I have several websites running Contact Form 7. I have them built into the landing pages I use with AdWords.
I received an email from Google saying that my site had been hacked. It was through my landing page.
The coincidence is that several of my websites have now been hacked, and each time Google has let me know that it's come from the landing pages, which all have your contact form in.
I've looked online for answers, trying to piece together how this may have happened, and I came across a comment from you (Takayuki Miyoshi) on a forum that said that the .htaccess file should only contain the words Deny from all.
When I looked through my multisite blogs, I found that within each wpcf7_captcha folder, there was a .htaccess file that had deny and allow for certain files.
When I deleted the lines other than deny to all, the websites seemed to be cleared of infection.
What should be in the .htaccess file? And do you know of any other infections that have happened through your contact form?
Does having a captcha code help prevent malware infections?