What OctaForms is
OctaForms is a form engine for WordPress. It is not a page builder and it has no drag-and-drop canvas. You (or your theme) render the form markup. OctaForms takes over the moment a visitor presses Submit: it accepts the request, validates the fields, stores the submission, and delivers it by email and webhooks.
If you have ever wanted the reliability of a real backend behind your contact forms, without a bloated builder taking over your markup and your styles, this is that.
Who this is for
Section titled “Who this is for”This documentation serves two people, and most pages are useful to both. Where a page needs code or server knowledge, it is marked.
- Site owners who know WordPress and want to set up forms, read submissions, and keep spam out. You will spend most of your time in Getting started and Building forms.
- Developers who render their own markup and talk to the REST API directly. You will also want Integrating with your theme and the delivery and webhook guides.
How it works
Section titled “How it works”The split is the whole idea. Your side owns how the form looks. OctaForms owns what happens to the data.
- A form is defined once as a block of JSON: its fields, validation rules, emails and webhooks. The form has a slug, and that slug is the address other things point at. It locks after the form is published so integrations never break.
- Your theme renders the HTML for that form. You can hand-write the markup, use the small bundled JavaScript helper, or drop in the starter shortcode to get going fast.
- When a visitor submits, the browser posts to a small REST API. OctaForms runs the submission through a fixed pipeline: rate limiting, spam checks, validation, storage, then delivery.
- You read submissions in the admin, and they arrive by email and at any webhook endpoints you configured.
Durability before timeliness
Section titled “Durability before timeliness”This is the promise that shapes the whole plugin, so it is worth stating plainly.
Every submission is written to a durable queue before the visitor gets their success response. Nothing depends on an email server being reachable at that exact second. The main notification gets one immediate attempt inside the request. Anything that does not go through right away is retried by a background job with growing delays.
The trade is deliberate. A submission might arrive in your inbox a minute late under load, but it is never silently lost. And nothing fails quietly: every protection, every degraded state, leaves a trace you can find in the admin or in Site Health.
What you get
Section titled “What you get”- A public REST API with a stable, slug-based contract.
- A validation engine with the rules you expect (
required,email,min,max,date,regex) plus Polish rules (phone,nip,postCodePL), extensible with your own. - Email notifications and autoresponders, plus multiple signed webhooks per form.
- Anti-spam that catches bots without dropping real people: a honeypot with a reviewable quarantine, and rate limiting that bans floods but never punishes a busy office network.
- Privacy built in: consent snapshots, hashed IPs, and native WordPress export and erase support.
- A floating “quick contact” widget, a WP-CLI command set, and Site Health checks.
Ready to set one up? Head to Getting started.