WordPress Security for Real Estate and Property Websites

Protect your real estate WordPress site with lead form security, IDX integration protection, and property listing safeguards.

Sarah Chen

Introduction

Real estate websites handle valuable lead information, property data, and often integrate with MLS systems. These sites are attractive targets for lead theft, data scraping, and competitive intelligence gathering.

Real Estate Site Security Challenges

Property websites face specific threats:

  • Lead theft - Competitors scraping contact information
  • IDX vulnerabilities - MLS integration security issues
  • Property data scraping - Automated listing collection
  • Fake inquiries - Bot-generated leads wasting agent time
  • Map API abuse - Excessive API calls driving up costs
  • Agent impersonation - Fake profiles for fraud

Protecting Lead Capture Forms

Secure your valuable lead generation forms:

Anti-Scraping Lead Protection

// Protect lead data from scraping
function secure_lead_submission() {
    // Verify honeypot: real visitors never fill in the hidden field
    if (!empty($_POST['website_field'])) {
        error_log('Bot lead submission blocked: ' . $_SERVER['REMOTE_ADDR']);
        wp_die('Submission failed.');
    }

    // Rate limit per IP
    $ip = $_SERVER['REMOTE_ADDR'];
    $key = 'lead_rate_' . md5($ip);
    $submissions = get_transient($key) ?: 0;

    if ($submissions >= 5) {
        wp_die('Too many submissions. Please try again later.');
    }

    set_transient($key, $submissions + 1, HOUR_IN_SECONDS);

    // Validate phone number format: digits, whitespace, hyphen, plus, parentheses
    $phone = sanitize_text_field($_POST['phone'] ?? '');
    if (!preg_match('/^[\d\s\-+()]{10,20}$/', $phone)) {
        // Return values of action callbacks are discarded, so stop the request here
        wp_die('Please enter a valid phone number.');
    }

    // Check email domain (compared in lowercase)
    $email = sanitize_email($_POST['email'] ?? '');
    $blocked_domains = array('tempmail.com', 'throwaway.email', 'mailinator.com');
    $domain = strtolower(substr($email, strpos($email, '@') + 1));

    if (!is_email($email) || in_array($domain, $blocked_domains, true)) {
        wp_die('Please use a valid email address.');
    }
}
add_action('wpfs_before_lead_save', 'secure_lead_submission');

IDX/MLS Integration Security

Protect MLS data connections:

Secure API Credentials

// Store IDX credentials securely
function get_idx_credentials() {
    // Never store in database - use wp-config.php constants
    if (!defined('IDX_API_KEY') || !defined('IDX_API_SECRET')) {
        error_log('IDX credentials not configured');
        return false;
    }

    return array(
        'key' => IDX_API_KEY,
        'secret' => IDX_API_SECRET,
    );
}

// Validate IDX webhook requests
function validate_idx_webhook($request) {
    $signature = $request->get_header('X-IDX-Signature');
    $payload = $request->get_body();

    // A missing header arrives as null and hash_equals() requires two strings,
    // so reject before comparing; also reject when no secret is configured
    if (!is_string($signature) || !defined('IDX_WEBHOOK_SECRET')
        || !hash_equals(hash_hmac('sha256', $payload, IDX_WEBHOOK_SECRET), $signature)) {
        error_log('Invalid IDX webhook signature');
        return new WP_Error('invalid_signature', 'Unauthorized', array('status' => 401));
    }

    return true;
}

Property Listing Protection

Prevent automated listing scraping:

// Rate limit property API requests
add_action('rest_api_init', function() {
    register_rest_route('properties/v1', '/listings', array(
        'methods' => 'GET',
        'callback' => 'get_property_listings',
        'permission_callback' => function($request) {
            // Check rate limit
            $ip = $_SERVER['REMOTE_ADDR'];
            $key = 'property_api_' . md5($ip);
            $requests = get_transient($key) ?: 0;

            if ($requests >= 100) {
                return new WP_Error('rate_limited', 'Too many requests', array('status' => 429));
            }

            set_transient($key, $requests + 1, HOUR_IN_SECONDS);
            return true;
        },
    ));
});

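// Add CAPTCHA for saved searches
// (verify_recaptcha() is assumed to be a helper defined elsewhere on the site
// that checks the token server-side)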
function require_captcha_for_saved_search() {
    if (!verify_recaptcha($_POST['g-recaptcha-response'] ?? '')) {
        wp_die('Security verification failed.');
    }
}
add_action('wpfs_before_save_search', 'require_captcha_for_saved_search');
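
The lead form and listings endpoint above both call set_transient() on every request, which restarts the one-hour expiry each time, so a steady client never gets a fresh window. The following is an added example, not code from the original article, of a fixed-window limiter that both could share; rate_limit_allow() and its bucket names are hypothetical.

```php
<?php
// Added example; rate_limit_allow() and the bucket names are hypothetical.

// Fixed-window limiter: returns true while the caller is under $limit
// requests in the current $window seconds, false once the limit is hit.
function rate_limit_allow($bucket, $limit, $window = HOUR_IN_SECONDS) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false; // No usable client address: fail closed.
    }

    // One counter per bucket and client, e.g. 'lead_form' or 'listings_api'.
    $key = 'rl_' . md5($bucket . '|' . $ip);
    $now = time();
    $state = get_transient($key);

    // Start a new window if none is stored or the stored one has ended.
    if (!is_array($state) || $state['reset'] <= $now) {
        $state = array('count' => 0, 'reset' => $now + $window);
    }

    if ($state['count'] >= $limit) {
        return false;
    }

    $state['count']++;
    // Expire at the window's original end, so steady traffic cannot
    // keep pushing the reset time forward.
    // Note: transients are not atomic; concurrent requests may undercount.
    set_transient($key, $state, max(1, $state['reset'] - $now));
    return true;
}
```

A caller checks it before doing any work, for example `if (!rate_limit_allow('lead_form', 5)) { wp_die('Too many submissions. Please try again later.'); }`.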

Agent Profile Security

Protect agent accounts from impersonation:

// Verify agent identity on registration
function verify_agent_registration($user_id) {
    // Require license number verification
    $license = get_user_meta($user_id, 'real_estate_license', true);

    if (empty($license)) {
        // Set as pending verification
        update_user_meta($user_id, '_agent_verified', false);
        return;
    }

    // Validate license format (varies by region)
    if (!preg_match('/^[A-Z]{2}\d{6,10}$/', $license)) {
        update_user_meta($user_id, '_agent_verified', false);
        return;
    }

    update_user_meta($user_id, '_agent_verified', 'pending_review');

    // Notify admin for manual verification
    wp_mail(
        get_option('admin_email'),
        'New agent requires verification',
        "Agent registration requires license verification: {$license}"
    );
}
add_action('user_register', 'verify_agent_registration');

// Block unverified agents from publishing
add_filter('user_has_cap', function($caps, $cap, $args) {
    if (in_array('publish_properties', $cap)) {
        $user_id = $args[1] ?? get_current_user_id();
        // User meta is read back as a string: a stored true comes back as '1'
        $verified = get_user_meta($user_id, '_agent_verified', true);

        if ($verified !== '1') {
            $caps['publish_properties'] = false;
        }
    }
    return $caps;
}, 10, 3);

Map and Location Security

  • Restrict Google Maps API key to your domain
  • Implement server-side geocoding caching
  • Rate limit location searches
  • Never expose exact addresses until the user is authenticated
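
One way to implement the geocoding cache and the address rule from the list above, as an added example that is not code from the original article. MAPS_SERVER_KEY is an assumed wp-config.php constant holding a server-side key, and the listing fields street_address, lat and lng are hypothetical names.

```php
<?php
// Added example. MAPS_SERVER_KEY and the listing field names are assumptions.

// Geocode server-side and cache the result so repeat lookups skip the paid API.
function cached_geocode($address) {
    $normalized = strtolower(trim(preg_replace('/\s+/', ' ', (string) $address)));
    if ($normalized === '' || !defined('MAPS_SERVER_KEY')) {
        return false;
    }

    $cache_key = 'geo_' . md5($normalized);
    $cached = get_transient($cache_key);
    if (is_array($cached)) {
        return $cached;
    }

    // add_query_arg() does not encode values, so encode them here.
    $url = add_query_arg(array(
        'address' => rawurlencode($normalized),
        'key'     => rawurlencode(MAPS_SERVER_KEY),
    ), 'https://maps.googleapis.com/maps/api/geocode/json');

    $response = wp_remote_get($url, array('timeout' => 5));
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return false;
    }

    $data = json_decode(wp_remote_retrieve_body($response), true);
    $loc = $data['results'][0]['geometry']['location'] ?? null;
    if (($data['status'] ?? '') !== 'OK' || !is_array($loc)) {
        return false;
    }

    $coords = array('lat' => (float) $loc['lat'], 'lng' => (float) $loc['lng']);
    set_transient($cache_key, $coords, 30 * DAY_IN_SECONDS);
    return $coords;
}

// Remove the exact location from a listing unless the visitor is logged in.
function redact_listing_location(array $listing) {
    if (is_user_logged_in()) {
        return $listing;
    }
    unset($listing['street_address']);
    // Two decimals is roughly 1 km: a neighbourhood-level pin, not the property.
    $listing['lat'] = round((float) ($listing['lat'] ?? 0), 2);
    $listing['lng'] = round((float) ($listing['lng'] ?? 0), 2);
    return $listing;
}
```

Apply redact_listing_location() to every listing before it is serialized into a REST response or page markup, so the exact address never reaches an anonymous client.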

Client Portal Security

// Secure client document access
function can_access_property_documents($user_id, $property_id) {
    // Check if user is assigned to this property
    $assigned_clients = get_post_meta($property_id, '_assigned_clients', true) ?: array();

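    // Compare as integers with strict matching so loose type juggling cannot grant access
    return in_array((int) $user_id, array_map('intval', (array) $assigned_clients), true);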
}

// Log document access
function log_document_access($document_id, $user_id) {
    global $wpdb;

    $wpdb->insert($wpdb->prefix . 'document_access_log', array(
        'document_id' => $document_id,
        'user_id' => $user_id,
        'ip_address' => $_SERVER['REMOTE_ADDR'],
        'accessed_at' => current_time('mysql'),
    ));
}

Conclusion

Real estate websites must protect valuable lead data, secure MLS integrations, and prevent listing scraping. Proper form security, API protection, and agent verification keep your real estate business safe.

Written by Sarah Chen

WP Folder Shield Team
