{"id":297705,"date":"2026-04-18T22:52:11","date_gmt":"2026-04-18T22:52:11","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/cardea-proof-of-work-comment-spam-protection\/"},"modified":"2026-04-19T07:11:42","modified_gmt":"2026-04-19T07:11:42","slug":"cardea","status":"publish","type":"plugin","link":"https:\/\/uz.wordpress.org\/plugins\/cardea\/","author":21099010,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.0.0","stable_tag":"1.0.0","tested":"6.9.4","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"Cardea - Proof-of-Work Comment Spam Protection","header_author":"Oleg Mikheev","header_description":"Lightweight, zero-dependency Proof-of-Work anti-spam protection for WordPress comments. Uses client-side cryptographic mining to filter out automated spam.","assets_banners_color":"4b3f32","last_updated":"2026-04-19 07:11:42","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/olegmikheev.com\/cardea","header_author_uri":"https:\/\/olegmikheev.com","rating":0,"author_block_rating":0,"active_installs":0,"downloads":181,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"omikheev","date":"2026-04-19 07:11:42"}},"upgrade_notice":{"1.0.0":"

Initial release of the Cardea - Proof-of-Work Comment Spam Protection plugin.<\/p>"},"ratings":[],"assets_icons":{"icon-256x256.png":{"filename":"icon-256x256.png","revision":3509895,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3509895,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3509895,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[2656,107,34331,1178,599],"plugin_category":[44,54],"plugin_contributors":[260544],"plugin_business_model":[],"class_list":["post-297705","plugin","type-plugin","status-publish","hentry","plugin_tags-anti-spam","plugin_tags-comments","plugin_tags-proof-of-work","plugin_tags-protection","plugin_tags-spam","plugin_category-discussion-and-community","plugin_category-security-and-spam-protection","plugin_contributors-omikheev","plugin_committers-omikheev"],"banners":{"banner":"https:\/\/ps.w.org\/cardea\/assets\/banner-772x250.png?rev=3509895","banner_2x":"https:\/\/ps.w.org\/cardea\/assets\/banner-1544x500.png?rev=3509895","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/cardea\/assets\/icon-256x256.png?rev=3509895","icon_2x":"https:\/\/ps.w.org\/cardea\/assets\/icon-256x256.png?rev=3509895","generated":false},"screenshots":[],"raw_content":"\n

Are you tired of anti-spam plugins that bloat your site, inject third-party tracking, or constantly upsell you on premium SaaS subscriptions? Are you looking for a straightforward, lightweight solution that just protects your comments without the extra baggage?<\/p>\n\n

Then Cardea is the right tool for you.<\/p>\n\n

Cardea is a radically simple, zero-dependency Proof-of-Work (PoW) comment spam protector. Developed transparently on GitHub as a purely open-source project, it does one thing and does it perfectly: it stops automated bot spam on native WordPress comments.<\/p>\n\n

Why Choose Cardea?<\/h3>\n\n

Cardea offers distinct advantages for site owners who value simplicity, privacy, and performance:<\/p>\n\n

    \n

  1. Hyper-Focused & Zero Bloat<\/strong> - Cardea is strictly dedicated to the native WordPress comment system. Unlike multi-purpose anti-spam plugins that inject heavy compatibility layers for various form builders and e-commerce platforms, Cardea remains extremely lightweight and performant\u2014protecting only what you need protected.<\/p><\/li>\n

  2. 100% Standalone & Sovereign<\/strong> - No external API keys. No commercial SaaS tiers. No phone-home telemetry. Cardea is entirely self-hosted and self-contained. Your comment protection never depends on a third-party service staying alive.<\/p><\/li>\n

  3. Strict Privacy (GDPR Compliant)<\/strong> - Because the Proof-of-Work computation happens locally in each visitor's browser, there are no tracking cookies, no user profiles, and no third-party data transfers. Unlike cloud-based CAPTCHA solutions, Cardea transmits nothing to external servers\u2014making it inherently GDPR-friendly.<\/p><\/li>\n

  4. Reduced Attack Surface<\/strong> - By doing one thing perfectly (protecting native comments), Cardea avoids the security vulnerabilities inherent in massive, multi-ecosystem integrations. A focused codebase means fewer CVEs and tighter security.<\/p><\/li>\n

  5. Plug-and-Play Simplicity<\/strong> - No complex routing rules. No integration toggles. No configuration mazes. Users simply activate Cardea and their discussion threads are protected immediately.<\/p><\/li>\n<\/ol>\n\n

    To view the source code, contribute, or report issues, visit the Cardea GitHub Repository<\/a>.<\/p>\n\n

    How It Works<\/h3>\n\n
      \n
    1. Challenge Generation<\/strong>: When a page with a comment form loads, the server generates a cryptographically signed challenge using HMAC-SHA256. No database write occurs at this stage.<\/li>\n
    2. Client-Side Mining<\/strong>: When a user focuses on the comment textarea, a JavaScript Web Worker begins mining in the background.<\/li>\n
    3. Solution Discovery<\/strong>: The worker repeatedly hashes the challenge string (nonce + timestamp + salt) with incrementing counter values until it finds a hash with the required number of leading zeros.<\/li>\n
    4. Server Verification<\/strong>: On submission, the server first verifies the HMAC signature (ensuring the challenge wasn't tampered with), then validates the PoW solution, and finally stores a transient to prevent replay attacks.<\/li>\n<\/ol>\n\n

      Features<\/h3>\n\n
        \n
      • Zero Database Bloat on Load<\/strong> - Challenges are generated using stateless HMAC signatures, meaning the plugin requires exactly zero database writes when a visitor loads a page.<\/li>\n
      • Zero Dependencies<\/strong> - No external APIs or services required.<\/li>\n
      • Client-Side Mining<\/strong> - Heavy computation happens in the user's browser using Web Workers.<\/li>\n
      • Deferred Execution<\/strong> - The cryptographic mining engine only spins up when a user interacts with the comment field, ensuring casual readers incur zero performance penalty.<\/li>\n
      • Self-Cleaning Replay Protection<\/strong> - Server-side state is only stored upon a successful comment submission to prevent bot replay attacks, and expired tokens are automatically swept by WordPress cron.<\/li>\n
      • Server-Side Verification<\/strong> - Server verifies HMAC signature first, then performs SHA-256 PoW validation.<\/li>\n
      • Configurable Difficulty<\/strong> - Adjust the number of leading zeros required (1-8).<\/li>\n
      • Configurable Time Window<\/strong> - Set how long challenges remain valid (5-120 minutes).<\/li>\n
      • Non-Intrusive<\/strong> - Works transparently for legitimate users; spammers must complete the PoW challenge.<\/li>\n
      • WordPress Standards<\/strong> - Follows WordPress coding standards and best practices.<\/li>\n
      • Privacy First (GDPR Friendly)<\/strong> - No cookies, no user tracking, no CAPTCHA popups, and absolutely zero data sent to third-party cloud APIs.<\/li>\n
      • Smart Pathway Protection<\/strong> - Flawlessly protects frontend forms and blocks XML-RPC botnets, while seamlessly allowing native Trackbacks and authenticated REST API requests.<\/li>\n
      • Page Caching Compatible<\/strong> - Uses dynamic REST API endpoint to fetch fresh challenges, ensuring compatibility with edge caching (Cloudflare, Varnish) and full-page caching plugins.<\/li>\n
      • Logged-In User Bypass<\/strong> - Skips PoW challenge for authenticated users, eliminating unnecessary CPU usage on the frontend.<\/li>\n<\/ul>\n\n

        Architecture & Testing<\/h3>\n\n

        Cardea is built with an enterprise-grade engineering stack focused on reliability and performance:<\/p>\n\n

        Frontend Architecture:<\/strong>\n* Zero-dependency JavaScript using native Web Crypto APIs (crypto.subtle)\n* Web Workers for background cryptographic mining (non-blocking UI)\n* Dynamic challenge fetching via REST API (compatible with page caching)\n* Skip PoW for logged-in users (zero CPU overhead for authenticated commenters)<\/p>\n\n

        Backend Architecture:<\/strong>\n* Localized replay protection using WordPress transients\n* Auto-cleaning expired tokens via WordPress cron\n* Single verification pass: signature check + PoW validation<\/p>\n\n

        Testing Stack:<\/strong>\n* PHPUnit<\/strong> - Backend logic verification (HMAC generation, challenge validation, replay prevention)\n* Jest<\/strong> - Cryptographic worker validation (difficulty checking, solution finding, message interface)\n* Playwright<\/strong> - End-to-End browser testing integrated with WordPress Playground (full WordPress environment)<\/p>\n\n

        This comprehensive testing approach ensures the plugin handles legitimate users seamlessly while actively blocking sophisticated bot attacks.<\/p>\n\n

        Developer Rigor<\/h3>\n\n

        Cardea is built with an enterprise-grade engineering stack focused on reliability and performance:<\/p>\n\n

        Architecture:<\/strong>\n* Zero Database Bloat on Load<\/strong> - Stateless HMAC signatures ensure zero database writes on page load\n* Self-Cleaning Replay Protection<\/strong> - Uses WordPress transients that auto-expire via cron\n* Deferred Execution<\/strong> - Mining only starts when user interacts with comment field<\/p>\n\n

        Testing Stack:<\/strong>\n* PHPUnit<\/strong> - Backend logic verification (HMAC generation, challenge validation, replay prevention)\n* Jest<\/strong> - Cryptographic worker validation (difficulty checking, solution finding, message interface)\n* Playwright<\/strong> - End-to-End browser testing integrated with WordPress Playground (full WordPress environment)<\/p>\n\n

        Cross-Theme Compatibility:<\/strong>\n* Uses HTMLFormElement.prototype.submit.call() to bypass DOM clobbering issues\n* Graceful fallback for browsers without Web Worker support<\/p>\n\n\n

          \n
        1. Upload the cardea<\/code> folder to your \/wp-content\/plugins\/<\/code> directory.<\/li>\n
        2. Activate the plugin through the 'Plugins' menu in WordPress.<\/li>\n
        3. Configure the settings under Settings > Cardea PoW.<\/li>\n<\/ol>\n\n\n
          \n

          Does this plugin slow down comment submission?<\/h3><\/dt>\n

          For legitimate users, the mining happens in the background while they type their comment. Most users won't notice any delay. The default difficulty level (4 zeros) typically takes 1-5 seconds on modern devices.<\/p><\/dd>\n

          Can spammers bypass this?<\/h3><\/dt>\n

          While no solution is 100% foolproof, this makes automated spam economically unviable. Spammers would need significant CPU resources to submit comments, making mass spam campaigns impractical.<\/p><\/dd>\n

          Does this work on mobile devices?<\/h3><\/dt>\n

          Yes, but the mining may take slightly longer on older or slower mobile devices. You can reduce the difficulty setting if you notice issues.<\/p><\/dd>\n

          Does this protect against human-spammers?<\/h3><\/dt>\n

          This plugin primarily protects against automated bots. For human-spammers, consider using additional measures like moderation queues or other anti-spam plugins.<\/p><\/dd>\n

          Will this affect SEO bots or REST API submissions?<\/h3><\/dt>\n

          This plugin only affects the native WordPress comment form. REST API comments, XML-RPC, and other methods are not affected.<\/p><\/dd>\n

          Does it track users?<\/h3><\/dt>\n

          No, this plugin is 100% local and does not track users. The PoW challenge is generated per-session and is not tied to any user data.<\/p><\/dd>\n

          Will this break my comment form for legitimate users?<\/h3><\/dt>\n

          No. The mining happens transparently in the background while users type. Most users won't even notice it happening. The default difficulty is set to provide a good balance between security and user experience.<\/p><\/dd>\n

          What happens if JavaScript is disabled?<\/h3><\/dt>\n

          The comment form will still work, but submissions without a valid PoW solution will be rejected. This is intentional - automated spammers typically don't execute JavaScript.<\/p><\/dd>\n

          Does this plugin add database entries on page load?<\/h3><\/dt>\n

          No! This is a key differentiator. Unlike most security plugins that query the database on every page load, Cardea generates challenges using stateless HMAC signatures. Database writes only occur when a user actually submits a comment, making this ideal for high-traffic sites.<\/p><\/dd>\n\n<\/dl>\n\n\n

          1.0.0<\/h4>\n\n
            \n
          • Initial release<\/li>\n
          • HMAC-signed challenge generation (zero DB writes on page load)<\/li>\n
          • Web Worker-based client-side mining<\/li>\n
          • Admin settings page<\/li>\n
          • Configurable difficulty and time window<\/li>\n
          • Self-cleaning replay protection via WordPress transients<\/li>\n<\/ul>","raw_excerpt":"Lightweight, zero-dependency Proof-of-Work anti-spam protection for WordPress comments.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/297705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=297705"}],"author":[{"embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/omikheev"}],"wp:attachment":[{"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=297705"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=297705"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=297705"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=297705"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=297705"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=297705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}