Sobi Forms
Sobi Forms is a lightweight contact form plugin built for speed and simplicity. Create multiple forms, embed them anywhere with a shortcode or Gutenberg block, and keep your front-end lean.
Learn more on the official site: sobiforms.com — features, FAQ, and the public roadmap.
Integrations (1.6)
- SMTP — route notification and visitor confirmation emails through your own mail server (Sobi Forms → Settings → SMTP). Test connection, send test email, optional wp-config password constant. Logs tab for failed deliveries with Retry.
- Webhooks — POST submission data as JSON to Zapier, Make, or any HTTPS endpoint. Configure the URL per form under After submit; Settings → Webhooks overview and Logs tab (30 days) with Retry on failures.
Performance-first front-end
- Vanilla JavaScript on the front-end
- ~3.7 KB CSS + JS combined (gzipped transfer; ~13.3 KB unminified source on form pages)
- Assets enqueue only when a form is rendered on the page – zero impact on other pages
- Script loaded in the footer with
deferstrategy (WordPress 6.3+) - No global front-end CSS frameworks
Form builder (admin only)
- Redesigned editor for more comfort — form canvas on the left, settings sidebar on the right; save without a full page reload
- Lucide icons in the admin builder and submissions inbox (modern, consistent UI)
- Document-first drag-and-drop editor (React via WordPress
wp-element, loaded only on the form edit screen) - Field types: text, email, link (URL), textarea, phone, number, date, select, multiple choice (radio tiles), multi-option checkbox, file upload; layout blocks: title (section heading), paragraph (instructions)
- URL prefill: optional per-field URL parameter to pre-populate scalar fields from query strings (client-side; cache-friendly)
- Hidden fields: compact sidebar table to pass invisible data (URL params and/or static defaults); invisible on the front; always submitted; visible in inbox
- File upload: one file per field; admin picks allowed types by category (Application, Image, Text) or individual extensions; private storage under
uploads/sobiforms/; download from the Submissions inbox (admin only). Save to database is required when a form includes a file field - Field settings: number min/max; text min/max characters; date min/max; show/hide label; textarea resize and max length; file max size (default 5 MB, capped by server)
- Radio and multi-checkbox options edited inline in the builder (add option, remove on hover); dropdown options in the field menu
- After submit — visitor response (success message or redirect) plus action cards: save to inbox, admin notification, user confirmation, webhook (Add action picker; retention on save to inbox)
- Availability: pause a form, auto-close at a date/time, or after a set number of submissions, with a visitor message when closed
Embedding
- Shortcode:
[sobiforms id="3"]or[sobiforms slug="contact"](ID or slug required; slug is fixed after creation) - Gutenberg block: Sobi Forms Contact with form picker
- Works with any page builder that supports shortcodes or blocks
Submissions
- Email notifications via
wp_mail()(HTML) or optional custom SMTP (configure under Sobi Forms → Settings) - Optional visitor confirmation email — simple thank-you receipt (configure under After submit in the form builder)
- Per-form delivery — combine inbox save, admin email, and/or webhook; new forms default to inbox save plus admin notification to the creator
- Inbox with read/unread, starred, spam queue, admin notes, search and filters; split list + detail layout with resizable columns; All / Unread / Starred view tabs and per-form filter in the list header
- Submission source page — frozen page title and pathname at submit time in the detail sidebar (no query string; use hidden fields for UTM/campaign params)
- Dashboard widget on the WordPress admin home — recent unread submissions at a glance; Create your first form when no forms exist yet
- Optional Akismet spam filtering (configure under Sobi Forms → Settings → Spam protection)
- Settings — SMTP (routing, test, Logs tab with failed deliveries and Retry) and Webhooks (Overview + Logs tabs; configure each webhook under After submit in the builder); Spam protection (rate limit, Akismet, optional Cloudflare Turnstile)
- Honeypot, nonce verification, configurable rate limiting (default 10 submissions/hour per hashed IP; disable with 0)
Security
- Nonce on every submission
- Honeypot field
- Server-side field validation against a strict JSON schema
- Capability checks and nonces on all admin actions
- Optional Akismet integration — spam submissions quarantined when the Akismet plugin is active
- File uploads — server-side MIME validation; upload directory hardened on Apache (direct HTTP access denied); admin-only download with path verification
Privacy Policy
Sobi Forms processes data submitted through your forms. Per form you choose how submissions are delivered:
- Email notifications – when the admin notification action is enabled with valid recipient addresses, field values are sent via
wp_mail()or SMTP. - Visitor confirmation – when Send user confirmation is enabled under After submit, the submitter may receive a simple thank-you at the address from the selected email field (no submitted field values in that email).
- Database storage – when Save to inbox is enabled (default for new forms), submissions are saved in custom tables on your site (
wp_sobiforms_submissions,wp_sobiforms_forms). Retention / auto-purge is configured on that action. You can use inbox-only delivery with no email. - Hashed IP – when storage is enabled, a one-way SHA-256 hash of the visitor IP is stored with each submission for abuse prevention. Raw IP addresses are not stored.
- Rate limiting – configurable under Settings → Spam protection (default 10 submissions per hashed IP per hour; set to 0 to disable). Transients expire automatically.
- Admin notes – internal notes on submissions are stored in your database and never shown on the front-end or included in emails.
- No tracking – Sobi Forms does not connect to third-party analytics or advertising when processing form submissions.
- Optional Akismet – if you enable Akismet spam filtering under Settings → Spam protection and the Akismet plugin is active, submission content may be sent to Akismet’s service for spam checks.
- Optional Cloudflare Turnstile – if you enable Turnstile under Settings → Spam protection, the browser loads Cloudflare’s Turnstile script and may send a verification token to Cloudflare when a form is submitted.
- Optional Webhooks – if you add Trigger webhook under After submit, submission data (and file URLs when applicable) are POSTed to the URL you provide.
- No data sent to the plugin author – form submissions stay on your server and mail server. The Feedback settings tab links to the WordPress.org support forum and sobiforms.com/roadmap only if you choose to open them.
Site owners are responsible for their privacy policy and lawful basis for collecting visitor data.
Licenses for Third-Party Resources
This plugin bundled resources covered by their own respective licenses: * Lucide Icons – https://lucide.dev License: ISC (https://lucide.dev/license) Copyright (c) Lucide Contributors
