You are here: Sysadmins of the North » Web applications » WordPress » How to clean up Contact Form 7 temporary captcha files on IIS web servers

How to clean up Contact Form 7 temporary captcha files on IIS web servers

Contact Form 7 (CF7) is a WordPress plugin that provides a simple but flexible contact form. On IIS, Contact Form 7 captcha has one HUGE disadvantage: temporary captcha files placed in wp-content/uploads/wpcf7_captcha, are not automatically removed. The files are made read only. Here is how to remove Contact Form 7 temporary captcha files on IIS

In a short amount of time, the number of temporary captcha files created in wp-content/uploads/wpcf7_captcha by Contact Form 7, increases to enormous numbers. Slowing down your WordPress website.

Why Contact Form 7 temporary captcha files aren’t cleaned up

The reason for Contact Form 7’s temporary captcha files not being deleted is that all files are made read only, using the PHP function chmod().

The default folder in which these files are saved is wp-content/uploads/wpcf7_captcha. In a short amount of time this folder will be filled up with tens of thousands files…

Too many files for PHP and WordPress to process, so that your WordPress site becomes slow.

I’ve already described how to set or remove the read only attribute assigned to files. In this post we’ll take it one step further to semi-automatically delete Contact Form 7’s temporary captcha files.

Contact Form 7 can manage multiple contact forms, plus you can customize the form and the mail contents flexibly with simple markup. The form supports Ajax-powered submitting, CAPTCHA, Akismet spam filtering and so on.

Delete Contact Form 7’s temporary captcha files

There are two ways to delete Contact Form 7’s temporary captcha files.

#1: The first method involves editing a Contact Form 7 file called file.php, that is located in the /modules folder. Going through the file.php source there are two chmod() calls:

line 175 – 176:

// Make sure the uploaded file is only readable for the owner process
@chmod( $new_file, 0400 );Code language: PHP (php)

line 297:

@chmod( $dir, 0733 );Code language: PHP (php)

The actual cleaning up and deleting of those temporary files happens in the function wpcf7_cleanup_upload_files, starting at line 316. We look further to lines 331 – 333:

$stat = stat( $dir . $file );
if ( $stat['mtime'] + 60 < time() ) // 60 secs
    @unlink( $dir . $file );Code language: PHP (php)

On Windows Server IIS it’s required to make the files normally accessible before deleting them with unlink(). So we need to add an extra chmod() call, just before the unlink() function.

These three lines now become four lines:

$stat = stat( $dir . $file );
if ( $stat['mtime'] + 60 < time() ) // 60 secs
    chmod($dir . $file, '0755');
    @unlink( $dir . $file );Code language: PHP (php)

Unfortunately this is a file modification to file.php you have to make after each and every plugin update. In Contact Form 7 5.1.1 with Really Simple Captcha, I had to make the change in the file contact-form-7/modules/really-simple-captcha.php, on line 553.

The second method is to write a PHP script / function that deletes files older than ‘n’ seconds, for instance 1800 (30 minutes).

Unfortunately you’d have to request the URL to this script manually for the files to be deleted. Or someone has to make a hook into wp_cron, a function or plugin.

You can always try to hook this function into WordPress’ Cron utilizing the information from my post Optimize WordPress MySQL tables through Cron. As a Must-Use Plugin.

I’ll provide you with a function for you to use and expand. Provided “AS-IS” of course.

PHP function to remove Contact Form 7’s temporary captcha files

Create a new file and name it wp-maintenance.php for instance. Copy and past the code below:

 * Function to delete all temporary files older 
 * than 30 minutes created by Contact Form 7 Captcha
 * reference on Stackoverflow:
 * Follow me on Twitter: @Jan_Reilink
 * Please donate:

//flmt: file last modified time
function delSessionFiles( $dir, $flmt ) {
	if( $handle = opendir( $dir ) ) {
		while( false !== ( $file = readdir( $handle ) ) ) {
			if( $file != "." && $file != ".." ) {
				$filelastmodified = filemtime( $dir .'/'.$file );
				if( ( time() - $filelastmodified ) > $flmt && is_file( $dir .'/'.$file ) ) {
					chmod( $dir .'/'.$file, '0755' );
					unlink( $dir .'/'.$file );
		closedir( $handle );
		return TRUE;

if ( delSessionFiles( 'wp-content/uploads/wpcf7_captcha', '1800' ) === TRUE ) {
	echo "Contact Form 7 temp files deleted.";
?>Code language: PHP (php)

Upload this file to the root of your web site.

Now every time you request all temporary files older than 1800 seconds (or 30 minutes) are deleted.

Psst, want to know how to validate MIME types in PHP?

Show Your Support

donate with Paypal

If you want to step in to help me cover the costs for running this website, that would be awesome. Just use this link to donate a cup of coffee ☕($10 USD or €10 EUR for example). And please share the love and help others make use of this website. Thank you very much! <3 ❤️

4 thoughts on “How to clean up Contact Form 7 temporary captcha files on IIS web servers”

  1. Hi Wade Lim,

    Great to hear it worked great, and yes, out of the box it’s a manual process. But you can schedule a cURL or wget request as a cron job, or come to think about it: you can try to hook the clean-up function into a WordPress Cron through a Must Use Plugin. You can find some more information about this in my post Optimize WordPress MySQL tables through Cron.

  2. Hi Jan,

    I came accross this solution and it worked great for me by uploading it to the root and calling the file.
    However, it’s still a manual process. Is there any way that this could be automated? as in have it periodically call that script to delete the temp files?


  3. Hi Imtiaz, thank you for your comment. Great to hear my post provided you with a solution for this problem.

    Deleting the contents of the wpcf7_uploads file is a nice addition!

  4. Imtiaz Ahmad

    Great article and the only article I found to solve my problems of deleting the temporary files. I just added some more lines to cleanup the uploads of CSF7, i.e.,

    if (delSessionFiles(‘wp-content/uploads/wpcf7_uploads’, ‘1800’) === TRUE) {
    echo “Contact Form 7 uploaded files deleted.”;

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top