WP Contact Form Security

There are a couple of aspects to the security of my Contact Kenny page.


  1. Protecting my visitors: I need to make sure the data my visitors enter on my contact form is safe and not intercepted in transit. Just as important – or perhaps even more important – my visitors must have confidence that their data is safe and will not be intercepted in transit.
  2. Protecting me: I really effing hate contact form spam. Actually, I really effing hate all spam, but I’ve kinda gotten used to a certain amount of email and certain other spam being inevitable. But not contact form spam. I want exactly zero contact form spam.

#1 is pretty straightforward. SSL solves the problem. And SSL is now free and relatively easy provided that my hosting provider offers Let’s Encrypt. If my hosting provider does not offer Let’s Encrypt – time to switch hosting providers. Which I did. Sorry LunarPages. You were otherwise a solid host – which is why I stayed with you for roughly a decade and a half – but Let’s Encrypt became essential.

#2 is a little trickier. Most WP contact form plugins support recaptcha and/or a honeypot. Or I could use a CloudFlare page rule to turn on ‘Browser Integrity Check’ and set the security level to ‘I’m Under Attack’. Any one of these measures will stop the vast majority of spam bots – but a few extra-smart bots will still slip through. Any two of these measures, working together, will stop all bots. ‘All’ is probably an exaggeration, but I have never seen a bot slip through when I use two separate bot stoppers.

Update: Drat, I spoke too soon. It doesn’t happen much, but maybe once every couple of days a spam bot will slip through both my CloudFlare page rule and honeypot to kindly inform me about sexy singles in my area.

Honeypot

I was using both a recaptcha and a honeypot, but a plugin update at some point broke my recaptcha. So, I switched to a CloudFlare page rule paired with a honeypot. This method has the huge advantage of blocking the vast majority of bots at the reverse proxy level – keeping them completely off my site. It has the huge disadvantage of using up one of my three precious page rules.
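As an added illustration of how a form honeypot works (this is example code, not the blog's own contact form or any plugin's code), the handler below renders an off-screen text field that real visitors never see and rejects any submission that fills it in. It also embeds an HMAC-signed render timestamp and rejects submissions that come back faster than a person could type. The field names, the 3-second threshold and the secret are assumptions chosen for illustration.

```php
<?php
// Added example, not the blog's or any plugin's code. Field names, the
// threshold and SECRET are assumptions for illustration only.

const HONEYPOT_FIELD  = 'website_url';   // hidden field humans never see
const TIMESTAMP_FIELD = 'form_token';    // signed unix time from when the form was rendered
const MIN_FILL_SECONDS = 3;              // humans need at least a few seconds to fill a form
const SECRET = 'replace-with-a-random-server-side-secret'; // assumption: load from config

/** Produce "timestamp.hmac" so the client cannot forge an older render time. */
function sign_timestamp(int $ts): string {
    return $ts . '.' . hash_hmac('sha256', (string)$ts, SECRET);
}

/** Return the timestamp if the signature is valid, otherwise null. */
function verify_timestamp(string $token): ?int {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], SECRET);
    return hash_equals($expected, $parts[1]) ? (int)$parts[0] : null;
}

/**
 * Markup to drop inside the <form>. The wrapper is moved off-screen rather
 * than display:none, and the input is removed from tab order and autofill.
 */
function render_honeypot_fields(int $now): string {
    return sprintf(
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        . '<label for="%1$s">Leave this field empty</label>'
        . '<input type="text" id="%1$s" name="%1$s" tabindex="-1" autocomplete="off">'
        . '</div>'
        . '<input type="hidden" name="%2$s" value="%3$s">',
        HONEYPOT_FIELD, TIMESTAMP_FIELD, sign_timestamp($now)
    );
}

/** Return a rejection reason for an automated-looking submission, or null if it passes. */
function honeypot_reject_reason(array $post, int $now): ?string {
    // 1. Real browsers never populate the invisible field.
    if (isset($post[HONEYPOT_FIELD]) && trim((string)$post[HONEYPOT_FIELD]) !== '') {
        return 'honeypot field filled';
    }
    // 2. The form page must have been fetched (with a valid token) before posting.
    $rendered = isset($post[TIMESTAMP_FIELD]) ? verify_timestamp((string)$post[TIMESTAMP_FIELD]) : null;
    if ($rendered === null) {
        return 'missing or forged render token';
    }
    // 3. Submitted faster than a human could type.
    $elapsed = $now - $rendered;
    if ($elapsed < MIN_FILL_SECONDS) {
        return "submitted too fast ({$elapsed}s)";
    }
    return null;
}

// Demonstration with constructed submissions (not real traffic).
$renderedAt = 1700000000;
$submissions = [
    'human'           => [HONEYPOT_FIELD => '',            TIMESTAMP_FIELD => sign_timestamp($renderedAt),      'message' => 'Hi Kenny'],
    'bot_fills_field' => [HONEYPOT_FIELD => 'http://spam', TIMESTAMP_FIELD => sign_timestamp($renderedAt),      'message' => 'spam'],
    'bot_too_fast'    => [HONEYPOT_FIELD => '',            TIMESTAMP_FIELD => sign_timestamp($renderedAt + 29), 'message' => 'spam'],
    'bot_forged_time' => [HONEYPOT_FIELD => '',            TIMESTAMP_FIELD => ($renderedAt - 60) . '.badsig',   'message' => 'spam'],
];
foreach ($submissions as $label => $post) {
    $reason = honeypot_reject_reason($post, $renderedAt + 30);
    printf("%-16s %s\n", $label, $reason === null ? 'accepted' : "rejected: $reason");
}
```

One caveat that ties back to the caching discussion: the timing check only works when the page containing the form is not served as cached HTML, because a cached page hands every visitor the same stale render token. The honeypot field itself is unaffected by caching, which is part of why it pairs well with a CDN-level rule.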

To free up a page rule for contact form bot-blocking, I reluctantly gave up my ‘Cache Everything’ page rule. My sites are still speedy since I use a quality host and the excellent LiteSpeed cache. Also CloudFlare by default still globally caches images, CSS, and JavaScript – just not html. Site speed decreased by only about 2% in North America, but about 10% in Europe and Asia. For me, that’s a small price to pay for my obsessive hatred of spam bots.

Caching Plugin

I chose my web host carefully. My sites are hosted on a LiteSpeed web server, so I am able to use the remarkable free LiteSpeed Cache (LSC) plugin. LSC provides much more than just lightning-fast server-side caching. It also includes a suite of optimization tools such as: Database optimization; Image optimization – which seems to be equal to or better than the paid/premium versions of competing plugins; Connection to CloudFlare so I can put CF in development mode or purge the CF cache; and Miscellaneous settings like ‘Remove query strings from static resources’.

Using my two favorite website speed checkers, WebPageTest.org and GiftOfSpeed.com, I tested four configurations:

  1. LSC Off | CF in Development Mode (baseline site)
  2. LSC On | CF in Development Mode (significant speed increase over baseline)
  3. LSC Off | CF Caching On (a significant speed increase over LSC)
  4. LSC On | CF Caching On (no significant speed change over CF alone)

A few observations:

  • On my relatively static sites like this one, I use a CloudFlare page rule for blazing site speed. On these sites I am not able to squeeze out any more speed by using a caching plugin – even an exceptional one like LSC. So why run LSC on these sites? Because of the other optimization features that LSC offers, and because it boosts site speed when CF is in development mode or doesn’t have a page cached for some reason.
  • On sites with dynamic content, I use CF with default cache settings. On those sites, I do get a nice increase in speed by using LSC in addition to CF.
  • Kinda funny how my Compress Images grade on WebPageTest jumped between A and B even though all tests used the same images. I guess my images must be borderline A- / B+.
  • Straight A’s on the final test. Yea me!

Many LSC features only work on sites hosted on LiteSpeed web server. For sites hosted on Apache, I like Comet Cache for its plug-and-play simplicity as well as performance. The very popular W3 Total Cache (W3TC) is another excellent choice.