Hi @satollo – Thank you for raising the ticket.
The plugin uses the wp_create_nonce() function, which technically can produce a user-independent token, but it also uses a tick mechanism that can break a page cache. Because WP's built-in nonces are rather weak, I have made the plugin use a proper CSPRNG to generate a random key, which will be validated at a later point.
As of now, I suppose the WP-nonce + random setup will not be compatible with caching plugins. We can make it use the random-key-based protection alone, which will not provide protection against replay attacks, but will provide compatibility with caching plugins.
What is your take on this? I'm sure a caching plugin is important, and there would be a cost in the lack of replay-attack protection if we were to make the comment forms cacheable. Either way, we will have much better protection compared with the bare WordPress setup, which happily accepts _all_ form submissions regardless of token.
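The trade-off weighed in the reply above, as an added example in plain PHP (not the plugin's own code and not how it implements either option): a stateless random key that can sit in a cached form but verifies on every replay, next to a single-use token that rejects replays but has to be issued per render. The `FORM_SECRET` constant and the in-memory `OneTimeTokenStore` are stand-ins assumed here so the script runs without WordPress; a real plugin would take its secret from WordPress and persist tokens in a transient or option with an expiry.

```php
<?php
// Added example (not the plugin's code): two ways to validate a CSPRNG-generated
// form key, showing why the cache-friendly variant cannot stop replays.
declare(strict_types=1);

// Assumption: a server-side secret. A WordPress plugin would derive this from
// the site's salts; a constant stands in here so the script runs stand-alone.
const FORM_SECRET = 'replace-me-with-a-real-secret';

/** Generate a 128-bit key with PHP's CSPRNG (random_bytes), hex-encoded. */
function generate_key(): string
{
    return bin2hex(random_bytes(16));
}

/* --- Option A: stateless key + HMAC (cache-friendly, replayable) ---------- */

// The form carries the key and an HMAC over it. Nothing is stored server-side,
// so the rendered form can be cached and served to many visitors. The flip side:
// any captured (key, mac) pair keeps verifying until the secret changes.
function stateless_fields(string $key): array
{
    return ['key' => $key, 'mac' => hash_hmac('sha256', $key, FORM_SECRET)];
}

function stateless_verify(array $post): bool
{
    if (!isset($post['key'], $post['mac'])
        || !is_string($post['key']) || !is_string($post['mac'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $post['key'], FORM_SECRET);
    return hash_equals($expected, $post['mac']); // constant-time comparison
}

/* --- Option B: single-use token (replay-resistant, not cacheable) --------- */

// Hypothetical in-memory store. Only the token's hash is kept, so a leaked
// store does not yield usable tokens; the expiry bounds how long an unused
// form stays valid.
final class OneTimeTokenStore
{
    /** @var array<string,int> sha256(token) => expiry timestamp */
    private array $issued = [];

    public function issue(int $ttl = 600): string
    {
        $key = generate_key();
        $this->issued[hash('sha256', $key)] = time() + $ttl;
        return $key;
    }

    /** Succeeds at most once per token; a second submission is a replay. */
    public function consume(string $key): bool
    {
        $h = hash('sha256', $key);
        if (!isset($this->issued[$h])) {
            return false; // never issued, already used, or forged
        }
        $expiry = $this->issued[$h];
        unset($this->issued[$h]); // burn the token before any further checks
        return $expiry >= time();
    }
}

/* --- Demonstration ------------------------------------------------------- */

$fields = stateless_fields(generate_key());
var_dump(stateless_verify($fields));                      // a genuine submission
var_dump(stateless_verify($fields));                      // the same pair submitted again
var_dump(stateless_verify(['key' => 'x', 'mac' => 'y'])); // a forged pair

$store = new OneTimeTokenStore();
$token = $store->issue();
var_dump($store->consume($token)); // first use of the issued token
var_dump($store->consume($token)); // replay of the same token
var_dump($store->consume('nope')); // a token that was never issued
```

Run it with `php example.php` and compare the second `stateless_verify` call with the second `consume` call: the stateless scheme has no memory of what it already accepted, which is exactly the replay gap described above. Adding an issue timestamp to the stateless fields and rejecting old ones narrows the replay window, but every expiry then also invalidates any cached page that embedded the key, which is the same tension the WP tick mechanism creates.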