DFX Parish Retreat Letters lets your parish manage the full lifecycle of confidential personal messages for retreat attendants — from collecting letters through a public web form to printing them securely in the admin, while keeping every piece of content fully encrypted and every action fully audited.
How it works
- Create a retreat and register your attendants.
- Share each attendant's unique, private URL with the people who want to write to them — family, friends, spiritual directors.
- Writers fill in the form on a clean public page: they can type a rich-text message, attach images or documents, and agree to a legal disclaimer. A simple arithmetic CAPTCHA protects against bots.
- Messages are stored encrypted in the database. Nobody can read them by browsing the admin — they are only revealed at print time.
- Authorised staff print the messages from the admin panel. Each print is logged with the user's name, timestamp, and IP address.
- Messages are handed to attendants during or after the retreat.
Retreat management
- Create retreats with name, location, start and end dates, and a custom welcome message shown on the submission form.
- Set a legal disclaimer text and an acceptance checkbox label that writers must tick before they can submit.
- Enable or disable optional Notes and Internal Notes fields per retreat (Notes are exportable; Internal Notes are not).
- Set custom body CSS classes on the message-form page per retreat, so each retreat can use a different visual style.
- Choose a custom header block and footer block (any WordPress block or template part) to brand the submission form page.
- Delete a retreat together with all its attendants and messages in one action.
Attendant management
- Add attendants individually or import them from a CSV file (supports merge mode to add emergency-contact data without overwriting existing records).
- Each attendant stores: name, surnames, date of birth, and the following optional fields — notes, internal notes, emergency-contact details (name, surnames, relationship, email), inviting person, and incompatibilities.
- Export attendants to CSV including their unique message URL, message count, and all standard fields.
- Sort and filter the attendant list by name, message count, notes, or any other available column.
- The attendant list shows at a glance how many messages each person has received and how many have not yet been printed.
- Delete individual attendants, or remove all attendants from a retreat at once.
Confidential message submission (public form)
- Each attendant has a unique, cryptographically secure URL (based on a random token). Anyone with the link can submit a message without logging in to WordPress.
- The submission form provides a rich-text editor (with formatting, images, and copy-paste from Word or Google Docs).
- Writers can attach images and documents (PDF, DOCX, and other common types). If a message has multiple non-image files, they are bundled into a ZIP for printing.
- An optional legal disclaimer with a configurable acceptance checkbox can be required before submission.
- A simple arithmetic CAPTCHA prevents automated submissions. Logged-in WordPress users skip the CAPTCHA.
- The form URL includes the attendant's initials as a suffix for easy identification when sharing links, without exposing the full name.
- Rate limiting (20 requests per hour per IP) prevents abuse.
Secure message access and printing
- The admin interface never displays message content — there is no content-preview panel. This protects confidentiality if a screen is visible to others.
- Authorised users open a message and click Print. The plugin decrypts the content on the fly, renders it in a print-ready format with the recipient's name and the sender's name, and sends it to the printer.
- Each print action is recorded in a print log (user, timestamp, IP address). The log is visible from the attendant's message list.
- Multiple images in a single message are laid out so they do not split across pages.
Three-tier permission system
The plugin uses three access levels, each scoped to specific retreats:
Plugin Administrators (WordPress users with the
manage_retreat_plugin capability, automatically granted to WordPress Administrators):
- Create and delete retreats.
- Manage all attendants and all messages across all retreats.
- Grant or revoke permissions for any retreat.
- Access Global Settings and Privacy & Compliance pages.
Retreat Managers (assigned per retreat):
- Full control of their assigned retreat: edit retreat details, manage attendants, access all messages.
- Invite and assign Message Managers to their retreat.
- Cannot access other retreats or global settings.
Message Managers (assigned per retreat):
- Read-only access to attendant names for context.
- Can open and print confidential messages for their retreat.
- Cannot edit attendants, retreat details, or permissions.
- All print actions are logged.
User invitations
- Invite any email address to become a Retreat Manager or Message Manager for a specific retreat directly from the retreat's Access Management tab.
- The invitee receives an email with a secure, time-limited token link.
- If the email address already belongs to a WordPress user, they are granted the role immediately on acceptance. If not, a new WordPress account is created for them.
- Pending invitations can be cancelled at any time. Expired invitations are cleaned up automatically.
Encryption and data security
- All message content and file attachments are encrypted with AES-256-CBC and authenticated with HMAC-SHA256 before being written to the database or disk.
- The encryption key is generated automatically on first activation and stored in the database. An admin notice prompts you to move it to
wp-config.php by defining the constant DFXPRL_ENCRYPTION_KEY for better security. If the constant and the database key ever differ, the plugin detects the mismatch and offers a one-click resolution.
- Every sensitive admin action (permission grants, revocations, invitation events) is written to a permission audit log.
GDPR and privacy compliance
- Right to Erasure (GDPR Article 17): delete all personal data for a specific email address or attendant in one action.
- Data Portability (GDPR Article 20): export all personal data associated with an email address as a structured file.
- IP address anonymisation: sender IP addresses are automatically anonymised after a configurable retention period (default 30 days). A daily WordPress cron job handles the cleanup.
- Configurable data retention: set how long messages and audit log entries are kept before automatic deletion.
- Spanish privacy law (LOPD-GDD): the plugin was designed with Spanish data-protection requirements in mind, in addition to GDPR.
- All settings are found under Retreats > Privacy & Compliance.
Global settings
Under
Retreats > Global Settings you can configure:
- Default header and footer blocks for the message submission form (overridable per retreat).
- Default body CSS classes for the submission form page.
- Encryption key management (including the option to remove a database-stored key in favour of the
wp-config.php constant).
Internationalisation
- The plugin ships with a complete Spanish (es_ES) translation.
- A
.pot template file is included so you can add your own language.
- The public submission form uses informal Spanish ("tú") for a friendlier tone.
- Upload the
dfx-parish-retreat-letters folder to /wp-content/plugins/.
- Activate the plugin through the WordPress Plugins menu.
- The plugin automatically creates all required database tables on activation.
- Navigate to Retreats in the WordPress admin sidebar to get started.
Recommended post-installation steps
- Go to Retreats > Global Settings and review the default header, footer, and body-class settings for the submission form.
- Go to Retreats > Privacy & Compliance and configure data-retention periods to match your local legal requirements.
- For production sites, add the following line to
wp-config.php to store the encryption key outside the database:
define( 'DFXPRL_ENCRYPTION_KEY', 'your-long-random-secret-here' );
Replace the placeholder with a long, cryptographically random string — for example one generated by wp_generate_password( 64, true, true ) in the WordPress shell, or by an equivalent secure random generator. The plugin will display a notice reminding you to do this if the key is still in the database.
- Verify that your site uses HTTPS. The submission form URLs contain sensitive tokens and must be served over a secure connection.