WP Contact Form Security

There are a couple of aspects to the security of my Contact Kenny page.

  1. Protecting my visitors: I need to make sure the data my visitors enter on my contact form is safe and not intercepted in transit. Just as important – or perhaps even more important – my visitors must have confidence that their data is safe and will not be intercepted in transit.
  2. Protecting me: I really effing hate contact form spam. Actually, I really effing hate all spam, but I’ve kinda gotten used to a certain amount of email and certain other spam being inevitable. But not contact form spam. I want exactly zero contact form spam.

#1 is pretty straightforward. SSL solves the problem. And SSL is now free and relatively easy provided that my hosting provider offers Let’s Encrypt. If my hosting provider does not offer Let’s Encrypt – time to switch hosting providers. Which I did. Sorry LunarPages. You were otherwise a solid host – which is why I stayed with you for roughly a decade and a half – but Let’s Encrypt became essential.

#2 is a little trickier. Most WP contact form plugins support reCAPTCHA and/or a honeypot. Or I could use a Cloudflare page rule to turn on ‘Browser Integrity Check’ and set the security level to ‘I’m Under Attack’. Any one of these measures will stop the vast majority of spam bots – but a few extra-smart bots will still slip through. Any two of these measures, working together, will stop all bots. ‘All’ is probably an exaggeration, but I have never seen a bot slip through when I use two separate bot stoppers.

Update: Drat, I spoke too soon. It doesn’t happen much, but maybe once every couple of days a spam bot will slip through both my Cloudflare page rule and honeypot to kindly inform me about sexy singles in my area.


I was using both a reCAPTCHA and a honeypot, but a plugin update at some point broke my reCAPTCHA. So, I switched to a Cloudflare page rule paired with a honeypot. This method has the huge advantage of blocking the vast majority of bots at the reverse proxy level – keeping them completely off my site. It has the huge disadvantage of using up one of my three precious page rules.
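The two-layer idea above (a honeypot plus reCAPTCHA), sketched server-side as an added example; it is not code from this post or from any contact form plugin. The field name `website_url`, the hostname `example.com` and the function name are assumptions, and the sample submissions are constructed. It rejects when the CAPTCHA check cannot be completed, so a broken integration does not silently leave the honeypot as the only layer.

```php
<?php
// Added example. HONEYPOT_FIELD and EXPECTED_HOST are assumed values, not from the post.
const HONEYPOT_FIELD = 'website_url';  // hypothetical decoy input, hidden from humans with CSS
const EXPECTED_HOST  = 'example.com';  // placeholder for the site's own hostname

/**
 * Returns the reasons to reject a submission; an empty array means accept.
 * $post:    the submitted form fields.
 * $captcha: decoded JSON reply from reCAPTCHA's siteverify endpoint,
 *           or null when the verification call could not be made.
 */
function contact_form_rejections(array $post, ?array $captcha): array
{
    $reasons = [];

    // Layer 1: honeypot. A human never sees the decoy, so it must arrive empty.
    // A missing decoy means the POST was built without loading the real form.
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        $reasons[] = 'honeypot field missing';
    } elseif (!is_string($post[HONEYPOT_FIELD]) || trim($post[HONEYPOT_FIELD]) !== '') {
        $reasons[] = 'honeypot field filled';
    }

    // Layer 2: CAPTCHA. Fail closed when verification is unavailable.
    if ($captcha === null) {
        $reasons[] = 'captcha verification unavailable';
    } elseif (($captcha['success'] ?? false) !== true) {
        $reasons[] = 'captcha failed';
    } elseif (($captcha['hostname'] ?? '') !== EXPECTED_HOST) {
        // A token solved on a different site must not be accepted here.
        $reasons[] = 'captcha solved for another site';
    }

    return $reasons;
}

// Constructed sample submissions: [form fields, decoded siteverify reply]
$samples = [
    'human'          => [['name' => 'Ann', 'website_url' => ''], ['success' => true, 'hostname' => 'example.com']],
    'naive bot'      => [['name' => 'x', 'website_url' => 'http://spam.invalid'], ['success' => false]],
    'captcha broken' => [['name' => 'Bob', 'website_url' => ''], null],
];

foreach ($samples as $label => [$post, $captcha]) {
    $reasons = contact_form_rejections($post, $captcha);
    echo $label, ': ', $reasons ? 'reject (' . implode(', ', $reasons) . ')' : 'accept', PHP_EOL;
}
```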

To free up a page rule for contact form bot-blocking, I reluctantly gave up my ‘Cache Everything’ page rule. My sites are still speedy since I use a quality host and the excellent LiteSpeed cache. Also, Cloudflare by default still globally caches images, CSS, and JavaScript – just not HTML. Site speed decreased by only about 2% in North America, but about 10% in Europe and Asia. For me, that’s a small price to pay for my obsessive hatred of spam bots.
