A secure, cache-compatible WordPress form builder plugin. Write custom HTML forms while we handle security, spam protection, and email notifications automatically.
Developer Documentation: DEVELOPER.md | Website: ProWPKit.com
- Raw HTML Forms - Full control over your form design
- Built-in Security - Nonce checks, honeypot, captcha, rate limiting
- Secure File Vault - Protected uploads with role-based access control
- Professional Emails - Branded HTML templates with custom styling
- Anti-Spam - Cloudflare Turnstile, reCAPTCHA, IP rate limiting
- Admin Dashboard - Manage submissions with filters and search
- Cache Compatible - Works with all caching plugins and CDNs
- Customizable - Full CSS control and email template customization
- File Uploads - Secure uploads with type validation and ownership checks
- Download the plugin
- Upload to /wp-content/plugins/pwp-forms/
- Activate via WordPress Admin → Plugins
- Go to PWP Forms to create your first form
- Navigate to PWP Forms → Add New Form
- Add your HTML in the Form tab:

```html
<div class="pwp-field">
  <label>Your Name</label>
  <input type="text" name="name" class="pwp-input" required />
</div>
<div class="pwp-field">
  <label>Email</label>
  <input type="email" name="email" class="pwp-input" required />
</div>
<div class="pwp-field">
  <label>Message</label>
  <textarea name="message" class="pwp-textarea" rows="5" required></textarea>
</div>
```

- Configure email settings in the Mail tab
- Click Publish and copy the shortcode
Add the shortcode to any page or post:
[pwp_form id="123"]
Use the toolbar to insert field types:
- Text Inputs: Text, Email, Tel, URL, Number, Date
- Selection: Dropdown, Checkbox, Radio
- Advanced: File Upload, Acceptance, Hidden
The submit button is added automatically. Customize the label above the editor.
Configure in the Mail tab:
Smart Tags Available:
- [your-name], [your-email] - Form field values
- [_all_fields] - Auto-generated table of all data
- [_site_title], [_site_url] - Website info
- [_date], [_time] - Submission timestamp
Example Template:

```html
<h2>New Contact Form Submission</h2>
<p>From: [your-name] ([your-email])</p>
<p>Message: [your-message]</p>
<hr />
<p>Submitted: [_date] at [_time]</p>
```

Customize in PWP Forms → Settings → Email Templates:
- Logo URL
- Color palette (background, container, text, accent)
- Font family and size
- Footer text
All emails (automated + admin replies) use these settings.
Go to PWP Forms β Submissions to:
Filter by:
- Status (New, Read, Replied, Closed)
- Date (month/year picker)
- Search (email, content, or form ID)
Actions:
- View submission details
- Reply directly to user
- Change status
- Delete submission
- Bulk delete
GDPR Compliance:
- Use "Privacy Tools" to delete all data for an email address
- Removes submissions and associated files
Configure in PWP Forms → Settings → General:
Captcha Options:
- Cloudflare Turnstile (recommended)
  - Get free keys at Turnstile
  - No tracking, privacy-friendly
- Google reCAPTCHA v2
  - Get keys at reCAPTCHA
Rate Limiting:
- Default: 10 submissions per hour per IP
- Prevents spam and abuse automatically
- No configuration needed
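As an added example (not the plugin's own code) of the per-IP limit described above, and of the filter-based customisation the changelog mentions: a fixed-window counter kept in a WordPress transient. The function names, the transient key prefix and the filter name `example_pwp_forms_rate_limit` are assumptions made for this example; the plugin's real hooks are documented in DEVELOPER.md.

```php
<?php
// Added example, not the plugin's own code. Function names, the transient key
// prefix and the filter name are assumptions.

/**
 * Fixed-window limiter: true if $ip may submit, false once it has used up
 * $limit submissions in the current $window. State is kept in a transient
 * keyed by a hash of the IP, so raw addresses are not written to the
 * options table.
 */
function example_pwp_rate_limit_check( string $ip, int $limit = 10, int $window = HOUR_IN_SECONDS ): bool {
    // Site owners can raise or lower the allowance without editing the plugin.
    $limit = (int) apply_filters( 'example_pwp_forms_rate_limit', $limit, $ip );

    $key   = 'example_pwp_rl_' . hash( 'sha256', $ip );
    $state = get_transient( $key );
    $now   = time();

    // Start a new window when there is no state or the old window has closed.
    if ( ! is_array( $state ) || ( $state['reset'] ?? 0 ) <= $now ) {
        $state = array( 'count' => 0, 'reset' => $now + $window );
    }

    if ( $state['count'] >= $limit ) {
        return false;
    }

    $state['count']++;
    // Store with the remaining lifetime so the window stays fixed rather than
    // sliding forward on every request.
    set_transient( $key, $state, max( 1, $state['reset'] - $now ) );
    return true;
}

/**
 * Use REMOTE_ADDR only. X-Forwarded-For is client-supplied and trivially
 * forged unless a reverse proxy in front of the site is known to overwrite it.
 */
function example_pwp_client_ip(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

// Usage at the top of the submission handler, after the nonce check:
// if ( ! example_pwp_rate_limit_check( example_pwp_client_ip() ) ) {
//     wp_send_json_error( array( 'message' => 'Too many submissions. Please try again later.' ), 429 );
// }
```

On a site with a persistent object cache the transient lives in that cache; without one it lives in the options table, where WordPress removes expired entries lazily. Either way the limit is enforced per PHP process pool, not per CDN edge, which is why the page-cache compatibility above matters: the check runs on the uncached AJAX submission, not on the cached page.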
The plugin includes minimal styling. Add custom CSS in your theme:

```css
.pwp-form {
  max-width: 600px;
}
.pwp-input,
.pwp-textarea {
  border: 2px solid #e0e0e0;
  border-radius: 8px;
  padding: 12px;
}
.pwp-submit {
  background: #667eea;
  color: white;
  padding: 16px 48px;
}
```

Built-in Classes:
- .pwp-field - Field wrapper
- .pwp-input - Input styling
- .pwp-textarea - Textarea styling
- .pwp-half - 50% width on desktop
- .pwp-third - 33% width on desktop
Security Fix (Critical):
- SQL Injection Protection - Fixed critical SQL injection vulnerability in submissions search
- WordPress.org Compliance - Replaced esc_sql() with $wpdb->prepare() statements
- Proper Escaping - Implemented $wpdb->esc_like() for LIKE query wildcards
- Code Quality - Meets WordPress.org plugin directory security standards
Recommendation: Immediate update recommended for all users.
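To make the three changelog items above concrete, here is an added example (written for this README, not the plugin's actual code before or after the fix) of the query pattern the entry describes being replaced, next to the `$wpdb->prepare()` / `$wpdb->esc_like()` form. The table and column names are assumptions; the status values are the ones listed in the Submissions section.

```php
<?php
// Added example, not the plugin's own code. Table and column names are
// assumptions; the statuses come from the Submissions section of this README.

/**
 * Illustrative "before" pattern of the kind the changelog describes as replaced.
 * esc_sql() only escapes quote characters, so it is only safe inside a quoted
 * string literal: it offers no protection for an unquoted value such as a form
 * id, and it leaves the LIKE wildcards % and _ untouched, so a search term of
 * "%" matches every row.
 */
function example_search_before( string $term, string $form_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_pwp_submissions';
    $term  = esc_sql( $term );
    $form  = esc_sql( $form_id ); // used unquoted below: escaping quotes does not help here
    return $wpdb->get_results(
        "SELECT * FROM {$table} WHERE form_id = {$form} AND (email LIKE '%{$term}%' OR content LIKE '%{$term}%')"
    );
}

/**
 * Hardened version: every user-controlled value goes through $wpdb->prepare()
 * with a typed placeholder, LIKE terms are escaped with $wpdb->esc_like()
 * before the wildcards are appended, and the status filter is checked against
 * the fixed set of values the dashboard uses.
 */
function example_search_after( string $term, int $form_id = 0, string $status = '' ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_pwp_submissions';
    $allowed = array( 'New', 'Read', 'Replied', 'Closed' );

    $sql    = "SELECT id, form_id, email, status, created_at FROM {$table} WHERE 1=1";
    $params = array();

    if ( '' !== $term ) {
        $like     = '%' . $wpdb->esc_like( $term ) . '%';
        $sql     .= ' AND (email LIKE %s OR content LIKE %s)';
        $params[] = $like;
        $params[] = $like;
    }
    if ( $form_id > 0 ) {
        $sql     .= ' AND form_id = %d';
        $params[] = $form_id;
    }
    if ( in_array( $status, $allowed, true ) ) {
        $sql     .= ' AND status = %s';
        $params[] = $status;
    }
    $sql     .= ' ORDER BY created_at DESC LIMIT %d';
    $params[] = 50;

    // prepare() accepts the placeholder values as a single array.
    return $wpdb->get_results( $wpdb->prepare( $sql, $params ) );
}
```

The table name is the one part still interpolated; that is acceptable only because it is built from `$wpdb->prefix` and a literal, never from request data.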
Major Security Enhancements:
- Secure File Vault - Files now upload to protected /pwp-secured/ directory
- Access Control - .htaccess blocks all direct file access (403 Forbidden)
- Role-Based Viewers - Admins can view all files, users only their own
- Ownership Verification - Critical security checks prevent unauthorized access
- Output Buffer Protection - Prevents file corruption from stray output
- Proper MIME Types - Ensures correct file type headers for downloads
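The six items above describe one download path. As an added example (not the plugin's own code), here is a handler that ties them together: the directory is denied to the web server, so every download goes through `admin-post.php`, where the nonce, path containment, ownership, output buffer and MIME headers are handled in turn. It assumes the `wp-content/uploads/pwp-secured/` directory named above, a table recording which user uploaded each stored file, and the action and table names used below.

```php
<?php
// Added example, not the plugin's own code: a download endpoint for files held
// in the protected vault directory. It assumes the directory
// wp-content/uploads/pwp-secured/ (named in the changelog), a table that records
// which user uploaded each stored file, and the hook/action names used below.
//
// The directory itself is closed to the web server with an .htaccess such as
//     Require all denied
// (Apache 2.4 syntax), so every download must pass through this handler.

add_action( 'admin_post_example_pwp_download', 'example_pwp_serve_vault_file' );
add_action( 'admin_post_nopriv_example_pwp_download', 'example_pwp_serve_vault_file' );

function example_pwp_serve_vault_file(): void {
    // Links are built with:
    // wp_nonce_url( admin_url( 'admin-post.php?action=example_pwp_download&file=NAME' ), 'example_pwp_download' )
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required.', 401 );
    }
    check_admin_referer( 'example_pwp_download' ); // dies on a bad or missing _wpnonce

    $name = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    if ( '' === $name ) {
        wp_die( 'Missing file name.', 400 );
    }

    // Resolve both paths and require the file to sit strictly inside the vault;
    // realpath() also follows symlinks, so a link pointing outside fails the check.
    $vault = realpath( wp_upload_dir()['basedir'] . '/pwp-secured' );
    $path  = ( false === $vault ) ? false : realpath( $vault . '/' . $name );
    if ( false === $path || ! is_file( $path )
        || 0 !== strpos( $path, $vault . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'File not found.', 404 );
    }

    // Ownership verification: administrators may fetch any file, other users
    // only files attached to their own submissions.
    global $wpdb;
    $owner = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}example_pwp_files WHERE stored_name = %s",
        $name
    ) );
    if ( ! current_user_can( 'manage_options' ) && ( 0 === $owner || $owner !== get_current_user_id() ) ) {
        wp_die( 'You are not allowed to access this file.', 403 );
    }

    // Output buffer protection: anything a theme or plugin already echoed
    // (a stray whitespace, a PHP notice) would be prepended to the file bytes.
    while ( ob_get_level() > 0 ) {
        ob_end_clean();
    }

    $type = wp_check_filetype( $name ); // extension-based lookup against WP's MIME map
    nocache_headers();
    header( 'Content-Type: ' . ( $type['type'] ?: 'application/octet-stream' ) );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
}
```

`Content-Disposition: attachment` plus `nosniff` means a file that slipped past upload validation is downloaded rather than rendered in the browser, which limits what an uploaded HTML or SVG file could do to other users of the dashboard.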
Additional Security Improvements:
- Fixed PII leak on cached pages
- Fixed nonce expiry issues
- Added IP-based rate limiting (10/hour)
- Safe file deletion with usage checks
- Admin replies use HTML templates
Performance:
- Full caching compatibility (CDN, page cache)
- Dynamic data loading via JavaScript
- Reduced server processing
New Features:
- Client-side user data population
- Fresh nonce fetching on page load
- Customizable rate limits via filter
- Nginx configuration support for file protection
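The PII leak, the nonce expiry fix, "dynamic data loading via JavaScript" and "fresh nonce fetching on page load" are one design decision seen from four sides. As an added example (not the plugin's own code), the pattern looks like this: a nonce printed into the page is frozen by a page cache or CDN, so it expires for every visitor once the cached copy outlives it, and a logged-in user's name or email rendered into the form would be served to other visitors from the same cache; fetching both over AJAX after load avoids both. The hook, action and field names (`example_pwp_bootstrap`, `example_pwp_submit`, a hidden `_pwpnonce` input in the form) are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hook, action and field names are
// assumptions; the form is assumed to carry <input type="hidden" name="_pwpnonce">.

add_action( 'wp_ajax_example_pwp_bootstrap', 'example_pwp_bootstrap' );
add_action( 'wp_ajax_nopriv_example_pwp_bootstrap', 'example_pwp_bootstrap' );

function example_pwp_bootstrap(): void {
    nocache_headers(); // per-visitor response: must never be cached
    $user = wp_get_current_user();
    wp_send_json_success( array(
        'nonce' => wp_create_nonce( 'example_pwp_submit' ),
        // Prefill data travels here instead of in the cached HTML.
        'name'  => $user->exists() ? $user->display_name : '',
        'email' => $user->exists() ? $user->user_email : '',
    ) );
}

// Client side: the cached page ships an empty form; the browser fills in the
// nonce and the prefill values after load, so the HTML never contains either.
add_action( 'wp_enqueue_scripts', function (): void {
    wp_register_script( 'example-pwp-bootstrap', false, array(), '1.0', true ); // inline-only handle
    wp_enqueue_script( 'example-pwp-bootstrap' );
    $js = <<<'JS'
document.querySelectorAll('form.pwp-form').forEach(function (form) {
  fetch(AJAX_URL + '?action=example_pwp_bootstrap', { credentials: 'same-origin' })
    .then(function (r) { return r.json(); })
    .then(function (res) {
      if (!res.success) { return; }
      form.querySelector('input[name="_pwpnonce"]').value = res.data.nonce;
      var name = form.querySelector('input[name="name"]');
      var email = form.querySelector('input[name="email"]');
      if (name && !name.value) { name.value = res.data.name; }
      if (email && !email.value) { email.value = res.data.email; }
    });
});
JS;
    wp_add_inline_script(
        'example-pwp-bootstrap',
        str_replace( 'AJAX_URL', wp_json_encode( admin_url( 'admin-ajax.php' ) ), $js )
    );
} );

// Server side of the submission: verify the freshly fetched nonce before
// reading any field (rate limiting and captcha checks would follow it).
add_action( 'wp_ajax_example_pwp_submit', 'example_pwp_handle_submit' );
add_action( 'wp_ajax_nopriv_example_pwp_submit', 'example_pwp_handle_submit' );

function example_pwp_handle_submit(): void {
    check_ajax_referer( 'example_pwp_submit', '_pwpnonce' ); // replies 403 and exits on failure
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    wp_send_json_success( array( 'received' => '' !== $message ) );
}
```

The nonce is generated at the moment the visitor's browser asks for it, so its lifetime starts at page view rather than at cache fill time, which is what resolves the "nonce expiry issues" entry above.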
Form Builder Improvements:
- Implemented horizontally scrollable toolbar for better accessibility
- Updated field snippets to include placeholders and human-readable values
- Replaced manual submit button with automatic, mandatory submit button
Email & Notifications:
- Added visual color swatches for color picker values in emails
Submission Management:
- Standardized default submission status to 'New'
- Added 'Closed' status for better workflow management
- Fixed status display issues in dashboard
Security Fixes:
- Fixed critical vulnerability in delete_user_data to restrict file deletion to the wp-content/uploads directory only
- Enforced strict MIME type checking for file uploads against internal whitelist
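The containment check behind the first fix, and the "safe file deletion with usage checks" entry from the earlier release, as an added example (not the plugin's `delete_user_data`): resolve the candidate path, require it to lie under the uploads directory, and skip files still referenced by another address. Table and column names are assumptions.

```php
<?php
// Added example, not the plugin's own code: the containment check the changelog
// describes for delete_user_data, plus the "usage check" from the earlier release
// note. Table and column names are assumptions.

/**
 * Delete a file only if its resolved path lies inside wp-content/uploads.
 * realpath() follows symlinks, so a link inside uploads that points elsewhere
 * resolves outside the directory and is refused.
 */
function example_pwp_safe_unlink( string $candidate ): bool {
    $uploads = realpath( wp_upload_dir()['basedir'] );
    $real    = realpath( $candidate );
    if ( false === $uploads || false === $real || ! is_file( $real ) ) {
        return false;
    }
    // The trailing separator keeps "/uploads-old/x" from matching "/uploads".
    if ( 0 !== strpos( $real, $uploads . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    // Core repeats the same containment check before calling unlink().
    return wp_delete_file_from_directory( $real, $uploads );
}

/**
 * Remove everything stored for one email address (the "Privacy Tools" action):
 * files first, then the rows. A file that is still referenced by a row that
 * belongs to a different address is kept, so one deletion cannot break another
 * submission. Returns the number of submission rows removed.
 */
function example_pwp_delete_user_data( string $email ): int {
    global $wpdb;
    $email = sanitize_email( $email );
    if ( '' === $email ) {
        return 0;
    }
    $files = $wpdb->prefix . 'example_pwp_files';
    $subs  = $wpdb->prefix . 'example_pwp_submissions';

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, path FROM {$files} WHERE email = %s",
        $email
    ) );
    foreach ( $rows as $row ) {
        $others = (int) $wpdb->get_var( $wpdb->prepare(
            "SELECT COUNT(*) FROM {$files} WHERE path = %s AND email <> %s",
            $row->path,
            $email
        ) );
        if ( 0 === $others ) {
            example_pwp_safe_unlink( $row->path );
        }
    }
    $wpdb->delete( $files, array( 'email' => $email ), array( '%s' ) );
    return (int) $wpdb->delete( $subs, array( 'email' => $email ), array( '%s' ) );
}
```

Stored paths should be treated as untrusted input here even though they came from the plugin's own table: a value written by an older, buggier version or by another plugin sharing the database is exactly the case the containment check exists for.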
Bug Fixes:
- Fixed handling of multi-file uploads (e.g., <input name="files[]">)
- Improved $_FILES array normalization to correctly handle both single and array uploads
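The normalization fix and the MIME whitelist item above fit together, so here is one added example (not the plugin's own code) covering both: PHP lays out `$_FILES['files']` differently for `<input name="file">` and `<input name="files[]">`, and each resulting file is then checked by content against a fixed extension-to-MIME whitelist rather than by the browser-supplied `type`. The whitelist, the size limit and the function names are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code: normalising $_FILES for both
// <input name="file"> and <input name="files[]">, then checking each upload
// against a fixed whitelist by content rather than by the client-supplied type.
// The whitelist and size limit are assumptions chosen for the example.

const EXAMPLE_PWP_ALLOWED = array(
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
);

/**
 * PHP stores a single upload as ['name' => 'a.pdf', 'type' => ..., ...] but an
 * array input as ['name' => ['a.pdf', 'b.png'], 'type' => [...], ...]. Return a
 * flat list of per-file arrays in either case.
 */
function example_pwp_normalize_files( array $entry ): array {
    $keys = array( 'name', 'type', 'tmp_name', 'error', 'size' );
    if ( ! is_array( $entry['name'] ?? null ) ) {
        return array( $entry );
    }
    $files = array();
    foreach ( array_keys( $entry['name'] ) as $i ) {
        $file = array();
        foreach ( $keys as $k ) {
            $file[ $k ] = $entry[ $k ][ $i ] ?? null;
        }
        $files[] = $file;
    }
    return $files;
}

/**
 * Return null when the upload is acceptable, otherwise a short reason.
 */
function example_pwp_validate_upload( array $file, int $max_bytes = 5 * MB_IN_BYTES ): ?string {
    if ( UPLOAD_ERR_OK !== ( $file['error'] ?? UPLOAD_ERR_NO_FILE ) ) {
        return 'upload failed with error code ' . (int) $file['error'];
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return 'not an uploaded file';
    }
    if ( $file['size'] > $max_bytes ) {
        return 'file too large';
    }
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( ! isset( EXAMPLE_PWP_ALLOWED[ $ext ] ) ) {
        return 'extension not allowed';
    }
    // $file['type'] is whatever the browser sent; inspect the bytes instead.
    $real = ( new finfo( FILEINFO_MIME_TYPE ) )->file( $file['tmp_name'] );
    if ( $real !== EXAMPLE_PWP_ALLOWED[ $ext ] ) {
        return 'content type ' . $real . ' does not match extension .' . $ext;
    }
    return null;
}

// Usage inside the submission handler:
// foreach ( example_pwp_normalize_files( $_FILES['files'] ) as $file ) {
//     $problem = example_pwp_validate_upload( $file );
//     if ( null !== $problem ) {
//         wp_send_json_error( array( 'message' => $problem ), 400 );
//     }
// }
```

Checking both the extension and the detected content type, and requiring them to agree, is what makes the whitelist "strict": a PHP script renamed to `.png` fails the content check, and a real PNG uploaded as `.php` never reaches it because the extension is rejected first.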
- Initial release
- WordPress 6.0+
- PHP 8.0+
- HTTPS recommended
- Apache with mod_rewrite or Nginx (see DEVELOPER.md for Nginx configuration)
We welcome contributions! See DEVELOPER.md for technical documentation.
For Developers:
- Hooks & Filters documentation
- AJAX endpoints
- Database schema
- Secure file handling architecture
- Customization examples
GPLv2 or later. See LICENSE for details.
- Documentation: DEVELOPER.md for technical docs
- Website: ProWPKit.com
- Issues: GitHub Issues
- Community: WordPress Support Forum
- Visual form builder
- Conditional logic
- Multi-step forms
- CSV export
- Webhook integrations
- Payment gateways