From 51d2ea7896de16170360d5869eb8d8c991950248 Mon Sep 17 00:00:00 2001
From: carpentryplus25
Date: Fri, 20 Mar 2026 09:14:27 -0400
Subject: [PATCH] Contact Form 7 Rest API blocking for better protection

---
 dapper.php | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/dapper.php b/dapper.php
index a37014b..f3e59c9 100644
--- a/dapper.php
+++ b/dapper.php
@@ -1248,6 +1248,68 @@ if ( class_exists( 'WPCF7' ) ) {
 ';
 return $hp . $form;
 }
+ add_filter('rest_pre_dispatch', 'dapper_block_cf7_rest_spam', 10, 3);
+
+ function dapper_block_cf7_rest_spam($result, $server, $request) {
+
+ $route = $request->get_route();
+ $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
+ dapper_debug_log("CF7 REST HIT from IP: $ip → $route");
+
+ // Only target CF7 submissions
+ if (strpos($route, '/contact-form-7/') === false) {
+ return $result;
+ }
+
+ // LOG ALL HITS
+ dapper_debug_log('CF7 REST HIT → ' . $route);
+
+ $params = $request->get_params();
+
+ // 1. Require JS token
+ if (empty($params['dapper_token']) || strpos($params['dapper_token'], 'dpr_') !== 0) {
+
+ dapper_debug_log('BLOCKED REST: Missing JS token');
+
+ return new WP_Error(
+ 'dapper_spam_block',
+ 'Spam detected',
+ ['status' => 403]
+ );
+ }
+
+ // 2. Require timestamp
+ if (empty($params['dapper_ts'])) {
+
+ dapper_debug_log('BLOCKED REST: Missing timestamp');
+
+ return new WP_Error(
+ 'dapper_spam_block',
+ 'Spam detected',
+ ['status' => 403]
+ );
+ }
+
+ // 3. Speed check
+ $elapsed = time() - (int)$params['dapper_ts'];
+
+ if ($elapsed < 3) {
+
+ dapper_debug_log('BLOCKED REST: Too fast');
+
+ return new WP_Error(
+ 'dapper_spam_block',
+ 'Spam detected',
+ ['status' => 403]
+ );
+ }
+
+ return $result;
+ }
+
+
+
+
 }
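Review bot: The route test in the new `rest_pre_dispatch` callback matches every `/contact-form-7/` route regardless of HTTP method, so GET requests that CF7's own admin/editor integration makes to its REST namespace would likely be refused with 403 for lacking `dapper_token` (inferred from the prefix match, not visible in the hunk); restricting the guard to submissions, `if ($request->get_method() !== 'POST' || strpos($route, '/contact-form-7/') === false) { return $result; }`, keeps the block to form posts. The token and timestamp checks hand whatever the client sent straight to `strpos()` and `(int)`, and a JSON body can carry an array for `dapper_token`, which makes `strpos()` throw a TypeError on PHP 8 and turns the intended 403 into a 500, so read it as `$token = $params['dapper_token'] ?? ''; if (!is_string($token) || strpos($token, 'dpr_') !== 0) {` and treat a non-scalar `dapper_ts` as missing in the same way. Because both values are client-chosen (only a prefix and the client's own clock are verified), a comment above `// 1. Require JS token` should state that these checks deter posters that skip the page's JavaScript rather than authenticate the request, so nobody later relies on them as such. The first `dapper_debug_log("CF7 REST HIT from IP: …")` runs before the route filter and therefore records the remote IP of every REST request on the site, and the same hit is logged again after the filter; moving that line below the `return $result;` guard, or dropping it, avoids the noise and the needless IP logging. The enclosing `if ( class_exists( 'WPCF7' ) )` block begins before this hunk.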