Trustie includes multiple layers of protection to keep your reviews genuine and your forms safe from abuse.
Built-in Rate Limiting
Every public form endpoint has a per-IP rate limit that blocks rapid-fire submissions. These limits are enabled by default and need no configuration.
| Action | Limit |
|---|---|
| Review submissions | 5 per minute |
| Widget review submissions | 5 per minute |
| Testimonial submissions | 5 per minute |
| Q&A questions | 5 per minute |
| Q&A answers | 5 per minute |
| Helpful / unhelpful votes | 20 per minute |
| Photo uploads | 10 per minute |
These limits prevent automated scripts from hammering your site. If someone exceeds the limit, the submission is blocked and they see a “Too many submissions, please try again shortly” style message until the window resets.
The limits apply per IP address, so a flood of submissions from a single source gets cut off quickly while genuine customers across the internet are unaffected.
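As an added illustration (not Trustie's own code), here is a small per-IP limiter in Python that applies the limits from the table above and keeps a record of blocked attempts, which is the signal the Best Practices section later suggests watching for in the debug log. The sliding-window mechanics, the action names and the sample IPs are assumptions made for the example.

```python
from collections import defaultdict, Counter

# Per-action limits from the table above: submissions allowed per IP per window.
LIMITS = {
    "review": 5, "widget_review": 5, "testimonial": 5,
    "qa_question": 5, "qa_answer": 5, "vote": 20, "photo_upload": 10,
}
WINDOW = 60  # seconds (the "per minute" in the table)


class RateLimiter:
    """Sliding 60-second window keyed by (action, ip).

    The sliding-window mechanics are an assumption for illustration; the
    limits and the per-IP keying are what the documentation states."""

    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self.hits = defaultdict(list)   # (action, ip) -> accepted timestamps
        self.blocked = []               # (timestamp, action, ip) per rejected attempt

    def allow(self, action, ip, now):
        key = (action, ip)
        # Keep only the accepted timestamps still inside the window.
        recent = [t for t in self.hits[key] if now - t < self.window]
        self.hits[key] = recent
        if len(recent) >= self.limits[action]:
            self.blocked.append((now, action, ip))
            return False   # caller shows "Too many submissions, please try again shortly"
        recent.append(now)
        return True

    def repeat_offenders(self, threshold=3):
        """IPs blocked at least `threshold` times: the pattern worth escalating to the WAF."""
        counts = Counter(ip for _, _, ip in self.blocked)
        return {ip: n for ip, n in counts.items() if n >= threshold}


def demo():
    rl = RateLimiter()
    # One source fires 8 review submissions within 8 seconds: 5 pass, 3 are blocked.
    burst = [rl.allow("review", "203.0.113.7", t) for t in range(8)]
    # A different customer reviewing during the burst is unaffected.
    other = rl.allow("review", "198.51.100.2", 5)
    # Votes have their own, separate budget (20/min) for the same IP.
    vote = rl.allow("vote", "203.0.113.7", 6)
    # Once the window has passed, the burst source can submit again.
    after = rl.allow("review", "203.0.113.7", 61)
    return burst, other, vote, after, rl.repeat_offenders()
```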
One Review Per Product
A customer can only leave one review per product. If they try to submit a second review for the same product (matched by email address), Trustie blocks the submission and tells them they’ve already reviewed that product. This applies to both logged-in customers and guests.
Nonce Protection
All form submissions use WordPress nonces (number-used-once tokens). This means:
- Forms can only be submitted from your actual website
- Each form token expires after a set time
- Cross-site request forgery (CSRF) attacks are blocked
- Bots that try to POST directly to your endpoints without loading the page first will be rejected
This is always active — you don’t need to configure anything.
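To make the expiry and binding concrete, here is an added Python model of the WordPress nonce construction that Trustie's forms rely on (the tick and HMAC scheme of wp_nonce_tick, wp_create_nonce and wp_verify_nonce). It is not Trustie's or WordPress core's code; the salt, the action names and the session token are constructed for the example.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60   # WordPress default nonce lifetime (DAY_IN_SECONDS)
SALT = b"constructed-nonce-salt-not-a-real-secret"   # stands in for the site's NONCE_SALT


def nonce_tick(now, life=NONCE_LIFE):
    # Ticks advance every half-lifetime; a nonce is accepted for the current and previous tick.
    return math.ceil(now / (life / 2))


def wp_hash(data: str) -> str:
    # wp_hash() with scheme 'nonce' is an HMAC-MD5 over the data with the nonce salt.
    return hmac.new(SALT, data.encode(), hashlib.md5).hexdigest()


def create_nonce(action, uid, token, now):
    tick = nonce_tick(now)
    # WordPress keeps 10 hex characters of the HMAC: substr(hash, -12, 10).
    return wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]


def verify_nonce(nonce, action, uid, token, now):
    """1 if the nonce is from the current tick, 2 if from the previous tick, else 0."""
    tick = nonce_tick(now)
    current = wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]
    if hmac.compare_digest(nonce, current):
        return 1
    previous = wp_hash(f"{tick - 1}|{action}|{uid}|{token}")[-12:-2]
    if hmac.compare_digest(nonce, previous):
        return 2
    return 0


def demo():
    t0 = 1_700_000_000
    action, uid, token = "submit_review", 0, "constructed-session-token"
    n = create_nonce(action, uid, token, t0)
    fresh = verify_nonce(n, action, uid, token, t0 + 60)                 # same tick -> 1
    stale = verify_nonce(n, action, uid, token, t0 + NONCE_LIFE // 2)    # previous tick -> 2
    wrong_action = verify_nonce(n, "cast_vote", uid, token, t0 + 60)     # other form -> 0
    expired = verify_nonce(n, action, uid, token, t0 + NONCE_LIFE + 1)   # two ticks on -> 0
    return fresh, stale, wrong_action, expired
```

For logged-out visitors WordPress uses uid 0 and an empty session token, so a guest nonce is bound to the action and the half-day tick rather than to a person; it defeats cross-site and blind POST submissions, and the rate limits above cover automated traffic that loads the page first.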
Additional Spam Protection: CleanTalk
While Trustie’s built-in rate limiting stops automated abuse and submission flooding, it can’t evaluate whether a review’s content is spam. For that, we recommend CleanTalk.
Why CleanTalk?
CleanTalk is an anti-spam service that checks the actual content of submissions:
- No CAPTCHA needed — Customers don’t have to solve puzzles or check boxes
- Invisible protection — Works silently in the background
- Checks content — Catches spam text, known spam emails, and spam IPs that rate limiting alone can’t detect
- WordPress native — Integrates with WordPress comment and form systems
- Affordable — Around $12/year for a single site
How It Works With Trustie
CleanTalk hooks into WordPress at the comment/form level. Since Trustie’s product reviews use the WordPress comment system, CleanTalk automatically checks:
- Is the reviewer’s email on known spam lists?
- Does the review content look like spam?
- Is the IP address associated with spam activity?
If CleanTalk flags a submission, it’s blocked before it ever reaches Trustie’s review queue.
Setting Up CleanTalk
- Sign up at cleantalk.org
- Install the Anti-Spam by CleanTalk plugin from Plugins > Add New
- Enter your CleanTalk API key in the plugin settings
- That’s it — it starts protecting immediately
Alternatives
If you prefer a different approach:
- Akismet — WordPress’s built-in anti-spam. Works with comments (and therefore product reviews). Free for personal sites, paid for commercial.
- hCaptcha or reCAPTCHA — Adds a challenge to forms. More intrusive for customers but effective against bots. Requires a compatible form plugin or custom integration.
What’s Protected
Here’s a summary of every public-facing form and what protects it:
| Form | Rate Limiting | Nonces | CleanTalk Compatible |
|---|---|---|---|
| Product review form | Yes | Yes | Yes (via WP comments) |
| Testimonial submission | Yes | Yes | Partial (custom AJAX) |
| Q&A questions | Yes | Yes | Partial (custom AJAX) |
| Q&A answers | Yes | Yes | Partial (custom AJAX) |
| Helpful/unhelpful votes | Yes | Yes | N/A |
| Photo uploads | Yes | Yes | N/A |
| Widget review form | Yes | Yes | Yes (via WP comments) |
“Partial” means CleanTalk may check the IP/email but won’t evaluate the form content unless the plugin specifically integrates with CleanTalk’s API.
Best Practices
Trustie’s protection works best as part of a layered setup. Each layer catches a different kind of abuse:
- Edge protection (Cloudflare or similar) — Stops bots, scraping, and DDoS traffic before it ever reaches your site. If you’re running a public-facing store and don’t have a WAF or CDN with bot protection in front of WordPress, that’s the highest-value addition you can make. Trustie’s per-IP rate limits help, but they fire after a request has already reached your server.
- Content-based anti-spam (CleanTalk or Akismet) — Evaluates the actual text and reputation of submissions. Trustie’s rate limiting can’t tell a genuine 5-star from a spam 5-star with a link in it; CleanTalk can.
- Trustie’s built-in rate limiting — Backstop for the above. Stops rapid-fire automated submissions from any source that slipped past edge protection.
- Review your moderation queue — Even with all three layers, check pending reviews periodically. The auto-approve threshold and Require Moderation controls live in Settings > Moderation.
- Watch your debug log — Trustie logs blocked submissions. Repeated rate-limit hits from a particular IP are a sign of automated abuse worth investigating at the firewall or WAF level.