
Are WordPress Forms Secure? The #1 Thing You Need to Watch Out For

Last updated on Apr 5, 2017 by Shahzad Saeed

Have you ever wondered whether your WordPress forms are secure? Security is a big concern that stops your visitors from submitting contact forms. In this post, we’ll show you the #1 thing you need to watch out for when it comes to securing your WordPress forms.

How Secure Are WordPress Forms?

Generally, WordPress forms are safer than putting your email out in public because using a contact form saves you from spam. By using a WordPress form plugin on your site, you’ll even get an extra layer of form spam protection because we use the honeypot method to prevent spam submissions without bothering your real users.

However, if you’re collecting sensitive data on your WordPress site, like login details or credit card information, the #1 thing you need to do to ensure your form’s security is to add SSL to your site.

What Is SSL?

SSL is an industry standard security measure that creates an encrypted link between each visitor’s browser and your website.

To install SSL on your site, you’ll need a unique SSL certificate that’s certified by a third party authority. (We’ll talk about how you can get an SSL certificate below.)

After you install the SSL certificate on your site, a small green padlock icon will appear in the address bar. In addition, your website address will begin with HTTPS instead of just HTTP. This tells your visitors that they are on a secure page.


These visual cues might seem small, but many of your website visitors are looking for them.

According to GlobalSign, 77% of your website visitors are concerned about their data being intercepted or misused online. So if you want to entice website visitors to submit your contact forms, you’ll need to foster trust by installing SSL on your site.


Do You Need HTTPS and SSL on Your Site?

Not every website needs to install an SSL certificate.

But if you have an ecommerce site or a community-powered site, you probably want to add SSL to your site. Here’s why.

If You Process Payments

If you’re selling products or accepting donations on your site, it’s better to have an SSL certificate to make sure that the information you collect from your customers is protected.

In fact, if you’re using our Stripe addon to process payments, Stripe requires you to have an SSL certificate on your site.

If You Have a Membership Site

If you’re running a membership site in which users will need to register an account, you should consider creating a WordPress secure login form by adding SSL.

If your site should get hacked, your members’ login information could be compromised. To add insult to injury, if any of your members use the same username and password on other sites, those accounts will be compromised as well.

Aside from the security SSL certification offers, it can now help you to rank better in Google search results.

Google wants to ensure that the websites they send searchers to are secure. So they announced that they have started using SSL as a ranking signal in their search results.

That means if you add an SSL certificate on your site, chances are your site will get a higher position in search results than your competitors who didn’t install SSL.

How to Purchase an SSL Certificate

If you’re looking to purchase an SSL certificate, you can easily get it from many web hosting providers such as SiteGround. SiteGround actually offers a one year free SSL certificate with their “Grow Big” plan.

Besides SiteGround, you can also purchase SSL certificates from GoDaddy or Bluehost for around $50-$200.

Alternatively, you can contact your existing hosting provider and ask whether they sell SSL certificates.

Installing Your New SSL Certificate

After purchasing your SSL certificate, you’ll need to install it on your site. There are a few different ways to do this.

If you purchased your certificate from your web hosting company, you can ask them to install it on your site for you. Some hosts also offer a built-in integration so that you can easily install your SSL certificate from your hosting dashboard. You can see more details in this tutorial on setting up SSL with Let’s Encrypt.

If you’d like to install it yourself, or you bought your certificate from a third party, you can either install it using a WordPress plugin or manually by changing some of your site settings. Here’s how.

Installing SSL on Your Site Using a Plugin

If your host won’t install your certificate for you, or if you’d rather do it yourself, the easiest way to install SSL on a WordPress site is by using a plugin.

We recommend Really Simple SSL, one of the best rated WordPress SSL plugins in the official WordPress plugin directory.

All you need to do to set this up is to purchase the SSL certificate and install the Really Simple SSL plugin. It will automatically detect your settings and configure your website to run over HTTPS. For more details, you can see our step by step guide on how to install a WordPress plugin.

Installing SSL on Your WordPress Site Manually

Maybe you’d rather install your SSL certificate without having to use a plugin. If so, it’s not too hard. We’ll walk you through the process.

Note: It’s a good idea to create a backup of your WordPress site before making any big changes. We recommend using BackupBuddy.

If you’re just starting a new website, setting up SSL is easy. All you need to do is to update your site URL to use HTTPS instead of HTTP.

You can do this by navigating to Settings » General.

Then, you’ll need to update the WordPress Address and Site Address as shown in the screenshot below to use HTTPS (note the “S” on the end), replacing example.com with your domain name. Do keep in mind that you’ll need to have an SSL certificate purchased or this won’t do anything.

[Screenshot: updating the WordPress Address and Site Address URLs to HTTPS]

That’s it!

But what if you’re adding SSL to an existing website?

In that case, you’ll need to automatically redirect visitors to the secure version (HTTPS) to make sure their information is protected.

For the redirection, all you need to do is to tweak your .htaccess file.

Your .htaccess file will be found in the root directory where WordPress is installed. In case you can’t find it, you’ll need to make sure the file is not hidden.

Simply copy the following code snippet and paste it into your .htaccess file.

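<IfModule mod_rewrite.c>
# Turn on URL rewriting
RewriteEngine On
# Match only requests that arrived on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# Permanently (301) redirect to the same path over HTTPS and stop processing
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
</IfModule>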

Please note that you’ll need to replace example.com with your domain name in the above code before saving the .htaccess file.
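
To confirm the redirect works after saving the file, the following added example (not part of the original tutorial) classifies the response headers of a plain-HTTP request, such as the output of curl -sI http://www.example.com/contact/. The function name check_https_redirect, the /contact/ path and the sample headers are constructed for illustration; Apache's R flag sends a 302 unless a status such as R=301 is given, so the check reports which kind it saw.

```shell
#!/bin/sh
# Added example: read HTTP response headers on stdin and print a verdict.
#   ok-permanent  301/308 redirect to https://HOST/PATH
#   ok-temporary  302/303/307 redirect to https://HOST/PATH (not cached by browsers)
#   no-redirect   the page was served over HTTP without any redirect
#   bad-target    the redirect does not point at https://HOST/PATH
# check_https_redirect is a hypothetical helper name, not a WordPress or Apache tool.
check_https_redirect() {
    host=$1
    path=$2
    # HTTP header lines end in CRLF; drop the CR so string comparisons work
    headers=$(tr -d '\r')
    # Status line looks like "HTTP/1.1 301 Moved Permanently" or "HTTP/2 301"
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    # Header names are case-insensitive, so compare in lower case
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    case $status in
        301|308) kind=ok-permanent ;;
        302|303|307) kind=ok-temporary ;;
        *) echo no-redirect; return 1 ;;
    esac
    if [ "$location" = "https://$host$path" ]; then
        echo "$kind"
    else
        echo bad-target
        return 1
    fi
}

# Constructed sample headers (not captured from a real site): a 302 redirect
# that keeps the requested path. Prints "ok-temporary".
printf 'HTTP/1.1 302 Found\r\nLocation: https://www.example.com/contact/\r\n\r\n' |
    check_https_redirect www.example.com /contact/

# Against a live site (replace the host and path with your own):
#   curl -sI http://www.example.com/contact/ | check_https_redirect www.example.com /contact/
```

Run it against the page that hosts your form: a no-redirect or bad-target verdict means visitors can still load that page over plain HTTP.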

For more details, you can see WPBeginner’s tutorial on adding SSL and HTTPS in WordPress.

We hope this article helped you to create secure forms on WordPress by adding SSL to your site. For even more secure forms, you can check out our post with clever web hacks to detect spammers and gather more info from your forms. To make sure your entire site is secure, check out this ultimate guide to WordPress security.


Comments

  1. Thanks for reading this article – I hope you found it helpful.

    I wanted to let you know about our new WordPress survey plugin that allows you to build interactive polls and surveys within minutes. You also get best-in-class reporting, so you can make data-driven decisions.

    You can get it 100% free when you purchase WPForms Pro plan.

    Get Started with WPForms Today and see why over 1 million websites choose WPForms as their preferred online form builder.

    Syed Balkhi
    CEO of WPForms

    1. Hi Hermann,

      I’m sorry to hear your SSL isn’t working. SSL configuration is generally handled by your site’s hosting provider, so the best next step is to get in touch with them to find out if any configuration steps might have been missed.

      I hope that your site’s host can help you get this up and running!

  2. My client has sensitive medical data they wish to collect in a form. My ISP at iPage.com offers free SSL. Is it worth buying the regular SSL certificate?
