FAQ
Will real users ever see the honeypot field?
No. The field is wrapped in an absolutely-positioned div at -9999px, with aria-hidden="true", tabindex="-1", and pointer-events:none. Screen readers skip it, keyboard navigation skips it, real users never tab into it.
Does Spam Shield call out to any 3rd-party service?
Only when you opt in:
- Geo blocking queries
ip-api.com(free, cached 24h) - StopForumSpam queries their public API (cached 1h)
- Akismet uses your Akismet API key, if present
Honeypot, timing, rate limit, blocklist, allowlist, link/pattern scoring, and disposable-email matching are all local.
Can I exempt a single email from every check?
Yes. Add it to the allowlist as type = email. The check fires first in OSpam_Checker::run() and short-circuits everything below.
What's the difference between a blocklist keyword and a scored keyword?
Blocklist keywords cause an instant block on substring match. Scored keywords (ospam_score_keywords, JSON-encoded) add to the score and only block if the threshold is crossed. Use keyword blocking for known-bad phrases, scored keywords for fuzzy heuristics.
How long are logs kept?
The weekly ospam_prune_log cron drops rows older than ospam_log_retention_days (default 30 days).
Does it work with a form I built myself?
Yes. Enable the generic integration in Integrations and include the two fields in your form (ospam_confirm_email invisible input + ospam_ts hidden input). Call OSpam_Checker::run() from your submission handler.