Description
Protect your WordPress site against comment spam, abusive registrations, and other unwanted submissions with Tornevall Networks DNSBL and FraudBL.
The plugin is built to give site owners a practical anti-abuse layer without turning everyday moderation into a maintenance project..
Report issues and feedback: GitHub issues
Plugin URL: WordPress.org plugin page
Documentation: DNSBL API documentation
Support and feedback
Bug reports and feedback can currently be submitted via GitHub issues.
Full Documentation: DNSBL API documentation
Translations can be contributed via translate.wordpress.org.
Screenshots

Try-tests and self-check: direct DNS lookups for a specific IP plus a self-check of the current server and visitor address.

At a glance and visitor statistics: resolver status, selected trigger flags, whitelist state, Turnstile/registration protection status, and recorded DNSBL activity.

Core DNS lookup settings: preferred resolver hosts, cache age, cleanup interval, and the active blacklist trigger-flag profile including FraudBL-related flags.

Protection behavior: comment hiding, redirect handling, safe IP whitelisting, blocked-visitor redirect URL, and admin notice styling.

Tools integration and development: diagnostics mode, frontend dry-run guidance, production/dev Tools mode selection, and token configuration.

Cloudflare Turnstile and registration protection: Turnstile settings for comments, the optional public delisting/removal flow, plus DNSBL/FraudBL and Turnstile protection for new WordPress account registrations.

Frontend dry run in action: admin-bar dry-run indicator, blocked-comments notice on the public site, and the floating dry-run status banner used for safe live testing.
Installation
- Upload the plugin archive to the
/wp-content/plugins/directory - Activate the plugin through the ‘Plugins’ menu in WordPress
- Configure the plugin via admin control panel
The installation creates a cache table in the WordPress database. This reduces repeated DNS lookups and helps avoid unnecessary load against blacklist services. Both blacklisted and non-listed lookups are cached. The default cache lifetime is 600 seconds and the cleanup interval is 300 seconds.
The plugin also supports a safe IP whitelist. Whitelisted IP addresses are still checked and can appear in statistics, but they are not blocked, redirected or marked as spam. When possible, the activating visitor IP is seeded into that whitelist automatically during first-time setup.
If the database schema becomes out of sync after an upgrade or a manual source-based install, deactivate and reactivate the plugin to recreate the required tables.
FAQ
- Can I get delisted?
Yes. If you are blacklisted in Tornevall DNSBL, you can use the removal page – otherwise, you can’t.
- Can I host a delisting page?
Yes. You can host the built-in form on any page with:
[dnsbl_removal_form]
But you need permissions for this, which can be gained by request via https://tools.tornevall.net/.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Tornevall Networks DNSBL Implementation” is open source software. The following people have contributed to this plugin.
ContributorsTranslate “Tornevall Networks DNSBL Implementation” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
3.1.3
- Tested with WP7.
3.1.2
- Fixed the public removal-form Turnstile lifecycle so the widget waits for Cloudflare’s API before rendering, keeps the returned widget id, and uses that widget id for reset/response handling.
- Fixed stale or empty Turnstile response handling by clearing tokens on expiration, timeout or error and recovering the current widget response before submit when the hidden token field is empty.
- Released the Tools-backed site identity metadata and bumped the plugin release metadata to
3.1.2.
3.1.1
- Added an explicit admin checkbox for Turnstile on the public delisting/removal page.
- The public delist flow no longer inherits Turnstile automatically just because comment or registration Turnstile is configured.
- Site owners can now disable only the removal-page challenge when Cloudflare Turnstile has temporary problems, while keeping comment and registration protection enabled.
3.1.0
- Added the plugin-side DNSBL write integration (
add,delete,update,bulk) around one visible Write token field, bulk queueing, and optional dry-run acknowledgement through the Tools DNSBL endpoints. - Added the shortcode-based removal form (
[dnsbl_removal_form]) with AJAX backend proxy support, built-in main removal-page templating, and live delisting-page permission gating. - Added the Tools-backed checker/removal follow-up via
POST /api/dnsbl/check-ip, together with the checker-style public delist flow and dashboard/settings warnings when live delete / delist access is still missing. - Added advanced optional CIDR removal flow for permitted tokens, including safe
/24../32validation, plugin-local scan progress, a visible hit list of listed addresses, listed-hit-only delete targeting, sequential per-IP delete requests, and Cloudflare Turnstile verification for live removal-form submissions. - The plugin UI now uses one visible DNSBL / Tools API token field, and the Check token permissions tool now always asks Tools for a live answer and reports effective DNSBL access more clearly.
- Preferred resolver hosts now cover all four canonical DNSBL/FraudBL zones, and migrations merge any missing defaults into existing installs without removing custom hosts.
- Shortcode/custom removal pages now expose only the operations allowed by the current token, while the plugin-managed main removal page stays delete-focused.
- Token status panels, delisting-page controls, and checker submits now better reflect real delete capability, including explicit IP reposting when the checker has locked the field before submit.
- Checker follow-up failures now report clearer backend/API errors for remote
419cases, and write/check diagnostics now distinguish true invalid DNSBL tokens from wrong-token-type or inactive admin-key cases. - Checker-mode Turnstile stays hidden during pre-check/background steps, is enforced on actual write submissions, the Delist button now carries the in-flight submit state itself, and checker/delist requests now also show a dedicated busy spinner row.
- CIDR scanning now stays inside WordPress in small local batches so the resolver side is not flooded, while the final delete still goes through the DNSBL write endpoint after the block scan has found at least one listed address and only for the IPs the local scan actually marked as listed, one IP at a time.
- If the user clicks Check if listed while a valid CIDR is still entered in the first checker IP field, the plugin now opens Advanced automatically, moves the CIDR there, and keeps that Advanced CIDR value as the authoritative range for the later scan/delete flow instead of requiring a separate single-IP anchor.
- The admin UI now also shows a dismissible reminder that links directly to the WordPress.org review form for quick feedback.