Secure Your Contact Form 7 Form

As mentioned in our PHP contact form article, contact forms with a plugin are usually more secure than basic PHP code. To improve on that security in WordPress, we cover how to better secure emails sent using Contact Form 7.

Set Character Limits

Input fields should have character limits to fight cross-site scripting and other hack attempts.

  • Text sections use maxlength:##
    e.g. [text* your-message maxlength:50].
  • Number sections use max:##
    e.g. [number* your-number max:99].
  • File upload sections use limit:##mb, limit:##kb, or limit:## (bytes) and restrict file types with filetypes:##|##
    e.g. [file your-file filetypes:pdf|txt limit:5mb].
  • Set anti-spam plugin Akismet to scan fields for spam by checking the box in a form-tag generator.
    Enable Akismet in input field


Contact Form 7 forms can use Really Simple CAPTCHA for validation.

  1. Install the Really Simple CAPTCHA plugin.
  2. In the Mail tab of your contact form, add the following to include the CAPTCHA-Challenge and CAPTCHA-Response respectively:
    Input this code: [captchac captcha-1] [captchar captcha-1 4/4]

    In this case, “4/4” restricts the text field size and max length respectively.

Use the Same Domain in From Field

If the email account in the From field doesn’t match the website domain, email providers will see this and may mark it as spam. You can check this on the Mail tab.

Reply-To Address

You may want email conversations continued through an email account other than what’s specified in the From field. If so, change the Reply-To email in the Additional Headers section to the other email account. Alternatively, you can add a CC line – i.e. “CC:“. This may be preferable over creating an email filter or forwarder in cPanel.

Edit Comment Blacklist

Along with using a anti-spam plugin such as Akismet, you can edit the comment blacklist section in the WordPress dashboard that Contact Form 7 will use to moderate sent email.

  1. On the left, select Discussion under Settings.
  2. Specify comments and IP addresses to blacklist in the Comment Blacklist text box.
    Edit comment blacklist

Improve Email authentication

Enabling DKIM, DMARC, SPF, and PTR records help ensure your emails aren’t marked as spam. For more info on how to do this in cPanel, please see our email authentication guide.

For more information on securing your WordPress website, check out our recommended security plugins and backup solutions. You can also consider creating an account with Sucuri for enhanced security for your account.

Was this article helpful? Let us know!