=== useHUMA — Invisible Bot Protection (No CAPTCHA) ===
Contributors: usehuma
Tags: spam, bot protection, captcha alternative, anti-spam, comments
Requires at least: 5.8
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Stop comment spam, fake registrations and form bots with invisible behavioral verification — no puzzles, no checkboxes, zero PII.

== Description ==

CAPTCHAs interrupt every visitor to catch a few bots — and modern bots solve them anyway. useHUMA takes the opposite approach: it observes *how* a visitor behaves (mouse rhythm, typing cadence, scroll patterns, touch physics) and scores the probability that a real human is present. Real visitors feel nothing. Bots get blocked.

**What it protects:**

* **Comments** — spam comments are rejected before they reach your moderation queue
* **User registration** — fake account signups are stopped at the door
* **Contact Form 7** — form spam is invalidated on submission (if CF7 is installed)

**Why site owners choose it:**

* **Invisible** — no checkbox, no image puzzles, no friction for real visitors
* **Privacy-first** — zero PII: no keystroke contents, no names, no fingerprinting databases; only statistical aggregates of interaction patterns
* **Fail-open by design** — if the verification service is ever unreachable, your forms keep working
* **One setting** — paste your API key and you're protected

You'll need a free useHUMA API key from [humaverify.com](https://humaverify.com/signup?utm_source=wordpress). The free trial includes full API access.

== External services ==

This plugin connects to the useHUMA API (https://humaverify.com) to score form submissions. On each protected submission, the plugin sends: anonymous behavioral statistics collected on the page (timing variance of mouse/keyboard/scroll/touch interactions — never the contents of what was typed) and a user identifier (the submitter's email address when the form provides one, otherwise a generic label). No other personal data is transmitted, and useHUMA stores only statistical aggregates (no PII).

This service is provided by useHUMA: [terms of service](https://humaverify.com/terms), [privacy policy](https://humaverify.com/privacy).

== Installation ==

1. Install and activate the plugin.
2. Get a free API key at [humaverify.com/signup](https://humaverify.com/signup?utm_source=wordpress).
3. Go to **Settings → useHUMA**, paste your API key, and choose what to protect.
4. Done — protection is invisible from this point on.

== Frequently Asked Questions ==

= Will my visitors see a CAPTCHA or checkbox? =

No. Verification is completely invisible. Visitors just use your site normally; the behavioral score happens in the background.

= What data is collected? =

Only statistical aggregates of interaction timing (e.g. "how much did typing rhythm vary"), never the contents of what a visitor types, and never biometric identifiers. See the External services section for the full list.

= What happens if the useHUMA API is down? =

The plugin fails open: submissions are allowed through. An outage will never lock real users out of your forms.

= What is strict mode? =

By default, submissions without behavioral signals (e.g. from visitors with JavaScript disabled) are allowed. Strict mode rejects them — which blocks direct-POST bots completely, at the cost of also blocking no-JavaScript visitors.

= Does it work with caching plugins? =

Yes. The collector runs client-side after page load, so full-page caching doesn't affect it.

== Changelog ==

= 1.0.0 =
* Initial release: comment, registration and Contact Form 7 protection, settings page, bundled behavioral collector.
