Broken plugin

Hi @lemurnick , Please remember that this is not the support forum and that it is possible that the error you are seeing is due to some incompatibility or other issue not strictly related to the plugin (or as you claim, to all installations of the plugin), that I cannot currently identify given the limited information I have. Yesterday, the plugin was downloaded by 3,000 people, and so far, you are the only one reporting this issue. I ask you not to be so disrespectful to those who produce free software.

What else can I tell you? Here’s my answer after the update… data_mismatch: Version mismatch ” != ‘0.7.1’ bot_fingerprint: timezone, platform, screens, user_agent, app_version, webdriver, session_storage, bot_fingerprint, memory bot_fingerprint_extras: activity 0, mouseclick_activity, mousemove_activity, webgl, webgl_render browser_language: missing browser language language_field: missing language field timestamp: undefined If you don’t test your code before production, what other relationship can there be? Don’t worry too much, I’ve already removed it and installed another plugin that doesn’t cause any “incompatibility” issues.

Hi @lemurnick , I don’t understand how you can claim that I don’t test my code before production. I personally use every new release for at least a couple of days on my own blog ( https://modul-r.codekraft.it/contacts/ ). I also deploy it on 4-5 of my clients’ websites, which receive at least ten form submissions daily (I obviously cannot share these for privacy reasons). Furthermore, I have automated End-to-End (E2E) and unit tests running for every pull request to the repository, a practice that, to my knowledge, few plugins—including popular ones like CF7—have. The specific problem you are describing can happen, and I suspect you have JavaScript issues on your site. This would prevent the script designed to “observe” the form completion from executing correctly. I remain quite confident that this issue is limited to your specific website. However, if you are right, we will certainly see many more feedback/reports/issues like yours within the next few days.

I am faced with the following problems (Apache 2.4 + PHP 8.4+MySQL 8+WP6.8.3): JavaScript is working incorrectly to fill in hidden fields. The JavaScript of the plugin does not fill in the required hidden fields of the form: _cf7a_address (IP address) _cf7a_version (plugin version) _cf7a_timestamp (timestamp) Fields for bot fingerprinting As a result, the plugin marks all shipments as spam due to the lack of necessary data. Critical error in the B8 filter database. A fatal PHP error occurs when submitting the form.: b8\storage\storage_base: The connected database is not a b8 v3 database PHP Fatal error: Uncaught Error: Call to a member function classify() on false The consequences are a complete failure of form processing, the form is not sent. A temporary solution is to reset B8 via the admin panel, they added it for a reason;) Although it was possible to add exception handling during B8 initialization and automatic database recovery in case of errors. Lack of graceful degradation in case of errors. If any component fails (IP detection, b8, etc.), the entire protection system stops working and collapses. There is no fallback mechanism – if there are errors in individual components, the rest of the checks do not continue. Problems with determining the IP address – the plugin does not take into account various proxy/CDN configurations. Only $_POST[‘_cf7a_address’] is used, but not the standard methods. There is no multi-level IP detection with a fallback to standard server methods in case of errors. Caching conflict – static timestamp and other dynamic data values are cached. When using page caching, time checking becomes ineffective. I didn’t go into much detail, but looking at the code, I can say that this plugin uses a “fragile” architecture.: Relies on client-side JavaScript for mission-critical data Has no backup processing mechanisms when client data is unavailable Ignores server-side methods for determining the same IP, which are standard …good luck with the development, maybe I’ll come back in a while 🙂

Hi @lemurnick , I appreciate that you have raised several valid and, in some cases, agreeable points regarding the architecture. However, I still don’t understand the punitive way used, which is not constructive at all. Aside from the (legitimate) choice not to use this plugin, you have the choice, for example, to disable the entire JS section and use only certain functions of the plugin, like the honeypots. Using JS has its pros and cons; for instance, many bots don’t execute it, making them easily “captured.” I find it somewhat amusing when you call the plugin’s architecture “fragile,” especially when compared to simple honeypot plugins that rely entirely on using JS to insert fields (which, as I mentioned, a large portion of bots do not execute). Are those plugins reliable? Did you leave a poor feedbacks for them too? I’d like to point out a couple of things: PHP 8.4 is currently only in beta support for WordPress, and that could easily be the source of the critical error you experienced with the B8 filter. The IP address is checked in a multi-layered way, not only using the frontend method you saw but also using PHP. You can find the server-side detection logic here: https://github.com/wp-blocks/cf7-antispam/blob/main/core/functions.php#L19-L46 You are correct that the plugin doesn’t have a backup mechanism for every component. But tell me: how many anti-spam WordPress plugins do you know that have that level of graceful degradation? Ideally, you are perfectly right about the architecture. If you feel strongly about these architectural issues, you are more than welcome to contribute to the development. I have never rejected a sensible pull request from anyone. Anyway, thanks, you’ve given me a couple of ideas in the end.

Okay, it got interesting. I decided to connect the plugin, diagnose the problem, and found the following: File /build/script.asset.php contains an empty array of dependencies: ‘dependencies’ => array() Because of this, the plugin scripts are not loaded, as WordPress does not know that jQuery and Contact Form 7 are needed. For a temporary fix, I had to manually register scripts with the correct dependencies. Diagnostic results after correction: === CF7A SIMPLE DIAGNOSTIC === DOM Ready: interactive CF7A Scripts found: 1 Script 1: script.js?ver=1829dacfa96318b4e905 ✅CF7A Settings: DEFINED kPrefix: cf7a Version: 1829dacfa96318b4e905 ✅jQuery: LOADED ✅CF7: LOADED CF7 Forms: 1 Form 1 CF7A fields: 1 === CF7A DELAYED CHECK === ✅CF7A Settings (delayed): DEFINED ✅jQuery (delayed): LOADED DOMContentLoaded Before the fix, it was:: === BUILD ISSUE RESOLVED === ❌Problem: Empty dependencies array in script.asset.php ✅Solution: Manually added dependencies: jQuery, Contact Form 7 ✅Script loaded: true ✅Settings defined: true ependencies loaded: ❌jQuery: false ✅CF7: true After fixing the script download, another problem appeared.: The plugin does not add the hidden field _cf7a_address to the Contact Form 7 forms. It is possible that the CF7 form check on the page is not working correctly. The result is the error "no_ip: Address field empty" when submitting any form. Forcibly added the IP address field to the forms via JavaScript, but it didn’t help – the data is already there, but the verification fails. The logs show: === CF7A POSTED DATA FILTER === Checking address field in posted data: _cf7a_address ❌ CF7A IP FIX (posted_data): Address field is empty CF7A IP FIX (posted_data): Real IP = XX.XX.XXX.XXX ✅ CF7A IP FIX (posted_data): Added encrypted IP I intercepted the form submission to add the IP address to the data, but it didn’t help. The data is already there, but the verification fails. There may be a problem with hook priorities. Scripts are registered on the wp_footer hook, but must be registered on wp_enqueue_scripts The checks occur before the data can be prepared. Look at the build system Check that the Webpack/importer defines the dependencies correctly. In build/script.asset.php must be: ‘dependencies’ => array(‘jquery’, ‘contact-form-7’) Fix adding and checking hidden fields Check the cf7a_add_hidden_fields() method in the CF7_AntiSpam_Frontend class. Make sure that the _cf7a_address field is added to all CF7 forms. Perhaps you need to optimize hook priorities. Register scripts on wp_enqueue_scripts, not wp_footer Check the data after it is fully prepared.

All logs and notes, how I came to this conclusion. === CF7 ANTISPAM ADVANCED ROOT CAUSE ANALYSIS === 1. DETAILED SCRIPT LOADING ANALYSIS: Total scripts on page: 92 CF7-related scripts: 6 Script 1: {src: 'INLINE SCRIPT', isCF7AntiSpam: 'YES', async: false, defer: false, readyState: undefined, …}async: falsedefer: falseisCF7AntiSpam: "YES"loaded: "LOADING/ERROR"readyState: undefinedsrc: "INLINE SCRIPT" ↳ Inline content preview: // Passing PHP diagnostics to JavaScript window.cf7a_php_diagnostics = {plugin_active: true,registered_scripts: 0,options_prefix: '_cf7a_' };... Script 2: {src: 'INLINE SCRIPT', isCF7AntiSpam: 'YES', async: false, defer: false, readyState: undefined, …}async: falsedefer: falseisCF7AntiSpam: "YES"loaded: "LOADING/ERROR"readyState: undefinedsrc: "INLINE SCRIPT" Script 3: {src: 'INLINE SCRIPT', isCF7AntiSpam: 'YES', async: false, defer: false, readyState: undefined, …}async: falsedefer: falseisCF7AntiSpam: "YES"loaded: "LOADING/ERROR"readyState: undefinedsrc: "INLINE SCRIPT" ↳ Inline content preview: // Updating the debug panel based on the results setTimeout(() => {const panel = document.querySelector('.cf7a-debug-panel');if (panel) {const status = panel.querySelector('.status');if (typeof cf7a_settings =... Script 4: {src: 'https://mysite.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.1.3', isCF7AntiSpam: 'NO', async: false, defer: true, readyState: undefined, …}async: falsedefer: trueisCF7AntiSpam: "NO"loaded: "LOADING/ERROR"readyState: undefinedsrc: "https://mysite.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.1.3" Script 5: {src: 'INLINE SCRIPT', isCF7AntiSpam: 'NO', async: false, defer: false, readyState: undefined, …}async: falsedefer: falseisCF7AntiSpam: "NO"loaded: "LOADING/ERROR"readyState: undefinedsrc: "INLINE SCRIPT" Script 6: {src: 'https://mysite.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.1.3', isCF7AntiSpam: 'NO', async: false, defer: true, readyState: undefined, …}async: falsedefer: trueisCF7AntiSpam: "NO"loaded: "LOADING/ERROR"readyState: undefinedsrc: "https://mysite.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.1.3" 2. WORDPRESS HOOKS AND INITIALIZATION: WordPress JS object: EXISTS wp.hooks: EXISTS wp.domReady: MISSING 3. CONTACT FORM 7 INITIALIZATION: wpcf7 version: UNKNOWN wpcf7 cached: 1 wpcf7 api settings: {root: 'https://mysite.com/wp-json/', namespace: 'contact-form-7/v1'}namespace: "contact-form-7/v1"root: "https://mysite.com/wp-json/"[[Prototype]]: Object CF7 forms found: 1 Form 1 classes: wpcf7-form init Form 1 init state: INITIALIZED 4. CF7 ANTISPAM PLUGIN DETECTION: true 5. SCRIPT LOADING ERRORS: Potentially failed scripts: 0 6. PLUGIN CONFLICT DETECTION: ✅ No obvious plugin conflicts detected 7. CF7 ANTISPAM STYLES DETECTION: CF7A style sheets: 0 8. DYNAMIC INITIALIZATION CHECK: 9. SCRIPT PATH ANALYSIS: CF7A REST routes detected: 13 /cf7-antispam/v1 /cf7-antispam/v1/force-geoip-download /cf7-antispam/v1/statu...

Hi @lemurnick , Thank you very much for taking the time to provide such a detailed analysis and for sharing the extensive logs. This level of detail is genuinely helpful for debugging. I need to address a couple of technical points regarding your findings:1. Script Dependencies in script.asset.php You correctly pointed out the empty dependencies array: 'dependencies' => array() . However, this array being empty is intentional and correct for this plugin . The file is autogenerated by WordPress’s build tools (like wp-scripts ) based on the import statements in the script. CF7 AntiSpam is written in plain ECMAscript and has NO dependencies on jQuery or Contact Form 7’s core JS. I personally aim to avoid loading jQuery on the frontend for anti-spam purposes, as it introduces unnecessary weight. An empty dependency array means the script does not require any other script to function. If jQuery or CF7 were required, they would appear here. Your manual fix to add these dependencies forced the script to load, but it indicates the original issue was likely deeper than just the dependency array itself.2. WordPress Environment and PHP 8.4 You are using PHP 8.4 , which is currently only in beta support for WordPress and many of its plugins. This is a very slippery slope and is likely the source of instability, particularly with the B8 library errors you mentioned (like the implicit nullable type deprecation warnings). The most telling sign from your advanced analysis is in the Environment Check: DOM Ready: loading wp.domReady: MISSING This indicates that something on your site is blocking or severely delaying the DOM from completing its load , and is preventing the standard WordPress and theme scripts (like those setting up wp.domReady ) from running correctly. This is usually due to a critical JavaScript error from another source that halts execution across the entire page. If the DOM is stuck in a loading state, my plugin’s script—which requires the DOM to be ready to inject fields—will inevitably fail to execute its logic properly, regardless of how it’s enqueued.Next Steps I am currently working to recreate your specific environment (Apache 2.4 + PHP 8.4 + WP 6.8.3) to debug the B8 filter and general stability with PHP 8.4. In the meantime, I strongly urge you to open your browser console (Developer Tools) and look for any JavaScript errors that appear when the page loads. I suspect you will find errors from a source other than CF7 AntiSpam, and those errors are the root cause of the “DOM Ready: loading” state and the subsequent failure of many client-side scripts, including mine, to execute. Thank you again for the detailed report; I will let you know once I have found something on my end.

I checked for JavaScript errors and others that occur when loading the page through the browser console (developer tools) first of all and monitored them constantly during tests (network, cache disabled) – zero errors. If there were mistakes, it would probably be easier to determine the cause.

@lemurnick , I have tried various methods and environments, but I am unable to identify your problem, which I believe is related to a conflict with some plugin at this point. You can see the blueprint of the plugin running nicely with php 8.4 with cf7 and flamingo without any errors (obviously it does not send emails, but the frontend js works). Could you tell me which plugins you have installed on your website? This could help me understand the problem. Thank you again for your cooperation.

All in One SEO Asset CleanUp: Page Speed Booster Async JavaScript Autoptimize Code Snippets Contact Form 7 Deep Core Elementor Email Encoder - Protect Email Addresses Flamingo Head & Footer Code ImageMagick Engine Object Cache 4 everyone ReCrawler Smart Custom 404 Error Page UpdraftPlus - Backup/Restore WP Crontrol WP Super Cache WP-Optimize My plugins. If I can’t find the problem, it’s not a big deal. I’ll be checking this thread, and if there’s any news, I’ll install the plugin and test it for you.

Hi @lemurnick , I’ve been investigating the root cause and I believe your problem, where the hidden fields are not being added, leading to the no_ip: Address field empty error, is related to a PHP hook not executing correctly on your site. This hook is responsible for adding the hidden fields to every form. I suspect you might be experiencing the exact same issue as this user (last message of the thread): https://wordpress.org/support/topic/form-no-longer-works-2/ Regarding your suggestions, I want to say that I take your input as good ideas for incoming improvements: Caching Check: The _cf7a_version field, which currently helps verify spam, could certainly be used to check if the version displayed to users is cached. If a version mismatch is detected, we could detect it and ask the administrator (via mail) to refresh the website cache. Update default options: I plan to activate only the most stable and “critical” checks by default. Users can then choose to activate higher protection levels if needed enabling, for example, advanced js fingerprinting only if needed. I was also working in parallel on another free plugin that allows using an external SMTP service for sending emails with Contact Form 7. In that plugin, I added a hook that CF7 AntiSpam will also use to send you a daily/weekly spam report. All these improvements (like others published in v0.7.x) were aimed at increasing stability and reliability. I sincerely apologize for the trouble you have experienced. Your detailed feedback is invaluable in making the plugin more robust for all users. I will keep you posted on any developments.

I figured out where the issue lies… this feature , which was actually introduced in version 0.7.0 and used to avoid loading all the frontend hooks if there is not at least one Contact Form 7 form on the page didn’t fire. And that’s why everything is missing, scripts and fields that are created by PHP before the form. I’ll try to find a solution, but as you know, I also have to deal with a fix to the system I use for updates.

Ciao, Signore Erik. Grazie mille per il lavoro svolto sulle correzioni. I noticed the plugin had been updated to version 0.7.2 and tested it. With the “Optimize scripts loading” checkbox unchecked, everything works correctly, and no errors occur.

Grazie mille a te @lemurnick 🙂 I tried to implement some of the things we discussed, for example, if I find that the contact form page is cached (using the cf7a version field), after a few failed emails the plugin sends you an email. Additionally, I have completely reworked the spam filters and now you can hook into the chain to add and remove filters, including add your own custom ones (examples here https://modul-r.codekraft.it/2025/11/developer-guide-customizing-cf7-antispam-filters/ ). Also other minor changes for example a better debug section with the current website installed plugin list and some info about the system, I hope everything is working fine now. But if that’s not the case, please open a support thread and usually I’ll try to fix it quickly. I try to keep the plugin up to date, but sometimes some changes have “unpredictable” effects on some installations, even though I try to test the plugin in every way possible. Erik PS. FYI, I discovered another bug affecting 0.7.1 (fixed in 0.7.2), about encrypted fields ( this) . Anyhow I believe it wasn’t your case.

It’s really cool that can now connect to the filter chain! 🤩 When your plugin became unavailable, so I had to develop a temporary spam protection solution. In the process, I got a little carried away and as a result, I also got a full-fledged plugin. Here are its main functions: Automatic ban by IP address Checking the browser language Checking the HTTP link Checking for prohibited words in the message text Checking an empty message Penalties if the message field is empty. Checking email for prohibited words Check the subject of the message for keywords User Agent Verification Check the time of filling out the form Honeypot The Honeypot button – send Added a hidden submit button that should not be marked. DNSBL Dynamic fields Adds dynamic fields using JavaScript that must remain empty or contain certain values. Interaction time analysis Analyzes the time and order of filling in the fields. Checking with regular expressions in the message text Analysis of the time required to fill in individual fields Tracks the focus time on each field and the order in which it is filled in. Penalty for filling in fields too quickly and for simultaneous/linear ordering. Token protection Reports and the Report Scheduler Settings: report_enabled, report_email, report_days Allows you to set up the sending of anti-spam reports by e-mail with a set frequency. To the address provided on the website, or you can specify another email address (reports for 1-30 days). Defining form fields Automatic detection of forms and form fields (name, email address, subject, message) allows you to configure them manually in the admin area and create exceptions. Logging Logs all messages with non-zero penalty points (both blocked and not) with details (IP, account, reasons, user agent, referrer, etc.). Admin panel management, quick actions, log cleanup, reset counters, disable all IP addresses, reset/save settings, export/import settings (json), export logs (csv) and prohibited IP(txt) CSS and JS to hide honeypot fields Optimized the admin panel for mobile devices The implementation of these functions helps a lot.: In addition to bad words, regex instantly cuts off 70% of spam through the admin panel – very effective. Checking for an empty message text prevents a preliminary reconnaissance by spammers and subsequent mailings – this often helps. Checking the timestamp is good. But what if the form was submitted on the specified time?, but the time to fill in each field was only 50-100 ms, which clearly indicates a bot. Therefore, I added focus and analysis of the interaction time when filling in each of the form fields and the order of filling in the aggregate. Reports have been added so that don’t have to log into the admin area every time. The plans are as follows: paragraphs 4 and 7 have compiled lists separately, but this is unnecessary. The list of bad words should have been created unified, but it should be processed on a per-field basis, I’ll finalize it later. as a priority,...

Hi @lemurnick , I’m incredibly happy to hear about that! As far as development goes, I am always open to proposals and prioritize feedback from users. Anyway, the best place to share and discuss these detailed architectural ideas and features (like Interaction Time Analysis, unified bad word lists, and DNSBL timeouts) is directly on GitHub in the Discussions section of the plugin repository. It keeps the conversation focused and allows for deeper technical back-and-forth. Just a couple of comments on your points: DNSBL Checks and Timeout: If you enable the plugin’s debug mode (by setting the WP_DEBUG or CF7ANTISPAM_DEBUG constant to true ), you will see an additional tab in the plugin admin panel. This tab allows you to verify the status and response time of all your DNSBL servers. DNSBL is fine, but not infallible. My current solution is to use just a few highly reliable servers and set a lower score (e.g., 0.5) when it fails, rather than fully blocking the submission. Caching Exclusion: Excluding the contact page from caching makes perfect sense. It enables a much wider spectrum of controls on the email sender. In my opinion, the performance loss on a single contact page is irrelevant when weighed against the benefits of better security. 100% Spam Block: Blocking 100% of spam and maintaining that continuously is likely impossible. However, my goal is to make a blocking event as rare as possible for legitimate users, while keeping spam filters highly effective. Thank you again for your contribution and testing. I look forward to seeing your future thoughts on GitHub !