WordPress Security for SaaS Landing Pages: Protecting Lead Data
Secure your WordPress SaaS landing pages with strategies to protect lead data, form submissions, and integration endpoints.
SaaS landing pages collect valuable lead data and often integrate with multiple external services. Protecting this data and these connections requires specific security measures.
SaaS Landing Page Security Concerns
Landing pages face unique challenges:
- High-value lead data collection
- Multiple third-party integrations
- API key exposure risks
- Form spam and abuse
- Competitor scraping
Secure Form Handling
Protect lead capture forms:
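/**
 * Read one form field as a plain string.
 *
 * Form input may arrive as an array (e.g. `name[]=`), which would make the
 * sanitizers below misbehave; anything that is not a string is treated as absent.
 *
 * @param array  $form_data Raw submission.
 * @param string $key       Field name.
 * @param string $default   Value used when the field is missing or not a string.
 * @return string
 */
function lead_form_field($form_data, $key, $default = '') {
    $value = $form_data[$key] ?? null;
    return is_string($value) ? $value : $default;
}

/**
 * Validate and sanitize a lead-capture submission, then persist it.
 *
 * Checks run cheapest-first: nonce, honeypot, per-IP rate limit, email format,
 * disposable-domain filter. Only a submission that passes all of them is stored.
 *
 * @param array $form_data Raw submission (nonce, email, name, company, phone, source, website_url).
 * @return mixed WP_Error on rejection, otherwise whatever save_lead() returns.
 */
function process_lead_form($form_data) {
    // CSRF: a missing nonce must fail the same way as a wrong one, so default to ''.
    if (!wp_verify_nonce(lead_form_field($form_data, 'nonce'), 'lead_capture')) {
        return new WP_Error('invalid_nonce', 'Security verification failed');
    }

    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy / CDN this is the proxy's
    // address, so all visitors would share one rate-limit bucket; configure the
    // proxy's trusted-header handling at the server level rather than reading
    // X-Forwarded-For here, where it would be attacker-controlled.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';

    // Honeypot: the hidden "website_url" field is only ever filled by bots.
    if (lead_form_field($form_data, 'website_url') !== '') {
        log_spam_attempt($ip, 'honeypot');
        return new WP_Error('spam', 'Submission rejected');
    }

    // Rate limit: the counter allows four submissions per IP per hour before blocking.
    // md5() here is only a key-shortener, not a security control.
    $rate_key = 'lead_form_' . md5($ip);
    $recent = (int) (get_transient($rate_key) ?: 0);
    if ($recent > 3) {
        return new WP_Error('rate_limit', 'Please wait before submitting again');
    }
    set_transient($rate_key, $recent + 1, HOUR_IN_SECONDS);

    // Email: sanitize first, then validate the sanitized value.
    $email = sanitize_email(lead_form_field($form_data, 'email'));
    if (!is_email($email)) {
        return new WP_Error('invalid_email', 'Please enter a valid email');
    }

    // Disposable-address filter (is_disposable_email is defined elsewhere).
    if (is_disposable_email($email)) {
        return new WP_Error('disposable_email', 'Please use a business email');
    }

    // Remaining fields are sanitized individually; the phone number keeps only
    // dial-able characters.
    $lead = [
        'email'      => $email,
        'name'       => sanitize_text_field(lead_form_field($form_data, 'name')),
        'company'    => sanitize_text_field(lead_form_field($form_data, 'company')),
        'phone'      => preg_replace('/[^0-9+()-]/', '', lead_form_field($form_data, 'phone')),
        'source'     => sanitize_text_field(lead_form_field($form_data, 'source', 'landing_page')),
        'ip_address' => $ip,
        'created_at' => current_time('mysql'),
    ];

    return save_lead($lead);
}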
API Key Protection
Secure third-party API credentials:
// Store API keys securely in wp-config.php
// define('MAILCHIMP_API_KEY', 'your-api-key');
// define('HUBSPOT_API_KEY', 'your-api-key');
/**
 * Resolve a third-party API key from a wp-config.php constant.
 *
 * Keys are never stored in the database or in code; each service slug maps to a
 * constant that is expected to be defined in wp-config.php.
 *
 * @param string $service Service slug ('mailchimp', 'hubspot', 'salesforce').
 * @return string The key, or '' when the service is unknown or its constant is undefined.
 */
function get_api_key($service) {
    // Service slug -> name of the constant holding the key.
    $constant_names = [
        'mailchimp'  => 'MAILCHIMP_API_KEY',
        'hubspot'    => 'HUBSPOT_API_KEY',
        'salesforce' => 'SALESFORCE_API_KEY',
    ];

    $constant_name = $constant_names[$service] ?? null;
    if ($constant_name === null || !defined($constant_name)) {
        return '';
    }

    return constant($constant_name) ?? '';
}
// Never expose keys in JavaScript
/**
 * Expose the lead form's client-side configuration.
 *
 * Everything passed to wp_localize_script() ends up in page source, so only
 * public, per-visitor values belong here: the AJAX endpoint and a nonce.
 * API keys must never be added to this array.
 */
function enqueue_lead_scripts() {
    $client_config = [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('lead_capture'),
    ];

    wp_localize_script('lead-form', 'leadFormConfig', $client_config);
}
Integration Security
Secure connections to CRM and marketing tools:
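/**
 * Push a saved lead to the HubSpot contacts API.
 *
 * @param array $lead Lead record as built by process_lead_form() (email, name, company).
 * @return bool True on a 2xx response, false on any failure (which is logged).
 */
function send_lead_to_crm($lead) {
    $api_key = get_api_key('hubspot');
    if (empty($api_key)) {
        log_integration_error('hubspot', 'API key not configured');
        return false;
    }

    // Nothing to send without an email; avoid a guaranteed API error.
    $email = $lead['email'] ?? '';
    if ($email === '') {
        log_integration_error('hubspot', 'Lead has no email');
        return false;
    }

    $body = json_encode([
        'properties' => [
            ['property' => 'email',     'value' => $email],
            ['property' => 'firstname', 'value' => $lead['name'] ?? ''],
            ['property' => 'company',   'value' => $lead['company'] ?? ''],
        ],
    ]);
    // json_encode() returns false on invalid UTF-8 rather than throwing.
    if ($body === false) {
        log_integration_error('hubspot', 'Could not encode lead: ' . json_last_error_msg());
        return false;
    }

    // wp_remote_post() verifies TLS certificates by default ('sslverify' => true);
    // do not disable that to work around certificate problems.
    $response = wp_remote_post('https://api.hubapi.com/contacts/v1/contact', [
        'headers' => [
            'Authorization' => 'Bearer ' . $api_key,
            'Content-Type'  => 'application/json',
        ],
        'body'    => $body,
        'timeout' => 15,
    ]);

    if (is_wp_error($response)) {
        log_integration_error('hubspot', $response->get_error_message());
        return false;
    }

    // wp_remote_retrieve_response_code() returns '' when no code is available;
    // cast so a missing code is treated as failure instead of comparing as a string.
    $code = (int) wp_remote_retrieve_response_code($response);
    if ($code < 200 || $code >= 300) {
        // Log only the status code: the response body may echo lead PII.
        log_integration_error('hubspot', 'API error: ' . $code);
        return false;
    }

    return true;
}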
Webhook Security
Secure incoming webhooks from integrations:
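/**
 * Receive and verify a Stripe webhook, then dispatch the event.
 *
 * Always terminates the request: 400 for an unverifiable request, 500 when the
 * endpoint is not configured (so Stripe retries), 200 once handled. Response
 * bodies are fixed strings; exception messages are never echoed back.
 */
function handle_stripe_webhook() {
    $payload = (string) file_get_contents('php://input');
    $sig_header = $_SERVER['HTTP_STRIPE_SIGNATURE'] ?? '';

    // NOTE(review): get_api_key() as shown on this page has no 'stripe_webhook'
    // entry, so this returns '' until the signing secret is added there.
    $webhook_secret = get_api_key('stripe_webhook');

    // Never verify against an empty secret: refuse to process until configured.
    if ($webhook_secret === '') {
        log_integration_error('stripe', 'Webhook signing secret not configured');
        http_response_code(500);
        exit('Webhook not configured');
    }

    try {
        // constructEvent() validates the signature and the payload timestamp.
        $event = \Stripe\Webhook::constructEvent(
            $payload, $sig_header, $webhook_secret
        );
    } catch (\UnexpectedValueException $e) {
        http_response_code(400);
        exit('Invalid payload');
    } catch (\Stripe\Exception\SignatureVerificationException $e) {
        http_response_code(400);
        exit('Invalid signature');
    }

    // Record receipt before processing so a handler crash still leaves a trace.
    log_webhook('stripe', $event->type, $event->id);

    switch ($event->type) {
        case 'customer.subscription.created':
            handle_new_subscription($event->data->object);
            break;
        case 'invoice.payment_succeeded':
            handle_payment_success($event->data->object);
            break;
        default:
            // Unhandled event types are acknowledged so Stripe does not retry them.
            break;
    }

    http_response_code(200);
    exit();
}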
A/B Testing Security
Secure landing page variants:
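/**
 * Pick (or recall) the A/B variant shown to the current visitor for a page.
 *
 * The first call in a session assigns a variant at random and stores it in
 * $_SESSION; later calls return the stored assignment so the visitor sees a
 * consistent page.
 *
 * @param int $page_id Post ID carrying the '_ab_variants' meta.
 * @return mixed The assigned variant, or null when the page has no variants.
 */
function get_page_variant($page_id) {
    $variants = get_post_meta($page_id, '_ab_variants', true) ?: [];

    // Post meta is untyped storage: guard against a scalar or malformed value,
    // which would make array_rand() throw.
    if (!is_array($variants) || $variants === []) {
        return null;
    }

    // NOTE(review): assumes a PHP session was started earlier in the request —
    // WordPress does not start one by default. Without an active session the
    // assignment is only remembered for the current request.
    $session_key = 'ab_' . $page_id;
    if (isset($_SESSION[$session_key])) {
        return $_SESSION[$session_key];
    }

    // array_rand() is not a CSPRNG, which is fine here: bucketing is not a
    // security decision.
    $variant = $variants[array_rand($variants)];
    $_SESSION[$session_key] = $variant;

    log_ab_assignment($page_id, $variant, $_SERVER['REMOTE_ADDR'] ?? '');

    return $variant;
}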
// Protect variant data from manipulation
/**
 * Count a conversion for a variant, but only if this visitor was assigned it.
 *
 * The variant ID comes from the client; the session-stored assignment is the
 * server-side source of truth, so mismatches are dropped rather than counted.
 *
 * @param mixed $variant_id Variant the client claims to have converted on.
 * @return bool True when the conversion was recorded, false when rejected.
 */
function track_conversion($variant_id) {
    $session_key = 'ab_' . get_variant_page($variant_id);
    $assigned = $_SESSION[$session_key] ?? null;

    // No assignment, or a different one: reject the conversion claim.
    if ($assigned === null || $assigned !== $variant_id) {
        return false;
    }

    increment_variant_conversions($variant_id);
    return true;
}
Pricing Page Protection
Prevent pricing manipulation:
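/**
 * Return the authoritative server-side price for a plan.
 *
 * The client-submitted price is never used for billing; it is only compared
 * against the stored price so tampering attempts can be logged.
 *
 * @param mixed $plan_id         Plan identifier from the request.
 * @param mixed $submitted_price Price the client claims to have selected.
 * @return mixed WP_Error when the plan does not exist, otherwise the plan's stored price.
 */
function verify_pricing_selection($plan_id, $submitted_price) {
    $plan = get_pricing_plan($plan_id);
    if (!$plan) {
        return new WP_Error('invalid_plan', 'Selected plan not found');
    }

    // Form values arrive as strings and may not be numeric at all; abs() on a
    // non-numeric string throws a TypeError under PHP 8, so normalise first.
    $actual = (float) $plan['price'];
    $submitted = is_numeric($submitted_price) ? (float) $submitted_price : null;

    if ($submitted === null || abs($actual - $submitted) > 0.01) {
        log_security_event([
            'type'      => 'price_manipulation',
            'plan_id'   => $plan_id,
            'submitted' => $submitted_price,
            'actual'    => $plan['price'],
            'ip'        => $_SERVER['REMOTE_ADDR'] ?? '',
        ]);
        // Deliberately no early return: the stored price is used regardless.
    }

    return $plan['price'];
}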
Demo Request Security
Protect demo scheduling endpoints:
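/**
 * Validate a demo request, store it, and forward it to the calendar integration.
 *
 * @param array $request_data Raw submission (nonce, email, name, company, time).
 * @return mixed WP_Error on rejection, otherwise ['success' => true, 'demo_id' => ...].
 */
function schedule_demo($request_data) {
    // CSRF: same protection as the lead form. The form must be rendered with
    // wp_create_nonce('demo_request') for this check to pass.
    if (!wp_verify_nonce($request_data['nonce'] ?? '', 'demo_request')) {
        return new WP_Error('invalid_nonce', 'Security verification failed');
    }

    // Validate the address before looking at its domain.
    $email = sanitize_email($request_data['email'] ?? '');
    if (!is_email($email)) {
        return new WP_Error('invalid_email', 'Please enter a valid email');
    }

    // strrchr() returns false when there is no '@'; is_email() should prevent
    // that, but do not feed false into substr().
    $at_part = strrchr($email, '@');
    $domain = $at_part === false ? '' : strtolower(substr($at_part, 1));
    $personal_domains = ['gmail.com', 'yahoo.com', 'hotmail.com', 'outlook.com'];
    if (in_array($domain, $personal_domains, true)) {
        return new WP_Error('business_email_required', 'Please use a business email');
    }

    // Company name is optional; when present it must be at least two characters.
    $company = '';
    if (!empty($request_data['company'])) {
        $company = sanitize_text_field($request_data['company']);
        // mb_strlen: a single non-ASCII character is more than one byte.
        // Basic validation only - could integrate with Clearbit or similar.
        if (mb_strlen($company) < 2) {
            return new WP_Error('invalid_company', 'Please enter your company name');
        }
    }

    $demo = [
        'email'          => $email,
        'name'           => sanitize_text_field($request_data['name'] ?? ''),
        'company'        => $company,
        'preferred_time' => sanitize_text_field($request_data['time'] ?? ''),
        'status'         => 'pending',
        'created_at'     => current_time('mysql'),
    ];

    // NOTE(review): save_demo_request()'s failure value is not shown on this
    // page; the calendar push below runs regardless of it, as in the original.
    $demo_id = save_demo_request($demo);

    send_to_calendly($demo);

    return ['success' => true, 'demo_id' => $demo_id];
}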
Conclusion
SaaS landing page security requires protecting lead data, securing API integrations, validating form submissions, and preventing pricing manipulation. Regular security audits help identify vulnerabilities before they impact lead generation.
Written by Sarah Chen
WP Folder Shield Team