Error: Invalid HTTP_REFERER domain

Posted by on Jan 2, 2011 in Troubleshooting

Why do I get this error when posting the form? “Invalid HTTP_REFERER domain. See FAQ. The domain name posted from does not match the allowed domain names of this form:”

One of the security features of this form is a measure to block automated spam bots and hackers posting from off-site forms. How this works is that when the form is posted, the form code checks if the domain name of the HTTP_REFERER matches the actual domain name of the web site(ie: By checking the referrer domain name and making this comparison, the form process can find out where the request (link that was clicked) came from. If the request did not originate from your web site, then it is most likely a spammer or hack attempt and will be blocked showing the message “Invalid HTTP_REFERER domain”.

But why do I get this error when I test the form on my own site?
One possible problem is when you have more than one domain name for your website. In that case, you can do this: Turn off the referrer check. uncheck this setting: “Enable Form Post security by requiring domain name match for …” You will find this setting on the contact form settings/form editor page. Since there are other multiple security checks like CAPTCHA and Akismet, your form can have this feature disabled and still have security protection.

One other possible problem is a misconfiguration of your WordPress settings. Check the WP settings in Admin – Settings – General
Make sure these two setting use the same domain name(ie:
WordPress address (URL)
Blog address (URL)
If for some technical reason you must have these two settings on different domain names, then you can turn off the referrer check as explained in the paragraph above this one.

Discuss this issue in the WordPress plugins forum

Do you need help?

Send us a Donation:

Donate to Mike Challis