Do you want to create a secure form in WordPress?
Forms allow users to submit information on your website. However, they can also be used by hackers to steal information, attack websites, and install malicious code.
In this article, we will show you how to create a secure contact form in WordPress. We'll explain how to ensure secure WordPress form submissions on your site.
Here is a summary of what we'll cover in this article.
- What you need to secure WordPress forms
- Creating a secure contact form in WordPress
- Securing WordPress contact form email notifications
- Securing WordPress forms against spam and DDoS attacks
- Restricting WordPress form access (password protected, members only, and more)
- Keeping your WordPress site secure
What You Need to Secure WordPress Forms
To make your WordPress contact form secure, you need two things.
- A secure WordPress contact form plugin
- A secure WordPress hosting environment
Let's start with the form plugin.
1. Choosing a Secure Contact Form Plugin
A secure contact form plugin allows you to save form entries securely on your website. It also allows you to use secure email methods to deliver your form notifications.
We recommend using WPForms, which is the best WordPress contact form plugin on the market.
It comes with tons of powerful features to secure WordPress forms and protect your website from spam, hacking, and data theft.
There is also a free version available called WPForms Lite. It is equally secure but has limited features.
2. Choosing a Secure Hosting Platform
Choosing the right WordPress hosting is crucial for the security of your website and your contact forms.
We recommend using Bluehost. They are one of the largest hosting companies in the world and an officially recommended WordPress hosting provider.
More importantly, they are offering pluginthemehub users a free domain and SSL certificate (you'll need it for better WordPress form security).
You can also use other popular WordPress hosting companies like SiteGround, WP Engine, HostGator, etc., because they all offer free SSL.
What is SSL? And why do you need it to secure WordPress forms?
SSL stands for Secure Sockets Layer (its modern versions are called TLS, but the name SSL has stuck). It switches your WordPress site from HTTP to HTTPS (secure HTTP). You'll notice a padlock icon next to your website address indicating that it is using the SSL/TLS protocol to transfer data.
SSL protects your information by encrypting the data transfer between a user's browser and the website. This means form submissions are encrypted in transit, which makes it much harder for anyone on the network to steal the data.
For more details, see our article on how to get a free SSL certificate for your website.
That being said, now let's take a look at how to create a secure contact form in WordPress.
Creating a Secure Contact Form in WordPress
Creating a secure WordPress contact form is easy if you have already covered the requirements mentioned above. See our tutorial on how to quickly add a contact form in WordPress if you haven't already done so.
Next, add more security layers to your WordPress contact form. This helps you keep form data safe, and it also helps you reduce spam and improve your website performance.
The following are some of the most common ways someone can steal information or abuse your WordPress forms.
First, they can sniff the information as it is submitted through a form. You can address this by using a secure WordPress hosting platform and enabling SSL encryption on your website.
The next part is when your WordPress form sends notification emails. Business email services are not part of WordPress, and if you are not sending those emails properly, then they can be insecure.
Lastly, your WordPress forms can be abused to send spam messages and to launch DDoS attacks. If you are using a custom WordPress login form, then hackers can use brute force attacks to log in to your WordPress site.
Now let's address each one of them to make your WordPress forms more secure.
Securing WordPress Contact Form Email Notifications
As we mentioned earlier, emails that are sent insecurely can be intercepted and read. There are two ways you can handle form notification emails.
1. Don't send form data via email notifications
The first thing you would want to consider is not sending form data via email at all.
For instance, when someone submits your contact form, you only get an email alert that someone has submitted a form, not the form data itself.
WPForms comes with a built-in entry management system that stores your form data in your WordPress database. You can simply go to the WPForms » Entries page to view all form submissions.
Note: You'll need to upgrade to the paid version of WPForms for entry management features.
2. Send secure WordPress form notification emails
For some users, sending form notification emails is necessary for their business.
For instance, if you have anΒ online order form, aΒ donations form, or a payment form, then you may need to send email notifications to your users.
For this, you need to set up a proper SMTP service to securely send emails.
SMTP stands for Simple Mail Transfer Protocol. It is the industry standard for sending email on the internet; used with authentication and an encrypted (TLS) connection, it lets your site deliver notifications securely.
We recommend using G Suite, which allows you to create a professional business email address. Powered by Google, it allows you to use the familiar Gmail interface to send and receive emails.
However, if you'll be sending a lot of emails, then we recommend using Sendinblue, Amazon SES, or any of the reliable SMTP service providers.
Next, you need to connect your email service to WordPress so that all your WordPress form notifications are sent using your secure email connection.
To do that, you need to install and activate the WP Mail SMTP plugin. It works with any SMTP email service and allows you to easily send WordPress emails securely.
For detailed instructions, see our guide on how to set up WP Mail SMTP in WordPress.
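To show what a "secure email connection" actually consists of, here is an added example (not WP Mail SMTP's own code) that routes every wp_mail() call through authenticated SMTP with STARTTLS using WordPress's built-in phpmailer_init hook. MY_SMTP_HOST, MY_SMTP_USER, MY_SMTP_PASS and MY_SMTP_FROM are placeholder constants you would define in wp-config.php.

```php
<?php
// Added example (not WP Mail SMTP's own code): route every wp_mail() call through
// authenticated SMTP with STARTTLS using WordPress's built-in phpmailer_init hook.
// Assumptions: MY_SMTP_HOST, MY_SMTP_USER, MY_SMTP_PASS and MY_SMTP_FROM are
// placeholder constants defined in wp-config.php, never hard-coded in a theme file.

add_action( 'phpmailer_init', 'my_secure_smtp_setup' );

function my_secure_smtp_setup( $phpmailer ) {
    // Weak default: wp_mail() hands the message to the local mail() transport,
    // unauthenticated and unencrypted, so it is easy to spoof and often lands in spam.
    // Corrected: authenticated SMTP submission with the connection upgraded to TLS.
    $phpmailer->isSMTP();
    $phpmailer->Host        = MY_SMTP_HOST;
    $phpmailer->Port        = 587;    // submission port; STARTTLS upgrade after connect
    $phpmailer->SMTPSecure  = 'tls';  // STARTTLS; use 'ssl' with port 465 for implicit TLS
    $phpmailer->SMTPAutoTLS = true;   // still negotiate TLS if the server advertises it
    $phpmailer->SMTPAuth    = true;
    $phpmailer->Username    = MY_SMTP_USER;
    $phpmailer->Password    = MY_SMTP_PASS;

    // The From address must belong to the authenticated account; otherwise the
    // receiving side's SPF/DKIM checks fail and the notification is rejected or spammed.
    $phpmailer->setFrom( MY_SMTP_FROM, get_bloginfo( 'name' ) );

    // Deliberately NOT set: $phpmailer->SMTPOptions with verify_peer => false.
    // Disabling certificate checks lets anyone on the network impersonate the mail server.
}
```

Drop this into a small must-use plugin and every WordPress notification, including WPForms emails, goes out over the authenticated, encrypted connection.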
Securing WordPress Forms Against Spam and DDoS Attacks
Your website forms are publicly accessible. This means anyone can access and fill them. We'll cover restricting form access to specific users in the next step, but for this step we will address public forms.
When your form is accessible by anyone on the internet, it can become a target for spammers and hackers. While spammers try to use your form for fraudulent activities, hackers may try to use it to gain access to your website or even bring it down.
Luckily, WPForms comes with several spam-prevention features. It also automatically enables the honeypot anti-spam technique on all forms.
A honeypot adds a hidden field that human visitors never see but automated spambots fill in, so a non-empty value flags the submission as spam. However, it is not the most effective way to protect online forms on its own, since smarter bots simply skip hidden fields.
If you suspect that your forms are being abused or are under attack, then you can deploy the following spam protection tools.
1. Enable Google reCAPTCHA in Your Forms
WPForms comes with Google reCAPTCHA support. Simply go to the WPForms » Settings page and click on the reCAPTCHA tab.
Google offers three types of reCAPTCHA tools. We recommend using checkbox reCAPTCHA v2 because it is more user-friendly.
You'll need a site key and a secret key to enable reCAPTCHA on your site. Simply go to the reCAPTCHA website and click on the "Admin Console" button at the top.
Next, enter your website details. Provide a label for your site and then choose reCAPTCHA v2 with the "I am not a robot" checkbox.
Click on the Submit button to continue and youβll see the API keys.
Go ahead and copy these keys and paste them into the WPForms settings page. Don't forget to click on the "Save Settings" button to store your changes.
You can now edit your form and add the reCAPTCHA field to your form.
Youβll see a notification that reCAPTCHA is now enabled for your form. You can go ahead and save your form.
If you haven't already added the form to your website, then you can simply edit the post or page where you want to display the form and add the WPForms block to the content area.
Simply select your form in the drop-down menu and WPForms will load a preview of your form. You can now save your post or page and visit it in a new browser tab to see your form with the reCAPTCHA field in action.
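WPForms performs the honeypot and reCAPTCHA checks for you. As an added example (not WPForms' own code), here is what the server side of both checks looks like for a custom WordPress form: the honeypot rejection described in the previous section and the reCAPTCHA v2 token verification against Google's siteverify endpoint. It assumes the form posts a nonce created with wp_nonce_field( 'secure_contact' ), a CSS-hidden honeypot input named "website_url", and the "g-recaptcha-response" token from the widget; MY_RECAPTCHA_SECRET is a placeholder constant for the secret key.

```php
<?php
// Added example (not WPForms' own code): server-side handling for a custom WordPress
// form that applies the two checks described above, a honeypot field and Google
// reCAPTCHA v2 token verification. Assumptions: the form posts a nonce created with
// wp_nonce_field( 'secure_contact' ), a CSS-hidden honeypot input named "website_url",
// and the "g-recaptcha-response" token from the reCAPTCHA widget; the secret key is a
// placeholder constant MY_RECAPTCHA_SECRET defined in wp-config.php.

add_action( 'admin_post_nopriv_secure_contact', 'my_handle_secure_contact' );
add_action( 'admin_post_secure_contact', 'my_handle_secure_contact' );
function my_handle_secure_contact() {
    // CSRF check: the nonce proves the request originated from our own form.
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'secure_contact' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // Honeypot: humans never see the field, so any value means a bot filled the form.
    if ( ! empty( $_POST['website_url'] ) ) {
        wp_safe_redirect( home_url( '/' ) ); // silent rejection: the bot learns nothing
        exit;
    }

    // reCAPTCHA: the token is only evidence once Google has confirmed it.
    $token = sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ?? '' ) );
    if ( ! my_recaptcha_passed( $token ) ) {
        wp_die( 'Captcha verification failed.', '', array( 'response' => 403 ) );
    }

    // Only now handle the submission (store the entry, queue the notification, ...).
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    wp_safe_redirect( home_url( '/thank-you/' ) );
    exit;
}

function my_recaptcha_passed( $token ) {
    if ( '' === $token ) {
        return false;
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array( 'secret' => MY_RECAPTCHA_SECRET, 'response' => $token ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false; // fail closed: a network error must not wave spam through
    }
    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    // Check the hostname too, so a token solved on another site cannot be replayed here.
    return ! empty( $result['success'] )
        && ( $result['hostname'] ?? '' ) === wp_parse_url( home_url(), PHP_URL_HOST );
}
```

The hostname comparison assumes your site URL and the domain registered in the reCAPTCHA admin console match exactly (for example both with or both without "www").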
2. Enable Custom Captcha for Your WordPress Forms
If you don't want to use Google reCAPTCHA, then you can use your own math quiz or questions with the WPForms Custom Captcha addon.
Note: You'll need the Pro version of the plugin to access the Custom Captcha addon.
Simply head over to the WPForms » Addons page to install and activate the Custom Captcha addon.
After that, you can edit your contact form and add the Captcha field to your form.
By default, it adds a random math question. You can change that to add your own custom captcha by changing the captcha type to text.
You can now save your form and add it to a post or page using the WPForms block.
You can now visit your post or page to see the custom captcha in action.
Restricting WordPress Form Access to Certain Users
Another way to protect your WordPress forms is to restrict access to logged-in members, or through a unique form password.
WPForms comes with a Form Locker addon that lets you enable various form permissions and access control rules.
With Form Locker you can:
- Password Protect Forms: this requires users to enter a password to submit the form. This added protection helps decrease the number of unwanted form submissions.
- Close Form Submissions After a Specific Date / Time: this is great for any kind of application form or other time-sensitive forms.
- Limit the Number of Total Submissions: this is great for contests or giveaways. Once the maximum number of entries is reached, WPForms will automatically close the form.
- Limit One Entry Per Person: if you want to avoid duplicate submissions, then you will love this option. This is very useful for scholarship applications, giveaways, etc.
- Restrict Forms to Members Only: you can restrict your forms to logged-in users of your WordPress site. This is great for membership sites or businesses that want to restrict support to paid customers only.
You can access the Form Locker settings inside the Form Builder Settings panel.
For a detailed step-by-step tutorial, please see our guide on how to password protect WordPress forms.
Keeping Your WordPress Site Secure
The security of your WordPress forms depends on the security of your entire WordPress website. With some simple steps, you can strengthen your WordPress website security.
We recommend Sucuri, the best WordPress security plugin on the market. It comes with a website firewall that blocks suspicious activity before it even reaches your website.
For more practical tips, see our complete WordPress security guide for beginners.
We hope this article helped you create a secure contact form in WordPress. You may also want to see our guide on how to create an email newsletter and our list of must-have WordPress plugins.