). The plugin implements progressive blocking:
- 3 spam attempts: IP blocked for 1 hour.
- 5 spam attempts: IP blocked for 24 hours.
- 10+ spam attempts: IP blocked for 7 days.
IP reputation records are automatically cleaned up after 14 days of inactivity for non-blocked IPs.
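Added example (not BD AntiSpam's code) of an IP reputation store with the progressive block tiers and the 14-day cleanup described above. The plugin keeps its records in its own database tables; the array-backed store, the injectable clock and the class and function names here are assumptions.

```php
<?php
// Added example (not BD AntiSpam's code): in-memory IP reputation with the
// 3/5/10-attempt block tiers, repeat-offender penalty, and 14-day cleanup.

const BDAS_REPEAT_THRESHOLD = 3;
const BDAS_REPEAT_POINTS    = 4;
const BDAS_RETENTION_DAYS   = 14;

// Block duration for a given number of spam attempts (0 = not blocked).
function bdas_block_seconds(int $attempts): int {
    if ($attempts >= 10) { return 7 * 86400; }
    if ($attempts >= 5)  { return 86400; }
    if ($attempts >= 3)  { return 3600; }
    return 0;
}

final class BdasReputationStore {
    /** @var array<string, array{attempts:int,last_seen:int,blocked_until:int}> */
    private array $rows = [];

    // Called when a submission from $ip scored as spam.
    public function recordSpam(string $ip, int $now): void {
        $row = $this->rows[$ip] ?? ['attempts' => 0, 'last_seen' => $now, 'blocked_until' => 0];
        $row['attempts']++;
        $row['last_seen'] = $now;
        $secs = bdas_block_seconds($row['attempts']);
        if ($secs > 0) {
            // Never shorten a block that is already in force.
            $row['blocked_until'] = max($row['blocked_until'], $now + $secs);
        }
        $this->rows[$ip] = $row;
    }

    public function isBlocked(string $ip, int $now): bool {
        return ($this->rows[$ip]['blocked_until'] ?? 0) > $now;
    }

    // Extra points added to a repeat offender's submission score.
    public function penaltyPoints(string $ip): int {
        $attempts = $this->rows[$ip]['attempts'] ?? 0;
        return $attempts >= BDAS_REPEAT_THRESHOLD ? BDAS_REPEAT_POINTS : 0;
    }

    // Drops records idle for 14+ days unless the IP is still under a block.
    public function cleanup(int $now): int {
        $removed = 0;
        foreach ($this->rows as $ip => $row) {
            $idle = ($now - $row['last_seen']) >= BDAS_RETENTION_DAYS * 86400;
            if ($idle && $row['blocked_until'] <= $now) {
                unset($this->rows[$ip]); $removed++;
            }
        }
        return $removed;
    }
}

// Walkthrough with a constructed documentation address.
$store = new BdasReputationStore();
$t0 = time();
for ($i = 0; $i < 3; $i++) { $store->recordSpam('203.0.113.7', $t0 + $i); }
var_dump($store->isBlocked('203.0.113.7', $t0 + 600));       // inside the 1-hour block
var_dump($store->isBlocked('203.0.113.7', $t0 + 2 * 3600));  // after the block elapsed
var_dump($store->penaltyPoints('203.0.113.7'));
var_dump($store->cleanup($t0 + 15 * 86400));
```

Blocked IPs are exempt from the idle cleanup on purpose: an address that earned a 7-day block should not lose its record before the block has run its course.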
9. Referer Validation
The plugin checks the HTTP referer header on form submissions. An empty referer adds 1 point. A referer from an external domain (not matching your site URL) adds 2 points. Legitimate form submissions from your own site always include a valid referer.
Supported Form Integrations
BD AntiSpam works with the following form sources out of the box. Each integration can be individually enabled or disabled in Settings:
- WordPress Comments: Hooks into preprocess_comment to check all comment submissions. Admins and editors with the moderate_comments capability are automatically bypassed.
- WordPress Registration: Hooks into registration_errors to validate new user signups.
- Contact Form 7: Hooks into the wpcf7_spam filter to flag spam submissions within CF7’s own spam workflow.
- WPForms: Hooks into wpforms_process_before to block spam before the form entry is saved.
- Gravity Forms: Hooks into gform_entry_is_spam to integrate with Gravity Forms’ spam detection system.
- Elementor Forms: Hooks into elementor_pro/forms/validation to add validation errors on spam detection.
- WooCommerce: Protects customer registration, checkout order submissions, and login forms. Login protection checks if the IP is currently blocked.
- Generic HTML Forms: Intercepts any POST request that contains the honeypot or timestamp field. Only blocks on high confidence (score of 8 or higher) to avoid false positives on unknown forms.
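Added example (not BD AntiSpam's code) of how a plugin attaches to the first two integration points listed above, honours the moderate_comments bypass, and how a site extends the disposable-domain list through the bdas_disposable_email_domains filter mentioned under Disposable Email Blocking. preprocess_comment, registration_errors, current_user_can(), apply_filters() and wp_die() are real WordPress APIs; bdas_score_submission() and the bdas_spam_threshold option name are hypothetical stand-ins for the plugin's internal scorer and settings.

```php
<?php
// Added example (not BD AntiSpam's code): comment and registration hooks,
// moderator bypass, and site-level extension of the disposable-domain list.
// bdas_score_submission() and the option name are assumed stand-ins.

// Assumed scorer: only the disposable-email layer is shown here.
function bdas_score_submission(array $fields): array {
    $score = 0; $reasons = [];
    $email  = $fields['email'] ?? '';
    $at     = strrchr($email, '@');
    $domain = $at === false ? '' : strtolower(substr($at, 1));
    // The built-in list (constructed sample) can be extended through this filter.
    $disposable = apply_filters('bdas_disposable_email_domains', ['mailinator.com', 'yopmail.com']);
    if ($domain !== '' && in_array($domain, $disposable, true)) {
        $score += 3; $reasons[] = 'disposable_email';
    }
    return ['score' => $score, 'reasons' => $reasons];
}

function bdas_threshold(): int {
    return (int) get_option('bdas_spam_threshold', 5); // option name assumed
}

// WordPress comments: runs before the comment is inserted.
add_filter('preprocess_comment', function (array $commentdata): array {
    if (current_user_can('moderate_comments')) {
        return $commentdata;                          // admins and editors bypass
    }
    $fields = [
        'email'   => $commentdata['comment_author_email'] ?? '',
        'content' => $commentdata['comment_content'] ?? '',
        'url'     => $commentdata['comment_author_url'] ?? '',
    ];
    $result = bdas_score_submission($fields);
    if ($result['score'] >= bdas_threshold()) {
        wp_die(esc_html__('Your comment could not be submitted.', 'bdas-example'), 403);
    }
    return $commentdata;
});

// WordPress registration: attach an error rather than dying, so the form re-renders.
add_filter('registration_errors', function (WP_Error $errors, string $login, string $email): WP_Error {
    $result = bdas_score_submission(['email' => $email, 'login' => $login]);
    if ($result['score'] >= bdas_threshold()) {
        $errors->add('bdas_spam', __('Registration could not be completed.', 'bdas-example'));
    }
    return $errors;
}, 10, 3);

// Site-level extension of the disposable-domain list (theme functions.php or an mu-plugin).
add_filter('bdas_disposable_email_domains', function (array $domains): array {
    $domains[] = 'throwaway.invalid';   // constructed example domain
    return $domains;
});
```

The two entry points fail differently on purpose: a comment can be rejected outright, while registration_errors expects a WP_Error so the signup form is redisplayed with a message instead of a bare error page.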
Dashboard Overview
After activating your license, the BD AntiSpam dashboard displays four key metrics for the last 30 days:
- Spam Blocked: Total submissions blocked or flagged.
- Clean Submissions: Legitimate submissions that passed all checks.
- Spam Rate: Percentage of all submissions that were spam.
- Lifetime Blocked: Cumulative total of all spam ever blocked.
The dashboard also includes a 30-day bar chart showing daily blocked vs. allowed submissions, a breakdown of spam by form source, a top offenders table showing the most active spam IPs, and status panels for all protection modules and form integrations.
License Requirements
BD AntiSpam requires an active license for all protection features. Without a license:
- No frontend JavaScript assets are loaded (no honeypot injection, no JS token generation).
- Protection components (Honeypot, JS Token, Integrations, Logger) are not initialized.
- The admin dashboard and settings remain accessible so you can view existing data and enter your license key.
Licenses are available in three tiers: Starter (1 site), Professional (3 sites), and Agency (unlimited sites). All tiers include all protection modules and form integrations. Professional and Agency tiers include priority support. Purchase a license at getbdshield.com/shop.