Accessing Settings
Navigate to BD AntiSpam → Settings in your WordPress admin menu, or click the Settings tab in the BD AntiSpam dashboard. The settings page is organized into five sections: Global Protection, Protection Modules, Form Integrations, Spam Scoring, and Behavior (including Allow & Block Lists).
Global Protection Toggle
The Enable AntiSpam Protection toggle at the top of the Settings tab is the master switch for all spam protection. When disabled, no form submissions are checked regardless of individual module settings. This is useful for temporarily disabling protection during testing or troubleshooting.
Important: This toggle only controls whether submissions are evaluated. The plugin will still load its frontend assets and inject honeypot fields. To completely stop all plugin activity, deactivate the plugin itself or deactivate your license.
Protection Modules
Each protection layer can be individually enabled or disabled:
Honeypot Trap
Toggle: Honeypot Trap (default: enabled). Injects an invisible field into all forms. Bots that fill in this field are immediately flagged. This is the most reliable single check and is recommended to always remain enabled.
Time Analysis
Toggle: Time Analysis (default: enabled). Checks that the form was not submitted faster than humanly possible.
Setting: Minimum Submit Time (seconds) (default: 3, range: 1-30). This is the minimum number of seconds between page load and form submission. Submissions faster than this receive penalty points. Increase this value if you are seeing false negatives on simple forms. Decrease it if you have very short forms (such as a single-field newsletter signup) that legitimate users can submit quickly.
Tip: A value of 3 seconds works well for most forms. For long contact forms, you might increase this to 5 seconds. For single-field subscription forms, consider lowering it to 2 seconds.
JavaScript Verification
Toggle: JavaScript Verification (default: enabled). Requires real browser JavaScript execution to generate a cryptographic proof-of-browser token. This is highly effective against headless bots and script-based spam tools that do not execute JavaScript.
Note: This check will penalize submissions from users who have JavaScript disabled in their browser. If your audience includes users who frequently disable JavaScript, consider reducing the No JavaScript Token point value in the scoring section.
Content Analysis
Toggle: Content Analysis (default: enabled). Scans submitted text for spam keywords, pharmaceutical spam, casino/gambling terms, SEO spam, cryptocurrency scams, Cyrillic character mixing, excessive capitalization, repetitive characters, BBCode/HTML injection, and encoded/obfuscated content.
Disposable Email Blocker
Toggle: Disposable Email Blocker (default: enabled). Rejects submissions from temporary/throwaway email services. The plugin includes a curated list of 130+ disposable email domains. You can extend this list programmatically using the bdas_disposable_email_domains WordPress filter.
Max Links Allowed
Setting: Max Links Allowed (default: 2, range: 0-50). The maximum number of links (URLs, HTML anchors, and BBCode links) allowed in a submission before triggering the link spam check. Set to 0 to penalize any submission containing links. Increase this value if your forms legitimately accept URLs (for example, a form that asks for a website address).
Form Integrations
Each form integration can be independently toggled. All are enabled by default:
- WordPress Comments: Protects the built-in comment form. Administrators and editors are automatically bypassed.
- WordPress Registration: Protects the default WordPress registration form at wp-login.php?action=register.
- Contact Form 7: Integrates with CF7’s spam detection system. Only active if Contact Form 7 is installed.
- WPForms: Intercepts WPForms submissions before processing. Only active if WPForms is installed.
- Gravity Forms: Hooks into Gravity Forms’ spam evaluation. Only active if Gravity Forms is installed.
- Elementor Forms: Validates Elementor Pro form submissions. Only active if Elementor Pro is installed.
- WooCommerce: Protects WooCommerce registration, checkout, and login forms. Only active if WooCommerce is installed.
- Generic HTML Forms: Catches any HTML form submission that contains the honeypot or timestamp field. Uses a higher confidence threshold (score of 8+) to avoid false positives on unknown forms.
Tip: The dashboard’s Form Integrations panel shows the status of each integration: “Protected” (enabled and plugin installed), “Disabled” (toggled off), or “Not Installed” (the target plugin is not active). You do not need to disable integrations for plugins that are not installed — they simply will not activate.
Spam Scoring
BD AntiSpam uses a point-based scoring system. Each check that fails adds points to the submission’s total score. When the total meets or exceeds the threshold, the submission is treated as spam.
Spam Threshold
Setting: Spam Threshold (default: 5, range: 1-20). This is the score at which a submission is considered spam. Lower values are stricter (more aggressive blocking), higher values are more lenient.
- Strict (3-4): Good for sites with heavy spam. May increase false positives.
- Default (5): Balanced setting. A single honeypot trigger (5 points) will block the submission. A combination of two minor checks (e.g., no JS token at 4 + empty referer at 1) will also trigger blocking.
- Lenient (7-10): Only blocks submissions that fail multiple checks. Good for sites with diverse, international audiences where some checks may trigger on legitimate users.
Point Values
You can customize how many points each check contributes (range: 0-10 for each):
- Honeypot Triggered (default: 5) — The honeypot field was filled in by a bot.
- Time Check Failed (default: 3) — Form was submitted faster than the minimum time.
- No JavaScript Token (default: 4) — No JS proof-of-browser token was present.
- Excessive Links (default: 3) — More links than the allowed limit were found.
- Bad Content Patterns (default: 3) — Content analysis detected spam patterns. The actual score is capped at 2x this value.
- Disposable Email (default: 3) — The email domain is on the disposable email list.
- Repeat Offender (default: 4) — The IP has 3 or more previous spam attempts.
Tip: Set a point value to 0 to effectively disable that check without turning off the module entirely. For example, setting “No JavaScript Token” to 0 means the check still runs and logs results, but it will not contribute to the spam score.
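The scoring rules above can be modelled to see which checks cross a given threshold before you change it. This is an added example, not BD AntiSpam's own code: the check names are hypothetical labels, and the way content-pattern hits accumulate up to the 2x cap is an assumption.

```python
# Added example: a model of the scoring rules on this page, not the plugin's code.
DEFAULT_POINTS = {
    "honeypot": 5, "time_check": 3, "no_js_token": 4, "excessive_links": 3,
    "bad_content": 3, "disposable_email": 3, "repeat_offender": 4,
}
# Taken from the threshold example on this page; not one of the configurable values.
FIXED_POINTS = {"empty_referer": 1}
CONTENT_CAP_FACTOR = 2  # "capped at 2x this value"


def contribution(check, hits, points):
    """Points one check adds; hits is how many times it fired."""
    if hits <= 0:
        return 0
    value = {**FIXED_POINTS, **points}[check]
    if check == "bad_content":
        # Assumption: each matched pattern adds `value`, up to the documented cap.
        return min(value * hits, CONTENT_CAP_FACTOR * value)
    return value


def evaluate(triggered, points=DEFAULT_POINTS, threshold=5):
    """Return (total score, is_spam) for a dict of check name -> hit count."""
    total = sum(contribution(c, h, points) for c, h in triggered.items())
    return total, total >= threshold


def blocks_alone(points=DEFAULT_POINTS, threshold=5):
    """Checks whose maximum contribution reaches the threshold by itself."""
    result = []
    for check, value in points.items():
        ceiling = value * CONTENT_CAP_FACTOR if check == "bad_content" else value
        if ceiling >= threshold:
            result.append(check)
    return sorted(result)


if __name__ == "__main__":
    print(evaluate({"honeypot": 1}))                         # honeypot alone
    print(evaluate({"no_js_token": 1, "empty_referer": 1}))  # two minor checks
    print(blocks_alone(threshold=4))                         # strict setting
```

Running `blocks_alone` for a candidate threshold shows which single checks become sufficient to block on their own, which is where false positives from a stricter setting are most likely to come from.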
Behavior Settings
Block Mode
This controls what happens when a submission is identified as spam:
- Reject (default): Shows an error message to the submitter. The message is configurable via the Rejection Message field. For WordPress comments, this uses wp_die() with a 403 response and a back link. For form plugins, the error is added to the plugin’s own error handling system.
- Flag: Silently marks the submission as spam without showing an error to the user. For WordPress comments, the comment is saved with a “spam” status. The submission is still logged.
- Silent: Logs the spam detection but does not block or flag the submission. The form submission proceeds normally. This is useful for a testing/monitoring period where you want to evaluate the plugin’s accuracy before enabling blocking.
Rejection Message
Setting: Rejection Message (default: “Your submission could not be processed. Please try again.”). This is the message shown to users when their submission is blocked in “Reject” mode. Keep this message generic so it does not reveal your spam detection methods.
Enable Logging
Toggle: Enable Logging (default: enabled). When enabled, every form submission that is evaluated (both spam and legitimate) is logged to the database with the IP address, email, user agent, form source, spam score, triggered reasons, and status. Disable this to stop recording log entries, which may be useful for privacy compliance or to reduce database size on high-traffic sites.
Log Retention (Days)
Setting: Log Retention (default: 30, range: 1-365). The number of days to keep log entries before they are automatically deleted by the daily cleanup cron job. Daily statistics are retained for 90 days regardless of this setting. IP reputation records for non-blocked IPs are cleaned up after 14 days of inactivity.
Allow and Block Lists
IP Whitelist
A list of IP addresses that are always allowed through without any spam checks. Enter one IP per line. CIDR notation is supported for IP ranges (for example, 192.168.1.0/24 to whitelist an entire subnet). Lines starting with # are treated as comments and ignored.
Tip: Add your own IP address and your team’s IPs to the whitelist to ensure you are never blocked during testing. You can also whitelist the IP addresses of services that submit forms programmatically (such as CRM integrations).
IP Blacklist
A list of IP addresses that are always blocked, regardless of spam score. Enter one IP per line. CIDR notation is supported. Any submission from a blacklisted IP immediately receives 10 spam points and is blocked.
This is different from the IP Manager’s block feature: the blacklist is a static settings-based list, while the IP Manager provides dynamic blocking with expiration times and reputation tracking.
Email Whitelist
A list of email addresses that bypass all spam checks. Enter one email per line. You can use domain wildcards with the *@domain.com syntax to whitelist all addresses from a specific domain. For example, *@yourcompany.com would allow all submissions from your company’s email domain.
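Because whitelisted entries skip every check, it is worth linting a list before pasting it into the settings. The following is an added example, not the plugin's parser: it reads the list format described above, and the breadth limits (/16 for IPv4, /32 for IPv6) and case-insensitive email matching are assumptions of this example.

```python
import ipaddress

# Constructed sample list: one entry per line, CIDR allowed, "#" lines are comments.
SAMPLE_IP_LIST = """\
# office network
192.168.1.0/24
203.0.113.7
0.0.0.0/0
10.1.2.300
"""


def parse_ip_list(text, min_prefix_v4=16, min_prefix_v6=32):
    """Return (networks, problems); the breadth limits are this example's choice."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append((lineno, line, "not an IP address or CIDR range"))
            continue
        limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < limit:
            problems.append((lineno, line, "broader than /%d" % limit))
            continue
        networks.append(net)
    return networks, problems


def ip_matches(ip, networks):
    """True if ip falls inside any parsed entry (IPv4 never matches IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def email_matches(email, entries):
    """Exact address or *@domain wildcard; case-insensitive by assumption."""
    email = email.strip().lower()
    if "@" not in email:
        return False
    domain = email.rpartition("@")[2]
    for entry in (e.strip().lower() for e in entries):
        if entry == email or (entry.startswith("*@") and entry[2:] == domain):
            return True
    return False
```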
Spam Logs
The Spam Logs tab provides a filterable, paginated log of all evaluated submissions. Each log entry shows:
- Date: When the submission occurred.
- IP: The visitor’s IP address.
- Email: The email address provided (if any).
- Source: Which form integration triggered the check (Comments, Registration, CF7, WPForms, Gravity Forms, Elementor, WooCommerce, or Generic).
- Score: The total spam score for that submission.
- Status: Blocked, Flagged, or Allowed.
- Reasons: Tags showing which specific checks were triggered (e.g., “Honeypot trap triggered,” “No JavaScript token,” “Disposable email domain detected”).
Filtering Logs
You can filter logs by:
- Search: Search by IP address or email address.
- Status: Filter by Blocked, Flagged, or Allowed.
- Source: Filter by form source (Comments, Registration, Contact Form 7, WPForms, Gravity Forms, Elementor, WooCommerce, or Generic).
Log Actions
- Export CSV: Download all logs as a CSV file for external analysis. The export includes ID, Date, IP Address, Email, Form Source, Score, Status, Reasons, and User Agent.
- Clear All: Permanently delete all log entries. This action cannot be undone.
- Block IP: Block the IP address directly from a log entry.
- Delete: Remove individual log entries.
IP Manager
The IP Manager tab provides tools for manual IP blocking and shows all currently blocked IPs.
Blocking an IP Manually
Enter an IP address and choose a block duration:
- Permanent: Blocked until manually unblocked.
- 1 Hour: Temporary block that expires automatically.
- 24 Hours: One-day temporary block.
- 7 Days: One-week temporary block.
- 30 Days: One-month temporary block.
You can also add optional notes to document why an IP was blocked.
Currently Blocked IPs
The table shows all IPs currently blocked by manual action or by the progressive auto-blocking system. For each blocked IP, you can see the spam count, expiration time (or “Permanent”), notes, and an Unblock button. Unblocking an IP also resets its spam count to zero.
Progressive Auto-Blocking
BD AntiSpam automatically blocks IPs based on repeated spam attempts:
- 3 spam attempts: Blocked for 1 hour.
- 5 spam attempts: Blocked for 24 hours.
- 10+ spam attempts: Blocked for 7 days.
When a blocked IP attempts to submit a form, it receives 10 spam points immediately, ensuring the submission is always blocked regardless of other checks.
Fine-Tuning for Your Site
High-Traffic Blog with Comments
If your primary spam vector is blog comments, ensure WordPress Comments integration is enabled. Consider increasing the Honeypot Triggered score to 6 or 7 and lowering the threshold to 4 for more aggressive blocking. Enable Disposable Email Blocker to catch throwaway accounts.
WooCommerce Store
Enable WooCommerce integration. Be careful with the threshold — set it to 5 or higher to avoid blocking legitimate customers. Whitelist your payment processor IPs if they make callbacks that could be mistaken for form submissions. Consider setting Block Mode to “Flag” for checkout forms so customers are not shown an error page during purchase.
Multilingual / International Sites
If your site serves an international audience, consider disabling or reducing the points for the Cyrillic/Latin mixing content check, which is part of Content Analysis. You can do this by reducing the Bad Content Patterns point value. Also consider increasing the threshold to 7 to reduce false positives from legitimate international submissions.
Monitoring Before Blocking
When first installing BD AntiSpam, set the Block Mode to “Silent” for the first week. This logs all spam evaluations without blocking any submissions. Review the logs to see what would have been blocked, then switch to “Reject” mode once you are confident in the accuracy.
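One way to review a Silent-mode week is to export the logs as CSV and count what each candidate threshold would have blocked. This is an added example, not part of the plugin: the sample rows are constructed, and the exact header text of the export is assumed from the field names listed under Log Actions.

```python
import csv
import io

# Constructed sample of a log export taken while Block Mode was "Silent".
# Columns follow the export fields listed on this page; exact header text is assumed.
SAMPLE_CSV = """\
ID,Date,IP Address,Email,Form Source,Score,Status,Reasons,User Agent
1,2024-05-01 09:12:03,198.51.100.4,a@example.com,Comments,0,Allowed,,Mozilla/5.0
2,2024-05-01 09:13:40,203.0.113.9,,Comments,9,Allowed,"Honeypot trap triggered, No JavaScript token",curl/8.0
3,2024-05-01 10:02:11,198.51.100.20,b@example.com,WooCommerce,4,Allowed,No JavaScript token,Mozilla/5.0
4,2024-05-01 10:30:55,203.0.113.44,,Generic,5,Allowed,Honeypot trap triggered,python-requests/2.31
5,2024-05-01 11:05:09,203.0.113.80,c@example.net,WooCommerce,7,Allowed,"No JavaScript token, Disposable email domain detected",Mozilla/5.0
6,2024-05-01 11:40:27,198.51.100.61,d@example.net,Registration,3,Allowed,Disposable email domain detected,Mozilla/5.0
"""


def load_rows(csv_text):
    """Parse the export and convert Score to an integer."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [dict(row, Score=int(row["Score"])) for row in reader]


def blocked_per_threshold(rows, thresholds=range(3, 11)):
    """How many logged submissions reach each candidate threshold."""
    return {t: sum(r["Score"] >= t for r in rows) for t in thresholds}


def verdict_changes(rows, low, high):
    """Entries that are spam at threshold `low` but pass at `high`.

    These are the borderline submissions to inspect by hand before
    choosing between the two settings.
    """
    return [(r["ID"], r["Form Source"], r["Score"])
            for r in rows if low <= r["Score"] < high]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(blocked_per_threshold(rows, (4, 5, 7)))
    for entry in verdict_changes(rows, 4, 7):
        print("review:", entry)
```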
Automatic Maintenance
BD AntiSpam runs a daily cron job (bdas_daily_cleanup) that automatically:
- Deletes log entries older than the configured retention period.
- Removes daily statistics older than 90 days.
- Cleans up IP reputation records for non-blocked IPs that have not been seen in 14 days.
All cron hooks are cleared on plugin deactivation. No data is deleted on deactivation — your logs, statistics, and settings are preserved if you reactivate the plugin later.