
Version 5.81   Updated Monday, June 4th, 2018 at 12:12pm

Secure Form Mailer Plugin For WordPress

This is the WordPress plugin version of my secure PHP form mailer script. This plugin has a wide range of features including: Support for multiple instances, an easy to use dynamic form generation system (any number of fields, in any order), multiple recipients, multiple file attachments, optional auto reply feature, an image verification system, numerous security features (including protection against email header injection), a message template system, multiple languages, and too many other things to list. This plugin was designed to be easy to use, while still being extremely flexible. If you just want a simple contact form, you can set one up with just a few clicks. For those of you who need something a bit more advanced, you can completely customize the plugin to fit your needs – whether it is 5 fields or 500. A non-WordPress version is also available. reCAPTCHA v2 support has also been added, as well as support for storing the data in a delimited file.

You can see a very basic implementation of the WordPress plugin version of this script on this site’s contact page.

Notice: non-WordPress Users

Information on the PHP version of this script


As of the latest release, this script contains language files for:

English, Belarussian, Brazilian Portuguese, Catalan, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Italian, Japanese, Norwegian Bokmaal, Polish, Portuguese, Romanian, Russian, Slovak, Slovene, Spanish, Swedish, Turkish, Vietnamese

If you would like to submit a language file please contact me.

WordPress vs PHP Versions

To make things easier to find, the two versions of this script share much of the same documentation. While the basic features are the same, there are several differences, so be sure to reference the proper page.



Since both the WordPress and non-WordPress versions of this script are updated together, the changelog below reflects both versions.

  • 06-04-18 – v5.81 reCAPTCHA v2 support!
  • 07-05-09 – v5.8 Added Estonian language. Added code to check for duplicate field names. Can now use commas in checkbox descs. Fixed garbled auto-reply messages. Adjusted the displaying of uploaded file names in the email message. mb_encode_mimeheader error in WP fixed. Other adjustments to email headers. Added ‘id’ declaration to select boxes. Fixed incorrect example code in the instructions. Other minor changes.
  • 02-22-09 – v5.7 Fixed issues regarding the saving of attached files, data selection values not being recorded, and various minor fixes. Inline styles have been removed from the two field items that contained them. Tested and works in WordPress 2.7.1
  • 10-19-08 – v5.6 Added javascript date chooser field. Added html code field. Adjustments for better character set support. Fixed bug with spaces in selrecip. Commas can now be used in check boxes, radio buttons, and select boxes (see field info below). Timestamp option added for saving to data file. New email validation code (from http://code.google.com/p/php-email-address-validation/). WP Specific updates: Instances listed on main settings page – with descriptions of each instance (more info below). Updated display of options pages. Better support for multiple forms on one page. New language added: Vietnamese
  • 09-18-08 – v5.51 Captcha now displays properly in Safari and Chrome. All of the auto-reply issues should now be resolved. Few changes to headers for compatibility. The path for language files should now be auto-detected properly in all cases
  • 08-24-08 – v5.5 Fixed various undefined index errors, code changes to improve xhtml validity, attachments can now be saved to the server (not just emailed), improved email header handling for language support, can now show url (of form) in message, fixed issue with required select boxes, added Belarussian, Czech, and Japanese languages, clickable labels for radio and checkbox items, and various other fixes.
  • 05-13-08 – v5.41 Added support for saving form data to a delimited file. Fixed a few issues including the loading of reCAPTCHA files, and attachment support.
  • 11-25-07 – v5.4 Added support for ReCaptcha, manual form code entry, 5 new languages (Catalan, Danish, Polish, Romanian, and Turkish), several html and css tweaks, and other misc. updates.
  • 07-27-07 – v5.33 Few minor bugs fixed. Finnish language file added.
  • 07-08-07 – v5.32 Error messages affecting form alignment issue resolved. Italian and Slovak language files added.
  • 06-18-07 – v5.3 ‘undefined index’ errors fixed, image verification adjustments, p tags removed from fieldsets, changes to help html validity, various other fixes.
  • 05-09-07 – v5.25 ‘Thank you’ message now allows for form field inputs as well.
  • 05-08-07 – v5.24 Auto-reply message now allows for form field inputs. Language selection issue resolved. str_replace errors (on certain servers) fixed. Norwegian Bokmål language file added.
  • 05-01-07 Not a version update. Greek and Swedish language files added.
  • 04-18-07 – v5.23 Renamed email verification function (to fix conflicts with other scripts). The GD check is now disabled if you are not using image verification. Added two new language files – Portuguese and Russian.
  • 04-18-07 Not a version update. Brazilian Portuguese language file has been added.
  • 04-03-07 – v5.22 Email generation code has been modified to try to work with more servers. French language file has also been updated.
  • 03-28-07 – v5.21 Highly recommended update – Fixed an issue with the verification code not being handled properly. Nothing else has been changed.
  • 03-25-07 – v5.2 Email generation improved – should work better in more email clients. Many issues with message generation and field types have been fixed. Better support added for field requirement options. CSS for various fields updated. Issue with submit button fixed. Dutch and French language files added. Checkbox and drop-down issues resolved. Email verification method improved. Undefined index errors fixed, and much more. Be sure to read the updated instructions for the field types.
  • 03-13-07 – v5.1 Lots of updates: Slash escaping has been improved, p tags are now added around form elements, each form instance can have its own language setting, the language selection issue has been fixed, improved foreign character support in messages, check box handling improved, and a new optional auto reply feature has been added.
  • 02-06-07 – v5.0 This is a major update from version 4, and because of this, I have completely re-written this page, and removed the old changelog to save space.


  • 1) Download and uncompress dd-formmailer-wp.zip
  • 2) Upload the entire dd-formmailer directory to your WordPress plugins directory
  • 3) Activate the plugin
  • 4) Configure your options (explained below)
  • 5) Add the form to your page (explained below)

Quick and Basic Configuration

While this plugin is highly configurable, some of you may just want to get up and running quickly with a simple (and secure) contact form. If so, these are the minimum configuration changes you must make:

Create a new WordPress page, and type in the trigger text:

<!-- ddfm1 -->

Important: Make sure you add this using the html/code editor in WordPress, not the visual editor. In new versions of WordPress, just click the ‘html’ button above the edit box. If you use the visual editor it will not work, as the actual code you entered will be seen on the page, instead of being processed by the script.

Under Options -> DDFM1, fill in the following options:

Instance Description – This is a brief description of what you are using the instance for. All instances, and their descriptions, are listed on the main (DDFM-Main) options page, so you can easily keep track of them.

Contact page – Enter the full URL of your newly created contact page.

Recipients – Enter your email address.

Click Update options and you are finished! If you would like to learn more about the other features of this plugin, please continue reading.

Initial Configuration

After activating the plugin, you will have a new options page in the admin panel – DDFM-Main. These are the settings that apply to all instances of the plugin:

Instances – The number of contact forms this plugin will generate. If you just need a single contact form, leave this set to 1.

Current Instances – This is a list of the instances you currently have activated. It also displays the description for each instance. You can easily navigate to a particular instance from this page.

Image Verification Method – There are three choices for image verification. It can be disabled, you can use the script’s built-in system (a simple captcha – requires GD support on the server), or you can use the reCAPTCHA system (requires signing up for a free account)

Basic Method Options – If using the basic image verification method, you can choose the text and background color for the image (3 or 6 digit hex codes). By default, the script will try and choose the best file format for the verification image, but if it gives you any problems, you can manually specify the format to see what works best for your server.

reCAPTCHA Method Options – If using the reCAPTCHA image verification method, you must enter the public and private keys given to you at the reCAPTCHA website. These are used to generate the verification form.

A ‘Load Default Options’ button is available if you wish to reset the settings on this page.

Each instance you create will have its own options page – DDFM1, DDFM2, etc. This is where you configure the settings for each individual form. These settings are listed below.

Form Configuration

These are the settings found on the options page for each instance:

Language – The language you want to use. To create a new language, simply duplicate the existing English.php file (in the plugins lang subdirectory), give it a new name, and edit it for your language. It will then automatically appear in this list (after reloading the page).

Contact page – This is the full URL of the page the form is actually going to be displayed on.

Recipients – If sending to a single recipient, all you have to do is enter the email address. This plugin supports multiple recipients, including CC and BCC, and even a drop-down box for recipient selection. Information on these configurations can be found further down on this page.

Form Structure – This is where you define the fields that will be used on this form. There are a lot of options available for this, and they will be explained further down as well.

Manual Form Code – This is a very advanced option that has its own section on this page.

Sender name, Sender email, and Email subject – These options help generate the email headers. If you enter a field name, it will be replaced by user input from that field. For example, if you have a form field called fm_name and you use that as the Sender name option, the visitor’s name will be used as the From field in the email. You can also combine them. If you have a field called fm_firstname and fm_lastname you could enter ‘fm_lastname, fm_firstname’ – For the Sender email option, just use your email field.

The Email subject option works the same way. For example, you could enter ‘Contact: fm_subject’ and it will use the subject that the visitor entered, with the ‘Contact:’ prefix.

Message Structure – This feature is optional. If left blank, the script will generate the email message itself, which will include all the data the visitor submits. If you choose to use this option, it will act as the message template. Simply enter your custom text, including your field names. When the message is generated, the field names will be replaced by the user input from those fields. Note: Since the script will just do a search and replace for field names, be sure they are unique enough. Example: A check for fm_message2 would also get triggered by fm_message when the script adds in the input.

Auto Reply – This is an optional feature that allows you to automatically send a pre-defined message back to those who contact you. More information on this is below.

Success Message – This is the text that is shown after the email has been sent. You can also use field names in this, and the user input from those fields will be used to generate the message.

Save attachments – If enabled, attached files will be saved to a directory on the server instead of attached to the email.

Save attachment path – Where files will be saved, if ‘save attachments’ is enabled. This is the full path on the server, with a trailing slash. Directory must have write permissions. Example: /home/user/public_html/uploads/

Show required – If enabled, required fields will be marked with an asterisk.

Show URL – If enabled, the URL the script is running from will be added to the message

Show IP and Hostname – If enabled, the visitor’s IP and hostname are added to the message.

Wrap messages – This option wraps message lines to 70 characters to comply with RFC specifications.

Max upload size – This allows you to set the maximum file size (in bytes) for attachment uploads. This option only applies if the setting is lower than the value already set in your php.ini file.

Save Data to File – When enabled, the form input will be saved to a delimited file.

Still Send Email – When using the delimited file feature, this option determines whether or not the script still sends the email.

Data Path – The path to the file the data will be written to – relative to the script’s directory. Be sure to give this file write access.

Delimiter – Fields will be separated by this character. If this character is found in the actual data, it will be removed for simplicity.

Newlines – Newlines in input, such as text areas, will be replaced by this, to keep the data on a single line in the file.

Timestamp – Adds the date/time to the beginning of each line in your data file. This uses the PHP date format. Leave blank to disable.

The option page for each instance also has a ‘Load Default Options’ button.
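The Sender name, Email subject and Message Structure options all substitute visitor input for field names, so the substitution has to keep line breaks out of header values and must not let fm_message match inside fm_message2. The following is an added example, not the plugin's own code: the function names are hypothetical, the submission is constructed, and it assumes PHP 7.0 or later.

```php
<?php
// Added example, not the plugin's code. Field names follow the page's
// examples; the function names are hypothetical.

/** Collapse CR, LF and other control characters so a value stays on one header line. */
function header_safe(string $value): string
{
    return trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
}

/** Expand field names in an option string such as 'Contact: fm_subject'. */
function expand_fields(string $template, array $input, bool $forHeader = false): string
{
    $map = [];
    foreach ($input as $field => $value) {
        $map[$field] = $forHeader ? header_safe($value) : $value;
    }
    // strtr() with an array tries the longest keys first and never rescans
    // text it has already substituted, so fm_message cannot match inside
    // fm_message2 and submitted text cannot pull in another field's value.
    return strtr($template, $map);
}

/** Sequential search and replace, shown only to reproduce the collision. */
function expand_fields_naive(string $template, array $input): string
{
    foreach ($input as $field => $value) {
        $template = str_replace($field, $value, $template);
    }
    return $template;
}

// Constructed sample submission: the name field contains a line break
// followed by what would become an extra header line.
$input = [
    'fm_name'     => "Mallory\r\nBcc: list@example.net",
    'fm_email'    => 'visitor@example.org',
    'fm_subject'  => 'Question',
    'fm_message'  => 'First message',
    'fm_message2' => 'Second message',
];

// Header values are expanded with control characters removed.
$from_name = expand_fields('fm_name', $input, true);
$subject   = expand_fields('Contact: fm_subject', $input, true);

// FILTER_VALIDATE_EMAIL rejects addresses that contain line breaks.
// The fallback address is a placeholder.
$from_addr = filter_var($input['fm_email'], FILTER_VALIDATE_EMAIL) ?: 'noreply@example.org';
$headers   = 'From: "' . addcslashes($from_name, '"\\') . '" <' . $from_addr . '>';

// Message template with two field names, one a prefix of the other.
$template = "First: fm_message\nSecond: fm_message2";

echo $headers, PHP_EOL;
echo 'Subject: ', $subject, PHP_EOL, PHP_EOL;
echo "Sequential replace:\n", expand_fields_naive($template, $input), PHP_EOL, PHP_EOL;
echo "Longest-first replace:\n", expand_fields($template, $input), PHP_EOL;
```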

Other Configuration Options

With the exception of the text defined in the options pages, all text visible to the visitor is contained within the language file.

Visual changes to the form can be made in the included CSS file. The class names used in the examples below already exist within the CSS.


To show the form on your page, simply add the trigger text (followed by the instance number) to your page, just like you would any text. The trigger text for instance 1 is shown above under Quick and Basic Configuration.

For those of you who want to display the form directly from a template file, you can use the following code:

generate_data(); ?>

(where ‘1’ is the instance number)

Advanced Recipient Options

As mentioned above, if you want to send the messages to a single recipient, just enter the email address in the recipients field. To send to multiple recipients, separate the addresses with a | (pipe) character, and use one of the following prefixes for each: to= cc= bcc=



You can have as many of each type (to, cc, bcc) as you like, and they can be in any order, although the first one in the list is always the primary recipient, and must use to=

For those of you who want to let the visitor choose the recipient from a drop-down box, first you must enter selrecip in the recipients field. Then you must add a new line in the form structure box. Example:


The type must be selrecip, but you can use whatever you like as the CSS class, and label. The first item in the data parameter is the default (unselected) option. After that are the names and email addresses. You can add in as many as you like – just keep them in the proper order (name,email,name,email,etc..). Only the names are visible within the HTML for privacy reasons.

The ‘(select)’ item is the default selection, which the user must change to submit the form. You can change the ‘(select)’ text if you choose.

Advanced Form Structure

This plugin uses a dynamic form generation system, which means that by simply adding a new line to the form structure, you will have a new field in your form. You can have as many fields as you like, and in any order. The only field type that you must absolutely have is the verify field if you are using the image verification option. All of the fields are explained below, with examples. Separate each field type with a single newline in the form structure option. (Some of the examples below are a bit long, so they are wrapped to the next line – be sure that the only newlines are after each field type when adding them to your form structure.)

These are the different parameters that apply to most of the field types (Special exceptions and parameters unique to a particular field are listed under each field type):

  • type – This tells the plugin what type of field you are adding.
  • class – The CSS class used to style the field. The classes used in the examples below already exist in the CSS file.
  • label – Text that is shown next to the field.
  • fieldname – The name of the form field (must be unique).
  • max – Maximum number of characters allowed.
  • req – (OPTIONAL) If you want to require a field, set this to true. If not, do not add it.
  • default – (OPTIONAL) This allows you to specify the default value of a field.


This is a standard text input field.


The text field type has a special parameter – ver – which can be used to verify the input. You can choose email (which checks that the input is a proper email address) or url (which checks that the input is not only a proper URL, but that it actually exists). If you do not want to use either validation option, do not add this parameter.


default=Enter your age! 


This is a javascript pop-up date chooser.


This field type generates a text box with a calendar icon next to it. The user can enter a date manually, or click on the icon to see a small calendar that they can choose a date from.

To change this image, just replace calendar.gif in the script directory. Either give your file the same name, or search and replace the name in the script file.


type=date|class=fmdate|label=Event Date|fieldname=fm_date|req=true 


This field type lets you insert html, or other code, anywhere in your form.






This is a standard password field. It is exactly like a text field, except it shows asterisks when the user types.


The password field type also has a special parameter – confirm – which, if set to true, duplicates the password field, so that the visitor has to confirm their input. If you do not want to use this, do not add the confirm parameter.



type=password|class=fmtext|label=Secret Word|fieldname=fm_secret|max=100


This is a standard text area, for multiple lines of text.


The textarea field type has a special parameter – rows – which defines the number of rows in the field (required for valid html).




rows=10|req=true|default=Type here!


This is exactly the same as the standard textarea, except that it’s wider, and the label is above it instead of to the side.




* Note that the normal textarea, and wide textarea fields use a different CSS class for formatting.


This field is required if you are using the basic verification method. It does not apply if you are using the reCAPTCHA method. It is used for placement of the verification image (and associated text box) in the form.





These are not standard form fields, but simply a way you can add text to your form. The full block is as wide as a wide textarea, while the half block is aligned with other standard fields. You can use basic HTML in your text if you like.



type=fullblock|class=fmfullblock|text=This could be some sort of 
introduction message.

type=halfblock|class=fmhalfblock|text=This could be used to explain a field 
in greater depth.


These do just what the name implies – they open and close a fieldset in your form so you can help group fields together. It also allows you to specify a legend for the fieldset (required for valid HTML).



type=openfieldset|legend=Your Information

(other fields would go between these)



The checkbox field can be used to generate a single checkbox, or a group of them. The usage is a bit different than the other fields.


As you can see, the checkbox data is a comma separated list of four items per checkbox:

  • fieldname – A unique fieldname for each checkbox in the form.
  • text – The text shown to the right of each checkbox.
  • checked – true or false. This allows you to make checkboxes checked by default.
  • required – true or false. If true, it means that the user must check the box to send the message. Mainly useful for ‘check here to agree’ type situations.

*NOTE* Because this field type uses commas to separate data, if you would like a comma to be displayed in your data, simply use two. It will be replaced later in the code.


type=checkbox|class=fmcheck|label=I Agree|data=fm_agree,I agree to the 



This field generates a group of radio buttons. Radio buttons are similar to checkboxes, except that they are treated as a group, and only one option may be selected.


The req and default items are optional. req, if set to true, makes the field required. default can be set to the option number you want to be selected by default (starting at 1).

*NOTE* Because this field type uses commas to separate data, if you would like a comma to be displayed in your data, simply use two. It will be replaced later in the code.





The select field generates either a standard drop-down box, or a multi-select box, depending on the multi option. Option groups are supported as well.


The multi and req options are optional.

If the field is required, the first option you have in the data parameter will be the default, which tells the user they need to select one of the options. If they do not change the default option, and it is required, they will receive an error.

The data field is just a list of the options, separated by a comma. To define the start of an option group, just prefix the group name with a # as shown below.

*NOTE* Because this field type uses commas to separate data, if you would like a comma to be displayed in your data, simply use two. It will be replaced later in the code.




The file field generates a file upload box. As with all other fields, you can add as many of these as you like, as this script supports not only attachments, but multiple attachments. The only thing to keep in mind is that you may need to find out the limit your server has set for file upload sizes.


The allowed field is optional, and lets you define a (comma separated) list of file extensions that are allowed to be uploaded. Otherwise, all file types will be allowed.
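Because every file type is accepted when allowed is left out, and the ‘Save attachments’ option can write uploads to a directory under the web root, an extension allowlist matters most when files are saved rather than emailed. The following is an added example, not the plugin's own code: the function names and the fm_file field name are hypothetical, the file names are constructed, it assumes PHP 7.1 or later, and unlike the plugin's default it rejects everything when the list is empty.

```php
<?php
// Added example, not the plugin's code; function names are hypothetical.

/** Turn the comma separated 'allowed' value into a lower-case list. */
function parse_allowed(string $allowed): array
{
    $list = [];
    foreach (explode(',', $allowed) as $ext) {
        $ext = strtolower(ltrim(trim($ext), '.'));
        if ($ext !== '') {
            $list[] = $ext;
        }
    }
    return $list;
}

/** Return the path an upload should be saved under, or null if it is rejected. */
function upload_target(string $clientName, array $allowed, string $saveDir): ?string
{
    // Use only the last path component of the name the browser supplied.
    $base = basename(str_replace('\\', '/', $clientName));

    // Compare the final extension case-insensitively against the allowlist.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;
    }

    // Keep a single extension: dots and unusual characters in the rest of
    // the name become underscores, so 'invoice.php.pdf' is stored as
    // '<random>_invoice_php.pdf'.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($base, PATHINFO_FILENAME));
    if ($stem === '') {
        $stem = 'upload';
    }

    // A random prefix prevents one visitor overwriting another's file.
    return rtrim($saveDir, '/') . '/' . bin2hex(random_bytes(4)) . '_' . $stem . '.' . $ext;
}

$allowed = parse_allowed('jpg, png, .PDF');
$saveDir = '/home/user/public_html/uploads/';   // the page's example path

// Constructed file names as a browser might submit them.
$names = [
    'report.pdf',
    'Photo.JPG',
    'notes.php',
    'invoice.php.pdf',
    '../../wp-content/banner.png',
    'README',
];

foreach ($names as $name) {
    $target = upload_target($name, $allowed, $saveDir);
    printf("%-30s %s\n", $name, $target === null ? 'rejected' : 'save as ' . $target);
}

// In an upload handler the accepted file would then be stored with
// move_uploaded_file($_FILES['fm_file']['tmp_name'], $target),
// where fm_file is a hypothetical field name.
```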




Manual Form Code

This feature allows you to manually specify the code used to generate your form. By default, this script uses the form structure information to dynamically generate the form. While this makes it easier for most people, since they do not have to write any code, it can limit those who need a bit more flexibility in their form structure.

Important Notice: Because this method means you will be writing the form code yourself, and it will not be generated by the script, there is no way for it to automatically insert the PHP code needed to put the user’s input back into the form when there is a validation error. It is just not possible for this to be done automatically due to the nature of the option. The only way this can be accomplished is if you know enough about PHP to insert the code manually yourself. In other words, this is a very advanced option – only for those who are very familiar with HTML forms and PHP.

  • 1) Customize your form using the ‘Form Structure’ option as you would normally – this is required even when using the manual code entry, as it allows for processing of the form.
  • 2) Be sure you have all your options exactly as you want them, and view your newly created form page.
  • 3) View the source of the page, so you can copy the generated html. The code you need is between the following lines:
  • 4) You can now customize this form code however you like, as long as the core elements of the form and fields are still in place.
  • 5) Enter your new code into the ‘Manual Form Code’ field in the options and save.
  • 6) If everything worked properly, your page will now use the custom form code. Once again, the standard form structure option is still required, as it is still used for processing of the form.

You can also adjust the included CSS file to better fit your needs, or completely clear it out and manually create an entire new CSS structure for your task. Keep in mind that if you change any field items (or any options which affect the form code generation), you will have to repeat this process.

To disable the manual form code feature, just clear out the option for it.

Auto Reply Feature

The options page for each instance includes fields to define an auto reply message. This is a pre-defined message that is sent back to the visitor.

To use this option, simply enter the name, email address, subject line, and message for your auto response. To disable this feature, just leave the message field blank.

You can also use field names in the auto reply message, and the user input from those fields will be used to generate the message.

Saving Data to a File

This option allows you to save the form input in a delimited file. Please see above for a full explanation of the options.

With the WordPress version of this script, the path to the data file is relative to the root directory of your WordPress installation. Be sure to give this file write access.
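The Delimiter, Newlines and Timestamp options described above define a one-record-per-line format. The following is an added example, not the plugin's own code, that writes records that way and reads them back to confirm the column count holds when the input contains the delimiter and line breaks; the function names are hypothetical and the submission is constructed.

```php
<?php
// Added example, not the plugin's code; function names are hypothetical.

/** Build one line of the data file from the submitted values. */
function build_record(array $fields, string $delimiter, string $newlineToken, string $timestampFormat = ''): string
{
    // The newline replacement must not reintroduce the delimiter.
    if ($delimiter === '' || strpos($newlineToken, $delimiter) !== false) {
        throw new InvalidArgumentException(
            'delimiter must be non-empty and must not appear in the newline replacement'
        );
    }

    $cells = [];
    if ($timestampFormat !== '') {
        // Timestamp option: PHP date format, written at the start of the line.
        $cells[] = str_replace($delimiter, '', date($timestampFormat));
    }
    foreach ($fields as $value) {
        // Delimiter option: the character is removed from the data itself.
        $value = str_replace($delimiter, '', (string) $value);
        // Newlines option: every line break becomes the configured text.
        $cells[] = preg_replace('/\r\n|\r|\n/', $newlineToken, $value);
    }
    return implode($delimiter, $cells) . "\n";
}

/** Append a record; LOCK_EX keeps simultaneous submissions from interleaving. */
function append_record(string $path, string $record): bool
{
    return file_put_contents($path, $record, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed submission containing the delimiter and several line breaks.
$submission = [
    'fm_name'    => 'Ann | Example',
    'fm_email'   => 'ann@example.org',
    'fm_message' => "Line one\r\nLine two | with a pipe\nLine three",
];

// A temporary file stands in for the configured Data Path.
$path = tempnam(sys_get_temp_dir(), 'ddfm');
append_record($path, build_record($submission, '|', ' <br> ', 'Y-m-d H:i:s'));
append_record($path, build_record($submission, '|', ' <br> ', 'Y-m-d H:i:s'));

// Read the file back: each line splits into the timestamp plus three fields.
foreach (file($path, FILE_IGNORE_NEW_LINES) as $n => $line) {
    $cells = explode('|', $line);
    printf("line %d: %d cells, message = %s\n", $n + 1, count($cells), $cells[3]);
}
unlink($path);
```

Since the data path is relative to the WordPress root, the file sits inside the web root unless the path points elsewhere, so check that it cannot be downloaded directly.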

Other modifications

Passing values to the form

To allow values to be passed directly to the form, all you have to do is change all references of $_POST to $_REQUEST. (The REQUEST superglobal contains the values of both POST and GET items, and also cookie values when the request_order setting in php.ini includes them.)

Modifying the script to use HII for image verification

Miro has posted instructions for users wanting to use HII: Read the comment. Notice: Modifications listed in the comments may not apply for new versions of the script.

Using SELRECIP and BCC together

The easiest way to do this is to find the following line in the script:

$send_status = mail($send_to, $email_subject, $msg, $headers);

If you are using SELRECIP, the message will be sent to whoever the visitor chooses. If you would also like the message to go to someone else, no matter who is chosen, just duplicate that line like so, adding in the address of the secondary recipient:

$send_status = mail("user2@domain.com", $email_subject, $msg, $headers);


Fields not working properly/Form is not displaying properly

As stated above, each field item needs to be on a single line in your form structure. Many of the examples above are long, so they do not show up on a single line. Be sure to remove any linebreaks when adding them to your form. One form field statement per line.

Verification image not showing up

The first thing to do is check to make sure your paths are set correctly in the options.

This plugin automatically chooses the best file type to generate the verification image. If your verification image is not displaying, the problem could be that your server will not properly generate that type of file. You can manually set this using the ‘Force image type’ option under the DDFM-Main options page. It allows you to manually specify jpeg, gif, or png.

Try all the options to see which works best for you.

Problems sending email

The most common question I receive is ‘Why am I not receiving email from the script?’

There are many reasons this can happen. The first thing to do is make sure you have access to the PHP mail function on your web server, and that there are no restrictions in place that might prevent certain features of this script from working. If you are not sure, please ask your host for information. Unfortunately, I am not able to spend the time troubleshooting general server issues for everyone.

Also try having the script send the messages to another email address (on another domain), just to be sure the problem is not with your email account.

If you believe you can use the PHP mail function and have already tried a different email address, create a small PHP file with the following contents (be sure to use your own email address):

<?php mail('you@domain.com', 'test subject', 'test message'); ?>

Open the file in your browser and then check your mail. If you did not receive the message, something is not set properly on your server, and the trouble is not with this script. Even if other mail scripts work for you, that does not mean this one will, as there are several methods to send mail in PHP.

If you do receive the message, it most likely means that your server is configured to not allow the use of the fourth parameter (extra headers) in the mail() function. To work around this, replace this line:

$send_status = mail($send_to, $email_subject, $msg, $headers);

With this:

$send_status = mail($send_to, $email_subject, $msg);

The only downside is that certain features (such as some header information, and the ability to send to multiple recipients) will be disabled. You may be able to contact your host and have them change this though. Many hosts add in this restriction for security reasons, to protect against unsafe scripts.

Lastly, some servers require an extra parameter for the mail function that specifies who the message is from. In many cases, this must be an email address on the server itself. Example:

$send_status = mail($send_to, $email_subject, $msg, $headers, '-f user@domain.com');

‘Headers already sent’ error

Another common question is the ‘headers already sent’ error message. Without getting into the details, this generally happens when something is output to the browser before a call to setcookie, header, or a number of other PHP functions. Be sure there is no extra whitespace at the top of your file.

For WordPress users, it is also always a good idea to disable your other plugins temporarily to make sure that nothing is conflicting.

Mail headers showing up in message body / attachments not working

This issue can be caused if your server does not like the return/newline character set being used to end lines of the email headers. If you are experiencing this problem, try changing this line:

if (!defined('PHP_EOL')) define ('PHP_EOL', strtoupper(substr(PHP_OS,0,3) == 'WIN') ? "\r\n" : "\n");

To this:

if (!defined('PHP_EOL')) define ('PHP_EOL', strtoupper(substr(PHP_OS,0,3) == 'WIN') ? "\n" : "\n");

If you require special SMTP settings for mail to be sent

If you have to manually specify the SMTP settings, you can do so with the following code. This is only recommended for advanced users.

ini_set('sendmail_from', $sender_email);
$send_status = mail($send_to, $email_subject, $msg, $headers);

(Just search for the reference to the mail() function to see where to add it)


Please be sure to read the entire article before asking a question. I spend a lot of time on the scripts and plugins available on this site, and it can be hard to keep up with all the requests. If you need modifications or a custom version, please contact me. Thanks for reading!