
Embedding SecureForms into WordPress using an iframe

WordPress is an incredibly popular Web site management and blogging platform. Customers frequently ask LuxSci about the best way to add forms to their WordPress pages and posts. Not just any forms: complex forms that can be HIPAA-compliant and that can submit data securely through SecureForm.

There are numerous options here. The two most popular are GravityForms and embedding forms with an iframe. GravityForms is popular and very cool, but not free. Also, because GravityForms is complex and really wants to manage all of your form data itself (insecurely), its integration with SecureForm is limited:

  • Multiple forms on the same page can be tricky
  • Ink Signatures cannot be captured
  • File uploads cannot be captured

Another alternative, which is free as it is included with your SecureForm service, is to:

  1. Build your form with SecureForm FormBuilder
  2. Embed this form into your WordPress page or post using an iframe

What is an “iframe”? It is a tool that allows you to embed one Web page within another Web page. When you build a form with FormBuilder, that form is automatically saved and hosted securely for you, and you are provided with the Web site address (URL) for that form. All you need to do is “insert” that hosted form into your WordPress page/post and you are all set. All FormBuilder features are then also supported: Ink Signatures, file uploads, geolocation, etc.

Embedding a form into WordPress using an iframe

Here is your step-by-step guide to embedding your FormBuilder form into WordPress.  This requires some knowledge of HTML, as you need to edit the source view of your post or page.

  1. Log into LuxSci and proceed to your SecureForm management area.
  2. Click on the title of the form that you have built in FormBuilder and wish to embed in WordPress.
  3. See the “Form Address” provided for you on the Overview tab that you are taken to. Save that Web site address; we will refer to it as “FORMBUILDER_ADDRESS” in the following steps. I.e., it could look similar to “” (not a real address, by the way).
  4. Go into your WordPress administrative interface
  5. Find and edit the page or post in which you want to embed the form
  6. At the top of the editor toolbar (where you can change “boldness” and such) there are two tabs — “Visual” and “Text”.  Visual is the “What You See is What You Get” interface to editing.  “Text” allows you to edit the source code for your page/post and add or edit things that are not available through the tool bar.  Click on “Text”.
  7. Scroll through the source of your page/post and find the place where you would like your form inserted.
  8. Enter the following code:

<iframe src="FORMBUILDER_ADDRESS" width="100%" height="400"></iframe>

That is it. Once you save your page/post, your form should show up inside of it.

You might want to tweak one thing, however. You have to specify how tall your form is (i.e., the height) in pixels. In the example above, we state that it should be 400 pixels tall. If your form is shorter, there will be extra blank space after the form; if the form is longer, then part of the form will be cut off and your users will need to scroll the form, and, depending on their browser, the fact that the frame is there and scrollable might not be obvious at all. The simplest way to handle this is to pick a height that will work in general for your form and/or have your form on a page/post by itself or at the end of other content.

What is the solution for that?  With some JavaScript trickery, one can have the iframe auto-resize, but this is complex to implement cross-domain.  For those with some JavaScript wizardry — refer to this post on StackOverflow.
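
The parent-page half of a cross-domain auto-resize, as an added example (not code from LuxSci or from the StackOverflow post). It assumes the framed form page can post its own height to the parent with `postMessage`; the message shape `{type: "form-height", height}`, the origin `https://forms.example.com` and the iframe id `secureform` are hypothetical placeholders.

```javascript
// Added example: parent-page side of a cross-domain iframe auto-resize.
// Assumption: the framed form posts {type: "form-height", height: <px>}
// to its parent. That message shape and FORM_ORIGIN are hypothetical.
const FORM_ORIGIN = "https://forms.example.com"; // placeholder origin
const MIN_HEIGHT = 200;  // never collapse the form
const MAX_HEIGHT = 5000; // never let one message blow up the page layout

// Returns the height (px) to apply, or null if the message must be ignored.
function heightFromMessage(event, iframe, allowedOrigin) {
  // 1. Accept messages only from the exact origin that hosts the form.
  if (event.origin !== allowedOrigin) return null;
  // 2. Accept messages only from the window inside our own iframe.
  if (event.source !== iframe.contentWindow) return null;
  // 3. Validate the payload shape; the height is untrusted input.
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "form-height") return null;
  if (typeof data.height !== "number" || !Number.isFinite(data.height)) return null;
  return Math.min(MAX_HEIGHT, Math.max(MIN_HEIGHT, Math.ceil(data.height)));
}

// Browser wiring (skipped when the file is run outside a browser).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.querySelector("iframe#secureform"); // hypothetical id
  if (frame) {
    window.addEventListener("message", (event) => {
      const px = heightFromMessage(event, frame, FORM_ORIGIN);
      if (px !== null) frame.style.height = px + "px";
    });
  }
}
```

Any page or frame can send a `message` event to your window, so the origin and source checks are what keep other content from driving the layout of the page that holds the form.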

What about security?

The source of your iframe is a Web address that starts with https:// … so the loading of that form will be secure. If you are using LuxSci SecureForm for HIPAA-compliant data collection, then the processing of all data submitted by end users from their browsers will also be secured.

If your WordPress site itself does not store, transmit, or collect sensitive data (e.g. ePHI or PII), then your site may not technically need to be secured or hosted at a provider that assists with securing your Web site.

However, if your Web site is not being delivered over a secure channel (i.e., if its address does not start with https://), then a “man in the middle” between your server and the end user can alter your page’s content without anyone being the wiser. In particular, that person can change the source address of the iframe to load any form he/she wants, thus misdirecting any collected data. This is entirely possible. Furthermore, WordPress itself has a history of security issues, especially related to third-party plugins. (See WordPress and ePHI — is that a good idea?).

So, what we would recommend here is:

  1. Have your WordPress site protected with a TLS certificate (so your address starts with https://).  This is good to do beyond security, anyway, as it can improve your rankings in Google search.
  2. Only use WordPress plugins that are very popular, well vetted, and being updated by the developers.
  3. Keep WordPress and your plugins up to date.
  4. Consider using a dedicated server for hosting your WordPress site … so you would not suffer collateral damage from the security issues of other customers sharing your server.
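
A check for the first recommendation and for the iframe-substitution risk described above, as an added example (not LuxSci code): given a page's address and its published HTML, it reports a page that is not on https and any iframe that is not loaded over https from the expected form host. The host `forms.example.com` is a constructed placeholder for the host in your FORMBUILDER_ADDRESS, and every iframe on another host is flagged.

```javascript
// Added example: audit a published page for the iframe risks described above.
// EXPECTED_FORM_HOST is a constructed placeholder, not a real form host.
const EXPECTED_FORM_HOST = "forms.example.com";

// Extract the src attribute of every <iframe> tag in an HTML string.
function iframeSources(html) {
  const sources = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    // \s before src skips data-src; requiring "=" right after skips srcdoc.
    const m = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
    sources.push(m ? (m[1] ?? m[2] ?? m[3]) : "");
  }
  return sources;
}

// Returns a list of findings; an empty list means the embed is as intended.
function auditFormEmbed(pageUrl, html, expectedHost) {
  const findings = [];
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") {
    findings.push("page is not served over https; its iframe src can be altered in transit");
  }
  const sources = iframeSources(html);
  if (sources.length === 0) findings.push("no iframe found on page");
  for (const src of sources) {
    let target;
    try {
      target = new URL(src, page); // resolves relative and //host/path forms
    } catch {
      findings.push(`iframe src is not a valid URL: ${src}`);
      continue;
    }
    if (target.protocol !== "https:") {
      findings.push(`iframe is not loaded over https: ${target.href}`);
    }
    if (target.hostname !== expectedHost) {
      findings.push(`iframe points at unexpected host: ${target.hostname}`);
    }
  }
  return findings;
}
```

Run it against the HTML that visitors actually receive rather than the editor source, since that is where a changed iframe address would show up.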

Contact LuxSci for assistance with dedicated WordPress hosting or SecureForm.
