Echozat Leads Capture

Echozat Leads Capture is a lightweight form builder for WordPress. Administrators create forms using an intuitive shortcode syntax, embed them on any page or post with [echozat_leads_capture id="<hash>"], and view or export the collected submissions from a dedicated admin section.

Key features:

• Visual shortcode editor — click toolbar buttons to insert pre-built field shortcodes at the cursor position; no typing required.
• Supported field types — Text, Email, URL, Tel, Number, Date, Textarea, Dropdown (select), Checkboxes, Radio buttons, Acceptance (terms checkbox), Math captcha, Google reCAPTCHA v2, and Submit button.
• Required fields — append * to any field type (e.g. [email* your-email]) to make it required.
• Field attribute options — pass inline key:value options inside any field shortcode to control HTML attributes: placeholder, autocomplete, maxlength, minlength, pattern, min, max, step, rows, and cols. Example: [text your-name placeholder:Your Name maxlength:100].
• Per-form mail notifications — configure To/From/Subject/Body with dynamic placeholders: [field-name], [form-title], [form-id], [submission-id], [submission-date], [site-name], and [site-url].
• Per-form messages — independently override success, error, validation error, spam, captcha error, file upload error, and already-submitted messages per form.
• Per-form Google reCAPTCHA v2 — store site key and secret key at the form level.
• Submission management — paginated response list per form with IP address, user agent, timestamp, and all field values as columns; inline AJAX response detail view; cross-form “All Responses” listing with per-form filtering.
• Submission analytics — the form detail page shows total submissions, submissions this month, submissions this week, and a 30-day daily submissions chart.
• CSV export — download all responses for a form as a CSV file.
• Form duplication — clone any existing form (copies all settings; responses are not copied) with a single click.
• Admin search — search forms by title; search responses by field value, IP address, or date.
• Global SMTP settings — route all wp_mail calls through a custom SMTP server (host, port, encryption, authentication).
• Spam protection — honeypot field (silently discards bot submissions), IP-based rate limiting (5 submissions per minute by default), and duplicate-submission guard (same IP + data within 10 seconds).
• Security — nonce verification on every admin and frontend action; all database queries use $wpdb->prepare(); all output is escaped.
• Clean uninstall — activation creates two custom tables; uninstall drops them and removes all plugin options.

Source Code

The complete, human-readable (uncompiled) source for this plugin’s JavaScript
and CSS is included in the plugin package, in the assets/ directory:

• assets/admin/js/, assets/public/js/ — source JavaScript
• assets/admin/scss/, assets/admin/css/, assets/public/scss/ — source CSS

External Services

This plugin optionally integrates with Google reCAPTCHA v2 to provide bot and spam protection on frontend forms. This feature is entirely opt-in: reCAPTCHA is only active on a specific form when an administrator explicitly enters a Site Key and Secret Key in that form’s settings and adds the [recaptcha] shortcode to the form content.

What data is sent and when:

• Visitor’s browser → Google — When a page containing a form with reCAPTCHA enabled is loaded, the visitor’s browser loads the reCAPTCHA widget script directly from https://www.google.com/recaptcha/api.js. Google may collect standard browser information (IP address, browser type, cookies, etc.) as part of rendering and solving the challenge.
• Your server → Google — When a visitor submits a form that has reCAPTCHA enabled, this plugin sends the reCAPTCHA response token and the visitor’s IP address to https://www.google.com/recaptcha/api/siteverify to verify that the challenge was solved correctly. No other form field data is included in this server-side request.

Both of the above requests only occur when reCAPTCHA is enabled on a specific form and a visitor is interacting with that form.

Service provider: Google LLC

• Terms of Service: https://policies.google.com/terms
• Privacy Policy: https://policies.google.com/privacy
• reCAPTCHA-specific terms: https://cloud.google.com/recaptcha/docs/faq

If you do not wish to use Google reCAPTCHA, simply do not configure a Site Key / Secret Key in Form Settings and omit the [recaptcha] shortcode from your form content. The plugin functions fully without it; alternative spam protection (honeypot field, IP-based rate limiting, math captcha) remains active regardless.

Extensibility

The plugin exposes the following actions and filters for external code:

Actions:

• echoleadcap_after_submission — fires after a response row is inserted; receives ($response_id, $form_id, $data).
• echoleadcap_after_save_form — fires after a form is created or updated; receives ($form_id, $row, 'create'|'update').
• echoleadcap_after_delete_form — fires after a form is deleted; receives ($form_id).

Filters:

• echoleadcap_before_save_form — mutate form data before insert/update; receives ($data, $form_id).
• echoleadcap_leads_trust_proxy_headers — return true to trust the X-Forwarded-For header for client IP detection (off by default).