OW Forms

OW Forms is a modern WordPress form builder for sites that prioritize performance, accessibility, and GDPR compliance. Built by OptionWeb for production use on client sites, it ships with a JSON-driven schema engine, a REST-based submission pipeline, and a curated set of 16 field types — text, email, tel, URL, number, textarea, select, radio, checkbox, checkbox-group, date, time, datetime, file upload, hidden, and rating — plus auto-injected GDPR consent and anti-spam fields.

The anti-spam stack runs four layers in parallel: a visually-hidden honeypot input that bots fill but humans never see, a time-trap that rejects submissions completed faster than a configurable threshold, a multi-provider CAPTCHA layer (Cloudflare Turnstile, Google reCAPTCHA v3, hCaptcha, or Friendly Captcha), and optional OW Shield IP reputation scoring with a disposable-email blocklist. Every signal is logged so you can tune thresholds without flying blind. Submissions that score above 80 are silently rejected — no error message, no honeypot leak.

GDPR compliance is native, not bolted on. Every form gets a consent checkbox linked to your privacy policy, IP addresses can be stored pseudonymized or not at all, user agents are SHA-256 hashed by default, and a daily cron purges submissions older than your retention window (CNIL default: 1095 days). When OW Consent is active, OW Forms wires into its DSAR endpoint — erasure requests automatically delete matching submissions by email hash, with full audit trail. Submission emails are SHA-256 hashed with a plugin-owned salt (option owfo_dsar_salt, generated once at activation) so the database never holds plaintext PII linkable across systems, and DSAR erasure keeps working even after wp config shuffle-salts.

The one-click Contact Form 7 importer parses every CF7 form in your database, builds the equivalent OW Forms schema (preserving recipient, subject, and field types), and rewrites every [contact-form-7 id="..."] shortcode in your posts to [owfo_form id="..."]. Email notifications support HTML or plain text with {{token}} interpolation, optional auto-reply, signed outbound webhooks (HMAC-SHA256), and a Gutenberg block in addition to the shortcode and REST API.

External services

OW Forms relies on optional third-party CAPTCHA services to protect form submissions
from spam. None of these services are contacted unless you explicitly enable a
CAPTCHA provider in OW Forms → Settings → Anti-spam.

The OW Shield integration is fully local — when the OW Shield plugin is installed
and active on the same site, OW Forms reads its IP reputation score from the local
database/cache. No request leaves your server for this lookup; OW Shield itself
may contact its own reputation service, which is disclosed in the OW Shield readme.

The Friendly Captcha widget JavaScript is bundled with OW Forms under
assets/js/vendor/ (no external CDN is hit at page render). Source: the upstream
MIT-licensed package at https://github.com/FriendlyCaptcha/friendly-challenge —
the files shipped here are the official npm friendly-challenge@0.9.18 build
outputs (widget.module.js and widget.module.min.js, unmodified, renamed to
friendly-challenge-0.9.18.module.js / friendly-challenge-0.9.18.module.min.js
to make the version explicit in the filename). Both the minified and the
human-readable non-minified source are shipped per WordPress.org Plugin Check
requirements.

When a CAPTCHA provider is enabled, OW Forms loads the vendor’s JavaScript widget
on pages that render a form, and posts the challenge solution back to the vendor’s
verification API when a visitor submits the form. The data sent to the vendor is
limited to: (a) the challenge token generated client-side by the vendor’s widget,
(b) the visitor’s IP address (passed through to the vendor for fraud scoring), and
(c) the site’s API secret key configured in the settings.

Cloudflare Turnstile

• What it is: a CAPTCHA / bot-mitigation service by Cloudflare, Inc.
• When data is sent: only when spam_captcha_provider is set to turnstile, and
  only on form submission. The widget JS is also loaded on every page that renders
  a form.
• Data sent: Turnstile challenge token, visitor IP, your Turnstile secret key.
• Terms of service: https://www.cloudflare.com/website-terms/
• Privacy policy: https://www.cloudflare.com/privacypolicy/

Google reCAPTCHA v3

• What it is: an invisible CAPTCHA / risk-scoring service by Google LLC.
• When data is sent: only when spam_captcha_provider is set to recaptcha_v3, and
  only on form submission. The widget JS is also loaded on every page that renders
  a form (this is how reCAPTCHA v3 builds its risk score).
• Data sent: reCAPTCHA token, visitor IP, your reCAPTCHA secret key. Google may
  also collect additional telemetry as described in their privacy policy.
• Terms of service: https://policies.google.com/terms
• Privacy policy: https://policies.google.com/privacy

hCaptcha

• What it is: a privacy-focused CAPTCHA service by Intuition Machines, Inc.
• When data is sent: only when spam_captcha_provider is set to hcaptcha, and
  only on form submission. The widget JS is also loaded on every page that renders
  a form.
• Data sent: hCaptcha token, visitor IP, your hCaptcha secret key.
• Terms of service: https://www.hcaptcha.com/terms
• Privacy policy: https://www.hcaptcha.com/privacy

Friendly Captcha

• What it is: a privacy-first, proof-of-work CAPTCHA service by Friendly Captcha GmbH
  (Germany). No user puzzle, no tracking cookies.
• When data is sent: only when spam_captcha_provider is set to friendly_captcha,
  and only on form submission. The widget JS itself is bundled with OW Forms (not
  loaded from an external CDN); only the verification request reaches the vendor.
• Data sent: Friendly Captcha challenge token, visitor IP, your Friendly Captcha
  secret key.
• Terms of service: https://friendlycaptcha.com/legal/terms/
• Privacy policy: https://friendlycaptcha.com/legal/privacy-end-users/

Outgoing webhook (admin-configured)

• What it is: a URL of your choosing that OW Forms POSTs to after each submission.
  No data leaves your site until you fill the webhook_url setting in OW Forms →
  Settings → Notifications.
• When data is sent: on every form submission, immediately after the admin
  notification email is dispatched. Non-blocking — your visitor’s submission
  response is not delayed by the webhook endpoint’s latency.
• Data sent: form id, submission id, sanitized field payload (the same data
  stored in your wp_owfo_submissions table), site URL, ISO 8601 timestamp.
  If a webhook secret is configured, an X-OWFO-Signature HMAC-SHA256 header
  is added so the receiver can verify the payload origin.
• Vendor: whoever owns the URL you configured. OW Forms has no built-in vendor
  for this — it is your responsibility to ensure the receiving endpoint complies
  with applicable privacy regulations for your submissions.