How to Set Up Contact Form 7 in WordPress Securely [Beginner’s Guide 2025]

You are probably here to learn how to set up the Contact Form 7 form on WordPress, right?

A contact form is one of the most essential tools on your site, as it allows potential customers to reach you. With over 10 million active installs, Contact Form 7 is the most widely used WordPress contact form plugin.

In this guide, we’ll walk you through the step-by-step process of installing the Contact Form 7 plugin and creating your very first form. We will show you how to quickly set up the basic fields, such as name and email, and ensure the messages go to the right place.

It’s a simple process that will have your form ready in just a few minutes.

The CF7 plugin is fantastic for creating forms, but it is not known for its security features. Leaving your contact form unprotected means you will soon be dealing with annoying spam messages from automated bots.

Fortunately, there is an easy way to add strong security to your new form and keep your inbox clean, which we will discuss later in this article.

What is Contact Form 7?

Contact Form 7, also known as CF7, is the most popular free contact form plugin for WordPress. It has over 10 million active installs and a rating of 4 out of 5 stars. It is known for its reliability, simplicity, and flexibility. Its main purpose is to help you build contact forms without writing any complex code.

The plugin lets you create contact forms with all the fields you need, such as name, email, subject, and message. After you build the contact form in WordPress, it generates a shortcode for each form that you can copy and paste into any page or post to display your form. 

The best thing about CF7 is its simple design. This allows almost anyone to set up Contact Form 7 quickly. The tool focuses on the basics and does those well. You can even extend its functionality with free or paid add-ons, such as the one we will discuss later in this article.

Here is how the standard form looks.

Standard Contact Form 7 layout in WordPress

The back-end looks something like this:

Contact Form 7 plugin back-end interface

How to Create Your First Form Using Contact Form 7 in 2 Easy Steps

To create a form using Contact Form 7, you need to install and activate the plugin. The process is pretty straightforward. Just follow the steps below:

Step 1: Install and Activate the Contact Form 7 Plugin

To set up Contact Form 7, you must first install it on your WordPress site. This is a very simple process that only takes a minute. 

  1. Log in to your WordPress Dashboard (the main control area for your website).
  2. Look in the left-hand menu, click ‘Plugins’, then select ‘Add Plugin’.
WordPress add new plugin screen
  3. In the search box on the right, type “Contact Form 7”.
Searching for Contact Form 7 in WordPress plugins
  4. Find the correct plugin. It appears as the first one, as you can see in the image, and is created by Rock Lobster Inc.
  5. Click the ‘Install Now’ button.
  6. Once the button changes, click ‘Activate’.

You will now see a new menu item on the left side of your dashboard labeled ‘Contact’. This is where you will manage and create a contact form in WordPress going forward.

Step 2: Create a Contact Form

Once the plugin is installed, you are ready to create a contact form in WordPress. CF7 gives you a basic form to start with, but it is easy to customize.

  1. From your WordPress Dashboard, click on the ‘Contact’ menu item.
Clicking the Contact menu item in WordPress dashboard
  2. You will see a list of forms. A form named “Contact form 1” is already created by default. You can edit it by clicking Edit.
Editing a Contact Form 7 form in WordPress
  3. You can change the form’s name at the top. Change it to something clear, like “Main Contact Form.”
Main Contact Form 7 form view
  4. The main tab, labeled “Form,” shows the structure of your form. You can use the buttons above the box (more on these shortly) to add new fields or delete ones you don’t need. For now, the form includes common fields such as Name, Email, Subject, and Message.
Contact Form 7 form fields with labels
  5. Click the blue ‘Save’ button on the right side of the screen when you are happy with the form fields.

You have now completed the second step to set up Contact Form 7 and have a working form structure!

Understanding Contact Form 7 Beyond Basics

Let’s learn a little more about the plugin.

Tags in Contact Form 7

When you create a form, you use “tags” to add different input types. These tags are like placeholders for the information you want to collect. Here are the main fields you can add to your Contact Form 7 form:

  • Text: Used for basic, short answers, like a person’s name or a product title.
  • Email: Ensures the information entered is a valid email address format.
  • Tel (Telephone): Designed specifically for collecting phone numbers.
  • URL (Uniform Resource Locator): For inputting website addresses.
  • Number: Forces the user to enter only numeric input, useful for age or quantity.
  • Date: Lets users pick a date from a small calendar pop-up.
  • Text area: Used for longer messages, comments, or detailed inquiries.
  • Drop-down menu: Provides a list of choices where the user can pick only one option.
  • Checkboxes: A list of options where the user can select multiple choices.
  • Radio buttons: A list where the user can pick only one option from the set.
  • Acceptance: A required checkbox that users must tick to agree to terms or conditions before submitting the form.
  • Quiz: A simple question-and-answer test that helps stop basic spam bots.
  • File: Allows users to upload a file, such as a resume or an image.
  • Submit: The button a user clicks to send the completed form.

How to Set Up the Email Settings in Contact Form 7

The Mail tab is where you specify where Contact Form 7 (CF7) sends form submissions. This area controls the email template WordPress uses to send the user’s message to you when they click “submit.” It is essential to check these settings to ensure you receive your new leads.

You will see several fields that control the email:

  • To: This is the email address that will receive the message. By default, it uses the site admin’s email address.
  • From: This sets the name and email address that the message appears to come from. It often uses your site’s name to help prevent the email from being marked as spam.
  • Subject: This is the title of the email in your inbox. It is helpful to include the user’s subject tag here so you instantly know what the message is about.

The Message Body is the most important part. Here, you use mail-tags (like [your-name] or [your-message]) to insert the actual content the user submitted.

Using mail tags in Contact Form 7 settings

Finally, the Mail (2) option at the bottom is for setting up a second, extra email. This is commonly used as an autoresponder. An autoresponder sends an immediate thank-you email back to the person who filled out the form.

How to Edit Messages in Contact Form 7 

Editing messages in Contact Form 7 plugin

Next, there is the Messages tab.

The Messages tab lets you fully customize all the feedback your form gives to users. These are the important messages people see right after they submit a form, or if something goes wrong with their entry. Customizing these responses makes your website look more professional and helpful.

The messages are divided into different groups for clarity. This includes positive messages like “Sender’s message was sent successfully.” It also covers various security and failure messages. For example, if a submission is “referred to as spam,” the user will see a custom message you set here.

You can also write custom messages for validation errors. These appear if a user misses a required field or enters information in the wrong format (like a date, email, or phone number). You can edit every single message to give clear instructions and helpful, polite warnings to your users.

How to Enhance Contact Form 7 Functionality with Custom Code

Additional Settings tab in Contact Form 7

The Additional Settings tab is usually blank, as shown in the image, but it is a powerful tool for advanced users. This area lets you add custom code snippets to modify how your form works. These special commands control things beyond what is available in the basic form settings.

For example, a common use is adding code to redirect the user to a custom “Thank You” page after they submit the form. It can also be used to add commands for tracking your form submissions with external marketing tools.

If you are not familiar with custom code or programming, it’s better to leave this tab completely blank.

Once you are done with the necessary settings, save the form using the Save button on the right-hand side.

Saving the Contact Form 7 form using the save button

How to Add the Form to any Page or Post in WordPress

After creating the form, you can add it to any post or page you want. There are two ways to do so: either use a Gutenberg block or paste a shortcode wherever you want.

For a shortcode, go back to where you created the form, specifically the Contact tab and its Contact Forms subtab. You will find the shortcode at the top of the form, underneath the name. It is highlighted in blue.

Contact Forms sub-tab in WordPress dashboard

Copy this shortcode and paste it on any post or page.

Copying shortcode from Contact Form 7

And it should work.

Alternatively, you can use the plugin’s Gutenberg block.

Contact Form 7 Gutenberg block in WordPress editor

Select the block, then choose the Form you want to add to the post/page. Since we have only created one, we can see only one in the list.

Selecting the Contact Form 7 block in Gutenberg editor

You have successfully set up and published your contact form. It is now live on your website and ready to collect messages from your visitors. However, once a form is live, it instantly becomes a target for automated spam bots. Before you start collecting real leads, you need to take one final, crucial step: securing it from the junk traffic.

Why is Security Paramount For Contact Forms?

You might think spam is just annoying, but ignoring it has real costs for your business. When you leave a form unprotected, automated programs called “bots” flood your inbox. Dealing with this junk takes time away from real work and actual customers.

Here is what an insecure WordPress form really costs you.

  • Wasted Time: You or your team spend hours sorting through fake submissions to find legitimate ones. This waste of time is a direct cost to your business. A clean inbox lets your team focus on leads that truly matter.
  • Lost Opportunities: Genuine customer questions can easily get buried under hundreds of spam messages. If a potential client waits too long for a reply, you could lose a sale or a valuable partnership.
  • Security Risks: Some spam messages contain malware or phishing links. Clicking one of these can put your entire website and business data at risk. Your form is an entry point, and you must keep it secure.
  • Skewed Data: If your system is full of bot entries, your reports and marketing data become inaccurate. You might think you have many leads, but most are fake, leading you to make bad business decisions.

Experts agree that keeping your spam submission rate below 5% is the goal to maintain clean data and a productive team. Protecting your contact form is a crucial step to ensure your website operates safely and efficiently.

How to Secure a Contact Form 7 in 2 Easy Steps

Now that you know what Contact Form 7 (CF7) is and why form security is so important, it’s time to secure your form! We will begin by installing a plugin that adds two security measures to keep the spam away!

Step 1: Install Anti-Spam Plugin

Now that the form is done, let’s secure it to keep the bots away!

We will do so using CF7 Apps, which has a suite of CF7 extensions, including spam protection for Contact Form 7. To learn more about the plugin, check out its official website.

Let’s start by installing the plugin; the process is identical to installing Contact Form 7 in the previous step.

  1. Navigate to your WordPress admin dashboard and then go to Plugins.
  2. Click Add Plugin and install CF7 Apps by searching for its name in the plugin search bar.
Installing CF7 Apps plugin in WordPress
  3. Once installed, you will see an additional subtab in the Contact tab named CF7 Apps.
Contact tab named CF7 Apps in WordPress dashboard
  4. Navigate to CF7 Apps and enable the two Spam Protection Apps: Honeypot and hCaptcha.
Enabling spam protection in CF7 Apps plugin

Step 2: Configure Spam Protection Apps

Now is the time to protect the form from the bots. 

After both apps are enabled, go back to all forms and edit the form using the Edit button that appears when you hover over it, or create an entirely new form.

Editing Contact Form 7 form in CF7 Apps

This time, you will see two additional placeholders, named after the security features.

Security features available in CF7 Apps plugin

Clicking the Honeypot opens a pop-up with the necessary settings to enable the Honeypot feature.

Enabling honeypot spam protection in CF7 Apps

Set the values with the necessary information. You usually do not need to fill out all the input boxes. Here’s what to put in each:

  • Field type: Select Honeypot. This tells the form builder which field type to generate.
  • Field name: Create a unique name (e.g., honeypot-383 or my-hidden-field). It just needs to be unique for that form so the system can track it. 
  • ID attribute: Leave Blank (or enter a unique ID if needed). This is used for advanced styling or scripting. For a hidden field, you generally do not need it.
  • Class attribute: Leave Blank (or enter a class name if needed). Similar to the previous one, this one is also used for advanced styling, and you do not need it for a hidden field.
  • Wrapper ID: Used to target the entire container around the field for advanced styling. Leave this one blank as well.
  • Placeholder: This is the text that appears in the field to show what to type.
  • Use Standard Autocomplete Value: Keep this one unchecked. Autocomplete suggests values for fields. Since this field must remain empty to pass the spam check, you should leave this unchecked.
  • Enable time check: You can also set a time in seconds. Entries submitted in 4 seconds or less are then treated as bots, because bots fill out the form faster than humans.
Enabling time check spam protection in CF7 Apps

After the settings are done, finish configuration using the Insert Tag button.

This adds a tag to the form that creates a new hidden input field, which traps bots by being visible to them but not to humans.

Here’s how the front end looks. You can see the field when inspecting the page’s code, but a regular visitor won’t see it on the page. Bots, however, are a different story. They will see and fill it out, helping you tell the actual responses apart.

Front-end view of Contact Form 7 on WordPress site
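The two checks configured above (honeypot must stay empty, submission must take longer than 4 seconds) can be sketched server-side as follows. This is an added example, not code from CF7 Apps or Contact Form 7; the `_rendered_at` field, the signed-token format and the key are assumptions made here so that a bot cannot simply forge the render time.

```python
import hashlib
import hmac

# Assumptions (hypothetical, not CF7 Apps internals): key, token format, field "_rendered_at".
SERVER_KEY = b"constructed-demo-key"   # constructed; keep a real key secret and random
HONEYPOT_FIELD = "honeypot-383"        # example field name from the settings list above
MIN_FILL_SECONDS = 4                   # 4 seconds or less is treated as a bot
MAX_TOKEN_AGE = 3600                   # stale tokens are refused to limit replay


def issue_render_token(now: int) -> str:
    """Issued when the form is rendered: the timestamp plus an HMAC over it."""
    sig = hmac.new(SERVER_KEY, str(now).encode(), hashlib.sha256).hexdigest()
    return f"{now}.{sig}"


def verified_render_time(token: str):
    """Return the render time if the signature checks out, otherwise None."""
    if not token.isascii():
        return None
    ts, _, sig = token.partition(".")
    if not ts.isdigit() or not sig:
        return None
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the attacker-supplied signature.
    return int(ts) if hmac.compare_digest(sig.encode(), expected.encode()) else None


def classify(posted: dict, now: int) -> str:
    """Return 'ok' or the reason a submission is treated as spam."""
    if posted.get(HONEYPOT_FIELD, "").strip():
        return "spam: honeypot filled"
    rendered = verified_render_time(posted.get("_rendered_at", ""))
    if rendered is None:
        return "spam: missing or forged time token"
    elapsed = now - rendered
    if elapsed <= MIN_FILL_SECONDS:
        return "spam: submitted too fast"
    if elapsed > MAX_TOKEN_AGE:
        return "spam: time token expired"
    return "ok"


def demo():
    """Run four constructed submissions through the checks."""
    t0 = 1_700_000_000  # constructed render time (Unix seconds)
    token = issue_render_token(t0)
    human = {"your-name": "Ana", HONEYPOT_FIELD: "", "_rendered_at": token}
    filled = dict(human, **{HONEYPOT_FIELD: "http://spam.example"})
    forged = dict(human, _rendered_at=f"{t0 - 60}.deadbeef")  # backdated, bad signature
    return [
        classify(human, t0 + 25),
        classify(filled, t0 + 25),
        classify(human, t0 + 2),
        classify(forged, t0 + 2),
    ]


if __name__ == "__main__":
    print(demo())
```

The forged case is the one a plain hidden timestamp would miss: a bot that backdates the value passes the time check unless the server can verify it issued that timestamp.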

For ultimate bot protection, you can also enable hCaptcha. Some even call it a more secure version of Google’s reCAPTCHA. However, neither is strictly “better” than the other, and the choice comes down to personal preference and requirements.

For that, go to hCaptcha’s website and register your website. Afterward, it will assign you a unique site key and a secret key, which you must add to the respective input boxes in the plugin’s settings.

HCaptcha settings in CF7 Apps plugin

Once done, navigate to the form again, place the insertion point where you want the hCaptcha box to appear, and click the hCaptcha tag.

Similar to the Honeypot, you will see a pop-up with additional settings, including:

  • Field type: Select hCaptcha. This tells the form builder to use the hCaptcha security challenge.
  • Field name: Use the default unique name (e.g., cf7apps_hcaptcha-144). It just needs to be unique for that form so the system can track it.
  • Error message: Enter a custom message (e.g., “Please complete the security check.”) This is the message that displays if the user fails to solve the puzzle or if the check expires.
  • Language: Choose Default or a specific language (e.g., English, Spanish). This controls the language shown in the hCaptcha puzzle box.
  • Size: Select Normal or Compact. It refers to the physical size of the hCaptcha box that appears on your form. Normal is the standard size.
  • Custom CSS: Leave blank. CSS (Cascading Style Sheets) is the code used for advanced visual styling. You only need to add a class here if you have custom styling rules for the hCaptcha box.
  • Theme: Choose from Light or Dark as your preferred theme.

Once done, click the Insert Tag button.

And there you go!

Clicking the insert tag button in Contact Form 7
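What the two keys are for, as an added example (not CF7 Apps code): the site key is public and ships in the page, while the secret key stays on the server and is used to confirm each submitted `h-captcha-response` token with hCaptcha's siteverify endpoint. The function names, the injectable `post` transport and the sample replies are assumptions constructed for this sketch.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://api.hcaptcha.com/siteverify"


def _post_form(url: str, fields: dict) -> dict:
    """Default transport: POST form-encoded fields and decode the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    request = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(request, timeout=5) as resp:
        return json.load(resp)


def verify_hcaptcha(token, secret, expected_host, post=_post_form):
    """Return (passed, reason) for the h-captcha-response value of one submission."""
    if not token:
        return False, "no token submitted"
    try:
        reply = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    except Exception as exc:
        # Network or parsing failure: fail closed instead of accepting the form.
        return False, f"verification unavailable: {type(exc).__name__}"
    if reply.get("success") is not True:
        return False, "rejected: " + ",".join(reply.get("error-codes", ["unknown"]))
    if reply.get("hostname") != expected_host:
        # A valid token solved on another site must not unlock this form.
        return False, "token was solved on a different hostname"
    return True, "ok"


def fake_siteverify(replies: dict):
    """Constructed stand-in for the network call, keyed by token, for offline runs."""
    def post(url, fields):
        return replies[fields["response"]]
    return post


def demo():
    """Check three constructed tokens against constructed siteverify replies."""
    replies = {  # constructed sample replies
        "tok-good": {"success": True, "hostname": "example.com"},
        "tok-bad": {"success": False, "error-codes": ["invalid-input-response"]},
        "tok-elsewhere": {"success": True, "hostname": "other.example"},
    }
    post = fake_siteverify(replies)
    secret = "PLACEHOLDER_SECRET_KEY"  # placeholder; never embed the real key in pages or JS
    return [verify_hcaptcha(t, secret, "example.com", post) for t in replies]


if __name__ == "__main__":
    for result in demo():
        print(result)
```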

Troubleshooting: Why Are Contact Form 7 Emails Not Sending?

This is the most common problem people have after setting up a contact form. When you use Contact Form 7 (CF7), the messages rely on the default email system built into your WordPress website. This basic system is often weak and is not designed to send reliable emails. Because of this, many popular email services like Gmail or Outlook see these form emails as fake or spam, and they simply throw them away.

The solution to this delivery problem is using a dedicated email sender. You need an SMTP (which is short for Simple Mail Transfer Protocol) plugin, such as Post SMTP. This type of plugin takes your form submissions and sends them through a reliable, external email service. It completely bypasses the unreliable WordPress default system.

Using an SMTP plugin ensures that your important leads and customer messages land safely in your inbox every single time. It is a necessary step for any website that relies on form submissions for its business.

Keep the Spam Away From Your Form with CF7 Apps!

Spam is an annoying problem, but you do not have to live with it. By using smart anti-spam tools like the Honeypot and hCaptcha, you can save time and keep your inbox clean.

The Honeypot works silently in the background. It catches bots without bothering real people. If you need a stronger defense, adding hCaptcha gives you an extra layer of protection using a quick image puzzle. Setting up these features with CF7 Apps is quick and easy; all it takes is a few clicks!

Take control of your inbox and focus on real leads. Download CF7 Apps now to activate Honeypot and hCaptcha on your Contact Form 7 forms!

Frequently Asked Questions

What does Contact Form 7 do?

Contact Form 7 (CF7) is a widely used contact form plugin for WordPress, currently active on over 10 million websites. It is a simple tool that helps you create and manage various types of forms on your website, such as a basic contact form, without writing complex code.

How to use CAPTCHA with Contact Form 7?

To use a CAPTCHA (an abbreviation for Completely Automated Public Turing test to tell Computers and Humans Apart) like hCaptcha for spam protection with Contact Form 7, you need a Contact Form 7 extension like CF7 Apps. After installing the add-on, you go to the hCaptcha website to register your site and get a Site Key and a Secret Key. Paste these two unique keys into the CF7 Apps settings, and your hCaptcha will be up and running.

Is CF7 free to use?

Yes, the core Contact Form 7 plugin is 100% free to download, install, and use from the official WordPress directory. The free version allows you to create unlimited forms with basic fields and integrates with free services like Akismet. However, advanced features such as visual drag-and-drop builders, conditional logic, and more specialized anti-spam options often require separate, third-party add-ons, which may be free or paid.

How does a Honeypot stop spam bots?

Honeypot works by adding a hidden field to your contact form that only automated spam programs (bots) can see. A real user does not see this field and cannot fill it out, so it remains empty on a legitimate submission. Since spam bots automatically try to fill every field, if the hidden Honeypot field contains any information when the form is submitted, the submission is immediately rejected as spam.

How to use Honeypot with Contact Form 7?

To use a Honeypot on a Contact Form 7 form, you first need to install a security add-on, such as CF7 Apps, since the core plugin does not include this feature. Once the add-on is active, create a form and click the Honeypot button to insert the hidden field. This field is invisible to human users but is visible and filled out by bots, allowing the system to spot and block automated spam submissions easily.
