Addpixel / KirbyComments

[Kirby 2] File-based comments stored as subpages for the Kirby CMS.
MIT License

IP protection #28

Closed jenstornell closed 7 years ago

jenstornell commented 7 years ago

There does not seem to be an IP protection of some kind to prevent spam. If someone breaks the honeypot, it would be open for 1000+ spam comments?

Max 5 comments with the same IP on 10 posts on each day could be a solution. It should be optional if implemented, both to turn on/off and how many to allow before blocked.
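The per-IP daily cap proposed in the comment above, as an added example that is not part of the thread and is not KirbyComments code. It assumes the reading "at most N comments per IP per UTC day, site-wide", PHP 7.1+, and a writable JSON file; the class name `IpCommentLimiter`, the option keys and the store path are hypothetical.

```php
<?php
// Added example: hypothetical per-IP daily comment cap (not the plugin's API).
final class IpCommentLimiter
{
    private $enabled;
    private $maxPerDay;
    private $storeFile;

    public function __construct(array $options, string $storeFile)
    {
        $this->enabled   = $options['enabled'] ?? false;  // optional: off by default
        $this->maxPerDay = $options['max_per_day'] ?? 5;  // configurable threshold
        $this->storeFile = $storeFile;                    // assumed writable path
    }

    // Returns true if the comment may be stored, and counts it against the IP.
    public function allow(string $ip, ?int $now = null): bool
    {
        if (!$this->enabled) {
            return true;
        }
        $packed = @inet_pton($ip);
        if ($packed === false) {
            return false;                 // malformed address: refuse
        }
        $key = bin2hex($packed);          // normalized, so "::1" and "0:0:0:0:0:0:0:1" match
        $day = gmdate('Y-m-d', $now ?? time());

        $fh = fopen($this->storeFile, 'c+');
        if ($fh === false) {
            return false;                 // fail closed if the store is unavailable
        }
        flock($fh, LOCK_EX);              // serialize concurrent submissions
        $data = json_decode(stream_get_contents($fh) ?: '', true);
        if (!is_array($data) || ($data['day'] ?? '') !== $day) {
            $data = ['day' => $day, 'counts' => []];  // new UTC day: reset counters
        }
        $count   = $data['counts'][$key] ?? 0;
        $allowed = $count < $this->maxPerDay;
        if ($allowed) {
            $data['counts'][$key] = $count + 1;
            ftruncate($fh, 0);
            rewind($fh);
            fwrite($fh, json_encode($data));
        }
        flock($fh, LOCK_UN);
        fclose($fh);
        return $allowed;
    }
}
```

A caller would pass `$_SERVER['REMOTE_ADDR']`; behind a reverse proxy that value is the proxy's address, so the cap would apply to all visitors at once unless the real client address is taken from a trusted proxy header.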

florianpircher commented 7 years ago

The plugin requires a unique session ID for submitting a comment, for which you have to request a new form. This does slow bots down. Implementing a temporary IP block-list would add to the plugin's bot protection, but if someone is trying to attack you, limiting the bot comments to 10 comments a day is still annoying and the plugin still has to do a lot of work handling the blocking process. If an IP is attacking your site, the best course of action is to block this IP on the server level.

jenstornell commented 7 years ago

Then the question is if an IP protection is still a good idea or if session ID is enough? Maybe just have an option to block IPs manually from an array.

florianpircher commented 7 years ago

Blocking IPs manually makes a lot more sense to me, but if someone is attacking the comments, why not block them on the server level? They are clearly not interested in buying your product/reading your blog.

jenstornell commented 7 years ago

Ahh, you mean with htaccess like this:

http://www.htaccess-guide.com/deny-visitors-by-ip-address/

That makes total sense. Coming from the WordPress world, I'm a bit blinded by old habits. Maybe add something about this in the docs (for others like me):

This plugin does not block comments by IP. Instead of preventing bots from accessing your comments, block them from your site completely, in your htaccess file like this: [...]