Contact Form Pro

📝Premium Drag-and-Drop Contact Form Builder for WordPress.
€29.00
Version: 1.0.0
License: Single domain
Activations: 1
Validity: Lifetime
Support: 6 months

Product Details

First Release: 29 April 2026
Last Update: 29 April 2026
Compatible Browsers: IE11, Firefox, Safari, Opera, Chrome, Edge
Software Version: WordPress 6.9.x
Requires WP: 5.6+
Requires PHP: 8.2+
Compatible With: Bootstrap 5.x
Gutenberg Optimized: Yes
High Resolution: Yes
Files Included: PHP, JavaScript JS, CSS, Markdown

Description

Contact Form Pro — Full Product Description & Changelog

Developer: XaniaCode — https://xaniacode.com
Version: 1.0.0
License: Commercial (14-day free trial included)
Requires: WordPress 5.6+ · PHP 8.2+ · Tested up to WP 6.9


What Is Contact Form Pro?

Contact Form Pro is a premium WordPress plugin developed by XaniaCode that delivers a complete, enterprise-grade contact form solution — built from the ground up with security, flexibility, and deliverability at its core. It combines a visual drag-and-drop form builder, a multi-driver email system, advanced anti-spam protection, and a full submission management interface, all in a single self-contained plugin that requires no external dependencies or third-party SaaS subscriptions to get started.

Unlike lightweight free alternatives, Contact Form Pro is engineered for production environments where email reliability, data integrity, and protection from spam and abuse are non-negotiable requirements.


Feature Overview

1. Drag & Drop Visual Form Builder

The form builder uses a three-panel layout: a field palette on the left, a live canvas in the center, and a contextual settings panel on the right. Fields are dragged from the palette onto the canvas and reordered freely via a sortable interface.

25+ supported field types across six categories:

  • Basic fields: Text, Email, Phone, Number, Textarea, URL, Password
  • Choice fields: Dropdown (select), Multi-select, Radio buttons, Checkboxes, Toggle
  • Date & Time: Date picker, Time picker, Date-time picker, Month picker, Week picker
  • Media & Special: File upload, Image upload, Signature capture (canvas-based), Color picker
  • Advanced fields: Star rating, Slider, Range (dual-handle), Acceptance checkbox, Hidden field
  • Layout elements: Section heading, Divider, Raw HTML block, Submit button

Each field supports: custom label, placeholder text, required/optional toggle, responsive width control (full / half / one-third column), custom CSS classes, and field-type-specific options (e.g., min/max/step for numbers, accepted file types for uploads, max-rating value for star fields).


2. Multi-Driver Email System

Contact Form Pro includes a fully integrated email delivery layer that supports five independent drivers, selectable from the Settings panel without touching any code:

| Driver | Protocol | Notes |
| --- | --- | --- |
| WordPress Default | wp_mail | Works out of the box, uses server mail |
| SMTP | PHPMailer + TLS/SSL | Full auth support, SSL peer verification enforced |
| SendGrid | REST API v3 | Attachments encoded as base64 |
| Mailgun | REST API | Domain + API key configuration |
| Amazon SES | REST API v2 | Native AWS Signature v4 — no SDK required |

SMTP Quick Presets ship for the most common providers: Gmail, Outlook, Yahoo, Office 365, Zoho Mail, and Mailhog (for local development).

All drivers support HTML emails, Reply-To headers, Cc recipients, and file attachments. Sensitive credentials (SMTP password, API keys) are stored encrypted on disk and never re-displayed in the admin UI — the interface uses a "leave blank to keep current" pattern for all secret fields.

A built-in Test Email button lets administrators verify their configuration instantly without submitting a live form.


3. File Upload System

File uploads are handled through a dedicated upload class with a multi-layered security pipeline that runs on every uploaded file:

  1. Size validation — configurable per-site maximum (default 5 MB), enforced server-side
  2. Extension whitelist — admin-configurable allowed extensions (default: jpg, jpeg, png, gif, pdf, doc, docx, xls, xlsx, zip)
  3. MIME type verification — actual MIME type is read from the file content using PHP's finfo extension, not from the browser-supplied header
  4. Field-level accept attribute enforcement — per-field accepted types are validated server-side (extension pattern, MIME wildcard, or exact MIME)
  5. Image-type verification — image upload fields additionally verify the MIME starts with image/
  6. PHP code injection scanning — first 512 bytes of every file are scanned for <?php or <?= patterns
  7. Random filename assignment — saved files receive uniqid-based names, preventing filename-based attacks
  8. Directory protection — the upload directory is automatically created with an .htaccess file using both Apache 2.4 (Require all denied) and 2.2 (Deny from all) syntax, a blank index.html, and a silent index.php to prevent directory listing

Multiple file uploads per field are supported, with a per-field multiple flag. Non-required upload errors are logged server-side but do not block submission; required upload errors immediately halt processing and return field-level error messages to the user.
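
The content checks in steps 1 to 3 and 5 to 7 above can be sketched as follows. This is an added example, not Contact Form Pro's own code: the cfp_demo_ names and the extension-to-MIME map are hypothetical, the stored name comes from random_bytes() rather than uniqid(), and the sample files are constructed inline.

```php
<?php
declare(strict_types=1);

// Hypothetical extension => MIME map for this demo (not the plugin's own list).
const CFP_DEMO_MIME = [
    'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
    'png' => ['image/png'],  'gif'  => ['image/gif'],
    'pdf' => ['application/pdf'],
];

/**
 * Run the content checks on one uploaded temp file.
 * Returns [storedName, null] on success or [null, reason] on rejection.
 */
function cfp_demo_check_upload(string $tmpPath, string $clientName, int $maxBytes, bool $imageField): array
{
    // Step 1: size measured on the server, not taken from the request.
    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return [null, 'size'];
    }
    // Step 2: extension allowlist, using only the final extension.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, CFP_DEMO_MIME)) {
        return [null, 'extension'];
    }
    // Step 3: MIME type sniffed from the bytes; it must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, CFP_DEMO_MIME[$ext], true)) {
        return [null, 'mime'];
    }
    // Step 5: image fields accept image/* only.
    if ($imageField && !str_starts_with($mime, 'image/')) {
        return [null, 'not-image'];
    }
    // Step 6: look for PHP open tags in the first 512 bytes.
    $head = (string) file_get_contents($tmpPath, false, null, 0, 512);
    if (stripos($head, '<?php') !== false || str_contains($head, '<?=')) {
        return [null, 'php-tag'];
    }
    // Step 7: the stored name never contains client-supplied text.
    return [bin2hex(random_bytes(16)) . '.' . $ext, null];
}

// Constructed samples. $png is a PNG signature plus IHDR header only:
// enough for content sniffing, not a decodable image.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
$samples = [
    'photo.png'    => $png,                    // genuine image header
    'script.png'   => '<?php echo 1;',         // script renamed to .png
    'polyglot.png' => $png . '<?php echo 1;',  // image header with a PHP tag appended
    'notes.exe'    => 'MZ',                    // extension not on the allowlist
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'cfp');
    file_put_contents($tmp, $bytes);
    [$stored, $reason] = cfp_demo_check_upload($tmp, $name, 5 * 1024 * 1024, true);
    printf("%-13s %s\n", $name, $stored ?? "rejected: $reason");
    unlink($tmp);
}
```

The renamed script fails at the MIME step, while the polyglot passes MIME sniffing and is only caught by the open-tag scan, which is why the checks are layered rather than alternatives.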


4. Signature Capture

A canvas-based signature field with:

  • Full touch support (mobile and tablet)
  • HiDPI / Retina display rendering
  • "Clear" button for re-signing
  • Server-side blank canvas detection — a required signature field is rejected if the user has not actually drawn anything (detection based on PNG data size threshold)
  • Signatures are saved as individual PNG files on disk rather than stored as inline base64 blobs in the database, keeping entry storage efficient

5. Enterprise-Grade Security Layer

Security is the most deeply engineered aspect of Contact Form Pro. Every submission passes through a sequential gate of checks:

CSRF Protection

Every form submission is validated against a WordPress nonce (wp_verify_nonce) before any processing occurs. All admin AJAX actions are also nonce-protected.

Honeypot Anti-Spam

A hidden text field is injected into every form. Its name is dynamically derived from wp_salt(), making it unpredictable to bots. Any submission that fills in the honeypot is silently rejected and logged.

Google reCAPTCHA v3

When enabled, the plugin performs full server-side reCAPTCHA verification including:

  • Score threshold (≥ 0.5 required)
  • Action verification — token must be for action submit, preventing token replay from other pages on the same site
  • Hostname verification — the reCAPTCHA response hostname is compared against the site's own domain, blocking cross-site token misuse
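
The three checks above, applied to a decoded siteverify response, look like this. It is an added example, not the plugin's code: the function name and the hostname forms.example.test are hypothetical, and the JSON responses are constructed samples using the fields Google's siteverify endpoint returns (success, score, action, hostname, error-codes).

```php
<?php
declare(strict_types=1);

/**
 * Decide whether a decoded reCAPTCHA v3 siteverify response is acceptable.
 * Returns null when it passes, otherwise a short rejection reason.
 */
function cfp_demo_recaptcha_reject_reason(
    array $resp,
    string $siteHost,
    string $expectedAction = 'submit',
    float $minScore = 0.5
): ?string {
    // The token itself must have verified; otherwise the other fields are absent.
    if (($resp['success'] ?? false) !== true) {
        return 'verification-failed';
    }
    // Score threshold: a missing or non-numeric score is treated as a failure.
    $score = $resp['score'] ?? null;
    if (!is_float($score) && !is_int($score)) {
        return 'missing-score';
    }
    if ($score < $minScore) {
        return 'low-score';
    }
    // Action check: a token minted for another action on the same site is refused.
    if (($resp['action'] ?? null) !== $expectedAction) {
        return 'wrong-action';
    }
    // Hostname check: the token must have been issued on this site's own domain.
    $host = strtolower((string) ($resp['hostname'] ?? ''));
    if ($host === '' || $host !== strtolower($siteHost)) {
        return 'wrong-hostname';
    }
    return null;
}

// Constructed siteverify responses for a site served at forms.example.test.
$siteHost = 'forms.example.test';
$samples = [
    'genuine'        => '{"success":true,"score":0.9,"action":"submit","hostname":"forms.example.test"}',
    'low score'      => '{"success":true,"score":0.3,"action":"submit","hostname":"forms.example.test"}',
    'other action'   => '{"success":true,"score":0.9,"action":"login","hostname":"forms.example.test"}',
    'other hostname' => '{"success":true,"score":0.9,"action":"submit","hostname":"shop.example.test"}',
    'expired token'  => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];
foreach ($samples as $label => $json) {
    $resp   = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    $reason = cfp_demo_recaptcha_reject_reason($resp, $siteHost);
    printf("%-15s %s\n", $label, $reason === null ? 'accepted' : "rejected: $reason");
}
```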

Rate Limiting

Per-IP, per-form transient-based rate limiter. Configurable maximum submission count and time window (default: 5 submissions per 60 seconds). Rate-limited IPs are logged to the spam log.

IP Blocklist

Supports individual IP addresses and CIDR notation for both IPv4 and IPv6. The blocklist is managed from the admin settings panel. CIDR matching uses bit-mask arithmetic and correctly handles both address families.

Trusted Proxy / CDN Support

Client IP detection defaults. Proxy headers are only trusted when the request originates from an explicitly configured trusted proxy IP or CIDR range, preventing IP spoofing through header injection.
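
CIDR matching for both address families and proxy-aware client IP resolution, as described under IP Blocklist and Trusted Proxy / CDN Support, can be sketched together. This is an added example, not the plugin's code: the function names are hypothetical, and the use of X-Forwarded-For with a right-to-left walk is an assumption that goes beyond the page, which does not say which headers are read. All addresses are constructed documentation ranges.

```php
<?php
declare(strict_types=1);

/** True when $ip lies inside $cidr; a bare address matches only itself. */
function cfp_demo_ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // 4 bytes for IPv4, 16 for IPv6: differing lengths means differing families.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $max = strlen($ipBin) * 8;
    if ($bits === null) {
        $bits = $max;
    } elseif (!ctype_digit($bits) || (int) $bits > $max) {
        return false;                       // malformed prefix length
    }
    $bits = (int) $bits;
    $full = intdiv($bits, 8);               // whole bytes covered by the prefix
    $rem  = $bits % 8;                      // leftover bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function cfp_demo_in_any(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (cfp_demo_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/** REMOTE_ADDR unless the peer is a trusted proxy; then the rightmost untrusted hop. */
function cfp_demo_client_ip(array $server, array $trusted): string
{
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    $xff  = (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff === '' || !cfp_demo_in_any($peer, $trusted)) {
        return $peer;                       // header ignored for untrusted senders
    }
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;                   // malformed chain: use the socket address
        }
        if (!cfp_demo_in_any($hop, $trusted)) {
            return $hop;
        }
    }
    return $peer;                           // every hop was a trusted proxy
}

// Constructed requests using documentation address ranges.
$trusted   = ['203.0.113.0/24', '2001:db8:10::/48'];
$blocklist = ['198.51.100.7', '2001:db8:bad::/48'];
$requests  = [
    'direct, forged header' => ['REMOTE_ADDR' => '198.51.100.7',   'HTTP_X_FORWARDED_FOR' => '192.0.2.55'],
    'via trusted proxy'     => ['REMOTE_ADDR' => '203.0.113.9',    'HTTP_X_FORWARDED_FOR' => '192.0.2.55'],
    'proxy, padded chain'   => ['REMOTE_ADDR' => '203.0.113.9',    'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.7'],
    'IPv6 via proxy'        => ['REMOTE_ADDR' => '2001:db8:10::1', 'HTTP_X_FORWARDED_FOR' => '2001:db8:bad::42'],
];
foreach ($requests as $label => $server) {
    $ip = cfp_demo_client_ip($server, $trusted);
    printf("%-22s %-18s %s\n", $label, $ip, cfp_demo_in_any($ip, $blocklist) ? 'blocked' : 'allowed');
}
```

The first request stays blocked because its header is never read, and the padded chain resolves to the address the trusted proxy itself appended rather than the entry supplied by the client.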

Credential Encryption

All sensitive settings (SMTP password, SendGrid API key, Mailgun API key, Amazon SES secret, reCAPTCHA secret) are encrypted at rest using AES-256-CBC with a key derived from WordPress's wp_salt(). If the OpenSSL extension is unavailable, the plugin falls back to base64 obfuscation and automatically upgrades stored values on the next save once OpenSSL becomes available.

Spam Logging

Every blocked submission — whether by rate limit, honeypot, reCAPTCHA failure, or IP blocklist — is recorded to a dedicated cfp_spam_log database table with the IP address, block reason, and timestamp.

Output & Injection Prevention

  • All public output is escaped using esc_html(), esc_attr(), and wp_kses_post() as appropriate
  • Admin JavaScript uses DOM manipulation (createElement / textContent) rather than innerHTML with untrusted data
  • Exported CSV values are quoted per RFC 4180 with formula-trigger character neutralization to prevent CSV injection in spreadsheet applications
  • The X-Content-Type-Options: nosniff header is sent on every form submission response
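
One way to combine RFC 4180 quoting with formula-trigger neutralization is shown below. This is an added example, not the plugin's code: the function names are hypothetical, the page does not say how triggers are neutralized, and the apostrophe prefix used here is an assumption. The row values are constructed.

```php
<?php
declare(strict_types=1);

/** Neutralise a leading formula trigger, then quote the field per RFC 4180. */
function cfp_demo_csv_field(string $value): string
{
    // Spreadsheets evaluate cells that start with = + - @ (also tab or CR).
    // An apostrophe prefix makes the cell plain text. Side effect: legitimate
    // values such as "-5" or "+44 ..." are prefixed as well.
    if ($value !== '' && strpbrk($value[0], "=+-@\t\r") !== false) {
        $value = "'" . $value;
    }
    // RFC 4180: wrap in double quotes and double any embedded quote.
    return '"' . str_replace('"', '""', $value) . '"';
}

/** Build one CRLF-terminated CSV record. */
function cfp_demo_csv_row(array $fields): string
{
    $quoted = array_map(
        static fn ($field): string => cfp_demo_csv_field((string) $field),
        $fields
    );
    return implode(',', $quoted) . "\r\n";
}

// Constructed submission values, including ones a spreadsheet would evaluate.
$row = [
    'Jane "JD" Doe',
    '=1+1',
    '@SUM(A1:A9)',
    '+44 20 7946 0000',
    '-5',
    'Hello, world',
];
$line = cfp_demo_csv_row($row);
echo $line;

// Round trip: parse the record back and show what a consumer would read.
$parsed = str_getcsv(rtrim($line, "\r\n"), ',', '"', '');
foreach ($row as $i => $original) {
    printf("%-18s => %s\n", $original, $parsed[$i]);
}
```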

6. Server-Side Validation

All field types are validated server-side regardless of client-side state:

| Field Type | Validation Applied |
| --- | --- |
| Email | is_email() |
| URL | FILTER_VALIDATE_URL |
| Phone | Pattern: +?[\d\s\-(). ]{7,20} |
| Number / Range / Slider | Numeric check + configurable min/max bounds |
| Text / Textarea | Configurable min/max character length (mb_strlen) |
| Select / Radio | Value checked against declared options array |
| Multi-select / Checkbox | Each selected value checked against allowed options |
| Date | YYYY-MM-DD format |
| Time | HH:MM or HH:MM:SS format |
| Datetime-local | ISO 8601 datetime format |
| Month | YYYY-MM format |
| Week | YYYY-Www format |
| Color | 6-digit hex #RRGGBB |
| Rating | Integer within 1 to configured max_rating |
| File / Image | Checked against $_FILES (not $_POST) for required status |
| Signature | Canvas PNG data checked for minimum size (non-blank) |

7. Submission Storage & Management

When submission storage is enabled, entries are saved to the cfp_entries database table with:

  • Form ID, submission status (unread / read)
  • All field values as JSON
  • Submitter IP address, user agent, and referrer URL
  • Timestamp

The admin Entries screen provides:

  • Filtering by form
  • Paginated table with per-entry actions
  • Detail modal showing all field values in a readable layout
  • Mark-as-read
  • Delete individual entries
  • CSV export with proper RFC 4180 quoting and formula-injection prevention

8. Auto-Responder

Each form can be individually configured with an automatic confirmation email sent to the person who submitted the form. The plugin automatically detects the first email-type field in the form as the reply address. Configurable per form:

  • Auto-responder toggle (on/off)
  • Custom subject line
  • Custom body text

9. Shortcode Integration

Forms are embedded anywhere in WordPress using:

[contact_form_pro id="X"]

The shortcode is cache-friendly: configuration (AJAX URL, nonce, i18n strings, file size limits) is injected as an inline <script> block alongside the form HTML, ensuring correct operation with page caching and asset optimization plugins. CSS and JavaScript assets are enqueued only when the shortcode is actually rendered on a given page, with no global asset loading.


10. Email Templating

The notification email sent to the site administrator uses a formatted HTML template:

  • Dark-header branding block with site name and URL
  • Two-column field table (label / value) for every submitted field
  • Footer row showing submitter IP, submission timestamp, and "Sent via Contact Form Pro"
  • File and image fields display original filenames; signature fields display the saved PNG filename

Subject lines and other per-form text support template tags: {field_id}, {site_name}, {site_url}, {date}, {time}, {form_id}.


11. Admin Interface

Forms List

Card-based overview showing all created forms. Each card displays the form name, total entry count (fetched in a single aggregated query), the embeddable shortcode with a one-click copy button, and quick-action links to Edit, View Entries, and Delete.

Form Builder

Full three-panel interface:

  • Left panel: field palette organized by category with drag handles
  • Center panel: sortable canvas with live field previews
  • Right panel: tabbed settings (General, Advanced, Style) with per-field configuration

Entries Dashboard

Filterable, paginated table with submission counts, detail view modal, per-entry delete, and bulk CSV export.

Settings Panel

Six-tab configuration interface:

  • Email — mail driver selection, From name/email, admin recipient
  • SMTP — host, port, encryption, auth credentials, quick presets
  • Providers — SendGrid, Mailgun, and Amazon SES API credentials
  • Uploads — max file size, allowed extensions
  • Security — honeypot toggle, rate limiting thresholds, IP blocklist, trusted proxies
  • reCAPTCHA — enable/disable, site key, secret key

12. Licensing System (XaniaCode License Manager v2.0)

Contact Form Pro ships with the XaniaCode License Manager, which provides:

  • 14-day free trial with full feature access
  • License activation and deactivation from the admin panel
  • Periodic license verification (every 12 hours)
  • Expiry warnings at 30, 7, and 3 days before expiry
  • Automatic plugin update checks and one-click updates from the WordPress updates screen
  • Secure API communication: license keys are sent via POST (never in URLs, server logs, or proxy caches); update downloads use HMAC-signed short-lived tokens

Advantages of Using Contact Form Pro

No Dependency on Third-Party Form Services

All form data, submissions, and configuration are stored locally in your WordPress database. There are no per-submission fees, no data leaving your server to a third-party SaaS platform, and no account to maintain with an external service.

Truly Flexible Email Delivery

Most contact form plugins rely exclusively on wp_mail, which is often blocked or marked as spam by receiving servers. Contact Form Pro lets you route email through whichever delivery infrastructure your business already uses — whether that is a dedicated SMTP account, SendGrid, Mailgun, or Amazon SES — without any additional plugin required.

Production-Ready Security Out of the Box

The layered security architecture (nonces + honeypot + reCAPTCHA v3 + rate limiting + IP blocklist + trusted proxy support + credential encryption + spam logging) is not an afterthought. It is built into the submission pipeline and is active from the first form submission. No security add-on or configuration wizard is needed to reach a secure baseline.

Accurate Spam Filtering Without False Positives

reCAPTCHA v3 operates invisibly — there are no CAPTCHAs for legitimate users to solve. The combination of honeypot (catches primitive bots), rate limiting (catches scripted flooding), and reCAPTCHA v3 with score + action + hostname verification (catches sophisticated bots) provides layered protection that minimises both spam and false positives.

Reliable File Handling

The multi-layer upload validation pipeline prevents the most common attack vectors (malicious file type disguised as an image, PHP webshell disguised as a document) without relying on browser-supplied metadata. Directory protection is applied automatically on activation.

Full Form Customisation Without Code

With 25+ field types, responsive column layouts, per-form themes (inherit / light / dark), and border style options, most design requirements can be met without writing any custom CSS or PHP.

Submission Audit Trail

The built-in entries storage and spam log give administrators a complete audit trail: who submitted what, when, from which IP, and whether any submissions were blocked — all accessible from the WordPress admin without a separate analytics tool.

Cache and Optimisation Plugin Compatible

Inline configuration injection means the form works correctly even when the page is served from a full-page cache. Assets are loaded conditionally per-page so the plugin does not degrade performance on pages that contain no forms.

Developer-Friendly Extension Point

The cfp_after_submission action hook fires after every successful submission, passing the entry ID, form ID, cleaned field data, and uploaded file metadata — giving developers a clean integration point for custom workflows (CRM sync, webhook calls, notification services) without modifying plugin files.


Requirements

| Requirement | Minimum |
| --- | --- |
| WordPress | 5.6 |
| PHP | 8.2 |
| PHP Extensions | OpenSSL (recommended for credential encryption) |
| Tested up to | WordPress 6.9 |

Installation

  1. Upload the contact-form-pro folder to /wp-content/plugins/
  2. Activate the plugin via Plugins → Installed Plugins
  3. Go to Contact Forms → Contact Form Pro to enter your license key or start the 14-day free trial
  4. Configure email delivery in Contact Forms → Settings
  5. Create your first form via Contact Forms → Add New
  6. Embed the form with [contact_form_pro id="X"] in any post, page, or widget area.

Contact Form Pro v1.0.0 — © 2026 XaniaCode — https://xaniacode.com/products/contact-form-pro

Changelog

Author: XaniaCode
Minimum PHP: 8.2
Minimum WordPress: 5.6

First public release of Contact Form Pro — a complete contact form solution built for WordPress. Every feature listed below is included from day one.

Added

Form Builder

  • Visual drag-and-drop builder with an intuitive three-panel layout
  • 25+ field types across six categories: basic inputs, choice fields, date & time pickers, media uploads, advanced fields, and layout elements
  • Every field is fully customisable — labels, placeholders, required toggle, column width, and more

Email Delivery

  • Five email drivers included: WordPress default, SMTP, SendGrid, Mailgun, and Amazon SES
  • All drivers support HTML emails, Reply-To, Cc, and file attachments
  • Quick-setup presets for the most popular email providers

Rich Email Notifications

  • Beautiful, fully formatted email notifications for both you and your visitors
  • Field values rendered intelligently — file attachments as previews, signatures as images, ratings as stars, and more
  • Full dark-mode and mobile-responsive email layout out of the box

Auto-Responder

  • Automatic confirmation email sent to the visitor after every successful submission
  • Personalised with their submitted data using simple placeholder tags
  • Custom subject and body per form

Submission Management

  • Every submission is saved and accessible in the WordPress admin
  • Filterable list with pagination, detailed entry view, mark-as-read, and delete
  • Four export formats per entry: HTML, plain text, image (PNG), and print / PDF

Bulk Export

  • Select multiple entries and export them all at once
  • Combined HTML document, plain text, or a ZIP of individual PNG screenshots

Form Shortcode

  • Place any form anywhere with a simple shortcode
  • Assets load only on pages where the form appears — no unnecessary slowdowns

Per-Form Settings

  • Each form has its own recipient email, subject line, success message, and visual theme
  • Choose between light, dark, or inherited site theme, and rounded or straight borders

Responsive Design

  • Forms look great on all screen sizes — desktop, tablet, and mobile
  • Admin interface is fully responsive too

Security

Spam Protection

  • Invisible honeypot trap catches bots automatically on every form
  • Google reCAPTCHA v3 integration with full server-side score verification
  • All blocked submissions are logged for your review

Rate Limiting

  • Limits the number of submissions per visitor within a configurable time window
  • Prevents automated abuse without affecting real users

IP Blocklist

  • Block individual IP addresses or entire IP ranges
  • Supports both IPv4 and IPv6 with CIDR notation

Secure File Uploads

  • Every uploaded file is validated for type, size, and content before being accepted
  • Upload folder is protected against direct access and directory listing

Encrypted Credentials

  • All sensitive settings (email passwords, API keys) are encrypted at rest
  • Displayed as "leave blank to keep current" in the admin — never exposed again after saving

Anti-Injection Protection

  • All email headers and user input are sanitised before use
  • Exported CSV files are hardened against formula injection in Excel and Google Sheets

User Permissions

  • Three granular permission levels to control who can manage forms, view entries, and see visitor IP addresses
  • Role assignments are configurable and can be extended by developers

XaniaCode License Manager

  • 14-day free trial with no credit card required — all features unlocked from the start
  • Simple activation from the plugin settings; automatic update checks included

Frequently Asked Questions

One-time payment. You get a lifetime license with lifetime access to plugin updates. No recurring fees.
You need your own API keys from Anthropic and/or OpenAI. The plugin connects to whichever provider you configure — API costs go directly to your provider account. We do not proxy or resell AI credits.
Each license covers one production domain. Development and staging environments on the same root domain are included. For additional production sites, purchase additional licenses.
Yes. A 14-day trial with full features is available. Click "Start Free Trial" on the product page to download it.
WordPress 5.6 or higher and PHP 8.2 or higher. Tested up to WordPress 6.9. PHP 8.2 is the hard minimum — earlier versions are not supported.
Two providers are supported: Anthropic (Claude Sonnet 4.6, Opus 4.6, Haiku 4.5) and OpenAI (GPT-5.4, GPT-4o, GPT-4.1 families). You can switch provider in Settings. Vision AI lets you choose provider per-request.
API keys are encrypted at rest using AES-256-CBC with HMAC before being written to the database. You can also define them as PHP constants in wp-config.php to keep them out of the database entirely.
Five generation modes are available: product descriptions (with structured attributes, tags, SEO title, meta description, and SKU suggestion), blog articles (with outline, focus keywords, and CTA suggestion), translations into 13+ languages, SEO title suggestions, and Vision AI — which analyzes an uploaded product image and generates a full listing automatically.
JPEG, PNG, WebP, and GIF are supported. Maximum image size is 10 MB. The plugin verifies the real MIME type server-side — renaming a file to change its extension will not bypass the check.
Yes. A per-user rate limit applies to all generation endpoints. The default is 30 requests per minute. You can adjust this between 5 and 120 in the plugin settings.
Multisite compatibility is not confirmed for this version. If you run a Multisite network, test on a staging environment before deploying to production.
Updates are delivered directly inside WordPress admin via the standard Plugins screen. No manual download is needed once your license is activated.
Six months of direct developer support is included, accessible via the ticket system in your account dashboard. Support can be renewed after the initial period for a small fee.
We review refund requests individually for products that do not function on a clean WordPress install. No refund is issued for change-of-mind or incompatibilities introduced by third-party plugins or custom code. See the Refund Policy page for full details.
The plugin contacts our server only for license validation and update checks. All AI requests go directly from your server to Anthropic or OpenAI — no user content passes through XaniaCode infrastructure. No analytics, no third-party tracking is bundled.
