Stop fake leads, form spam, and bot registrations before they reach your database. AI-powered fraud scoring across 100+ signals. No CAPTCHA required.
Opportify Fraud Protection uses a hybrid approach to secure every WordPress form:
- Client-side: The Opportify JS SDK loads silently in the page header, collecting behavioral signals, device fingerprints, and bot indicators with no visible impact on the user experience.
- Server-side: On every form submission, the Opportify PHP SDK sends the data to the Fraud Protection API, which analyzes 100+ signals across email risk, IP intelligence, device fingerprinting, and behavioral correlation. It returns a normalized risk score and level.
- You decide: Per integration, configure whether to Allow, Flag (store risk metadata and proceed), or Block (reject with a custom message) at each risk level.
- Real-time fraud scoring on every form submission. No CAPTCHAs, no user friction.
- Behavioral fingerprinting via the Opportify JS SDK (async, CDN-hosted, auto-versioned)
- 5-level risk scale: Lowest, Low, Medium, High, Highest, with explainable contributing factors
- Per-integration control: configure Allow / Flag / Block independently per form plugin and per risk level
- Reports dashboard with risk distribution charts, submission log, and site health checklist
- Risk metadata columns in WP Comments, Users, and WooCommerce Orders list tables
- Config file lock (`opportify-config.php`) for DevOps, Bedrock, Trellis, and version-controlled environments
- Skip admins option to bypass checks for `manage_options` users during development
- Automatic log retention via WP-Cron (configurable, default 30 days)
- Caching plugin compatible: script registered via `wp_enqueue_scripts` with named handle `opportify-telemetry`
- Fully translated: 10 locales: `de_DE`, `es_ES`, `fr_FR`, `it_IT`, `ja`, `nl_NL`, `pl_PL`, `pt_BR`, `ru_RU`, `zh_CN`
| Integration | WordPress Hook |
|---|---|
| WordPress Comments | preprocess_comment |
| WordPress Registration | registration_errors |
| WooCommerce Checkout | woocommerce_after_checkout_validation |
| WooCommerce Registration | woocommerce_registration_errors |
| Contact Form 7 | wpcf7_spam |
| WPForms | wpforms_process_before_form_data |
| Gravity Forms | gform_validation |
| Elementor Pro Forms | elementor_pro/forms/validation |
| Ninja Forms | ninja_forms_submit_data |
| Fluent Forms | fluentform/before_insert_submission |
| Forminator | forminator_custom_form_submit_errors |
| Formidable Forms | frm_validate_entry |
| Mailchimp for WP (MC4WP) | mc4wp_form_errors |
| Integration | WordPress Hook |
|---|---|
| Brevo (formerly Sendinblue) | init |
| Email Subscribers | ig_es_validate_subscription |
| FluentCRM | fluentcrm_contact_created |
| Kit (formerly ConvertKit) | init, rest_request_before_callbacks |
| MailerLite | wp_ajax_nopriv_mailerlite_subscribe_form |
| MailPoet | mailpoet_subscription_before_subscribe |
| Newsletter | newsletter_subscription |
- PHP 8.1+
- WordPress 6.0+
- An Opportify account. Start your free trial at app.opportify.ai to get your API keys.
- Download the latest release zip from Releases
- Go to Plugins → Add New → Upload Plugin
- Activate and go to Opportify → Settings
- Enter your Private API Key and Public Key from app.opportify.ai
- Enable protection and configure your integrations
```bash
git clone https://github.com/opportify/wordpress-fraud-protection.git opportify-fraud-protection
cd opportify-fraud-protection
composer install --no-dev --optimize-autoloader
```

Then upload the directory to `wp-content/plugins/`.
Copy opportify-config-sample.php to your WordPress root (ABSPATH) as opportify-config.php:
```php
<?php
// opportify-config.php
// env() is not a PHP built-in; this sample assumes your stack provides an env() helper.
return [
    // Private key: server-side only.
    'private_key' => env('OPPORTIFY_PRIVATE_KEY', 'sk_live_...'),
    // Public key: rendered in the data-opportify-key attribute.
    'public_key' => env('OPPORTIFY_PUBLIC_KEY', 'pk_live_...'),
    'enabled' => true,
    'skip_admins' => true,
    'log_enabled' => true,
    'log_retention_days' => 90,
    'integrations' => [
        'wordpress'   => ['enabled' => true, 'action_medium' => 'flag', 'action_high' => 'block', 'action_highest' => 'block'],
        'woocommerce' => ['enabled' => true, 'action_medium' => 'flag', 'action_high' => 'block', 'action_highest' => 'block'],
        'cf7'         => ['enabled' => true, 'action_medium' => 'flag', 'action_high' => 'block', 'action_highest' => 'block'],
        // ... all other integrations
    ],
];
```

When this file is detected, the WordPress admin UI becomes read-only and shows a notice. Suitable for Bedrock, Trellis, and any setup where WordPress config is version-controlled.
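Because a locked config file is reviewed in version control rather than in the admin UI, a small pre-deploy lint can catch risky values. The following is an added example, not part of the plugin: the function name, the `allow` action value, and the rule that a higher risk level should never get a weaker action are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not part of the plugin. The 'allow' value and the strictness
// ordering are assumptions based on the Allow / Flag / Block options.
const EXAMPLE_ACTION_RANK = ['allow' => 0, 'flag' => 1, 'block' => 2];
const EXAMPLE_LEVEL_KEYS  = ['action_medium', 'action_high', 'action_highest'];

/** @return string[] findings; an empty list means nothing was flagged */
function example_lint_config(array $config): array
{
    $findings = [];
    foreach (['private_key', 'public_key'] as $key) {
        $value = $config[$key] ?? '';
        if (!is_string($value) || $value === '' || str_ends_with($value, '...')) {
            $findings[] = "$key is empty or still the sample placeholder";
        }
    }
    // The public key ends up in page markup, so a private key there is exposed.
    $public = $config['public_key'] ?? '';
    if (is_string($public) && str_starts_with($public, 'sk_')) {
        $findings[] = 'public_key holds an sk_ key';
    }
    foreach ($config['integrations'] ?? [] as $name => $settings) {
        if (!is_array($settings) || empty($settings['enabled'])) {
            continue;
        }
        $strictest = -1; // strictest action seen at a lower risk level
        foreach (EXAMPLE_LEVEL_KEYS as $levelKey) {
            $action = $settings[$levelKey] ?? null;
            if (!is_string($action) || !array_key_exists($action, EXAMPLE_ACTION_RANK)) {
                $findings[] = "$name.$levelKey is missing or not allow/flag/block";
                continue;
            }
            if (EXAMPLE_ACTION_RANK[$action] < $strictest) {
                $findings[] = "$name.$levelKey ($action) is weaker than a lower risk level";
            }
            $strictest = max($strictest, EXAMPLE_ACTION_RANK[$action]);
        }
    }
    return $findings;
}

// Constructed sample with three defects; the key values are made up.
$sample = [
    'private_key'  => 'sk_live_...',
    'public_key'   => 'sk_live_EXAMPLEONLY',
    'integrations' => ['cf7' => ['enabled' => true, 'action_medium' => 'block', 'action_high' => 'flag', 'action_highest' => 'block']],
];
echo implode("\n", example_lint_config($sample)), "\n";
```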
When an action is set to Flag, the submission proceeds normally and Opportify writes risk metadata using each integration's native storage:
| Integration | Metadata location | Keys |
|---|---|---|
| WP Comments | `comment_meta` | `_opportify_score`, `_opportify_level`, `_opportify_factors` |
| WP Registration | `user_meta` | same keys |
| WooCommerce | Order meta | same keys |
| Form plugins | Plugin entry meta | same keys |
Flagged entries show a Risk badge in their respective WP Admin list tables (Comments, Users, WooCommerce Orders).
The plugin resolves the latest JS SDK URL from the Opportify CDN manifest:
```
GET https://cdn.opportify.ai/f/latest.json
→ { "version": "1.3.4", "scriptUrl": "https://cdn.opportify.ai/f/v1.3.4.min.js", ... }
```
The resolved URL is cached as a WordPress transient for 2 hours (opportify_js_url). Cache is invalidated on every settings save and on plugin uninstall.
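A manifest that decides which script every visitor loads is worth validating before its URL is cached. The following is an added example, not the plugin's code: the function name, the allowed host, and the `/f/v{version}.min.js` path shape are assumptions taken from the sample response above.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. The allowed host and the
// /f/v{version}.min.js path shape are assumptions taken from the sample above.
const EXAMPLE_CDN_HOST = 'cdn.opportify.ai';

/** Returns the script URL if the manifest passes every check, else null. */
function example_validate_manifest(string $body): ?string
{
    $manifest = json_decode($body, true);
    if (!is_array($manifest)) {
        return null; // not JSON, or not a JSON object
    }
    $version = $manifest['version'] ?? null;
    $url     = $manifest['scriptUrl'] ?? null;
    if (!is_string($version) || !is_string($url)) {
        return null;
    }
    if (preg_match('/^\d+\.\d+\.\d+$/D', $version) !== 1) {
        return null; // version must be plain x.y.z before it is used in a path
    }
    $parts = parse_url($url);
    if (!is_array($parts)) {
        return null;
    }
    // Userinfo, ports, queries and fragments have no place in a pinned asset URL.
    foreach (['user', 'pass', 'port', 'query', 'fragment'] as $unexpected) {
        if (isset($parts[$unexpected])) {
            return null;
        }
    }
    if (($parts['scheme'] ?? '') !== 'https' || ($parts['host'] ?? '') !== EXAMPLE_CDN_HOST) {
        return null; // exact match: look-alike hosts and http:// are refused
    }
    // The path must be exactly the file the manifest's own version announces.
    return ($parts['path'] ?? '') === "/f/v{$version}.min.js" ? $url : null;
}

// Constructed manifests: the first mirrors the sample above, the rest are tampered.
$samples = [
    'page sample'      => '{"version":"1.3.4","scriptUrl":"https://cdn.opportify.ai/f/v1.3.4.min.js"}',
    'look-alike host'  => '{"version":"1.3.4","scriptUrl":"https://cdn.opportify.ai.example.net/f/v1.3.4.min.js"}',
    'http downgrade'   => '{"version":"1.3.4","scriptUrl":"http://cdn.opportify.ai/f/v1.3.4.min.js"}',
    'version mismatch' => '{"version":"1.3.4","scriptUrl":"https://cdn.opportify.ai/f/v9.9.9.min.js"}',
];
foreach ($samples as $label => $body) {
    printf("%-17s %s\n", $label, example_validate_manifest($body) ?? 'rejected');
}
```

On a `null` result the caller would keep its last known-good URL instead of caching the new one.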
| Service | URL | Purpose | Auth |
|---|---|---|---|
| Fraud Protection API | https://api.opportify.ai | Server-side submission analysis | Private API key (server-side only) |
| JS SDK CDN | https://cdn.opportify.ai | Client-side behavioral telemetry script | Public key (via `data-opportify-key` attribute) |
See Opportify Privacy Policy and Terms of Service.
Use the Makefile to produce a clean, production-only ZIP for manual installation or local testing.
```bash
# 1. Install dev dependencies (once, or after pulling changes)
make install
# 2. Run quality checks
make lint   # PHP code style (Laravel Pint)
make test   # PHPUnit test suite
# 3. Build the ZIP
make build
# → dist/opportify-fraud-protection.zip
```

`make build` does all of the following automatically:
- Copies source files, excluding dev artifacts (`.git`, `tests/`, `docs/`, `Makefile`, `pint.json`, etc.)
- Runs `composer install --no-dev --optimize-autoloader` inside the build copy
- Strips dev files from all vendor packages (`tests/`, `.github/`, CI configs)
- Removes `composer.lock` (not needed at runtime)
- Produces `dist/opportify-fraud-protection.zip`
New versions are deployed to the WordPress.org plugin directory automatically via the SVN deploy workflow when a GitHub release is published. See docs/workflow/git-workflow.md for the full release process.
Upload via WordPress Admin → Plugins → Add New → Upload Plugin, or extract directly:
```bash
unzip dist/opportify-fraud-protection.zip -d /path/to/wp-content/plugins/
```

```bash
git clone https://github.com/opportify/wordpress-fraud-protection.git opportify-fraud-protection
cd opportify-fraud-protection
composer install
```

```bash
./vendor/bin/pint          # auto-fix
./vendor/bin/pint --test   # check without fixing
```

```bash
./vendor/bin/phpunit                       # all tests
./vendor/bin/phpunit --testsuite Unit      # unit only
./vendor/bin/phpunit --testsuite Feature   # feature only
./vendor/bin/phpunit --no-coverage         # skip coverage report
```

```bash
pip install pre-commit
pre-commit install
```

Hooks run Pint (PHP style) and PHPUnit on every commit.
GitHub Actions runs Pint + PHPUnit on PHP 8.1, 8.2, and 8.3 on every PR and push to main. See .github/workflows/pr-validation.yml.
The plugin ships pre-compiled .mo files for 10 locales in languages/. To regenerate the POT file and update locale .po/.mo files after adding new translatable strings, use xgettext + msgmerge + msgfmt against all PHP files outside vendor/, tests/, and .build/.
```
.
├── opportify-fraud-protection.php          # Plugin bootstrap, constants, activation hooks
├── opportify-config-sample.php             # Config file template for DevOps use
├── includes/
│   ├── class-opportify.php                 # Singleton core: orchestrates all hooks
│   ├── class-opportify-loader.php          # Hook collector; registers in bulk via run()
│   ├── class-opportify-settings.php        # All settings keys, defaults, config-file loader
│   ├── class-opportify-api.php             # Opportify PHP SDK wrapper
│   ├── class-opportify-script.php          # JS SDK enqueue + CDN manifest versioning
│   ├── class-opportify-logger.php          # DB logging + WP-Cron retention purge
│   ├── class-opportify-i18n.php            # Text domain loader
│   ├── class-opportify-activator.php
│   ├── class-opportify-deactivator.php
│   └── integrations/
│       ├── class-opportify-integration.php # Abstract base
│       ├── class-opportify-integration-wordpress.php
│       ├── class-opportify-integration-woocommerce.php
│       ├── class-opportify-integration-cf7.php
│       ├── class-opportify-integration-wpforms.php
│       ├── class-opportify-integration-gravity-forms.php
│       ├── class-opportify-integration-elementor.php
│       ├── class-opportify-integration-ninja-forms.php
│       ├── class-opportify-integration-fluent-forms.php
│       ├── class-opportify-integration-forminator.php
│       ├── class-opportify-integration-formidable.php
│       └── class-opportify-integration-mc4wp.php
├── admin/
│   ├── class-opportify-admin.php           # Menu, assets, AJAX handlers, WP list table columns
│   └── partials/
│       ├── reports-page.php                # Main plugin page: charts, health checklist, log table
│       ├── settings-page.php               # General + Integrations tabs
│       ├── brand-header.php                # Shared header partial (logo, page title, about panel)
│       └── dashboard-widget.php            # WP Dashboard widget
├── assets/
│   ├── css/admin.css
│   ├── js/admin.js
│   └── images/
│       └── logo-horizontal.svg
├── languages/
│   └── opportify-fraud-protection-{locale}.{po,mo}  # 10 locales
├── tests/
│   ├── bootstrap.php
│   ├── Unit/
│   └── Feature/
├── composer.json
├── phpunit.xml
├── pint.json
├── .pre-commit-config.yaml
└── readme.txt                              # WordPress.org listing
```
- Add developer hooks API for third-party plugin customization without modifying source
- Add risk level explanation panel to Integrations settings tab
- Add AGENTS.md cross-tool AI instruction system for consistent development workflows
- Chore: improve .gitignore to exclude OS and IDE artifacts
- Fix: Gravity Forms flag action now uses native `gform_entry_is_spam` filter; notifications are suppressed for flagged entries
- Fix: Gravity Forms flag description in settings page (was incorrectly showing "starred")
- Add integration compatibility matrix documentation (`docs/compatibility.md`)
- Update screenshots and documentation
- Add enriched email and IP intelligence chips to fraud log entries (deliverable status, email type, connection type, country, blocklist flag)
- Add Full Details button per log row linking to app.opportify.ai for deeper analysis
- Fix: flag action now produces visible indicators in native UIs: WordPress comments routed to spam, WooCommerce orders placed on hold, Gravity Forms entries marked as spam (via native `gform_entry_is_spam` filter, notifications suppressed), Forminator entries marked as spam, Fluent Forms entries starred
- Fix: Ninja Forms block action now correctly halts submission using the first real field ID
- Fix: WPForms integration now correctly sends all submitted fields to the Opportify API
- Add plugin banner images for WordPress.org directory
- Fix: build pipeline now correctly excludes the `.wordpress-org` directory from the plugin ZIP
- Add WordPress.org plugin directory assets (icons and screenshots)
- Initial release
Adds public developer hooks API for third-party extensibility. Adds cross-tool AI instruction system. No breaking changes.
Fixes Gravity Forms flag action to suppress notifications for flagged entries using the native spam filter API.
Documentation and screenshot updates only; no functional changes.
Adds enriched email and IP intelligence to fraud logs, fixes flag action visibility in native UIs, fixes Ninja Forms block action, and fixes WPForms field extraction.
Initial release.
AI coding assistants (Copilot, Cursor, Kiro, etc.) should start with AGENTS.md — the single source of truth for project rules, standards, and context. Tool-specific pointer files redirect automatically.
GPL-2.0-or-later © Opportify