Cardea – Proof-of-Work Comment Spam Protection

Are you tired of anti-spam plugins that bloat your site, inject third-party tracking, or constantly upsell you on premium SaaS subscriptions? Are you looking for a straightforward, lightweight solution that just protects your comments without the extra baggage?

Then Cardea is the right tool for you.

Cardea is a radically simple, zero-dependency Proof-of-Work (PoW) comment spam protector. Developed transparently on GitHub as a purely open-source project, it does one thing and does it perfectly: it stops automated bot spam on native WordPress comments.

Why Choose Cardea?

Cardea offers distinct advantages for site owners who value simplicity, privacy, and performance:

1. Hyper-Focused & Zero Bloat – Cardea is strictly dedicated to the native WordPress comment system. Unlike multi-purpose anti-spam plugins that inject heavy compatibility layers for various form builders and e-commerce platforms, Cardea remains extremely lightweight and performant—protecting only what you need protected.

2. 100% Standalone & Sovereign – No external API keys. No commercial SaaS tiers. No phone-home telemetry. Cardea is entirely self-hosted and self-contained. Your comment protection never depends on a third-party service staying alive.

3. Strict Privacy (GDPR Compliant) – Because the Proof-of-Work computation happens locally in each visitor’s browser, there are no tracking cookies, no user profiles, and no third-party data transfers. Unlike cloud-based CAPTCHA solutions, Cardea transmits nothing to external servers—making it inherently GDPR-friendly.

4. Reduced Attack Surface – By doing one thing perfectly (protecting native comments), Cardea avoids the security vulnerabilities inherent in massive, multi-ecosystem integrations. A focused codebase means fewer CVEs and tighter security.

5. Plug-and-Play Simplicity – No complex routing rules. No integration toggles. No configuration mazes. Users simply activate Cardea and their discussion threads are protected immediately.

To view the source code, contribute, or report issues, visit the Cardea GitHub Repository.

How It Works

1. Challenge Generation: When a page with a comment form loads, the server generates a cryptographically signed challenge using HMAC-SHA256. No database write occurs at this stage.
2. Client-Side Mining: When a user focuses on the comment textarea, a JavaScript Web Worker begins mining in the background.
3. Solution Discovery: The worker repeatedly hashes the challenge string (nonce + timestamp + salt) with incrementing counter values until it finds a hash with the required number of leading zeros.
4. Server Verification: On submission, the server first verifies the HMAC signature (ensuring the challenge wasn’t tampered with), then validates the PoW solution, and finally stores a transient to prevent replay attacks.

Features

• Zero Database Bloat on Load – Challenges are generated using stateless HMAC signatures, meaning the plugin requires exactly zero database writes when a visitor loads a page.
• Zero Dependencies – No external APIs or services required.
• Client-Side Mining – Heavy computation happens in the user’s browser using Web Workers.
• Deferred Execution – The cryptographic mining engine only spins up when a user interacts with the comment field, ensuring casual readers incur zero performance penalty.
• Self-Cleaning Replay Protection – Server-side state is only stored upon a successful comment submission to prevent bot replay attacks, and expired tokens are automatically swept by WordPress cron.
• Server-Side Verification – Server verifies HMAC signature first, then performs SHA-256 PoW validation.
• Configurable Difficulty – Adjust the number of leading zeros required (1-8).
• Configurable Time Window – Set how long challenges remain valid (5-120 minutes).
• Non-Intrusive – Works transparently for legitimate users; spammers must complete the PoW challenge.
• WordPress Standards – Follows WordPress coding standards and best practices.
• Privacy First (GDPR Friendly) – No cookies, no user tracking, no CAPTCHA popups, and absolutely zero data sent to third-party cloud APIs.
• Smart Pathway Protection – Flawlessly protects frontend forms and blocks XML-RPC botnets, while seamlessly allowing native Trackbacks and authenticated REST API requests.
• Page Caching Compatible – Uses dynamic REST API endpoint to fetch fresh challenges, ensuring compatibility with edge caching (Cloudflare, Varnish) and full-page caching plugins.
• Logged-In User Bypass – Skips PoW challenge for authenticated users, eliminating unnecessary CPU usage on the frontend.

Architecture & Testing

Cardea is built with an enterprise-grade engineering stack focused on reliability and performance:

Frontend Architecture: * Zero-dependency JavaScript using native Web Crypto APIs (crypto.subtle) * Web Workers for background cryptographic mining (non-blocking UI) * Dynamic challenge fetching via REST API (compatible with page caching) * Skip PoW for logged-in users (zero CPU overhead for authenticated commenters)

Backend Architecture: * Localized replay protection using WordPress transients * Auto-cleaning expired tokens via WordPress cron * Single verification pass: signature check + PoW validation

Testing Stack: * PHPUnit – Backend logic verification (HMAC generation, challenge validation, replay prevention) * Jest – Cryptographic worker validation (difficulty checking, solution finding, message interface) * Playwright – End-to-End browser testing integrated with WordPress Playground (full WordPress environment)

This comprehensive testing approach ensures the plugin handles legitimate users seamlessly while actively blocking sophisticated bot attacks.

Developer Rigor

Cardea is built with an enterprise-grade engineering stack focused on reliability and performance:

Architecture: * Zero Database Bloat on Load – Stateless HMAC signatures ensure zero database writes on page load * Self-Cleaning Replay Protection – Uses WordPress transients that auto-expire via cron * Deferred Execution – Mining only starts when user interacts with comment field

Testing Stack: * PHPUnit – Backend logic verification (HMAC generation, challenge validation, replay prevention) * Jest – Cryptographic worker validation (difficulty checking, solution finding, message interface) * Playwright – End-to-End browser testing integrated with WordPress Playground (full WordPress environment)

Cross-Theme Compatibility: * Uses HTMLFormElement.prototype.submit.call() to bypass DOM clobbering issues * Graceful fallback for browsers without Web Worker support