XQ Secure Form


XQ Secure Form is a plugin that enables your WordPress Form data to be encrypted at the time of submission, before it even leaves your customer’s browser and delivered securely to you in a manner you choose.

The default delivery method is by email, but we provide the option to deliver other formats via the XQ API. When the data is delivered by email, you will receive a link to decrypted the message. Alternatively you can also use any of our email clients to achieve the same goal directly without having to go to the portal. See the XQ Message email clients for more information:

The installation process is a simple wizard, which culminates in a <script type="application/javascript"> . . . </script> snippet being injected into the footer section of your WordPress site. It contains our Javascript API as well as an API key, specifically generated for your XQ user account.

The Javascript API will utilize that key in order to take care of client side encryption as well as to communicate with XQ Message. Each time one of your site’s forms is submitted, it is encrypted for you using a new quantum encryption key. Only the recipients you specify as authorized users can retrieve the key from us and thus, unlock the message. At this point there isn’t anything you have to do.

All non-commercial users get 1000 free submissions per month. If you love Secure Forms and are going over that limit, we’d love to talk to you! Please drop us a line.

XQ Message has a versatile toolkit of applications and services all centered around Zero Trust. Please visit our site to gain more insight into the comprehensive range of capabilities offered by XQ Message.


  • Authentication Screen
  • Validation Screen
  • Installation Confirmation Screen
  • Our Email Clients Available for download


First, follow the usual steps:

  1. Open WordPress admin, go to Plugins, click Add New
  2. Enter “xq secure form” in search and hit Enter
  3. Plugin will show up as the first on the list, click “Install Now”
  4. Activate & open plugin’s settings page located under the Settings menu

Or if needed, upload manually;

  1. Download the latest stable version from from downloads.wordpress.org/plugin/xq-secure-form.latest-stable.zip
  2. Unzip it and upload to /wp-content/plugins/
  3. Open WordPress admin – Plugins and click “Activate” next to “XQ Secure Form”
  4. Open plugin’s admin page located under the Settings menu and you will see the initial authentication screen

    We will now walk you through the screens you will encounter when you install XQ Secure Form software.

    Screen 1: Authentication

    • Enter your email address in order to register with XQ Message

    Screen 2: Validation

    • Enter the 6 digit PIN number that was sent to your email account.
    • Let XQ send me Emails This checked by default.
      This means that the underlying form action attribute is pointing to an endpoint on our system so that we can handle the email delivery of your forms to the email address you used to sign up. But don’t worry, they are encrypted! Only you and any recipients you specified can decrypt them.
      The XQ Plugin supports html form assembly via the CoBlocks form builder that comes with your WordPress default installation. You can also create your forms by hand.
    • You may not want the encrypted data to flow through our system and instead would prefer to handle the data flow yourself. In that case please uncheck this item and take a look at any of our APIs of the ecosystem built around Zero Trust that is available to you when using the XQ Message API.
      Once you choose to go your own route you also will have to write your own mapper function in order to format the data according to your needs. More on this below.
    • Enter the email addresses of the people you want to be authorized to decrypt your form data.
    • Enter the URL of a “thank you” or “goodbye” page to which you would like to redirect users after succesful form submission.

    Screen 3: Confirmation
    This page confirms that your API key was generated successfully so that your website can
    now communicate with XQ Message.

    Screen 4: Clients
    This screen concludes the installation process and contains useful Links to XQ Message
    email clients which can be used to make decrypting the forms content simpler.


What do I need to do to use XQ Secure Form straight out of the box?

If you only require that we email the encrypted form data to the authorized recipients, you don’t need to do anything other than go through the settings once.

What do I do if I want to handle the SecureForms data myself?

In case you want to take full control of your data flow you can utilize our extensive API’s. Using those, it is quite easy to handle encryption and/or decryption of your forms data. You could for instance, give access to new recipients, revoke access to existing ones, or set time constraints on the accessibility of the data. (For more information on how to handle the data yourself, please see here.)

On The Client

First off, when going through the process of generating a plugin designed to communicate with your own endpoint make sure the following is true:

  • Let XQ send me Emails is Unchecked
  • You selected one of the available output formats, i.e. either Text, Json, XML or CSV.

Upon submitting your secure form the plugin gets to work.

1) It will collect all form elements under the <form> tag, extract their names and values and create the payload,
a string of key value pairs.

2) A quantum key is generated and in order to encrypt that payload.

3) The key will be uploaded to our servers and token is generated.
The token will be neccessary later to download the encryption key.

4) The payload to be posted to the endpoint,
which you specified <form action="your-enpoint"> using the format:

"payload": {"token": <the-token>","data": "<the-encrypted-data>"}

On The Server

1 Authorization
Before you can communicate with XQ you need to validate your identity using the email with which you registered at XQ Message during the plugin intallation process.

call Authorize() with <your-email>

2 Validation
An email containing a validation PIN will be sent to that account. Send that PIN back to us using the CodeValidator class.

call CodeValidator() with <pin-sent-to-your-email-account>

3 Decryption
Just pass payload, i.e the encrypted data and the token to the Decrypt( ) function and you are done.

“Why pass the token?” you may ask. This is needed to find your particular encyption key on our servers. Remember that this very token was returned on the client during the form submission process after successful upload of the encryption key to the server.

call Decrypt() with <token> and <data>

How do I find out more detail about the APIs ?

To learn more about the full power of our any of our APIs by clicking here


There are no reviews for this plugin.

Contributors & Developers

“XQ Secure Form” is open source software. The following people have contributed to this plugin.


Translate “XQ Secure Form” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.



  • Initial Release


  • Change Delivery Format if default action is disabled
  • Store Plugin Settings in WordPress database


  • Redirect to login screen if key expired


  • url changes


  • format text with html
  • basic support for ActiveDEMANT form html builder
  • improved support for CoBlocks form html builder


  • added action parameter back


  • support for multiple API Keys per dashboard user


  • Bug fix: changing website name from Word Press Admin did not properly delete the key under the old name.