✉️ Contact Form Pro — Server Requirements, Installation, Usage, Troubleshooting & FAQ

📌 Overview

Contact Form Pro is a drag-and-drop WordPress form builder designed for production use. It includes a visual form builder, multiple email delivery options, file uploads, submission storage, export tools, auto-responder support, shortcode embedding, and layered anti-spam and validation controls.

This guide is written for site owners, hosting teams, implementers, and support staff who need a practical deployment and operations reference for real websites.

✅ Server Requirements

Minimum supported environment

  • WordPress 5.6 or newer
  • PHP 8.2 or newer
  • WordPress tested up to 6.9
  • OpenSSL recommended for secure secret storage
  • A working outbound mail path or an external mail provider, depending on your chosen email driver

Recommended production environment

For reliable operation in production, the recommended baseline is:

  • WordPress 6.x
  • PHP 8.2 or 8.3
  • HTTPS enabled site-wide
  • OpenSSL enabled
  • PHP finfo available for file-type validation
  • Outbound HTTPS allowed for external API-based mail providers and reCAPTCHA if those features are used
  • Writable WordPress uploads directory
  • Stable cron and caching configuration
  • Proper DNS/mail alignment for the sender domain when using SMTP or API-based mail delivery

Web server support

Contact Form Pro works on standard Apache and Nginx-based WordPress hosting.

Important operational note:

  • On Apache, the plugin creates protective files in its upload directory automatically.
  • On Nginx, direct access to the Contact Form Pro upload directory should also be denied at server level. The product documentation explicitly calls this out.

PHP and hosting considerations

The plugin uses:

  • AJAX-based form submission
  • database tables for entries and spam logs
  • WordPress uploads storage for uploaded files and signatures
  • external HTTP requests when using API-based mail providers or reCAPTCHA
  • conditional frontend asset loading when forms are rendered via shortcode

Disk, permissions, and storage expectations

Plan for:

  • database growth if submission storage is enabled
  • uploads storage growth if forms accept files or signatures
  • standard WordPress permissions for wp-content/uploads
  • enough temporary upload capacity for PHP to handle user file submissions

Recommended security posture

For safe deployment:

  • run the site over HTTPS
  • keep WordPress, PHP, and the theme stack current
  • choose a real transactional mail route for production
  • review upload limits before launch
  • validate behavior behind CDN or reverse proxy setups
  • verify that uploads are not directly browsable on Nginx deployments

🧰 What the Plugin Provides Out of the Box

Contact Form Pro includes:

  • 25+ field types across basic, choice, date/time, media, advanced, and layout categories
  • five email delivery modes: WordPress default, SMTP, SendGrid, Mailgun, and Amazon SES
  • server-side validation across all field types
  • entry storage and CSV export
  • auto-responder support
  • shortcode embedding
  • cache-friendly inline configuration
  • layered anti-spam and submission protection
  • a tabbed admin settings interface for email, SMTP, providers, uploads, security, and reCAPTCHA

🚀 Installation

1. Upload the plugin

Upload the contact-form-pro folder into:

/wp-content/plugins/

Then activate it from the WordPress admin area. The plugin creates its required tables and default settings on activation. The product documentation also states that it applies defaults on first run and sets up what it needs automatically.

2. Confirm the plugin menu is available

After activation, confirm the admin menu appears under:

  • Contact Forms
  • All Forms
  • Add New
  • Entries
  • Settings

3. Configure email delivery first

Before building live forms, go to the plugin settings and configure the mail driver that matches your environment:

  • WordPress default for simple/basic environments
  • SMTP for mailbox-based delivery
  • SendGrid, Mailgun, or Amazon SES for higher reliability and scale

4. Review upload settings

Set:

  • maximum file size
  • allowed extensions
  • whether submissions should be stored
  • whether data should be kept on uninstall

5. Review anti-spam and protection settings

Check:

  • honeypot
  • submission rate limits
  • blocked IP list
  • reCAPTCHA configuration if needed

6. Create a form

Go to:

Contact Forms → Add New

Use the builder to drag fields onto the canvas, configure field behavior, then save the form.

7. Embed the form

Insert the shortcode into a page, post, widget, or supported content area:

[contact_form_pro id="X"]

The shortcode is an official integration method, and frontend assets only load where the form is rendered.

🌐 Nginx Configuration Note

If the site runs on Nginx, add a deny rule for the Contact Form Pro upload directory, as noted in the product documentation:

location ~* /uploads/cfp-uploads/ {
    deny all;
}

This is an operational hardening step and should be part of production rollout.

🧱 First-Time Configuration Checklist

After installation, use this sequence:

Email

  • choose the mail driver
  • set From Name
  • set From Email
  • set the default recipient
  • send a test email before publishing any form

SMTP

If using SMTP:

  • enter host
  • enter port
  • select encryption
  • decide whether authentication is required
  • enter username and password
  • optionally use one of the provided presets for common providers

Providers

If using SendGrid, Mailgun, or SES:

  • fill in provider credentials
  • confirm outbound HTTPS works from the server
  • verify sender identity/domain configuration on the provider side

Uploads

  • set a realistic maximum file size
  • define the allowed extension list
  • decide whether submissions should be stored in the database
  • decide whether plugin data should be retained on uninstall

Security

  • keep basic anti-spam enabled
  • use rate limiting on public forms
  • maintain the IP block list only if you have a real need
  • enable reCAPTCHA for forms exposed to the public internet

reCAPTCHA

  • enable only after both keys are available
  • test from the live domain, not just from admin screens
  • verify form submission still works with caching enabled

🛠️ Using Contact Form Pro

1. Building forms

The builder uses a three-area workflow:

  • field library
  • live form canvas
  • field settings panel

Typical build flow:

  1. Add a title for the form.
  2. Drag the needed fields into the canvas.
  3. Reorder the fields.
  4. Configure labels, placeholders, required state, width, and field-specific options.
  5. Save the form.
  6. Copy the shortcode and place it into the target page.

2. Configuring per-form behavior

Per-form settings can include:

  • recipient email
  • email subject
  • success message
  • form theme
  • border style
  • auto-responder toggle
  • auto-responder subject
  • auto-responder message

3. Embedding forms

You can embed forms in:

  • pages
  • posts
  • widget-ready content areas
  • block-editor content regions that accept shortcodes

4. Managing entries

If submission storage is enabled, entries are available from the Entries screen, where administrators can:

  • filter by form
  • review individual submissions
  • mark entries as read
  • delete entries
  • export CSV data

5. Email notifications and auto-responders

The plugin can:

  • send notification emails to the site recipient
  • set reply-to using the submitter’s email field
  • send an automatic confirmation email to the submitter when enabled
  • use template tags in subjects and related text fields

Common template tags include:

  • {site_name}
  • {site_url}
  • {date}
  • {time}
  • {form_id}
  • field-based placeholders where appropriate

6. File uploads and signatures

The plugin supports:

  • file uploads
  • image uploads
  • multiple files per field where allowed
  • signature capture saved as files rather than bloating the database

Operationally, this means you should monitor both:

  • database size
  • uploads directory growth

🧪 Recommended Deployment Workflow

Local or staging

Before going live:

  • install and activate the plugin
  • build a test form
  • test plain text fields
  • test file uploads
  • test signature capture if used
  • test mail delivery with your chosen driver
  • verify success and failure messages
  • verify entry storage
  • export a CSV once
  • check the page with caching enabled

Pre-production checks

Before launch:

  • verify mail delivery from the production domain
  • confirm the From address is appropriate for your mail route
  • confirm uploads are denied from direct access on Nginx
  • confirm PHP upload limits are not lower than the plugin’s configured limit
  • confirm reCAPTCHA works on the real hostname
  • confirm reverse proxy/CDN traffic reports correct client IPs

Production operations

After launch:

  • periodically send a test email after infrastructure changes
  • review entries after major theme or cache changes
  • review spam behavior on public forms
  • adjust upload policy conservatively
  • keep form fields minimal for better completion rates and lower abuse surface

🔍 Troubleshooting

Form does not appear on the page

Possible causes:

  • wrong shortcode ID
  • form was deleted
  • form was not saved properly
  • shortcode pasted into a location that does not execute shortcodes
  • severe cache or optimization issue

What to check:

  • confirm the form exists in All Forms
  • recopy the shortcode
  • use a plain test page
  • disable aggressive HTML/JS optimization temporarily
  • inspect whether the page actually outputs the form markup

Form is visible but does not submit

Possible causes:

  • JavaScript conflict
  • AJAX request blocked by security software, caching layer, or proxy
  • nonce expired because the page was cached too aggressively for too long
  • reCAPTCHA not completing correctly
  • browser console errors

What to check:

  • browser console and network tab
  • whether the AJAX call returns a response
  • whether the page is serving stale cached markup
  • whether the form works in a private/incognito window
  • whether the issue happens on all forms or one specific form

“Security check failed. Please refresh the page.”

This usually points to:

  • stale cached page content
  • expired nonce
  • aggressive cache lifetime
  • page optimization plugin serving outdated form markup

What to do:

  • clear site/page cache
  • clear CDN cache
  • reload the page and test again
  • exclude the form page from unusually long full-page caching if needed

Form submits but no email arrives

Possible causes:

  • wp_mail is not reliable in the hosting environment
  • SMTP or API credentials are incomplete
  • sender domain is not aligned with the chosen provider
  • provider-side restrictions or verification steps are incomplete
  • recipient mailbox filtering

What to do:

  • use the built-in test email feature first
  • switch from WordPress default mail to SMTP or a provider API for production
  • confirm the From address is acceptable for the route you chose
  • test with a different recipient mailbox
  • inspect mail provider logs if available
  • confirm outbound HTTPS is allowed for API-based drivers

Test email fails

What to verify:

  • chosen mail driver
  • host/port/encryption combination for SMTP
  • username/password correctness
  • provider API key/domain/region values
  • outbound network access
  • TLS/certificate handling on the host

Operational advice:

  • start with the test email before publishing forms
  • if SMTP fails repeatedly, switch temporarily to a known-good provider path to isolate the issue

File uploads fail

Most common causes:

  • PHP upload limit is lower than the plugin limit
  • web server or PHP temp directory issue
  • file type not allowed
  • file size too large
  • uploads directory not writable

What to check:

  • upload_max_filesize
  • post_max_size
  • max_file_uploads
  • temp directory availability
  • WordPress uploads permissions
  • plugin allowed extension list
  • whether the field itself restricts accepted formats

Important operational note from the package scan:

  • the plugin setting is not the only limit; PHP/server limits can block uploads first
  • some safe file types exist in code-level MIME support, but the default admin allowlist is narrower, so extra extensions may need to be explicitly enabled in plugin settings

Image upload accepts the wrong file type or rejects a valid one

What to check:

  • file extension policy
  • field-level accepted formats
  • actual MIME/content type of the file
  • image export format from the user’s device or editor

Practical fix:

  • test with a simple, standard JPG or PNG first
  • then expand policy only if there is a real business need

Signature field does not save correctly

Possible causes:

  • JavaScript error on the page
  • canvas interaction blocked by another script
  • caching/minification conflict
  • filesystem permissions issue for saved files

What to do:

  • test on a plain page with minimal theme/plugin interference
  • test from both desktop and mobile
  • confirm the uploads path is writable
  • confirm the cfp-uploads directory is properly protected at server level

reCAPTCHA verification fails

Possible causes:

  • incorrect keys
  • keys created for the wrong domain
  • hostname mismatch
  • outbound request blocked
  • client-side token not being generated
  • cached/stale page resources

What to do:

  • confirm keys belong to the correct site
  • confirm HTTPS and hostname consistency
  • clear cache/CDN
  • test on the live domain
  • temporarily disable reCAPTCHA to confirm the rest of the form works

Users are being rate-limited too aggressively

Possible causes:

  • too many legitimate submissions in a short period
  • multiple users behind one shared IP
  • proxy/CDN environment reporting IPs incorrectly

What to do:

  • review rate settings conservatively
  • validate client IP handling in proxied environments
  • test from different networks if needed

IP-based controls behave incorrectly behind Cloudflare or another proxy

This is an important deployment concern.

The product documentation says trusted proxy/CDN handling exists. However, in the scanned v1.0.0 package, the operational setting for trusted proxies is not clearly exposed in the current admin settings screen, even though the code expects such logic. That means proxy/CDN environments should be tested carefully before relying on IP-sensitive behavior in production.

Practical advice:

  • validate real client IP behavior early in staging
  • verify rate limiting and blocking behavior from external networks
  • do not assume reverse-proxy handling is correct until tested end-to-end

Entries are not being stored

Possible causes:

  • submission storage disabled in plugin settings
  • database write issue
  • form not actually reaching successful completion
  • email failure causing the submission flow to stop before success is confirmed

What to do:

  • confirm “Store Submissions” is enabled
  • check whether successful submissions also show a success message
  • verify database user permissions
  • test with a very simple form and reliable mail route

CSV export is empty or incomplete

Possible causes:

  • no stored entries
  • filtering by the wrong form
  • data storage disabled before the test period
  • export performed on a form with no successful submissions

What to do:

  • confirm entries exist in the Entries screen
  • remove the form filter and retry
  • create a fresh test entry and export again

Styling looks broken on the frontend

Possible causes:

  • theme CSS overrides
  • optimization plugins changing asset behavior
  • inherited theme mode not matching the active design system
  • custom CSS targeting generic form elements too aggressively

What to do:

  • test with the form theme switched
  • compare on a plain template
  • inspect CSS conflicts in browser dev tools
  • add targeted CSS classes via field settings where needed

The form works on one page but not another

Possible causes:

  • shortcode copied with the wrong ID
  • page builder conflict
  • different cache/optimization path
  • template-specific script loading issue

What to do:

  • copy the exact same shortcode to a plain page
  • compare both pages with optimization disabled temporarily
  • inspect frontend source and network requests on both pages

Plugin removal and data retention

Operationally, the plugin can preserve or remove data on uninstall depending on settings. If your organization needs retention, backups, or compliance-safe cleanup, decide this before uninstalling the plugin on production systems. The product documentation notes that uninstall behavior is configurable.

🧠 Best Practices

Build forms conservatively

  • only add fields you actually need
  • avoid large upload allowances unless required
  • keep public forms simple
  • use clear labels and confirmation messages

Choose the right mail path

  • use WordPress default mail only for basic or temporary use
  • use SMTP or API-based mail drivers in production where deliverability matters

Validate the whole journey

Always test:

  • frontend submission
  • mail delivery
  • entry storage
  • file upload
  • CSV export
  • auto-responder
  • cache behavior

Treat uploads as an operational responsibility

  • keep allowed extensions narrow
  • keep file size limits reasonable
  • ensure the uploads path is writable but not publicly browsable
  • monitor storage growth

Validate proxied environments early

If the site is behind:

  • Cloudflare
  • reverse proxy
  • load balancer
  • managed edge security

then verify IP-sensitive behavior before go-live.

📝 FAQ

Does Contact Form Pro require an external SaaS account to build forms?

No. Core form creation, storage, and management are local to WordPress. External services only come into play when you choose provider-based mail delivery or reCAPTCHA.

Can I use it without coding?

Yes. The builder, settings, entries, and shortcode workflow are designed for admin-side use without code changes.

Can I embed forms anywhere?

It supports shortcode-based embedding in standard WordPress content areas that process shortcodes.

Does it support file uploads?

Yes. It supports file and image uploads, with server-side validation and upload policy controls.

Can users sign forms?

Yes. It includes a touch-capable signature field that stores signature output as files rather than bloating the database.

Does it store submissions?

Yes, when submission storage is enabled. Entries can then be reviewed and exported from the admin area.

Can I export submissions?

Yes. CSV export is available from the entries interface.

Does it work with cached pages?

Yes, it is designed to be cache-friendly, but aggressive caching can still interfere with live AJAX/nonced forms if configured poorly.

Can I customize the look?

Yes. Per-form theme and border-style settings are available, and field-level CSS classes can support additional site styling.

Can developers extend it?

Yes. The package includes a post-submission action hook intended for integrations and custom workflows.

What is the safest launch approach?

Use staging first, configure mail before publishing, keep upload policy conservative, test behind your real proxy/CDN setup, and validate one full submission path end-to-end.

🔎 Deep Package Review Notes for Administrators

These are practical findings from the uploaded v1.0.0 package review:

  • The plugin creates custom database tables for entries and spam logging during activation.
  • Frontend CSS and JS are registered globally but are intended to load only where shortcode rendering occurs.
  • The admin settings screen exposes email, SMTP, provider, upload, security, and reCAPTCHA sections.
  • SMTP presets are included for Gmail, Outlook, Yahoo, Office 365, Zoho, and Mailhog.
  • The default upload extension allowlist is narrower than the broader internal safe MIME support, so some acceptable formats may still require explicit admin enabling.
  • On proxied environments, trusted-proxy handling should be tested carefully because the code references it, but the current settings UI in the scanned package does not visibly expose a dedicated trusted-proxy field.
  • If signatures are used, keep web-server directory protection in place exactly as you would for normal file uploads.

✅ Recommended One-Page Go-Live Checklist

  • Plugin activated successfully
  • Settings saved successfully
  • Mail driver selected
  • Test email delivered
  • Upload policy reviewed
  • Submission storage decision made
  • Security settings reviewed
  • reCAPTCHA tested on live hostname if enabled
  • Form created and saved
  • Shortcode embedded
  • Frontend form tested
  • Entry stored correctly
  • CSV export tested
  • Nginx rule added if applicable
  • Cache/CDN behavior verified
  • Proxy/IP behavior verified if applicable