Powerful forms for data collection and Wide API to merge automation using the best wokflows such as N8N, Zapier. Excellent tool for data collection. Recommended 100%. Furthermore, support is awesome.
Last updated on July 2, 2026 by Formidable Team
How to Secure Your WordPress Forms Against Spam and Attacks
One leaked contact form can hand an attacker your customers' names, emails, and payment details, and the cleanup costs you the trust you spent years earning. On a self-hosted WordPress site, preventing that is on you, and most of it comes down to a short list of habits you can finish this afternoon.
This guide shows you how to secure WordPress forms by fixing the biggest risks first, and what Formidable Forms handles for you out of the box.

Approximate read time: 9 minutes
Upgrade your WordPress site with powerful, flexible forms.
Is WordPress actually secure?
WordPress runs roughly 40% of the web, which is exactly why hackers like it. Find one vulnerability in a popular plugin and you've found it on thousands of sites at once. Security firm Sucuri has reported that WordPress sites make up the majority of their cleanup requests year after year.
This number is skewed, though, because Sucuri offers a free security plugin on WordPress and naturally sees more WordPress sites than any other platform. It doesn't mean WordPress is dangerous. What Sucuri did find is that most compromised sites weren't taken down by a flaw in WordPress core. They were taken down by simple mistakes and a lack of basic maintenance: an outdated plugin, a nulled theme, or a missing SSL (Secure Sockets Layer) certificate.
WordPress is built with strong security in mind, but your install is only as secure as the choices you make around it. The sections below cover the choices that matter most for forms.
From Idea to Reality in Minutes. Build Powerful Forms, Dashboards, Apps and More.
Formidable Forms makes advanced site building simple. Launch forms, directories, dashboards, and custom WordPress apps faster than ever before.
1. Switch to HTTPS (this is non-negotiable)
If your site still loads over http://, every form on it is sending data in plaintext. Email addresses, passwords, billing details, anything a visitor types into a field can be read by anyone sitting between their browser and your server.
Back in 2017, Chrome started showing a "Not Secure" warning on forms that weren't using HTTPS and an SSL certificate, and that warning now covers any page on a non-HTTPS site. Visitors notice, and they especially notice on a checkout or payment page. Switching to HTTPS is probably the single most important thing you can do to protect your form data.
WordPress is written to work with both HTTP and HTTPS, so making the switch isn't generally complicated. Every host, theme, and set of plugins is a little different, but the process is roughly the same across the board.
The easiest route for most people: many hosts now switch your site to HTTPS for you, and a free plugin like Really Simple SSL detects your certificate and moves the whole site over, redirects included, in a click or two. If that covers you, you can skip ahead to the next tip. If you'd rather do it yourself, or your host doesn't automate it, here's the manual process. It assumes you don't have extra modifications in your .htaccess, php.ini, or Nginx config file.
Doing it manually
Prefer to handle it yourself? The process is short:
- Get an SSL certificate. Most hosts offer one free, usually through Let's Encrypt, with a one-click option in their control panel under SSL/TLS or AutoSSL. You no longer need a dedicated IP address. If you can't find the option, your host's support can switch it on.
- Back up your site first, with a backup plugin or your host's one-click backup, so you can roll back if anything goes wrong.
- Update your URLs. In Settings โ General, change WordPress Address (URL) and Site Address (URL) from
httptohttps, then re-save your permalinks (Settings โ Permalinks โ Save Changes) to flush the rules. - Redirect everything to HTTPS. Add a 301 redirect from
http://tohttps://. Really Simple SSL does this for you, or you can add a rewrite rule to your.htaccessif you're comfortable editing config files.
If a page looks broken afterward, it's almost always mixed content. Search your theme and custom code for hard-coded http:// links, and clear any server or CDN (content delivery network) cache.
A note on Formidable Forms: you don't need to change anything in Formidable Forms' settings for your forms to work over HTTPS. As long as your WordPress site is properly switched over, data going to and from your forms will be secure. Keep in mind that HTTPS protects data in transit, not data at rest, so you still need the rest of this list.
A note on search rankings: when Google's tools re-crawl and reindex your new URLs, you may see a brief dip. Long term, the move toward an encrypted internet is well established, and getting HTTPS done is a one-time job you can check off and stop thinking about.
2. Keep WordPress, your theme, and every plugin updated
When a vulnerability is found in a version of WordPress or a plugin, it gets disclosed publicly so authors can patch it. The trouble is that the same disclosure works as a free attack guide for anyone targeting installs that haven't updated yet, and news like that travels fast. Sucuri found that over a third of cleanup requests came from sites running outdated software.
Even trusted plugins can have vulnerabilities, which is why staying current matters so much. Updates only take a couple of minutes, so don't put them off. A few specifics worth checking:
- WordPress core, both major and minor releases.
- Every active plugin, including ones you forgot you installed.
- Your theme, and any child theme you've customized.
While you're in there, delete any plugin or theme you're not actively using. Inactive code is still code sitting on your server.
3. Only install plugins from sources you trust
Following on from updates: when you download plugins and themes, they need to come from legitimate sources. The WordPress.org repository, reputable commercial plugin shops, and the developers' own sites are fine. Sites offering "nulled" copies of paid plugins are not.
A nulled plugin is a pirated copy, and the people distributing it aren't doing it out of kindness. They often hide a "back door" inside it: malicious code buried among the genuine code, usually in the PHP files on your server, that's very hard to spot. Once that plugin is active, the back door gives an attacker access to the files in your hosting account, which they can use to run malware against your site or post spam content.
The same goes for themes. If a premium theme is being given away somewhere that isn't the developer's site, assume it's been tampered with.
4. Stop spam before it stops you
Spam doesn't threaten your site the way malware does, but it's the problem most form owners actually deal with day to day. Left alone, spam submissions can slow your site down as it works through all that junk content, and sorting it out pulls your attention away from everything else, including security.
This is one reason more than 300,000 sites run their forms on Formidable Forms: the protection that takes other builders an add-on or two is built in. Honeypot fields, Akismet, and reCAPTCHA all ship with the plugin, so you can layer several defenses without bolting on extra tools. You get several layers of spam protection that are essentially invisible to real visitors, so they don't disrupt anyone's experience filling out your form. We'd always encourage you to turn on more than one. They work in tandem, and the overlap is what catches bots that have learned to slip past any single method.
Custom JavaScript token
Formidable Forms can add a custom JavaScript token to your forms that confirms a real browser submitted the form. Most spam bots don't run JavaScript the way a real browser does, so the token quietly weeds them out without the visitor ever knowing it's there.
Honeypot fields
A honeypot is a hidden field that real visitors never see and so never fill in, while bots fill in every field they find. Formidable Forms includes honeypot protection, and any submission that completes the hidden field gets flagged as spam.
reCAPTCHA
A CAPTCHA is a small test that's easy for a person to pass but hard for a bot, and reCAPTCHA is Google's version of it. Formidable Forms integrates with reCAPTCHA so you can require it on your forms, adding another check between the bots and your inbox.
Akismet
Akismet is the same spam-filtering service that screens comments on millions of WordPress sites. Formidable Forms integrates with it so your form submissions get checked against Akismet's database of known spam.
WordPress comment blocklist
Formidable Forms can also apply WordPress's disallowed comment keywords (the comment blocklist) to your form submissions, so words and patterns you've already flagged as spam in your comments get caught on your forms too.

How Formidable Forms handles security under the hood
A few of the things Formidable Forms does that you don't have to think about:
- Data sanitization. JavaScript and questionable HTML are stripped out before any submission is displayed, so a malicious user can't store a harmful script in a form entry and run it on whoever views that entry.
- Nonce verification. Before any back-end action runs, Formidable Forms verifies a nonce (a one-time security token) tied to the logged-in user, just to confirm the action was actually intentional.
- PCI DSS readiness for payments. If you collect payments through your forms, staying on top of Payment Card Industry Data Security Standards (PCI DSS) matters. Formidable Forms' payment integrations are built to meet current standards and to keep up as those standards change, with gateways like Stripe, PayPal, and Authorize.Net.
If you want to keep especially sensitive data off the page entirely, Formidable Forms also supports virtual fields. Calculated values, internal-only data, and anything you don't want a curious visitor finding in the page source can live server-side instead.
A short checklist before you close this tab
If you only do four things today, do these:
- Confirm every page on your site loads over HTTPS with a valid certificate.
- Update WordPress, your theme, and every plugin to the current version.
- Delete any plugin or theme you installed from somewhere other than WordPress.org or the developer's site.
- Turn on at least two spam protection methods on your forms.
That handles the most common ways forms get attacked. The more advanced measures help too, but none of them matter if the basics aren't in place first.
Four habits, none of them hard
Securing your forms comes down to four habits: encryption in transit, current software, clean install sources, and active spam protection. None of them are technically demanding. They just have to actually get done.
Formidable Forms handles the rest, the sanitization, the nonce checks, the PCI readiness for payments, and a spam stack you can switch on with a few clicks. If you want to take one of those ideas further, you can keep sensitive data off the page with virtual fields and tighten things up even more.

- Do I have to change anything in Formidable Forms to work over HTTPS?
-
No. Once WordPress itself is serving over HTTPS, your forms transmit securely without any changes to Formidable Forms' settings. HTTPS protects data while it's in transit between the visitor's browser and your server. It doesn't add any extra protection to data once it's stored.
- Will switching to HTTPS hurt my search rankings?
-
You may see a brief dip while Google re-crawls and reindexes the new URLs, since its Change of Address tool doesn't fully support the HTTP to HTTPS transition. Long term, the push toward an encrypted internet is well established. Set up 301 redirects from
http://tohttps://so visitors and search engines land on the secure version. - Is free SSL from Let's Encrypt as secure as a paid certificate?
-
The encryption is the same. A free Let's Encrypt certificate takes a bit more technical know-how to set up, while a certificate purchased through your host can often be installed for you. For most WordPress sites, either one secures your forms equally well.
- Which spam protection should I turn on?
-
We recommend turning on more than one. Formidable Forms offers a custom JavaScript token, honeypot protection, reCAPTCHA, Akismet integration, and the WordPress comment blocklist, all of which are essentially invisible to real visitors. Running several together is what catches the bots that have learned to defeat any single method.
- My site already got compromised. What now?
-
If you're not sure what you're doing, don't try to clean it yourself. Take the site offline, restore from a clean backup taken before the compromise, and change every password (WordPress admin, hosting, database, and FTP). If the cleanup is beyond you, a security service like Sucuri can handle professional incident response.
This article may contain affiliate links. Once in a while, we earn commissions from those links. But we only recommend products we like, with or without commissions.

