Title: Cardea Ìtumọ̀ Yorùbá: &#8211; Proof-of-Work Comment Spam Protection
Author: omikheev
Published: <strong>Igbe 18, 2026</strong>
Last modified: Igbe 19, 2026

---

Ṣàwárí àwọn plugin

![](https://ps.w.org/cardea/assets/banner-772x250.png?rev=3509895)

![](https://ps.w.org/cardea/assets/icon-256x256.png?rev=3509895)

# Cardea Ìtumọ̀ Yorùbá: – Proof-of-Work Comment Spam Protection

 Láti ọwọ́ [omikheev](https://profiles.wordpress.org/omikheev/)

[Ṣe ìgbàsílẹ̀](https://downloads.wordpress.org/plugin/cardea.1.0.0.zip)

 * [Àwọn àlàyé](https://yor.wordpress.org/plugins/cardea/#description)
 * [Àwọn àgbéyẹ̀wò](https://yor.wordpress.org/plugins/cardea/#reviews)
 *  [Ìgbéwọlẹ̀](https://yor.wordpress.org/plugins/cardea/#installation)
 * [Ìdàgbàsókè](https://yor.wordpress.org/plugins/cardea/#developers)

 [Ìrànlọ́wọ́](https://wordpress.org/support/plugin/cardea/)

## Àpèjúwe

Are you tired of anti-spam plugins that bloat your site, inject third-party tracking,
or constantly upsell you on premium SaaS subscriptions? Are you looking for a straightforward,
lightweight solution that just protects your comments without the extra baggage?

Then Cardea is the right tool for you.

Cardea is a radically simple, zero-dependency Proof-of-Work (PoW) comment spam protector.
Developed transparently on GitHub as a purely open-source project, it does one thing
and does it perfectly: it stops automated bot spam on native WordPress comments.

### Why Choose Cardea?

Cardea offers distinct advantages for site owners who value simplicity, privacy,
and performance:

 1. **Hyper-Focused & Zero Bloat** Ìtumọ̀ Yorùbá: – Cardea is strictly dedicated to
    the native WordPress comment system. Unlike multi-purpose anti-spam plugins that
    inject heavy compatibility layers for various form builders and e-commerce platforms,
    Cardea remains extremely lightweight and performant—protecting only what you need
    protected.
 2. **100% Standalone & Sovereign** Ìtumọ̀ Yorùbá: – No external API keys. No commercial
    SaaS tiers. No phone-home telemetry. Cardea is entirely self-hosted and self-contained.
    Your comment protection never depends on a third-party service staying alive.
 3. **Strict Privacy (GDPR Compliant)** Ìtumọ̀ Yorùbá: – Because the Proof-of-Work 
    computation happens locally in each visitorÌtumọ̀ Yorùbá: ’s browser, there are
    no tracking cookies, no user profiles, and no third-party data transfers. Unlike
    cloud-based CAPTCHA solutions, Cardea transmits nothing to external servers—making
    it inherently GDPR-friendly.
 4. **Reduced Attack Surface** Ìtumọ̀ Yorùbá: – By doing one thing perfectly (protecting
    native comments), Cardea avoids the security vulnerabilities inherent in massive,
    multi-ecosystem integrations. A focused codebase means fewer CVEs and tighter security.
 5. **Plug-and-Play Simplicity** Ìtumọ̀ Yorùbá: – No complex routing rules. No integration
    toggles. No configuration mazes. Users simply activate Cardea and their discussion
    threads are protected immediately.

To view the source code, contribute, or report issues, visit the [Cardea GitHub Repository](https://github.com/bornmw/cardea).

### How It Works

 1. **Challenge Generation**: When a page with a comment form loads, the server generates
    a cryptographically signed challenge using HMAC-SHA256. No database write occurs
    at this stage.
 2. **Client-Side Mining**: When a user focuses on the comment textarea, a JavaScript
    Web Worker begins mining in the background.
 3. **Solution Discovery**: The worker repeatedly hashes the challenge string (nonce
    + timestamp + salt) with incrementing counter values until it finds a hash with
    the required number of leading zeros.
 4. **Server Verification**: On submission, the server first verifies the HMAC signature(
    ensuring the challenge wasnÌtumọ̀ Yorùbá: ’t tampered with), then validates the
    PoW solution, and finally stores a transient to prevent replay attacks.

### Features

 * **Zero Database Bloat on Load** Ìtumọ̀ Yorùbá: – Challenges are generated using
   stateless HMAC signatures, meaning the plugin requires exactly zero database 
   writes when a visitor loads a page.
 * **Zero Dependencies** Ìtumọ̀ Yorùbá: – No external APIs or services required.
 * **Client-Side Mining** Ìtumọ̀ Yorùbá: – Heavy computation happens in the userÌtumọ̀
   Yorùbá: ’s browser using Web Workers.
 * **Deferred Execution** Ìtumọ̀ Yorùbá: – The cryptographic mining engine only 
   spins up when a user interacts with the comment field, ensuring casual readers
   incur zero performance penalty.
 * **Self-Cleaning Replay Protection** Ìtumọ̀ Yorùbá: – Server-side state is only
   stored upon a successful comment submission to prevent bot replay attacks, and
   expired tokens are automatically swept by WordPress cron.
 * **Server-Side Verification** Ìtumọ̀ Yorùbá: – Server verifies HMAC signature 
   first, then performs SHA-256 PoW validation.
 * **Configurable Difficulty** Ìtumọ̀ Yorùbá: – Adjust the number of leading zeros
   required (1-8).
 * **Configurable Time Window** Ìtumọ̀ Yorùbá: – Set how long challenges remain 
   valid (5-120 minutes).
 * **Non-Intrusive** Ìtumọ̀ Yorùbá: – Works transparently for legitimate users; 
   spammers must complete the PoW challenge.
 * **WordPress Standards** Ìtumọ̀ Yorùbá: – Follows WordPress coding standards and
   best practices.
 * **Privacy First (GDPR Friendly)** Ìtumọ̀ Yorùbá: – No cookies, no user tracking,
   no CAPTCHA popups, and absolutely zero data sent to third-party cloud APIs.
 * **Smart Pathway Protection** Ìtumọ̀ Yorùbá: – Flawlessly protects frontend forms
   and blocks XML-RPC botnets, while seamlessly allowing native Trackbacks and authenticated
   REST API requests.
 * **Page Caching Compatible** Ìtumọ̀ Yorùbá: – Uses dynamic REST API endpoint to
   fetch fresh challenges, ensuring compatibility with edge caching (Cloudflare,
   Varnish) and full-page caching plugins.
 * **Logged-In User Bypass** Ìtumọ̀ Yorùbá: – Skips PoW challenge for authenticated
   users, eliminating unnecessary CPU usage on the frontend.

### Architecture & Testing

Cardea is built with an enterprise-grade engineering stack focused on reliability
and performance:

**Frontend Architecture:**
 * Zero-dependency JavaScript using native Web Crypto
APIs (crypto.subtle) * Web Workers for background cryptographic mining (non-blocking
UI) * Dynamic challenge fetching via REST API (compatible with page caching) * Skip
PoW for logged-in users (zero CPU overhead for authenticated commenters)

**Backend Architecture:**
 * Localized replay protection using WordPress transients*
Auto-cleaning expired tokens via WordPress cron * Single verification pass: signature
check + PoW validation

**Testing Stack:**
 * **PHPUnit** Ìtumọ̀ Yorùbá: – Backend logic verification (HMAC
generation, challenge validation, replay prevention) * **Jest** Ìtumọ̀ Yorùbá: –
Cryptographic worker validation (difficulty checking, solution finding, message 
interface) * **Playwright** Ìtumọ̀ Yorùbá: – End-to-End browser testing integrated
with WordPress Playground (full WordPress environment)

This comprehensive testing approach ensures the plugin handles legitimate users 
seamlessly while actively blocking sophisticated bot attacks.

### Developer Rigor

Cardea is built with an enterprise-grade engineering stack focused on reliability
and performance:

**Architecture:**
 * **Zero Database Bloat on Load** Ìtumọ̀ Yorùbá: – Stateless 
HMAC signatures ensure zero database writes on page load * **Self-Cleaning Replay
Protection** Ìtumọ̀ Yorùbá: – Uses WordPress transients that auto-expire via cron***
Deferred Execution** Ìtumọ̀ Yorùbá: – Mining only starts when user interacts with
comment field

**Testing Stack:**
 * **PHPUnit** Ìtumọ̀ Yorùbá: – Backend logic verification (HMAC
generation, challenge validation, replay prevention) * **Jest** Ìtumọ̀ Yorùbá: –
Cryptographic worker validation (difficulty checking, solution finding, message 
interface) * **Playwright** Ìtumọ̀ Yorùbá: – End-to-End browser testing integrated
with WordPress Playground (full WordPress environment)

**Cross-Theme Compatibility:**
 * Uses HTMLFormElement.prototype.submit.call() to
bypass DOM clobbering issues * Graceful fallback for browsers without Web Worker
support

## Ìgbéwọlẹ̀

 1. Upload the `cardea` folder to your `/wp-content/plugins/` directory.
 2. Activate the plugin through the ‘Plugins’ menu in WordPress.
 3. Configure the settings under Settings > Cardea PoW.

## FAQ

### Does this plugin slow down comment submission?

For legitimate users, the mining happens in the background while they type their
comment. Most users wonÌtumọ̀ Yorùbá: ’t notice any delay. The default difficulty
level (4 zeros) typically takes 1-5 seconds on modern devices.

### Can spammers bypass this?

While no solution is 100% foolproof, this makes automated spam economically unviable.
Spammers would need significant CPU resources to submit comments, making mass spam
campaigns impractical.

### Does this work on mobile devices?

Yes, but the mining may take slightly longer on older or slower mobile devices. 
You can reduce the difficulty setting if you notice issues.

### Does this protect against human-spammers?

This plugin primarily protects against automated bots. For human-spammers, consider
using additional measures like moderation queues or other anti-spam plugins.

### Will this affect SEO bots or REST API submissions?

This plugin only affects the native WordPress comment form. REST API comments, XML-
RPC, and other methods are not affected.

### Does it track users?

No, this plugin is 100% local and does not track users. The PoW challenge is generated
per-session and is not tied to any user data.

### Will this break my comment form for legitimate users?

No. The mining happens transparently in the background while users type. Most users
wonÌtumọ̀ Yorùbá: ’t even notice it happening. The default difficulty is set to 
provide a good balance between security and user experience.

### What happens if JavaScript is disabled?

The comment form will still work, but submissions without a valid PoW solution will
be rejected. This is intentional Ìtumọ̀ Yorùbá: – automated spammers typically donÌtumọ̀
Yorùbá: ’t execute JavaScript.

### Does this plugin add database entries on page load?

No! This is a key differentiator. Unlike most security plugins that query the database
on every page load, Cardea generates challenges using stateless HMAC signatures.
Database writes only occur when a user actually submits a comment, making this ideal
for high-traffic sites.

## Àwọn àgbéyẹ̀wò

Kò sí àwọn àgbéyẹ̀wò fún plugin yìí.

## Àwọn Olùkópa & Olùgbéejáde

“Cardea Ìtumọ̀ Yorùbá: – Proof-of-Work Comment Spam Protection” jẹ́ ètò ìṣàmúlò 
orísun ṣíṣí sílẹ̀. Àwọn ènìyàn wọ̀nyí ti ṣe ìkópa sí plugin yìí.

Àwọn Olùkópa

 *   [ omikheev ](https://profiles.wordpress.org/omikheev/)

A ti túmọ̀ “Cardea Ìtumọ̀ Yorùbá: – Proof-of-Work Comment Spam Protection” sí èdè
agbègbè 1 kan. Ọpẹ́lọpẹ́ fún [àwọn atúmọ̀ èdè](https://translate.wordpress.org/projects/wp-plugins/cardea/contributors)
fún àwọn ìkópa wọn.

[Túmọ̀ “Cardea Ìtumọ̀ Yorùbá: – Proof-of-Work Comment Spam Protection” sí èdè rẹ.](https://translate.wordpress.org/projects/wp-plugins/cardea)

### Ṣe o nífẹ̀ẹ́ sí ìdàgbàsókè?

[Ṣàwárí koodu](https://plugins.trac.wordpress.org/browser/cardea/), ṣàyẹ̀wò [ibi ìpamọ́ SVN](https://plugins.svn.wordpress.org/cardea/),
tàbí ṣe àgbékalẹ̀ sí [àkọsílẹ̀ ìdàgbàsókè](https://plugins.trac.wordpress.org/log/cardea/)
nípasẹ̀ [RSS](https://plugins.trac.wordpress.org/log/cardea/?limit=100&mode=stop_on_copy&format=rss).

## Àkọsílẹ̀ àwọn àyípadà

#### 1.0.0

 * Initial release
 * HMAC-signed challenge generation (zero DB writes on page load)
 * Web Worker-based client-side mining
 * Admin settings page
 * Configurable difficulty and time window
 * Self-cleaning replay protection via WordPress transients

## Àkójọpọ̀ Meta

 *  Ẹ̀yà **1.0.0**
 *  Ìgbàgbọ́hùn tó kẹ́yìn **oṣù 3 sẹ́yìn**
 *  Àwọn ìgbéwọlẹ̀ tó ṣiṣẹ́ **Tó kéré sí 10**
 *  Ẹ̀yà WordPress ** 6.0 tàbí ju bẹ́ẹ̀ lọ **
 *  Dánwò dé **6.9.4**
 *  Ẹ̀yà PHP ** 7.4 tàbí ju bẹ́ẹ̀ lọ **
 *  Àwọn èdè
 * [English (US)](https://wordpress.org/plugins/cardea/) àti [Russian](https://ru.wordpress.org/plugins/cardea/).
 *  [Túmọ̀ sí èdè rẹ](https://translate.wordpress.org/projects/wp-plugins/cardea)
 * Àwọn àmì
 * [anti-spam](https://yor.wordpress.org/plugins/tags/anti-spam/)[comments](https://yor.wordpress.org/plugins/tags/comments/)
   [Proof of Work](https://yor.wordpress.org/plugins/tags/proof-of-work/)[protection](https://yor.wordpress.org/plugins/tags/protection/)
   [spam](https://yor.wordpress.org/plugins/tags/spam/)
 *  [Ìwòye Tó Péye](https://yor.wordpress.org/plugins/cardea/advanced/)

## Àwọn ìbò

Kò sí ìwádìí tí a tíì fi ránṣẹ́.

[Your review](https://wordpress.org/support/plugin/cardea/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/cardea/reviews/)

## Àwọn Olùkópa

 *   [ omikheev ](https://profiles.wordpress.org/omikheev/)

## Ìrànlọ́wọ́

Nǹkan wà tí o fẹ́ sọ? Ṣé o nílò ìrànlọ́wọ́?

 [Wo àpéjọ ìrànlọ́wọ́](https://wordpress.org/support/plugin/cardea/)