Every form submission is protected from Cross-Site Request Forgery (CSRF) by a security check. This error means that the security check has failed. The security check relies on the proper functioning of cookies in the browser and the plugin session system.
Solution #0 – enable “Support page caching”
Go to Forms → Settings → Tweaks & Troubleshooting and enable the option Support page caching then save the settings. Flush/empty any caching plugins you have on the site and test the form in two separate browsers to see if the issue is resolved.
Solution #1 – test with other plugins deactivated
Follow these steps to find out if the problem is caused by another plugin or the WordPress theme.
Solution #2 – deactivate extensions
If you are using a browser extension, add-on or app that could be blocking cookies in the browser, try temporarily deactivating it and test the form submission again.
Solution #3 – disable CSRF protection
You can disable the security check at Forms → Settings → Tweaks & Troubleshooting, turn off the option CSRF protection and save the settings. It is not an essential security feature – your site will not be at risk if you turn off this option.
Note that this solution will just prevent the error message from being displayed and allow the form to submit normally, it will not fix the underlying cause of the problem. You may still have issues with the File Upload field and the CAPTCHA field, which both also rely on the proper functioning of cookies in the browser and the plugin session system.
Solution #4 – ensure that the site URL is consistent
There can be problems with cookies if your site is able to be served from both HTTP and HTTPS, and/or both www and non-www subdomains. Choose one main version of the site URL and 301 redirect all other URLs to the main URL.
For example, if you are able to access your site from the four URLs below without the browser redirecting to one of them:
https://www.example.com http://www.example.com https://example.com http://example.com
Choose one of them and make sure this is the URL in the WordPress → Settings → General page, as the Site Address (URL) (and WordPress Address (URL) if WordPress is installed there).
Then ensure that the other URLs redirect to the main URL with a 301 redirect. To do this, you can add the redirect code to the .htaccess file in the WordPress root folder, above the comment # BEGIN WordPress. For the main URL you have chosen, expand the relevant section below for the redirect code you can add to the .htaccess file.
https://www.example.com
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) https://www.example.com/$1 [R=301,L]
</IfModule>- Replace
https://www.example.comwith the main URL
http://www.example.com
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} on [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
</IfModule>- Replace
http://www.example.comwith the main URL
https://example.com
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule (.*) https://example.com/$1 [R=301,L]
</IfModule>- Replace
https://example.comwith the main URL
http://example.com
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} on [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule (.*) http://example.com/$1 [R=301,L]
</IfModule>- Replace
http://example.comwith the main URL
Note: this code only applies to the Apache web server.
Solution #5 – check for 404 Not Found errors
In rare cases if you have an image or other file on the page that refers to a file that doesn’t exist on the server, it causes the entire WordPress environment to be loaded to process the 404 error, which can cause the Quform session system to malfunction due to a race condition. To check and fix this, open the browser console and refresh the page, any 404 errors should be logged to the console. Find the part of the page that is causing this 404 error and fix the path to be correct or remove it.