Safe Signup Form

Description

Safe Signup Form is a Wordpress Plugin that will forward a form submission to an email address, while preventing most automated attacks.

To do this it leverages Elliot Back’s WP Hashcash — an elegant anti-spam engine that uses javascript to determine if the form is submitted by a robot or a Web browser.

An administration page provides three options for handling submissions identified as spam:

  1. Delete spam submissions.
  2. Flag spam submissions (and forward them anyway).
  3. Forward without flagging.

The basic plugin offers a simple name and email form, but the php can be easily modified to incorporate any number of fields.

You can download Safe Signup Form here.

Safe Signup Form uses XHTML compliant code and has been tested in Wordpress 2.7 through 2.9.1, MSIE 7 and 8, Firefox 3 and 4, and Safari 3.

Installation

  1. Upload ddf-signup.php to the wp-content/plugins directory of your Wordpress install.
  2. Activate the plugin through the Plugins menu in Wordpress.
  3. View the Secure Form - Signup page under Plugins to set options for presentation, spam handling, validation, and other options. The Secure Form - Signup page also provides statistics on the number of spam vs. total submissions.
  4. To add a form to a page either create a template with the php function: <?php ddfs(); ?> or enter the shortcode [ddfs] in any post or page content.

IMPORTANT: If you are using WP Super Cache, changes you make using the Secure Form - Signup page may not appear. If this happens, edit and republish the page that presents the form.

Frequently asked questions

Q. I can’t get the form to send me an email.

A. The form should pick up the default admin email associated with your install of Wordpress. To change it go to the Safe Signup Form page under Plugins in the Wordpress Admin tool (you may need to log in as “admin”). You can then change the “forwarding email” value.

Since the forwarding email is generated by a script it may be blocked by your email server or filtered as junk mail by your email program. Check any spam or junk mail folders at the local and server level.

Q. Can I automatically forward an email confirmation to the user?

A. Not yet. I did not include automatic email confirmation because of the security implications — it allows a form to become a conduit for spamming third party addresses. The HashCash technology stops most robotic spam attacks, but human spammers could take advantage. I may add email confirmation as a option to a future version.

Q. Can I add additional fields?

A. The only way to add fields is to directly edit the plug-in PHP. If you know HTML and a little PHP this isn’t too difficult.

There are three places in the code where a new form field is defined or processed. First, in the ddfs_install() function its validation rule should be entered in the $options['error-rules'] array. Second, also in the ddfs_install() function, its label, if any, should be entered in the $options['forward-labels'] array. Finally, in the ddfs_form_display() function, the form markup must be entered in the $form array where the key matches that entered in ddfs_install().

Q. How do I change the appearance of the labels, fields and messages?

A. You can create the formatting you want by editing the “Custom Styles” option at the bottom of the Secure Form – Signup page. The default CSS is:

div.ddf label { padding-right: 0.5em; }
p.intro { font-style: italic; }
p.error { color: #ff0000; }
p.success { font-weight: bold; }

To stack labels over the fields, change div.ddf label to:

div.ddf label { display: block; }

To align fields to the right of the labels, you can try something like:

div.ddf label { display: block; float: left; width: 12em; }

Experiment with CSS and you should be able to get the format you like.

Have a question? Please use the comment form and I will do my best to respond.

Changelog

1.1

  • Updated code to use localization (translation) functions for both admin and output.
  • Corrected the “Error-spam flag” and “Error-spam cancel” fields to allow HTML tags.
  • Added a “Compliant XHTML” admin option that places plugin javascript and CSS into the header of each page rather than into the body of the local page.
  • Corrected a bug with the form action value that caused problems with calling the plugin from a template outside of The Loop

Upgrade Notice 1.1

This upgrade corrects several minor bugs and provides an option for compliant XHTML output. Use it if you want to call the plugin from a template outside of The Loop, desire XHTML compliance, want to format error messages, or want to localize the plugin.

Test the form

You can try out the form below. This is a dummy version and does not email to a live account. Try it with and without javascript enabled on your browser to see the spam response.

Please provide the information requested below. We will use your email only to communicate with you. We will not share it with anyone else for any reason.

Donate

Safe Signup Form is free, but any small donation is appreciated.

Comments

Hi. Integrated your form but it doesn’t send e-mail. Not sure what to check…

Posted by by Gene on May 4, 2009 at 5:59 pm  

The form should pick up the default admin email associated with your install of Wordpress. If it doesn’t, or if you want to change it, go to the Safe Signup Form page under the Plugins option in the Wordpress Admin tool (you may need to log in as “admin” to see it). You can then change the “forwarding email” value.

There is the possibility that since the email is generated by a script that it is being blocked by your email server or filtered as junk mail by your email program.

Posted by by Henry on May 4, 2009 at 8:02 pm  

Hi Henry

I installed your form and like what I see so far, however, it doesn’t send an email confirmation to the new user. I tested it out and received an email (as the admin) announcing the new user, but the new user email did not receive the Confirmation email.

Any suggestions?
Thanks

Posted by by Matt on May 31, 2009 at 5:18 pm  

This is where the form is.

Posted by by Matt on May 31, 2009 at 5:20 pm  

I did not include automatic email confirmation because of the security implications — it allows a form to become a conduit for spamming third party addresses. The HashCash technology stops most robotic spam attacks, but human spammers could take advantage.

Still, the risk of this is probably pretty small. I will add auto confirmation as an option for the next version.

Posted by by Henry on June 1, 2009 at 10:27 am  

Hi Henry

We have uploaded the sign up plugin to our wordpress blog

On para 4 you said the following:

To add a form to a page either create a template with the php function: or enter the shortcode [ddfs] in any post or page content.

Could you please advice how can we create this template, what is the code and where to we add it?

Thanks so much for your assistance

Sharon Gilor

Thanks for

Posted by by Sharon on August 4, 2009 at 6:59 am  

Hi Sharon,

The easiest method for adding the form is to use the shortcode.

Simply create a new page or blog post through the Wordpress Admin interface. Then, in the Wordpress editor, add the shortcode [ddfs] wherever you want the form to appear. When you publish the page or post the shortcode is replaced by the full form.

For information on creating a custom template for a Wordpress Page, see this article in the Wordpress Codex. A discussion of Page Templates starts about halfway down.

If you place the Safe Signup Form php function in a template it appears any time you use that template to create a page.

To summarize — the shortcode is designed to be used within the Wordpress editor and can be added to any page or post. The php function is designed to be used within a custom template within your Wordpress theme.

Posted by by Henry on August 4, 2009 at 8:54 am  

Hi Henry

Thanks so much for your prompt and detailed response.

I will try it out and see how it works

Best Regards
Sharon

Posted by by Sharon on August 4, 2009 at 3:21 pm  

Great plugin, but it is wreaking havoc with W3C XHTML 1.0 Transitional validation. The validator doesn’t like the free-floating < and & in the php. I tried encoding those, but that broke the functionality. Any tips? I’m using the form for the email sign-up in the sidebar of this site: work in progress site

Posted by by Kelly on September 24, 2009 at 12:20 pm  

Hi Kelly,

Thanks for the comment. I do place Javascript calls in the HTML which won’t validate. There is a Wordpress method for loading Javascript code into a page header that gets around this (Elliot Back uses it for WP Hashcash). The problem is that this approach loads the Javascript into every page and/or post on the site. It also doesn’t initialize the Javascript functions until the page finishes loading.

I’m a believer in valid code, but weighing the costs and benefits I decided to group the form and the Javascript together — this makes the form more portable and more responsive. For better or worse, this technique is becoming more common on the Web with the spread of AJAX applications.

I will look at adding an option to use a valid approach in the next version.

Posted by by Henry on September 25, 2009 at 8:49 am  

How do I add additional fields?
I want to add a multi-line comment field. Can I do this?
Is there a way to have the data entry area of the fields line up?

Posted by by Martin on December 24, 2009 at 3:48 pm  

great plugin? one question: is it possible to format the plugin so the name of each text box appears above the box so the alignment of boxes are symmetrical?

Posted by by steven adjmi on December 27, 2009 at 10:42 am  

Hi Martin,

The only way to add fields is to directly edit the plug-in PHP. If you know HTML and a little PHP this isn't too difficult.

There are three places in the code where a new form field is defined or processed. If, for example, you want to add a form field named “ddfs-msg”, you would do the following:

After Line 75: Insert the name of the field and a flag for how it is validated — generally either 'r' for required or 'o' for optional. For example:

'ddfs-msg' => 'o'

After Line 81: Insert a label that identifies the field value in the forwarded email. For example:

'Message' => 'ddfs-msg'

After Line 420: Insert the HTML code for the field: For example:

'ddfs-msg' => '<p><label for=”ddfs-msg”>' . __('How can we help you?', 'ddfs') . '</label><textarea name=”ddfs-msg” id=”f-ddfs-msg” tabindex=”18″>' . htmlentities($_POST['ddfs-msg']) . '</textarea></p>'

(In each case, remember to add a comma to the line above so you don't break the array).

By repeating these steps you can add as many fields to the form as you want.

After editing the form, you need to upload it to your plugins folder. Rename the old one so you can recover it if necessary. Then you need to to deactivate and reactivate the plugin.

Posted by by Henry on December 28, 2009 at 10:59 am  

Hi Steven (and Martin)

You can create the formatting you want by editing the “Custom Styles” option at the bottom of the Secure Signup Form options page. The default CSS is:

div.ddf label { padding-right: 0.5em; }

To stack the labels over the form elements, change this to:

div.ddf label { display: block; }

To line up the fields to the right of the labels, you can try something like:

div.ddf label { display: block; float: left; width: 12em; }

Experiment with CSS and you should be able to get the format you like.

Posted by by Henry on December 28, 2009 at 11:15 am  

Just curious if you can help with the email notification. I have input my email address into the admin back end and I filled out the form 3 times but I am not receiving anything. I have check my inbox and junk mail. Just curious if there is a way to hard code the email into the php.

Thanks, great plug in.
Kevin

Posted by by Kevin Hester on January 10, 2010 at 6:03 pm  

Hi Kevin,

Since the forwarding email is generated by a script it may be getting screened out by your ISP before it gets to you. If your ISP has a webmail feature you could check there for a spam folder.

If you want to hardcode in an email address, a quick and dirty way is to directly assign the $mailto variable in the code. For example:

$mailto = “henry@henrywoodbury.com”;

After editing the plugin file, you need to upload it to your plugins folder. Rename the old one so you can recover it if necessary. Then you need to to deactivate and reactivate the plugin.

Posted by by Henry on January 10, 2010 at 8:33 pm  

I implemented the form and it worked brilliantly. However since then I have amended CSS and added new javascript files. Now it doesn’t seem to work. I’ve even tried to add it to one of the default templates and it still won’t work. I have reinstalled it also.

Sorry if this sounds like a moan as its an excellent little plugin.

Posted by by Rick on January 11, 2010 at 7:06 am  

Hi Rick,

The only thing I can think of is that your new CSS or Javascript has created a naming conflict. The Plugin reserves a Javascript function named ddfs_hc() and looks for unique element ids that start with f-ddfs-.

If you have a URL you can post I can take a quick look at the source.

Posted by by Henry on January 11, 2010 at 12:34 pm  

Hi Henry

Url is http://www.webmanchester.com/curious/

Thanks

Posted by by Rick on January 12, 2010 at 5:28 am  

Hi Rick,

Sorry, I couldn’t find anything. I tested this page with the js libraries you use and the form still worked. I also tested it on Wordpress 2.9.1 successfully. I didn’t see anything in the CSS or XHTML that would conflict with the form.

Posted by by Henry on January 12, 2010 at 3:01 pm  

Thanks for checking. It looks as though the code is not triggering the following:

Line 521: if (isset($_POST['ddfs-flag'])) {

Don’t know if that helps. Could it be anything to do with permalinks?

Posted by by Rick on January 12, 2010 at 5:30 pm  

Fixed it!

Changed Line 561:

$ddfs .= “\n”;

To:

$ddfs .= “\n”;

Posted by by Rick on January 13, 2010 at 6:30 am  

Last post seems to have stripped out code. Basically I deleted ” . get_permalink() . ” from line 561.

Sorry for clogging up the comments.

Posted by by Rick on January 13, 2010 at 6:31 am  

Not to worry. I appreciate the feedback. I found a thread on Wordpress that indicates that get_permalink() may not always be predictable, so I will follow this up.

Posted by by Henry on January 13, 2010 at 10:16 am  

Post a comment