Protecting a WordPress Contact Form with reCAPTCHA

 Wordpress  Jun 11, 2019
 

Having a contact form is one of the most important pages a web site can have. It lets you receive communication from your audience or customers without publishing a specific email address. Putting an email address on your site, while simple and low-tech, makes it easy for the address to be harvested by the site-scraping tools spammers use. A web-based contact form solves that, but it too can be abused by automated bots or malicious visitors unless you add an interactive challenge such as reCAPTCHA to validate form submissions before they are accepted. In this walk-through I will demonstrate how to set up a WordPress contact form using the free plugin Contact Form by WPForms together with Google reCAPTCHA, which is also free.

image

 

Setting up Google reCAPTCHA

Before setting up Contact Form by WPForms you should first configure a free reCAPTCHA account at Google reCAPTCHA. Click the Admin console button on the welcome page. After you log in to your Google account you will be prompted to register the site where you plan to use reCAPTCHA. Enter a label (name) for your site, select which version of reCAPTCHA you want to use, enter your domain name, accept the Terms of Service, and then click Submit. reCAPTCHA v2 shows a checkbox and, when it is unsure about the visitor, a series of pictures to anyone attempting to submit your contact form. reCAPTCHA v3 presents nothing to the visitor at all; it scores each request in the background and leaves it to the site to decide what score is acceptable.

image

 

Once you have registered your domain name in the reCAPTCHA system you will be able to copy the reCAPTCHA site key and secret key. These keys will need to be entered into the WPForms plugin settings from the WordPress admin Dashboard, so copy them into the Windows clipboard or Notepad to keep them handy. The two keys play different roles: the site key is embedded in the page and visible to every visitor, while the secret key is used by the server to verify each submitted token with Google and must never appear in page source, client-side scripts or a public repository.

image

 

Configuring Contact Form by WPForms with reCAPTCHA

Before you can configure a WordPress contact form you need to ensure your site's SMTP settings are properly configured. Using the free plugin WP Mail SMTP by WPForms makes it incredibly easy to configure WordPress SMTP settings. This walk-through assumes you already have your SMTP settings configured.

image

 

Both Contact Form by WPForms and WP Mail SMTP by WPForms can be installed from your WordPress admin Dashboard. Simply search for them in the WordPress Plugin Directory and then click Install Now for each. After they have been installed click the Activate button on the plugin properties.

image

 

After you activate Contact Form by WPForms click on the plugin's Settings menu; do this before you configure your first form. There you will see another menu item for reCAPTCHA. Click on it.

image

 

Now paste in the reCAPTCHA keys you saved earlier. Set the reCAPTCHA Type to the version you registered with Google (the keys are tied to that version, so a v2 key will not validate v3 tokens or vice versa) and then click Save.

image

 

Create a new contact form

After closing the reCAPTCHA settings, click on the WPForms menu. You should see something like the image below. Click Add New.

 

image

 

On the form’s Setup screen click Create Simple Contact Form.

image

 

On the next screen you will manage the various properties of the new contact form. Click the Settings menu. At the bottom of the General settings you will see the option Enable Google Checkbox v2 reCAPTCHA. Tick the checkbox next to it and then save the form. The contact form is ready for action; simply embed the form's shortcode in a WordPress page to start using it.

image

 

Testing the contact form with reCAPTCHA

When you browse your site’s new contact page you will be required to prove you’re not a robot by clicking the reCAPTCHA checkbox before you can submit the form.

image

 

If there is any doubt about your authenticity you will be prompted to select a series of photos before continuing. If the challenge isn't completed correctly the form will not be submitted.

image

Once reCAPTCHA is satisfied that you're a real person the form can be submitted; the plugin only accepts a submission whose reCAPTCHA token verifies successfully on the server.
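The server-side half of what the screenshots above show, as an added example in Python (it is not WPForms' code, which is PHP inside WordPress, and not Google's): on every submission the plugin posts the widget's token together with the secret key from the settings page to Google's siteverify endpoint and acts on the JSON verdict. The endpoint URL and the g-recaptcha-response field name are Google's documented ones; example.com, the score threshold, the token-age limit and the sample verdicts are assumptions constructed for the example.

```python
"""Server-side verification of a reCAPTCHA token (the step a plugin such as
WPForms performs with the secret key). Added example, not the plugin's code.

The widget on the contact page, loaded with the public site key, places a
one-time token in the POSTed field g-recaptcha-response. The server sends
that token plus the SECRET key to siteverify and trusts only the verdict
that comes back. evaluate_verdict() goes beyond "success": it pins the
hostname, applies a v3 score/action policy and bounds token age, so a token
solved on another site or replayed later is refused.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
FORM_FIELD = "g-recaptcha-response"  # field the reCAPTCHA widget adds to the form


def fetch_verdict(secret_key, token, remote_ip=None):
    """POST secret + token to siteverify and return Google's JSON verdict.
    Needs network access; the offline checks below work on the returned dict."""
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def evaluate_verdict(verdict, expected_hostname, now=None,
                     expected_action=None, min_score=0.5, max_age_s=120):
    """Return (accepted, reason) for a siteverify verdict.

    - success must be true (error-codes says why not, e.g. timeout-or-duplicate
      for a token that expired or was already used once);
    - hostname must be our own site: the site key is public, so a token solved
      on someone else's page would otherwise verify just fine;
    - v3 verdicts carry action and score; require the action this form was
      rendered with and a score at or above the threshold (0.5 assumed here);
    - challenge_ts bounds how long a captured token stays usable.
    """
    if not verdict.get("success"):
        return False, "rejected: " + ",".join(verdict.get("error-codes", ["unknown"]))
    if verdict.get("hostname", "").lower() != expected_hostname.lower():
        return False, "hostname mismatch: %r" % verdict.get("hostname")
    if "score" in verdict:  # v3-style verdict
        if expected_action and verdict.get("action") != expected_action:
            return False, "action mismatch: %r" % verdict.get("action")
        if float(verdict["score"]) < min_score:
            return False, "score %.2f below %.2f" % (verdict["score"], min_score)
    stamp = verdict.get("challenge_ts")
    if stamp:
        solved = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if (now - solved).total_seconds() > max_age_s:
            return False, "token older than %ds" % max_age_s
    return True, "ok"


def check_submission(post_fields, secret_key, expected_hostname,
                     verifier=fetch_verdict, **policy):
    """Gate a form POST: refuse when the token is missing, otherwise verify it.
    `verifier` is injectable so the gate can be exercised without network."""
    token = post_fields.get(FORM_FIELD, "")
    if not token:
        return False, "missing " + FORM_FIELD
    return evaluate_verdict(verifier(secret_key, token), expected_hostname, **policy)


# Constructed sample verdicts in the documented siteverify shape (not real captures).
SAMPLE_OK = {"success": True, "challenge_ts": "2019-06-11T14:00:00Z", "hostname": "example.com"}
SAMPLE_OTHER_SITE = {"success": True, "challenge_ts": "2019-06-11T14:00:00Z",
                     "hostname": "attacker.example"}
SAMPLE_V3_BOT = {"success": True, "score": 0.1, "action": "contact",
                 "challenge_ts": "2019-06-11T14:00:00Z", "hostname": "example.com"}
SAMPLE_REUSED = {"success": False, "error-codes": ["timeout-or-duplicate"]}
SAMPLE_NOW = datetime(2019, 6, 11, 14, 1, 0, tzinfo=timezone.utc)    # 60 s after solving
SAMPLE_LATER = datetime(2019, 6, 11, 14, 5, 0, tzinfo=timezone.utc)  # 300 s after solving

if __name__ == "__main__":
    for name, v in (("ok", SAMPLE_OK), ("other site", SAMPLE_OTHER_SITE),
                    ("v3 bot", SAMPLE_V3_BOT), ("reused", SAMPLE_REUSED)):
        print(name, evaluate_verdict(v, "example.com", now=SAMPLE_NOW, expected_action="contact"))
```

The hostname check is the one most often skipped: because the site key is public, an attacker can load your widget on their own page, solve the challenge there, and submit the resulting token to your form; only comparing the verdict's hostname against your domain catches that.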

 

In Summary

Having a contact form on your web site is a great way to receive communication from your audience or customers, however you have to make sure it isn't misused by automated bots or malicious visitors. The free WordPress plugin Contact Form by WPForms makes it easy to protect your contact form with Google reCAPTCHA so that only real people are using it. Thanks for reading!


Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS


IIS 8.5 SNI – Fixing SSL_ERROR_BAD_CERT_DOMAIN

 IIS, Windows Server 2012  Jun 02, 2019
 

As you probably know, HTTPS uses TLS (still commonly called SSL) together with a certificate to authenticate the web server and encrypt communication between your browser and the site you're visiting. You can tell when your session is encrypted because your browser displays a lock icon near the site's address in the location bar. If your web site doesn't already have an SSL certificate you really need to get one. Browsers have already started labelling sites without HTTPS as "Not secure" even if there's no ecommerce function or data transfer, and Google has announced that HTTPS is a ranking signal, so a site without it can rank lower, again regardless of the site's function.

So, as every good sys admin should, I have deployed SSL certificates for all my sites. Recently I installed a new SSL certificate for my blog, but when I tested it afterwards to ensure everything was working properly I was presented with the unsettling error message below: Warning: Potential Security Risk Ahead. Clearly something was amiss.

image

 

SSL_ERROR_BAD_CERT_DOMAIN

When viewing the advanced details of the error displayed below I saw the error code SSL_ERROR_BAD_CERT_DOMAIN. This is Firefox's way of saying that the certificate the server presented is otherwise valid but does not cover the host name in the address bar: none of its Subject Alternative Names matches the domain. Naturally I was surprised to see this, because I knew my certificate had just been issued and was neither expired nor signed with an obsolete hash algorithm. On closer inspection the error was saying the certificate was only valid for a different domain name, not the domain of my site. This was a little confusing because I had just installed the new certificate and knew with complete certainty that it was issued for my domain, not the domain identified in the error message. The other domain in question was also hosted on my server, which was a good clue to check the site bindings.

 

Managing IIS Server Certificates

The next step was to double check the installed certificates. Using IIS Manager you can easily find and manage all of the certificates installed on the server. This is handy when you need to quickly identify expiration dates, for example, but it does not show which site is using which certificate; to see how the certificates are assigned you need to check the individual site bindings.

image

Another way to see all the SSL certificate bindings is to run the following command:

This outputs details for every certificate binding registered with HTTP.sys on the server, including the IP:port or hostname:port of each binding and the certificate store where the certificate is located.

image

 

IIS Server Name Indication (SNI)

The server hosting my site runs Windows Server 2012 R2 with IIS 8.5, which has a powerful feature for hosting SSL certificates called Server Name Indication (SNI). With SNI the browser sends the host name it wants in the TLS ClientHello, so multiple certificates for different domain names can share a single IP address. Before IIS 8 this could only be accomplished with a wildcard or multi-domain (SAN) certificate, or by giving each certificate its own IP address. So after reviewing the SSL_ERROR_BAD_CERT_DOMAIN error message I knew the issue had to be an incorrect IIS site binding related to the SNI config. As you can see in the picture below, SNI has to be enabled on each binding by checking the box Require Server Name Indication. Without it the binding is registered on the bare IP:port rather than on hostname:port, and HTTP.sys only consults the IP:port binding for connections that have no matching hostname:port entry, so visitors to my site were being handed the certificate registered for the other site on that address. My site was sharing the same IP address as another site with a different SSL certificate, and in my haste to install the new certificate I had not checked the Require Server Name Indication box. Once I did that and saved the settings my site was operational again without the security warning.
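Two checks that make the diagnosis above reproducible, as added example code in Python (not something the post or IIS ships). The first parses the binding table that `netsh http show sslcert` prints and applies HTTP.sys's lookup order (hostname:port for SNI clients, then IP:port, then 0.0.0.0:port) to show which certificate a given host name is served with and without SNI; it stands in for the binding listing the previous section refers to. The second connects to a live server with and without SNI and checks the presented certificate's Subject Alternative Names against the host name the way Firefox does before raising SSL_ERROR_BAD_CERT_DOMAIN. The netsh output below is constructed with dummy hashes and placeholder names (the Application ID is IIS's), and the host names and address are assumptions.

```python
"""Diagnosing an SNI binding that serves the wrong certificate. Added example.

parse_sslcert()   parses `netsh http show sslcert` text into one dict per binding.
resolve_binding() applies HTTP.sys's lookup order: hostname:port (SNI) first,
                  then IP:port, then 0.0.0.0:port. An https binding created
                  without "Require Server Name Indication" lives in the IP:port
                  slot, so every name on that IP without its own SNI entry gets
                  that certificate.
hostname_matches() is the name check that fails with SSL_ERROR_BAD_CERT_DOMAIN.
probe()           does the live comparison with and without SNI (needs network).
"""
import re
import socket
import ssl

# Constructed sample of the netsh layout; hashes and names are dummies. The
# IP:port entry holds the other site's certificate, shop has an SNI entry, and
# blog.example.com (the misconfigured site) has none.
SAMPLE_NETSH = """\
SSL Certificate bindings:
-------------------------

    IP:port                      : 203.0.113.10:443
    Certificate Hash             : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    Hostname:port                : shop.example.com:443
    Certificate Hash             : bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
"""


def parse_sslcert(text):
    """Return a list of bindings; each is a dict keyed by the netsh field names
    plus 'kind' (IP:port or Hostname:port) and 'endpoint'."""
    bindings, cur = [], None
    for line in text.splitlines():
        head = re.match(r"\s*(IP:port|Hostname:port)\s*:\s*(\S+)", line)
        if head:
            cur = {"kind": head.group(1), "endpoint": head.group(2)}
            bindings.append(cur)
            continue
        field = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*)", line)
        if field and cur is not None:
            cur[field.group(1).strip()] = field.group(2).strip()
    return bindings


def resolve_binding(bindings, hostname, ip, port=443, sni=True):
    """The binding HTTP.sys selects for a client reaching ip:port. With SNI it
    tries hostname:port first; without SNI, or when no such entry exists, it
    falls back to ip:port and finally the 0.0.0.0:port wildcard."""
    by_endpoint = {b["endpoint"].lower(): b for b in bindings}
    candidates = ["%s:%d" % (hostname.lower(), port)] if sni else []
    candidates += ["%s:%d" % (ip, port), "0.0.0.0:%d" % port]
    for endpoint in candidates:
        if endpoint in by_endpoint:
            return by_endpoint[endpoint]
    return None


def hostname_matches(hostname, san_dns_names):
    """RFC 6125-style DNS name check: exact match, or a wildcard in the leftmost
    label only (*.example.com covers www.example.com but not example.com or
    a.b.example.com)."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe(hostname, ip=None, port=443):
    """Connect with and without SNI; report whether the presented certificate
    covers `hostname`. The chain is verified but the name is not, so a valid
    certificate for the wrong site is still returned for inspection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    results = {}
    for label, sni_name in (("with SNI", hostname), ("without SNI", None)):
        with socket.create_connection((ip or hostname, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
                cert = tls.getpeercert()
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        results[label] = (hostname_matches(hostname, sans), sans)
    return results


if __name__ == "__main__":
    table = parse_sslcert(SAMPLE_NETSH)
    for sni in (True, False):
        hit = resolve_binding(table, "blog.example.com", "203.0.113.10", sni=sni)
        print("blog.example.com", "with SNI" if sni else "without SNI",
              "->", hit["endpoint"], hit["Certificate Hash"][:8])
```

On the sample table blog.example.com is served from the IP:port entry whether or not the browser sends SNI, which is exactly the wrong-certificate symptom; adding a hostname:port entry for it (what Require Server Name Indication does) fixes the SNI case, while the IP:port entry remains what non-SNI clients receive.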

image

 

In Summary

Starting with IIS 8, scaling SSL certificates has never been easier thanks to Server Name Indication (SNI). The caveat with this increased scalability is that you have to ensure your site's https bindings are set properly by checking the Require Server Name Indication box on every https binding that shares an IP address. If not, your site visitors will be greeted by the Potential Security Risk warning and the SSL_ERROR_BAD_CERT_DOMAIN error. Keep in mind, too, that a client that does not send SNI at all (very old browsers and some scripts and monitoring tools) can only be served from an IP:port binding, so whichever certificate is bound to the bare address is what those clients will see. Thanks for reading!
