Sobi Forms

Sobi Forms is a lightweight contact form plugin built for speed and simplicity. Create multiple forms, embed them anywhere with a shortcode or Gutenberg block, and keep your front-end lean.

Performance-first front-end

• Vanilla JavaScript on the front-end
• ~3.5 KB CSS + JS combined (minified footprint on form pages)
• Assets enqueue only when a form is rendered on the page – zero impact on other pages
• Script loaded in the footer with defer strategy (WordPress 6.3+)
• No global front-end CSS frameworks

Form builder (admin only)

• Document-first drag-and-drop editor (React via WordPress wp-element, loaded only on the form edit screen)
• Field types: text, email, textarea, phone, number, select, radio, checkbox
• Multiple recipient emails per form
• After submit: inline success message or redirect to a published page

Embedding

• Shortcode: [sobiforms], [sobiforms id="3"], [sobiforms slug="contact"]
• Gutenberg block: Sobi Forms Contact with form picker
• Works with any page builder that supports shortcodes or blocks

Submissions

• Email notifications via wp_mail() (HTML)
• Optional database storage (off by default)
• Inbox with read/unread, starred, admin notes, search and filters
• Honeypot, nonce verification, rate limiting (5 submissions/hour per hashed IP)

Security

• Nonce on every submission
• Honeypot field
• Server-side field validation against a strict JSON schema
• Capability checks and nonces on all admin actions

Privacy Policy

Sobi Forms processes data submitted through your forms. By default:

• Email only – field values are sent to the recipient address(es) you configure per form via wp_mail(). Nothing is stored in the database unless you enable storage.
• Optional database storage – when enabled under Sobi Forms -> Settings -> Privacy & Storage, submissions are saved in custom tables on your site (wp_sobiforms_submissions, wp_sobiforms_forms). You control retention (auto-delete after N days).
• Hashed IP – when storage is enabled, a one-way SHA-256 hash of the visitor IP is stored with each submission for abuse prevention. Raw IP addresses are not stored.
• Rate limiting – a transient keyed by hashed IP limits submissions to 5 per hour. Transients expire automatically.
• Admin notes – internal notes on submissions are stored in your database and never shown on the front-end or included in emails.
• No tracking – Sobi Forms does not connect to third-party analytics, advertising, or remote APIs when processing form submissions.
• No data sent to the plugin author – form submissions stay on your server and mail server. The optional Feedback settings tab links to an external form only if you choose to open it.

Site owners are responsible for their privacy policy and lawful basis for collecting visitor data.

Development

Human-readable source for the admin builder is in src/admin-builder/. Run npm install and npm run build to regenerate build/admin-builder/. React and @wordpress/* are loaded from WordPress; see third-party-licenses.txt for bundled libraries.