Manage personal, confidential messages for your parish retreats: attendants, encrypted letters, fine-grained permissions and GDPR compliance — all in one plugin.
DFX Parish Retreat Letters lets your parish manage the full lifecycle of confidential personal messages for retreat attendants — from collecting letters through a public web form to printing them securely in the admin, while keeping every piece of content fully encrypted and every action fully audited.
How it works
- Create a retreat and register your attendants.
- Share each attendant's unique, private URL with the people who want to write to them — family, friends, spiritual directors.
- Writers fill in the form on a clean public page: rich-text message, image and document attachments, legal disclaimer, arithmetic CAPTCHA.
- Messages are stored encrypted in the database. Nobody can read them by browsing the admin — they are only revealed at print time.
- Authorised staff print the messages from the admin panel. Each print is logged with user, timestamp and IP.
- Messages are handed to attendants during or after the retreat.
Retreat and attendant management
- Create retreats with name, location, dates and a custom welcome message for the submission form.
- Legal disclaimer and acceptance checkbox, configurable per retreat.
- Optional notes and internal (non-exportable) notes per attendant.
- CSV import for attendants with merge mode for emergency-contact data.
- Each attendant has a profile with name, surnames, date of birth, inviting person, incompatibilities and emergency-contact details.
- Full CSV export including message URL and received-letter count per attendant.
Public submission form
- Cryptographically secure unique URL per attendant. Anyone with the link can submit a message without a WordPress account.
- Rich-text editor with formatting, images, and paste from Word or Google Docs.
- Attachments: images and documents (PDF, DOCX…). Multiple non-image files are bundled into a ZIP at print time.
- Arithmetic CAPTCHA against bots. Logged-in WordPress users skip it.
- Rate limiting (30 submissions/hour per IP) to prevent abuse.
- URL suffix with attendant initials for visual identification without exposing full name.
Confidentiality and printing
- The admin never displays message content. There is no preview panel — content is only decrypted and shown at print time.
- Every print is recorded in the print log (user, timestamp, IP).
- Multiple images in a single message are laid out so they don't split across pages.
- Opt-in “From / To” header generated in the recipient's browser (pdf-lib), with zero server memory cost.
Three-tier permission system
- Plugin Administrators (with the manage_retreat_plugin capability): create and delete retreats, manage attendants and permissions across all retreats, access global and privacy settings.
- Retreat Managers (assigned per retreat): full control of their assigned retreat and the Message Managers they invite to it.
- Message Managers (assigned per retreat): can only open and print confidential letters for their retreat. They don't edit attendants or data. Their prints are logged.
- Email invitations with secure, time-limited tokens. If the invitee already has a WordPress account, the role is granted on acceptance; otherwise an account is created automatically.
Encryption and security
- Content and attachments encrypted with AES-256-CBC and authenticated with HMAC-SHA256 before being written to disk or database.
- Encryption key auto-generated on first activation. The plugin nudges you to move it to wp-config.php as the DFXPRL_ENCRYPTION_KEY constant. Detects and resolves mismatches between file and database key.
- Audit log of every sensitive action: grants, revocations, invitations, prints.
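The AES-256-CBC plus HMAC-SHA256 combination named above is only safe when the tag is verified before decryption. The following PHP is an added example, not the plugin's own code: the function names, the encrypt-then-MAC layout, the HKDF subkey derivation and the sample text are assumptions, and it needs PHP's openssl extension.

```php
<?php
// Added example, hypothetical names. Assumed layout: base64(IV || tag || ciphertext).
function demo_keys(string $master): array {
    // Separate encryption and MAC keys derived from one master key.
    return [hash_hkdf('sha256', $master, 32, 'demo-enc'),
            hash_hkdf('sha256', $master, 32, 'demo-mac')];
}

function demo_encrypt(string $plaintext, string $master): string {
    [$encKey, $macKey] = demo_keys($master);
    $iv = random_bytes(16); // fresh random IV for every message
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The tag covers IV and ciphertext, so neither can change unnoticed.
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $tag . $ct);
}

function demo_decrypt(string $blob, string $master): string {
    [$encKey, $macKey] = demo_keys($master);
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 64) { // 16 IV + 32 tag + one block
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, 16);
    $tag = substr($raw, 16, 32);
    $ct  = substr($raw, 48);
    // Check the tag in constant time before any decryption or padding check.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed demo: round trip, then flip one ciphertext bit.
$key  = random_bytes(32);
$blob = demo_encrypt('Constructed sample letter text', $key);
echo demo_decrypt($blob, $key), PHP_EOL;
$bad = base64_decode($blob);
$bad[60] = $bad[60] ^ "\x01"; // offset 60 lies inside the ciphertext
try { demo_decrypt(base64_encode($bad), $key); }
catch (RuntimeException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```

When reviewing any CBC-plus-HMAC implementation, confirm that the MAC input includes the IV and that the comparison uses `hash_equals` rather than `==` or `===`.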
GDPR and privacy compliance
- Right to Erasure (GDPR Art. 17): delete all personal data for an email or attendant in one action.
- Data Portability (GDPR Art. 20): export all personal data associated with an email as a structured file.
- IP anonymisation after a configurable retention period (default 30 days) via daily cron.
- Configurable retention: set how long messages and audit log entries are kept before automatic deletion.
- Designed with the Spanish LOPD-GDD in mind in addition to GDPR.
Status and licence
Stable release, in production use. Current version: 26.05.20. Tested up to WordPress 6.9. Requires PHP 7.4 or higher. Licence: GPLv3 or later. Full Spanish translation included; a .pot template ships for adding more languages.


