- Security: Elementor Pro form protection now actually fires. Its guard was registered on elementor_pro/forms/validation inside the protection-hooks loader, which is skipped on admin-ajax — and Elementor submits over admin-ajax, so the hook never ran and tokenless submissions went unchecked unless the broad admin-ajax guard was on. Elementor forms are now guarded directly in the request interceptor on their own default-on toggle, mirroring WPForms.
- Added: First-class Contact Form 7 protection, enabled by default. CF7 submits over POST /contact-form-7/v1/contact-forms/<id>/feedback, previously only covered by the broad REST guard; it now has its own toggle, like WPForms. Only anonymous tokenless submissions are challenged — verified browsers and authenticated requests pass through. Matched narrowly to the feedback route, so other CF7 and REST endpoints are untouched.
- Added: A trustsig_rest_form_guards filter to register additional form-plugin REST submission endpoints for default-on protection without enabling the broad REST guard.
First-class WPForms support + anonymous-only API guard
- Added: First-class WPForms protection, enabled by default: the contact-form submission (the wpforms_submit action used by the Mesmerize / Materialis contact section and any [wpforms] embed) is now bot-checked on its own toggle, without having to enable the broad admin-ajax guard. Anonymous tokenless submissions are blocked; a verified browser passes straight through.
- Fixed: REST API and admin-ajax protection are now scoped to anonymous traffic only. Authenticated requests — logged-in cookie + nonce, Application Passwords, WooCommerce REST API keys and OAuth — defer to WordPress's own authorization. This fixes legitimate API traffic (WooCommerce REST, headless front-ends, server-to-server integrations) being blocked for carrying no browser token, which could cascade into side effects such as order emails not being sent.
- Changed: REST verification now runs at dispatch time (rest_pre_dispatch), where authentication is resolved, instead of too early on init. Only anonymous writes (POST/PUT/PATCH/DELETE) are verified; reads pass through.
- Added: Route and action allowlists (Advanced → API surface, plus the trustsig_rest_allowlist and trustsig_ajax_allowlist filters) for unauthenticated-but-legitimate callbacks such as signature-verified payment webhooks.
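The anonymous-only REST guard rules from this release (authenticated requests defer to WordPress, reads pass, allowlisted routes pass, the CF7 feedback route is guarded by default, everything else only under the broad guard), modelled as a pure decision function. This is an added illustration in TypeScript, not the plugin's PHP; `tokenIsValid` is a stand-in for the real token check and the routes in the checks are constructed samples.

```typescript
// Added illustration (not the TrustSig plugin's PHP): the anonymous-only REST guard
// policy described in this release, as a pure decision function.
type RestRequest = {
  method: string;         // HTTP method
  route: string;          // REST route, e.g. /contact-form-7/v1/contact-forms/12/feedback
  authenticated: boolean; // cookie+nonce, Application Password, WooCommerce key or OAuth, resolved by WordPress
  token?: string;         // browser verification token; absent on tokenless requests
};

type GuardConfig = {
  broadRestGuard: boolean; // the opt-in guard for all anonymous REST writes
  allowlist: string[];     // exact routes exempted, e.g. signature-verified payment webhooks
  formGuards: RegExp[];    // default-on form submission routes (trustsig_rest_form_guards)
};

// Only the CF7 feedback route is matched; other CF7 endpoints stay untouched.
const CF7_FEEDBACK = /^\/contact-form-7\/v1\/contact-forms\/\d+\/feedback$/;

const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Hypothetical token check standing in for verifyLocal / verifyRemote.
function tokenIsValid(token: string): boolean {
  return token.startsWith('ok:');
}

type Decision = 'pass' | 'challenge';

function restGuard(req: RestRequest, cfg: GuardConfig): Decision {
  // Authenticated traffic defers to WordPress's own authorization.
  if (req.authenticated) return 'pass';
  // Reads are never verified; only anonymous writes are.
  if (!WRITE_METHODS.has(req.method.toUpperCase())) return 'pass';
  // Allowlisted callbacks pass without a browser token.
  if (cfg.allowlist.includes(req.route)) return 'pass';
  const guarded = cfg.formGuards.some((re) => re.test(req.route)) || cfg.broadRestGuard;
  if (!guarded) return 'pass';
  // Guarded anonymous write: a verified browser passes, a tokenless one is challenged.
  return req.token !== undefined && tokenIsValid(req.token) ? 'pass' : 'challenge';
}

// Defaults as described: form guards on, broad guard off, empty allowlist.
const defaultConfig: GuardConfig = { broadRestGuard: false, allowlist: [], formGuards: [CF7_FEEDBACK] };
```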
Frontend SDK
Bundle ~72% smaller + faster edge load
- Performance: Web SDK bundle is ~72% smaller: replaced control-flow-flattening and self-defending obfuscation with a new terser pass (−54%), then mangled obfuscator identifiers (−39% on top). Much faster load.
- Performance: Edge: colo-cache static-asset subrequests plus a 1-hour Cache-Control at origin, cutting origin hops and re-downloads on trustsig.js / wasm fetches.
- Fixed: Loader guards against double-injection via a window flag — no duplicate SDK if the script loads twice.
Dashboard
Onboarding guidance
- Added: Onboarding guidance for new accounts: a documentation link in the welcome modal, plus a finish-setup banner on any project that hasn't received its first request yet.
- Fixed: False-positive 403 on early theme/app bootstrap requests under API protection: a frontend lei_ajax_settings=1 settings ping fired before the SDK has loaded (so it can carry no token) is now allowed through. Strictly scoped — only a POST body containing exactly that one field set to “1” and nothing else is exempt; any additional field falls through to the normal guard.
- Performance: The SDK and bootstrap now load with the native defer attribute so they no longer block first paint, plus a preconnect/dns-prefetch hint to the edge so the connection is warmed in parallel with page parsing. Removes the render-blocking penalty without weakening protection — pending submissions still wait for the verifier.
- Changed: Compatibility hardening for caching and performance-optimization stacks. The verification SDK now always loads live from the edge, even when a host aggressively optimizes assets.
- Added: The SDK and bootstrap script tags carry opt-out markers (data-cfasync, data-no-optimize, data-no-minify, data-no-defer, data-no-lazy) so Cloudflare Rocket Loader, WP Rocket, Autoptimize, LiteSpeed, WP Fastest Cache, Perfmatters and SiteGround Optimizer leave them alone instead of minifying, combining, deferring or self-hosting them.
- Added: Server-side exclusion filters for WP Rocket, SiteGround Optimizer, Perfmatters, Autoptimize and FlyingPress (each a no-op when its plugin is absent).
- Added: Client-side self-heal: if the SDK never initialises — e.g. LiteSpeed “Localize Resources”, a CDN rewrite, an over-eager optimizer or an ad blocker rehosted or stripped it — the canonical edge source is re-injected automatically. It fires only when nothing loaded, so a working copy is never duplicated.
- Added: A trustsig_sdk_url filter so operators can repoint the SDK source (e.g. an intentional proxy) without forking the plugin.
Frontend SDK
- Fixed: Self-hosted: pin the endpoint / SDK origin to the edge for correct routing on custom domains, and trust localhost / private-IP origins so local and intranet setups work.
Misc
- Added: Full favicon and app-icon set for Google results and every platform / device.
- Added: New “Discover & bulk-add” picker for the Allowed Domains list — operators with many country / alias domains can pull candidates from WordPress Multisite, WPML and Polylang, or paste a freeform list (newline / comma / space / semicolon separated).
- Changed: Allowed-domain entries are normalised on save: scheme, userinfo, port, path and trailing dots are stripped, IDN labels are converted to punycode when the intl extension is available, and IPs / wildcards / single-label hosts are rejected.
- Changed: Fresh installs still auto-allow only the main site domain — the picker is opt-in, so the zero-config experience is unchanged.
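The allowed-domain normalisation and the freeform-list parsing described above, as an added TypeScript illustration rather than the plugin's PHP. It relies on the WHATWG URL parser (global in Node and browsers) for lowercasing and IDN-to-punycode conversion where the plugin uses the intl extension; the entries in the checks are constructed samples.

```typescript
// Added illustration (not the plugin's PHP): allowed-domain normalisation as described in
// this release. Returns the canonical host, or null when the entry must be rejected.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function normalizeAllowedDomain(entry: string): string | null {
  const raw = entry.trim();
  if (raw === '' || raw.includes('*')) return null;          // wildcards are rejected
  // Prepend a scheme so bare hosts parse; the scheme itself is discarded below.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `http://${raw}`;
  let host: string;
  try {
    // hostname drops userinfo, port, path, query and fragment, lowercases the host
    // and converts IDN labels to punycode (WHATWG URL host parsing).
    host = new URL(withScheme).hostname;
  } catch {
    return null;                                             // unparseable entry
  }
  host = host.replace(/\.+$/, '');                           // trailing dots
  if (host.startsWith('[')) return null;                     // IPv6 literal
  if (IPV4.test(host)) return null;                          // IPv4 literal
  if (!host.includes('.')) return null;                      // single-label host, e.g. "localhost"
  return host;
}

// Splits a "Discover & bulk-add" paste: newline, comma, space or semicolon separated,
// normalising each candidate and dropping rejects and duplicates.
function parseFreeformList(text: string): string[] {
  const seen = new Set<string>();
  for (const part of text.split(/[\n,;\s]+/)) {
    const host = normalizeAllowedDomain(part);
    if (host !== null) seen.add(host);
  }
  return Array.from(seen);
}
```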
Frontend SDK
- Added: Trial keys: 24-hour, monitor-only ephemeral site keys to try TrustSig before full provisioning.
Dashboard
Continue with Google + stability fixes
- Added: Continue with Google — one-click sign-in and signup. The /signup/google interstitial matches the rest of the auth flow.
- Fixed: Dead or expired session cookies no longer throw a 401 and crash the dashboard — you are cleanly redirected back to sign in.
- Fixed: The billing overview no longer crashes when a tier or subscription is missing; usage is normalised to safe defaults before render.
- Fixed: The notifications popover is now fully opaque, and alert messages render their emphasis correctly — applied to Recent Alerts too.
- Added: server: in-memory replay cap for verifyLocal — by default a token may be reused at most 4 times before it is rejected (new replay.ts; adds the @noble/hashes dependency).
- Added: types: replay-cap types.
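An in-memory replay cap of the kind described for verifyLocal, as an added TypeScript illustration rather than the SDK's replay.ts: each token is honoured at most `maxUses` times (default 4, as in this release) and counters are evicted once the token's own expiry has passed. Counters are keyed on the raw token string here for simplicity (the SDK hashes them); the token ids and timestamps in the checks are constructed.

```typescript
// Added illustration, not the SDK's replay.ts: an in-memory replay cap for verify tokens.
type ReplayVerdict = { ok: boolean; uses: number; reason?: 'replay-cap' | 'expired' };

class ReplayCap {
  private readonly counts = new Map<string, { uses: number; expiresAt: number }>();

  // maxUses: how many times one token may be accepted before further uses are rejected.
  constructor(private readonly maxUses = 4) {}

  // Records one use of `token` (expiring at expiresAt, ms since epoch) and reports
  // whether this use may be honoured. An already-expired token is rejected outright.
  consume(token: string, expiresAt: number, now = Date.now()): ReplayVerdict {
    this.prune(now);
    if (expiresAt <= now) return { ok: false, uses: 0, reason: 'expired' };
    const entry = this.counts.get(token) ?? { uses: 0, expiresAt };
    entry.uses += 1;
    this.counts.set(token, entry);
    if (entry.uses > this.maxUses) return { ok: false, uses: entry.uses, reason: 'replay-cap' };
    return { ok: true, uses: entry.uses };
  }

  // Drops counters for tokens that can no longer validate anyway, bounding memory.
  private prune(now: number): void {
    for (const [token, entry] of Array.from(this.counts)) {
      if (entry.expiresAt <= now) this.counts.delete(token);
    }
  }

  size(): number {
    return this.counts.size;
  }
}
```

The counter lives in one process, so it neither survives a restart nor spans several server instances; a multi-instance deployment needs a shared store for the same guarantee.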
Frontend SDK
- Improved: Verify tokens are now multi-use and the SDK proactively refreshes them before expiry — no more mid-session verify failures.
- Improved: Auto-scan now covers shadow DOM, iframes and form.submit() — catching more form flows.
- Improved: Dev experience: local hosts are auto-allowed in the domain whitelist — no manual whitelisting for local dev.
- Fixed: An SDK re-init hang and an IIFE wrapper issue.
- Fixed: Edge: preserve the query string when proxying to the backend.
Dashboard
- Improved: Troubleshoot: duplicate log lines are collapsed with an occurrence count, the domain-limit case shows a clear error, and the guided-fix modal is easier to follow.
- Changed: Support page rebuilt — cleaner rows, a direct email address, an expected response time, and a live-chat note.
- Changed: Renamed the “Bots Mitigated” metric to “Bots Detected” for accuracy.
Misc
- Added: Site-wide live chat for support (Crisp).
- Fixed: Stability: using the browser’s built-in “translate this page” no longer crashes the app — a React removeChild conflict, now patched.
- Changed: Listing copy: removed emoji bullets and tightened the tagline to reflect actual scope (forms plus opt-in admin-ajax / REST API guard). No behaviour change.
- Changed: All front-end and admin scripts/styles are now registered and enqueued via wp_enqueue_script / wp_enqueue_style with configuration passed through wp_localize_script; no inline script/style is printed in the normal page pipeline.
- Fixed: The Terms of Service link in the readme.
- Added: The verified-session layer: after a passing scan the browser is trusted via a signed cookie with no further edge calls, protecting AJAX/REST globally.
- Added: A rate-limited grace window for non-auth APIs during SDK bootstrap.
- Breaking: server: fail-closed contract. `action` is strictly ALLOW | CHALLENGE | BLOCK and every failure path now returns BLOCK, with new `error` and `blocked` fields. The old BLOCK_CRYPTO_FAIL / BLOCK_API_FAIL strings are gone — matching them let forged tokens through. Migration: replace `if (action === 'BLOCK')` with `if (action !== 'ALLOW')` (or `if (blocked)`).
- Security: server: verifyRemote now validates the response shape and times out after 5s (timeoutMs); verifyLocal / verifyRemote treat null or undefined input as BLOCK. Added base64url token support, maxTokenAgeSeconds and clockSkewSeconds.
- Breaking: types: stopped augmenting the global Window (moved into client). Added TrustSigAction, TrustSigErrorCode and TrustSigGlobal; Record<string, any> → Record<string, unknown>.
- Added: client: scriptTimeoutMs (default 10s) so SDK script injection aborts instead of hanging forever. The window.TrustSig declaration now lives here.
- Changed: react: the provider no longer recreates the client when customData changes — updates flow through setCustomData with deterministic change detection.
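The fail-closed contract and response-shape validation from the server entries above, as an added TypeScript illustration that is not the SDK's own code: anything that is not a well-formed ALLOW | CHALLENGE | BLOCK result (a malformed remote response, a legacy string, null) collapses to BLOCK, and a caller still written as `action === 'BLOCK'` is shown letting such results through where `action !== 'ALLOW'` does not. The `error` strings are constructed placeholders, not the SDK's TrustSigErrorCode values.

```typescript
// Added illustration of the fail-closed contract (not the SDK's own code).
type TrustSigAction = 'ALLOW' | 'CHALLENGE' | 'BLOCK';
type VerifyResult = { action: TrustSigAction; blocked: boolean; error?: string };

const ACTIONS: ReadonlySet<string> = new Set(['ALLOW', 'CHALLENGE', 'BLOCK']);

// Coerces an untrusted verifier response (remote JSON, a legacy shape, null or undefined)
// into the contract. Every path that is not a recognised action yields BLOCK.
function normalizeVerifyResult(raw: unknown): VerifyResult {
  if (raw === null || raw === undefined) {
    return { action: 'BLOCK', blocked: true, error: 'empty-response' };   // constructed code
  }
  if (typeof raw !== 'object') {
    return { action: 'BLOCK', blocked: true, error: 'bad-shape' };        // constructed code
  }
  const action = (raw as Record<string, unknown>).action;
  if (typeof action !== 'string' || !ACTIONS.has(action)) {
    return { action: 'BLOCK', blocked: true, error: 'bad-shape' };        // constructed code
  }
  // CHALLENGE is not a pass: only ALLOW leaves `blocked` false.
  return { action: action as TrustSigAction, blocked: action !== 'ALLOW' };
}

// The pre-migration caller pattern: only an explicit 'BLOCK' string stops the request,
// so a null response or an unrecognised action string is treated as allowed.
function legacyCallerLetsThrough(raw: unknown): boolean {
  const action = (raw as { action?: unknown } | null | undefined)?.action;
  return action !== 'BLOCK';
}

// The migrated caller pattern from the entry above: proceed only on an explicit ALLOW.
function proceeds(raw: unknown): boolean {
  return normalizeVerifyResult(raw).action === 'ALLOW';
}
```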
Frontend SDK
- Added: WordPress: site auto-provisioning plus secure verify and key generation.
- Fixed: WordPress: standardised host extraction, relaxed domain validation with port handling, and fixed iframe host mapping.
Dashboard
- Fixed: Bot percentage is now rounded in the dashboard stats.
Frontend SDK
- Fixed: Domain handling: a root domain and its www are treated as one — no false rejects.
- Added: Diagnostics: client-side troubleshoot logging for domain errors, so clients can see why a domain was rejected.