Changelog
Version history for QWeb Spam Shield, straight from the release system. Dates are release dates.
- Security: stricter input sanitization across all form integrations and the Mail Guard admin (user agent headers, request parameters, and nonce values are sanitized at the point of reading).
- Security: the debug log moved into a protected plugin subfolder of the uploads directory, with directory listing and direct download blocked.
- Changed: Mail Guard admin styles and scripts are now enqueued through the WordPress asset pipeline instead of printed inline.
- Changed: admin screens no longer load a font from Google Fonts; the interface uses the system font stack, so admin pages make no external requests.
- Fixed: the plugin can be installed alongside the free QWeb Spam Shield edition without a fatal error. Whichever edition loads first runs; the other stays dormant and shows a notice.
Requires WordPress 5.8+ · Tested to 7.0 · PHP 7.4+
WooCommerce checkout never hard-rejects a real customer over content or pattern signals: a spam verdict at checkout is downgraded to a review flag so the order completes and is flagged for you to review (card-testing bursts still hard-block; the payment gateway still stops stolen cards). Also restored the bundled CDN IP-ranges file that was missing from 1.8.5, so sites behind a CDN (CloudFront/Cloudflare) resolve the real visitor IP instead of the CDN edge IP - fixing false spam matches on shared CDN ranges for both checkout and forms.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
- Fix - a domain/brand name answered in a form field (e.g. 'BustBunny.com') is no longer mistaken for gibberish (removes a held false positive).
- Change - the hands-off AI rescue now also reviews soft single-token held items so a brand/short answer it confirms is a real customer is auto-released; strong gibberish still blocks rescue.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
- Fix - an email address written in a message is no longer mistaken for a link (removes a 'contains URL' false positive on genuine messages).
- New - hands-off AI rescue: a held contact-form message with a valid email and no hard spam signal is checked by AI using your business profile as context and auto-released + delivered if it is clearly a real customer, while unrelated spam/outreach stays held. Fails safe (held on any AI error). Toggle in AI settings.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
Update-visibility fix. Clicking Check for updates now re-checks the license server immediately (a 12h cache previously hid freshly published releases from manual checks); background checks every 6h. Includes 1.8.0-1.8.2.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
Display fix. The Activity log could briefly read empty on a site that updated from an older version before its one-time database migration finished; the screen now self-heals (adds the columns on load) and degrades gracefully so logs always show. No data was affected. Includes 1.8.0/1.8.1 features.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
The one-time AI site profile now also builds automatically on update (not only fresh activation), so existing sites gain per-business context with no manual step. It builds once and is skipped on routine updates (no rebuild unless intentionally refreshed). Includes all 1.8.0 detection improvements and the 1.7.0 false-positive Recovery.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
One-time AI site profiling (judges spam in your business context, e.g. crypto/wholesale), context-aware URL scoring (link risk by field + URL quality), smarter gibberish detection, lead-aware handling so real B2B enquiries are never hard-blocked, stronger cold-outreach/scam coverage, disposable-email blocking on by default, and the managed AI tiebreaker on by default (gray-area only, cached, per-plan capped). Includes the 1.7.0 false-positive Recovery.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
False-positive recovery. Allow on a blocked or held submission now re-delivers it (rebuilds the form notification from the saved fields and sends it to the form's real recipient, falling back to the site admin email) and trusts the sender; it no longer deletes the log row, so a wrongly-held message is kept and recoverable until normal log rotation. New Forward-only action delivers once without trusting. Detection rules unchanged from 1.6.8.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
Federated threat-intel: confirmed-spammer source IP/CIDR ranges (Tor exits, datacenter VPS) now propagate across the fleet as a private DNSBL. Public, non-CDN ranges only; promoted solely on cross-site corroboration (never AI-verified, never PII). New sites inherit the fleet's known-bad ranges from day one. Includes the 1.6.7 checkout email-velocity log fix.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
Checkout fix: a WooCommerce checkout whose ONLY signal is email-velocity (a returning/retrying customer) is now allowed cleanly and never leaves a phantom "held" row in the Activity log. Real carding signals (IP burst, failed-payment velocity, gateway) and all content/honeypot checks unchanged. Rolls up 1.6.3–1.6.6: outbound Mail Guard email_missing fix, dashboard Recent Activity actions + 7-day trend chart + top-reasons breakdown.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+
promoted the current production build to the official update channel (parity with reference deployments qwebmaster.com / bustbunny.com). Local pattern mining, federated spam patterns, managed AI tiebreaker, WooCommerce checkout card-testing defenses, Mail Guard.
Requires WordPress 5.8+ · Tested to 6.8 · PHP 7.4+