A small custom form can be appropriate when requirements are simple. Verify intent with a nonce, include a honeypot, sanitize inputs, and validate email.nn## Escape at outputnnStored data is not automatically safe. Escape values for the HTML context where they appear.nn## Treat delivery separatelynnSuccessful wp_mail calls do not guarantee inbox delivery. Configure authenticated transactional email for production sites.
Secure WordPress Contact Forms Without a Plugin
A compact pattern for nonce checks, sanitization, validation, and safe redirects.