Rate Limiting & Spam Protection
The plugin uses multiple layers of protection to prevent abuse and spam.
1. One Review Per User Per Event
Logged-in users are tracked by user ID; guests are tracked by IP address. Before the form renders and again during submission, the plugin checks for existing reviews (published or pending) from the same identity for the same event. Duplicates are rejected.
2. Honeypot Field
The form includes a hidden field (idver_website) that is invisible to real users but filled by bots. When detected, the submission is silently redirected — no error message is shown.
3. Pending Moderation
All reviews start as “Pending” regardless of who submits them. This ensures nothing reaches the frontend without administrator approval.
4. Require Login (Pro)
Pro users can enable the Require Login setting to restrict reviews to logged-in WordPress users only. When enabled, guests see a login prompt instead of the form.
Additional Security
- Nonce verification — Every form includes a WordPress nonce verified on submission.
- Event validation — The handler confirms the event is a valid, published idver_event post.
- Input sanitization — All inputs are sanitized. Guest emails are validated with is_email().
- IP logging — The submitter’s IP address is stored in review meta for admin reference.
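
The sketch below is an added example, not the plugin's own code. It shows one order in which a submission handler could apply the checks described above, using core WordPress functions. Only idver_website and idver_event come from this page; the action name, nonce field, form field names, review post type and meta keys are assumptions.

```php
<?php
// Hypothetical names (not the plugin's): action 'idver_submit_review', nonce field 'idver_nonce',
// form fields 'event_id' / 'review', post type 'idver_review', meta '_idver_event_id' / '_idver_ip'.
add_action( 'admin_post_idver_submit_review', 'idver_example_handle_review' );
add_action( 'admin_post_nopriv_idver_submit_review', 'idver_example_handle_review' );

function idver_example_handle_review() {
    $back = wp_get_referer() ? wp_get_referer() : home_url( '/' );
    // Nonce verification: reject forged or stale form posts before touching anything else.
    $nonce = isset( $_POST['idver_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['idver_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'idver_submit_review' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    // Honeypot: any value in the hidden field means a bot; redirect with no error shown.
    if ( ! empty( $_POST['idver_website'] ) ) {
        wp_safe_redirect( $back );
        exit;
    }
    // Event validation: the target must be a published idver_event post.
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( ! $event_id || 'idver_event' !== get_post_type( $event_id ) || 'publish' !== get_post_status( $event_id ) ) {
        wp_die( 'Unknown event.', '', array( 'response' => 400 ) );
    }
    // Identity: user ID when logged in, otherwise the IP. Assumption: the connection
    // address (REMOTE_ADDR) is used rather than a client-supplied forwarding header.
    $user_id = get_current_user_id();
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    // One review per identity per event, counting both published and pending reviews.
    $who   = $user_id ? array( 'author' => $user_id ) : array( 'meta_key' => '_idver_ip', 'meta_value' => $ip );
    $dupes = get_posts( array_merge( $who, array(
        'post_type'   => 'idver_review',
        'post_status' => array( 'publish', 'pending' ),
        'fields'      => 'ids', 'numberposts' => 1,
        'meta_query'  => array( array( 'key' => '_idver_event_id', 'value' => $event_id ) ),
    ) ) );
    if ( $dupes ) {
        wp_die( 'You have already reviewed this event.', '', array( 'response' => 409 ) );
    }
    // Pending moderation: stored as 'pending' whoever submits; the IP goes into review meta.
    wp_insert_post( array(
        'post_type'    => 'idver_review',
        'post_status'  => 'pending',
        'post_author'  => $user_id,
        'post_content' => sanitize_textarea_field( wp_unslash( $_POST['review'] ?? '' ) ),
        'meta_input'   => array( '_idver_event_id' => $event_id, '_idver_ip' => $ip ),
    ) );
    wp_safe_redirect( $back );
    exit;
}
```

The guest e-mail check with is_email() and the Pro Require Login gate are left out to keep the example short.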
