Highfivery / zero-spam-for-wordpress

The WordPress Zero Spam plugin makes blocking spam a cinch without all the bloated options. Just install, activate, and say goodbye to spam.
https://wordpress.org/plugins/zero-spam/

All blocking seems to rely only on (client-side) cookies, which can be circumvented completely #215

Closed enton8 closed 3 years ago

enton8 commented 4 years ago

In file `class-wpzerospam.php`, in `public function set_access_cookies( $access ) {`, these cookies are created:

```php
$access = array(
    'ip_checked'     => $ip,
    'has_access'     => true,
    'access_checked' => false,
    'cached'         => false,
    'blacklist_api'  => false,
    'attempts'       => false,
);
```

i.e. wpzerospam_ip_checked, wpzerospam_has_access, wpzerospam_access_checked, wpzerospam_cached, wpzerospam_blacklist_api, wpzerospam_attempts.

If a potential bot/spammer creates those cookies manually, they seem to be able to circumvent the complete blocking functionality of the plugin.

The potential problem starts here:

```php
// 1. Check if an access check has already been ran for this IP.
if ( $this->get_cookie( 'access_checked' ) && $this->get_cookie( 'ip_checked' ) === $ip ) {
    // IP has already been checked, return the saved access.
    foreach ( $access as $key => $value ) {
        $access[ $key ] = $this->get_cookie( $key );
    }
```

If the wpzerospam_access_checked cookie is set to "true" and the wpzerospam_ip_checked cookie is set to the bot's ip, the values in the other cookies from the client are copied over to the server without further checks. I would never trust the client's cookies...
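The weakness described above is that the plugin restores its access decision from cookie values exactly as the client sends them. The following is an added example, not code from the zero-spam plugin or its author, showing the usual mitigation when state must live client-side: sign the cookie with a server-side secret and bind it to the request IP and an expiry, so that a rewritten, replayed or expired cookie fails verification and the server falls back to a fresh access check. All names here (`WPZS_COOKIE_SECRET`, `WPZS_COOKIE_TTL`, `wpzs_issue_access_cookie`, `wpzs_read_access_cookie`) and the sample IP addresses are hypothetical and constructed for the demo.

```php
<?php
// Added example, not part of the zero-spam plugin. Demonstrates a tamper-evident
// access cookie: payload is signed with an HMAC over a server-side secret and
// bound to the client IP plus an expiry time.

// Constructed secret for the demo. In a real deployment this must be a long
// random value that never leaves the server (assumption: e.g. derived from a
// WordPress salt; the plugin itself does nothing of the sort).
const WPZS_COOKIE_SECRET = 'replace-with-a-long-random-server-side-secret';
const WPZS_COOKIE_TTL    = 3600; // lifetime of a cached decision, in seconds

/**
 * Build the cookie value as base64(json payload) . '.' . hex(HMAC-SHA256).
 * The payload carries the IP the decision was made for and an expiry, so the
 * cookie cannot be reused from another address or kept indefinitely.
 */
function wpzs_issue_access_cookie( string $ip, bool $has_access ): string {
    $payload = json_encode( [
        'ip'         => $ip,
        'has_access' => $has_access,
        'exp'        => time() + WPZS_COOKIE_TTL,
    ] );
    $encoded = base64_encode( $payload );
    $mac     = hash_hmac( 'sha256', $encoded, WPZS_COOKIE_SECRET );
    return $encoded . '.' . $mac;
}

/**
 * Verify and decode a cookie. Returns the payload on success, or null when the
 * cookie is missing, malformed, has a bad MAC, is expired, or was issued for a
 * different IP. A null result must send the caller to a fresh server-side
 * access check; nothing in the cookie is used until the MAC has been verified.
 */
function wpzs_read_access_cookie( ?string $cookie, string $request_ip ): ?array {
    if ( $cookie === null || substr_count( $cookie, '.' ) !== 1 ) {
        return null;
    }
    [ $encoded, $mac ] = explode( '.', $cookie, 2 );
    $expected = hash_hmac( 'sha256', $encoded, WPZS_COOKIE_SECRET );
    // Constant-time comparison so the MAC check leaks no timing information.
    if ( ! hash_equals( $expected, $mac ) ) {
        return null;
    }
    $json    = base64_decode( $encoded, true );
    $payload = $json === false ? null : json_decode( $json, true );
    if ( ! is_array( $payload )
        || ! isset( $payload['ip'], $payload['has_access'], $payload['exp'] )
        || ! is_bool( $payload['has_access'] ) ) {
        return null;
    }
    if ( $payload['exp'] < time() || $payload['ip'] !== $request_ip ) {
        return null;
    }
    return $payload;
}

// Demo with constructed values.
$ip     = '203.0.113.10';
$cookie = wpzs_issue_access_cookie( $ip, false ); // server decided: blocked

// 1. Unmodified cookie from the same IP: accepted, has_access stays false.
$ok = wpzs_read_access_cookie( $cookie, $ip );

// 2. Payload rewritten by the client to claim has_access=true, MAC left as is:
//    the MAC no longer matches, so the cookie is ignored and the server re-checks.
[ , $mac ]  = explode( '.', $cookie, 2 );
$tampered   = base64_encode( json_encode( [ 'ip' => $ip, 'has_access' => true, 'exp' => time() + 600 ] ) ) . '.' . $mac;
$rejected_1 = wpzs_read_access_cookie( $tampered, $ip );

// 3. Genuine cookie presented from a different address: IP binding fails.
$rejected_2 = wpzs_read_access_cookie( $cookie, '198.51.100.7' );

// 4. No cookie at all (first visit): caller must run the real access check.
$rejected_3 = wpzs_read_access_cookie( null, $ip );

foreach ( [ 'unmodified' => $ok, 'tampered' => $rejected_1, 'other ip' => $rejected_2, 'missing' => $rejected_3 ] as $label => $result ) {
    printf( "%-10s => %s\n", $label, $result === null ? 'fall back to server check' : 'trusted, has_access=' . var_export( $result['has_access'], true ) );
}
```

Signing only makes the cookie tamper-evident; the decision itself is still whatever the server last stored, so a blocked client can at most throw the cookie away and trigger a fresh check, which is the behaviour a first-time visitor gets anyway. Keeping the decision entirely server-side (for example in a transient keyed by IP, as the later cookie-free v5 mentioned in this thread implies) avoids the problem altogether at the cost of a lookup per request.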

bmarshall511 commented 4 years ago

Understood, but as I'm sure you know, there's no 100% way to defeat spam, only help prevent it. Cookies are put in place to balance site performance with security. There is a plan to improve this check but haven't had time to dig into it. Feel free to fork the repo and contribute if you'd like this updated sooner rather than later.

bmarshall511 commented 3 years ago

v5 has been released and no longer relies on or uses cookies.