Contact Form Security

You should use a nonce to protect yourself from CSRF attacks.

Even though you’re not sending anything to the database, I’d suggest using some of the built in data validation functions (there is even a is_email function for you to use!) to strip out any HTML from your email. esc_html( striptags( $your_email_content ) ), for instance.

You could also throttle contact form submissions from a single IP to prevent someone from submitting the same thing many times. I don’t know of any contact form plugins that do that, but the WordPress comment system show you an error page if you submit too many comments within a certain period of time.

Related Posts:

  1. How to sanitize select box values in post meta?
  2. What is the safe way to print tracking code / pixel code before tag or tag
  3. Worthwhile to restrict direct access of theme files?
  4. Should `get_template_directory_uri()` be escaped?
  5. What is the difference between esc_html and wp_filter_nohtml_kses?
  6. Can I create customizer setting that can handle plugin shortcode?
  7. Is it good to rename theme folder downloaded from WordPress.org?
  8. When to use esc_url, esc_html, esc_attr, and friends?
  9. Worthwhile to restrict direct access of theme files?
  10. Where i should not use if (!defined(‘ABSPATH’)) { exit; }?
  11. What is the difference between strip_tags and wp_filter_nohtml_kses?
  12. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  13. Is it safe to enqueue a font style without putting http or https?
  14. Using esc_url with a hard coded url
  15. Underscore Based Theme File Permissions in Git
  16. correct tags for validating input types
  17. How to escape html generate by a loop
  18. How to escape multiple attribute at once in WordPress?
  19. How to allow certain PHP functions when using sanitize_callback in the word press customizer
  20. Do I need to escape get_the_post_thumbnail function?
  21. My contact form – I’ve changed the source code but the changes are not being applied
  22. Strict Folder and File Permissions for WordPress Themes Folder
  23. hide theme files for admin beneath root
  24. Data Validation & Sanitization for Big HTML Blocks
  25. Trouble creating custom sanitization function when uploading video files
  26. How to use esc_attr__() function properly to translate a variable that contains string?
  27. Should we escape the values of constants?
  28. Change admin bar to default:off
  29. Template for individual post designs
  30. The seventh parameter passed to add_submenu_page()
  31. What would happen if the admin installs a plugin when the plugin is included in the theme?
  32. How do I get my child-theme to work with my theme’s includes folder?
  33. wp_insert_post breaks rewrite rules
  34. Where can I find a good reviewed collection of Twenty Ten child themes?
  35. Template Hierarchy for get_header()
  36. How to add (css) classes to only one wp_nav_menu()?
  37. Remove frameborder attribute from iframes
  38. How to add suggest plugin to theme?
  39. how do I get a sidebar’s id or number for use with is_active_sidebar()
  40. Looking for the code in twentyten that allows users to select images for the header/banner
  41. Relative Time On Posts
  42. Prevent update check for specific theme
  43. How to determine which custom header image is being shown
  44. using wordpress without javascript
  45. Theme Check: Could not find post_class
  46. Override theme programmatically
  47. Set a static front-page as a landing page programmatically
  48. can’t understand _e function well
  49. WP 3.1 upgrade breaks AutoFocus+ theme
  50. Comment entry screen shows even though “Allow Comments” is unchecked
  51. How can I display/hide certain content based on a Theme Option field?
  52. Custom WordPress Theme – Search not working on posts
  53. How can I make that when I clic on one of the menu items, that page shows only posts with the same category?
  54. How to make theme elements customizable in wordpress?
  55. Where to hook settings api init
  56. How to obtain a reference to the_excerpt() from custom loop
  57. defining a folder location in order to recall it
  58. JavaScript stops working on selectively refreshed sections one inside the other
  59. Is wp_kses the right approach in sanitizing this string?
  60. Why doesn’t my css work when I check my theme on mobile devices? [closed]
  61. Remove settings if theme is deleted?
  62. Common single page template options
  63. Custom Blocks as part of a theme
  64. How to set up diffrent mobile theme for single site in WordPress?
  65. Enqueued JavaScript is not working
  66. Derive child theme from separate theme
  67. How to Download Minimum Requirement of WordPress (Not Themes )
  68. How to code custom special page
  69. Displaying the right content on a page url
  70. Is it possible to set a variable for get_post_meta?
  71. Custom admin logo not showing after wordpress 4.5 upgrade
  72. Unable to change the priority with ‘remove_action’ and ‘add_action’ in child theme
  73. Translate a child theme with pure PHP and gettext
  74. Remove h1 from 2015 theme
  75. Only the latest post shows up on post page?
  76. WordPress pulling in random page themes
  77. Trouble in enquing all js files under certain directory
  78. Can’t change theme name
  79. Stop WordPress from showing images on non post pages
  80. enqueuing external and internal js and css in wordpress did not work with owl.js animate.css
  81. Next and previous post link shows error in first and last post
  82. Problem with pagination link (error 404)
  83. WordPress wp_get_current_user returning blank values until refresh
  84. use a single nonce in three different nonce field
  85. Whether an tag is required in header?
  86. Theme is Enqueueing Everything in Footer
  87. Local theme changes upload on server but theme changes not showing
  88. Media & Plugin screens stall
  89. wp_kses allow checkbox class and checked
  90. Is wp_mail plugin territory?
  91. HTML TO WP Theme : Submenu goes down wp_nav_menu
  92. Understanding WordPress theme files and underscores
  93. New theme HTML5 Support for Search in WordPress 4.4
  94. How do I remove p tag *insertions*? Disabling `wpautop` removes manual tags
  95. Create a variable with string, array or multiple values
  96. What hook to use for loading a custom class extension during Theme initialization?
  97. Use external fonts in WordPress stylesheet
  98. Custom link color or stylesheets
  99. What is the advantage of using home.php over index.php for the front page
  100. What is the point of using archive.php instead of index.php?