UPDATE: I released an even-simpler contact form plugin in October, 2013: http://www.mbijon.com/ever-simpler-wordpress-contact-forms/. It uses a 3rd-party mailer-service (Sendsquare) to convert mailto: links into editable forms.
One question that comes up regularly in talking to WordPress builders is what plugin to use for contact forms. There are dozens of ways to build contact forms (self-coding, plugins, 3rd-party services), but the comment form question is hard because form plugins are hard to build.
It’s not the frontend form part that’s difficult either. Most comment form plugins have several times more code devoted to anti-spam and XSRF-filtering than to the form-processing part of things. Spammers and site crackers change tactics constantly, so the best contact form plugin that-also-blocks-spam-and-site-hacks changes constantly too.
…as of late-2013 here are my preferences for WordPress contact / form-builder plugins. If you’re reading this in 2014 or later, it’s time to evaluate other options again:
- mailto: — As Aaron mentioned on a friend’s Facebook page: “Just do <a href="mailto:firstname.lastname@example.org"> and call it good. It’s cross-browser, fully standards compliant, and is not vulnerable to SQL injections!”
(As @ceeweb pointed out, there is no anti-spam here. Only what your mail client offers … but I don’t think that’s all that bad. Since it gets to filter on real sender email/IPs instead of just your server’s info, this is often better anti-spam than what’s in plugins. Though as Cee also pointed out, then the spammers also have your email address.)
- Gravity Forms — This is the best form-builder plugin available at the moment, and since it’s commercial and well-supported it should keep up with spammers and site-hackers very well. The downside is the cost, since many WordPress projects don’t budget for buying 3rd-party tools/support. I still think it’s worth using even as a PHP-heavy developer; the speed & flexibility of this plugin should save you time & prevent client headaches.
- Wufoo’s Shortcode plugin — It’s simple and inserts a form that’s run from Wufoo’s servers. Wufoo is top-notch in UX and anti-spam/security. Their downside vs. Gravity Forms is they can be slower to customize and the shortcode placement isn’t as intuitive as other plugins here.
- Slim Jetpack — The stripped-down version of Jetpack without the .com connections and no auto-activation. The form-builder tool is incredibly simple and it has Akismet-level spam prevention (i.e., not 100%). This is a great, free option right now.
Cee pointed out that Jetpack and child plugins like this leave the destination email in the HTML in plaintext, again allowing harvesting.
- Fast Secure Contact Form — Another free option, this one excels at anti-spam. It has a good (not quite great) form-builder and easily-styled CSS tags, but the anti-spam options are excellent and nearly bulletproof. The downside to this being a free plugin is the ads (not spammy ones though) for mailing services on the admin page and the occasional unreadable captcha.
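A check for the exposure noted in the mailto: and Slim Jetpack items above, added here as an example and not taken from any of the plugins listed: it parses a rendered page and reports every address readable from the HTML source, including entity-encoded ones. The sample markup, its field names and the `audit` helper are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample page: a mailto: link, a form that carries its destination
# in a hidden field (entity-encoded "@"), and a form that keeps it server-side.
SAMPLE_HTML = """
<p>Questions? <a href="mailto:owner@example.org?subject=Hi">Email us</a></p>
<form method="post" action="/contact">
  <input type="hidden" name="to" value="forms&#64;example.org">
</form>
<form method="post" action="/contact">
  <input type="hidden" name="form_id" value="7">
</form>
"""

class ExposedEmailAudit(HTMLParser):
    """Collects (location, address) for every address readable in page source."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute
        # values, so "&#64;" style obfuscation does not hide anything here.
        for name, value in attrs:
            if not value:
                continue
            if name == "href" and value.lower().startswith("mailto:"):
                value = unquote(value[7:].split("?", 1)[0])  # drop ?subject=...
                name = "href=mailto"
            for addr in EMAIL_RE.findall(value):
                self.findings.append((f"<{tag} {name}>", addr))

    def handle_data(self, data):
        # Visible text and inline <script>/<style> content.
        for addr in EMAIL_RE.findall(data):
            self.findings.append(("text", addr))

def audit(html):
    parser = ExposedEmailAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for location, addr in audit(SAMPLE_HTML):
        print(f"{location}: {addr}")
```

Run it against the HTML your own contact page actually serves; an empty result means the destination address stays on the server.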