Contact Form 7 Rest API blocking for better protection

2026-03-20 09:14:27 -04:00
parent 75f247c402
commit 51d2ea7896
1 changed files with 62 additions and 0 deletions
--- a/dapper.php
+++ b/dapper.php
@@ -1248,6 +1248,68 @@ if ( class_exists( 'WPCF7' ) ) {
          </span>';
          return $hp . $form;
      }
+    add_filter('rest_pre_dispatch', 'dapper_block_cf7_rest_spam', 10, 3);
+
+    function dapper_block_cf7_rest_spam($result, $server, $request) {
+
+      $route = $request->get_route();
+      $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
+      dapper_debug_log("CF7 REST HIT from IP: $ip → $route");
+
+      // Only target CF7 submissions
+      if (strpos($route, '/contact-form-7/') === false) {
+          return $result;
+        }
+
+      // LOG ALL HITS
+      dapper_debug_log('CF7 REST HIT → ' . $route);
+
+      $params = $request->get_params();
+
+      // 1. Require JS token
+      if (empty($params['dapper_token']) || strpos($params['dapper_token'], 'dpr_') !== 0) {
+
+          dapper_debug_log('BLOCKED REST: Missing JS token');
+
+          return new WP_Error(
+              'dapper_spam_block',
+              'Spam detected',
+              ['status' => 403]
+            );
+      }
+
+      // 2. Require timestamp
+      if (empty($params['dapper_ts'])) {
+
+        dapper_debug_log('BLOCKED REST: Missing timestamp');
+
+        return new WP_Error(
+            'dapper_spam_block',
+            'Spam detected',
+            ['status' => 403]
+        );
+      }
+
+      // 3. Speed check
+      $elapsed = time() - (int)$params['dapper_ts'];
+
+      if ($elapsed < 3) {
+
+          dapper_debug_log('BLOCKED REST: Too fast');
+
+          return new WP_Error(
+              'dapper_spam_block',
+              'Spam detected',
+              ['status' => 403]
+            );
+          }
+
+          return $result;
+    }
+
+
+
+
 }