Contact Form Security

CP Staff includes several layers of protection to prevent spam and abuse of the contact form system. All security settings are in Staff > Settings > Advanced.

CAPTCHA Protection

CP Staff supports Google reCAPTCHA v3 for invisible spam protection:

  1. Check Enable captcha on message form
  2. Enter your Recaptcha site key
  3. Enter your Recaptcha secret key

Getting reCAPTCHA Keys

  1. Go to the Google reCAPTCHA admin console
  2. Register a new site and select reCAPTCHA v3
  3. Add your website domain
  4. Copy the Site Key and Secret Key into the CP Staff settings

reCAPTCHA v3 runs invisibly in the background: visitors never see a challenge. Google scores each submission from 0.0 (likely bot) to 1.0 (likely human). CP Staff accepts a submission only if the score is above 0.5 and the token's action name is contact_staff; a token issued for any other action is rejected even when its score is high, so a token harvested from a different form on the site cannot be replayed against the contact form.
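The browser side of the checks above, as an added example that is not CP Staff's own code: the reCAPTCHA script is loaded with the site key, a token is requested for the action contact_staff at submit time, and the hidden fields the server will later verify (the token slot and the WordPress nonce described under Nonce Verification below) are rendered. The option name cps_example_recaptcha_site_key, the form id cps-example-contact-form, the nonce action cps_contact_form and the field names are assumptions made for illustration.

```php
<?php
// Added example, not CP Staff's own code: the browser side of reCAPTCHA v3 and the
// nonce, using WordPress core APIs only. The option name, the nonce action
// 'cps_contact_form', the form id and the field names are assumptions.

// Load api.js with the site key, then request a token for the action 'contact_staff'
// just before the form is submitted. The server must check that the verified token
// carries this same action name; a token minted for another action is not accepted.
function cps_example_enqueue_recaptcha() : void {
    $site_key = get_option( 'cps_example_recaptcha_site_key', '' ); // assumed option name
    if ( '' === $site_key ) {
        return; // feature not configured: render the form without reCAPTCHA
    }
    wp_enqueue_script(
        'cps-example-recaptcha',
        'https://www.google.com/recaptcha/api.js?render=' . rawurlencode( $site_key ),
        array(),
        null,
        true
    );
    $js = sprintf(
        "document.addEventListener('submit', function (e) {
            var form = e.target;
            if (form.id !== 'cps-example-contact-form' || form.dataset.tokenReady) { return; }
            e.preventDefault();
            grecaptcha.ready(function () {
                grecaptcha.execute(%s, { action: 'contact_staff' }).then(function (token) {
                    form.querySelector('input[name=g-recaptcha-response]').value = token;
                    form.dataset.tokenReady = '1';
                    form.submit();
                });
            });
        });",
        wp_json_encode( $site_key )
    );
    wp_add_inline_script( 'cps-example-recaptcha', $js );
}
add_action( 'wp_enqueue_scripts', 'cps_example_enqueue_recaptcha' );

// Hidden fields the server-side checks expect: the nonce, tied to the same action
// name that wp_verify_nonce() is later called with, and the slot the token is
// written into. Call this inside the <form id="cps-example-contact-form"> markup.
function cps_example_hidden_fields() : string {
    return wp_nonce_field( 'cps_contact_form', '_cps_nonce', true, false )
        . '<input type="hidden" name="g-recaptcha-response" value="">';
}
```

The token is requested at submit time rather than at page load because reCAPTCHA v3 tokens expire two minutes after they are issued; a visitor who takes longer than that to write a message would otherwise be rejected by the server-side verification.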

Email Throttling

Rate limiting prevents the same visitor from flooding staff inboxes:

  1. Check Enable staff contact form throttling
  2. Select the Max submissions per day (2 to 10, default: 3)

Throttling counts submissions separately for the visitor's IP address and for the sender email address. If either count reaches the daily limit, further submissions from that address are blocked until the next day. Because one of the counters is per IP address, visitors who share a single public address (an office or campus network behind NAT) also share that address's daily quota.

Domain Blocking

The Prevent staff from sending emails setting (enabled by default) blocks submissions from email addresses containing your site’s domain. This prevents staff members from accidentally emailing themselves or colleagues through the public form.

For example, if your site is firstchurch.org, any submission from an @firstchurch.org email address is rejected.

WordPress Nonce Verification

Every form submission carries a WordPress nonce, a token tied to the form action and the visitor's session that expires after 24 hours. A request without a current nonce is rejected before anything else is examined, which blocks cross-site request forgery (CSRF): a page on another site cannot submit the form on a visitor's behalf because it cannot obtain the token. The nonce does not stop a bot that loads the form page itself and reads the token from it; the CAPTCHA and throttling checks exist for that case.

Security Validation Order

When a form is submitted, CP Staff runs these checks in sequence:

  1. WordPress nonce verification and recipient email validation
  2. Sender name is not empty
  3. Sender email format validation
  4. Rate limit check (IP and email address)
  5. Subject is not empty
  6. Message is not empty
  7. Domain block check
  8. reCAPTCHA score verification (if enabled)

If any check fails, the submission is rejected with an error message displayed in the form.
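The full sequence above, including the reCAPTCHA siteverify call, the per-IP and per-email throttling counters and the domain block, as an added example written against WordPress core APIs; it is not CP Staff's own code. The keys in $settings, the nonce action cps_contact_form, the form field names and the transient prefix are assumptions. One choice is deliberately stricter than the wording of the Domain Blocking section: this example compares the sender's domain (and its subdomains) to the site host instead of searching for the site domain as a substring of the address.

```php
<?php
// Added example, not CP Staff's own code: the validation sequence described in this
// article, built from WordPress core APIs only. The keys in $settings, the nonce action
// 'cps_contact_form', the field names and the transient prefix are assumptions.

function cps_example_recaptcha_ok( string $token, string $secret, string $remote_ip ) : bool {
    if ( '' === $token ) {
        return false;
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array( 'secret' => $secret, 'response' => $token, 'remoteip' => $remote_ip ),
    ) );
    // Fail closed: a network error or a non-200 reply must not let the message through.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $data )
        && ! empty( $data['success'] )
        && isset( $data['score'], $data['action'] )
        && (float) $data['score'] > 0.5          // threshold stated in the article
        && 'contact_staff' === $data['action'];  // token minted for this form, not another
}

// Throttling counters live in transients keyed by a hash of the IP or email address.
function cps_example_throttle_key( string $id ) : string {
    return 'cps_ex_throttle_' . md5( $id ); // assumed prefix
}

function cps_example_over_limit( string $id, int $max_per_day ) : bool {
    return (int) get_transient( cps_example_throttle_key( $id ) ) >= $max_per_day;
}

// Called only after every check passed, so rejected attempts do not consume the quota.
// The transient expires at local midnight, which is what "until the next day" means here.
function cps_example_record_submission( string $id ) : void {
    $count = (int) get_transient( cps_example_throttle_key( $id ) ) + 1;
    $reset = ( new DateTimeImmutable( 'tomorrow', wp_timezone() ) )->getTimestamp();
    set_transient( cps_example_throttle_key( $id ), $count, max( 60, $reset - time() ) );
}

// Returns array( bool $ok, string $error ). Checks run in the order the article lists.
function cps_example_validate( array $post, string $remote_ip, array $settings ) : array {
    // 1. Nonce (CSRF) and recipient. In practice resolve the recipient from a stored
    //    staff record rather than from a form field the visitor can edit.
    if ( ! wp_verify_nonce( $post['_cps_nonce'] ?? '', 'cps_contact_form' ) ) {
        return array( false, 'Security check failed. Please reload the page and try again.' );
    }
    if ( ! is_email( $post['recipient'] ?? '' ) ) {
        return array( false, 'Invalid recipient.' );
    }
    // 2. Sender name.
    if ( '' === sanitize_text_field( $post['name'] ?? '' ) ) {
        return array( false, 'Please enter your name.' );
    }
    // 3. Sender email format.
    $email = is_email( $post['email'] ?? '' );
    if ( ! $email ) {
        return array( false, 'Please enter a valid email address.' );
    }
    // 4. Rate limit on the IP and on the email address; either one over the limit blocks.
    if ( ! empty( $settings['throttle'] ) ) {
        $max = (int) $settings['max_per_day'];
        if ( cps_example_over_limit( 'ip:' . $remote_ip, $max )
            || cps_example_over_limit( 'email:' . strtolower( $email ), $max ) ) {
            return array( false, 'Too many messages today. Please try again tomorrow.' );
        }
    }
    // 5. and 6. Subject and message.
    if ( '' === sanitize_text_field( $post['subject'] ?? '' ) ) {
        return array( false, 'Please enter a subject.' );
    }
    if ( '' === trim( sanitize_textarea_field( $post['message'] ?? '' ) ) ) {
        return array( false, 'Please enter a message.' );
    }
    // 7. Domain block: reject senders at the site's own domain or any subdomain of it.
    if ( ! empty( $settings['block_site_domain'] ) ) {
        $site   = preg_replace( '/^www\./', '', strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) ) );
        $sender = strtolower( substr( strrchr( $email, '@' ), 1 ) );
        $suffix = '.' . $site;
        if ( '' !== $site && ( $sender === $site || substr( $sender, -strlen( $suffix ) ) === $suffix ) ) {
            return array( false, 'Please use an email address outside this organisation.' );
        }
    }
    // 8. reCAPTCHA v3 last, because it is the only check that costs an outbound request.
    if ( ! empty( $settings['captcha'] )
        && ! cps_example_recaptcha_ok( $post['g-recaptcha-response'] ?? '', (string) $settings['captcha_secret'], $remote_ip ) ) {
        return array( false, 'Spam check failed. Please try again.' );
    }
    // Every check passed: count the submission against both quotas, then send the mail.
    cps_example_record_submission( 'ip:' . $remote_ip );
    cps_example_record_submission( 'email:' . strtolower( $email ) );
    return array( true, '' );
}
```

Two details worth keeping when adapting this: the siteverify response also carries a hostname field, which can be compared to your site host so that a token issued for a different site registered under the same keys is refused; and the throttling counters are incremented only after a submission is accepted, so a visitor who mistypes their address three times is not locked out for the day.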

For contact form setup, see Setup. For troubleshooting, see Troubleshooting.
