Formatrica – Drag and Drop Form Builder

تفصیل

Formatrica was built to solve common frustrations with form builders: dated interfaces, overly complex workflows, and feature gating that makes proper evaluation difficult. It delivers a clean, modern drag-and-drop experience with practical defaults, so you can create a production-ready form in 5-6 clicks and add it to any page via shortcode or block.

Key Features

Form Builder
* Intuitive drag-and-drop form builder (Vue.js + Pinia + SortableJS)
* Real-time preview with live field editing
* Form preview functionality with zoom control (50-100%)
* 15 pre-built templates: Simple Contact, Business Contact, Newsletter Signup, Job Application, Appointment Request, Real Estate Inquiry, Course Registration, Event Registration, Customer Feedback, Support Ticket, Front-end Post Submission, Request a Quote, RSVP Response, Volunteer Signup, User Registration
* Smart Quick Start notification for new forms

Field Types
* Text, Email, Telephone, Password
* Textarea for long-form content
* Select (single/multiple), Radio, Checkbox
* File Upload with validation and size limits
* Date Picker
* Hidden fields for internal metadata
* Custom Text blocks for static content
* Submit Button with customizable labels

Security & Anti-Spam
* Honeypot protection (enabled by default)
* CSRF token validation
* IP-based rate limiting (configurable per form)
* Multiple CAPTCHA providers:
– Google reCAPTCHA v3
– Cloudflare Turnstile
– FriendlyCaptcha
* CAPTCHA secrets stored encrypted at rest with write-only admin controls
* Minimum submission time detection
* File upload validation with type and size restrictions

Privacy Controls
* IP address storage options: Full, Anonymized, or None
* Default: Anonymized (removes last octet)
* Auto-delete submissions after X days (optional)
* GDPR-friendly data handling

Email Delivery
* Multiple delivery providers:
– WordPress default (wp_mail)
– SendGrid API
– SMTP2GO API
– Mailgun API (with EU/US region support)
– Postmark API
– Brevo API (formerly Sendinblue)
– Amazon SES (with AWS Signature v4 authentication)
– Custom SMTP
– Mailpit (for development)
* Encrypted credentials storage (AES-256-CBC)
* Test email functionality
* Customizable sender name, email, subject, and recipient
* Smart defaults from WordPress settings
* Verification emails for registration forms use the same provider configured in that form’s settings

User Registration
* Special form type for WordPress user registration
* Integrates with WordPress user creation flow
* Email verification required: users must confirm their email before logging in
* Verification emails respect each form’s configured delivery provider (SMTP/API/wp_mail)
* Login is blocked for unverified users with a clear message on wp-login.php

Integrations & Webhooks
* Zapier: Connect to 5,000+ apps via Webhooks by Zapier trigger
* Make.com: Build visual automation workflows (formerly Integromat)
* Slack: Instantly notify Slack channels via Incoming Webhooks
* WordPress Post: Create pending posts (or other post types) with field mappings, taxonomy, and meta controls
– Full ACF (Advanced Custom Fields) support with 20+ field types
– Author mode: current user, fixed user, or anonymous
– Featured image support, taxonomy term creation, custom post meta
* WooCommerce: Generate orders and optional customer records directly from form submissions
* Mailchimp: Subscribe contacts to audiences with field mapping and double opt-in
* Salesforce (Essentials): Create Web-to-Lead entries without OAuth
* HubSpot: Submit contacts to HubSpot forms using a Private App token
* Custom Webhooks: POST submission data to any endpoint
* Async integration queue: Background processing for external webhooks (WordPress Cron)
– Dramatically improves form submission performance (5-15s → <200ms)
– 10 jobs per batch, 3 retry attempts with error logging
– Keeps local integrations synchronous for data consistency
* Secret key signing for verification (custom webhooks only)
* Custom payload filtering via hooks
* SSRF protection and security validation

Developer-Friendly
* Comprehensive API documentation
* 15+ action and filter hooks for extensibility
* REST API endpoints for forms and submissions
* Provider-specific payload filters (Slack, Mailchimp, Salesforce, HubSpot, WordPress Post)
* PSR-4 autoloaded architecture with Service Layer design
* Clean separation of concerns: Validation, Security, File Handling, Rendering, and Integrations layers
* 22 single-responsibility classes for maintainability and testability
* Database schema versioning system with migration support
* Modular ES6 JavaScript with class-based structure
* Vite-powered build system
* Full TypeDoc-style inline documentation
* Admin list improvements: Active/Inactive filters, Activate/Deactivate actions, and safe delete confirmations

Hooks & Filters

Action Hooks

formatrica_before_submission
Fires before processing a form submission.
do_action(‘formatrica_before_submission’, $form_id, $form, $request_data, $context);

formatrica_after_submission
Fires after successful submission processing.
do_action(‘formatrica_after_submission’, $form_id, $sanitised, $result, $form, $context);

formatrica_user_registered
Fires after a new WordPress user is registered via form.
do_action(‘formatrica_user_registered’, $user_id, $data);

formatrica_webhook_failed
Fires when webhook delivery fails.
do_action(‘formatrica_webhook_failed’, $error_data);

formatrica_integration_dispatch
Fires when an integration ID is not handled by the built-in dispatchers, allowing custom providers.
do_action(‘formatrica_integration_dispatch’, $integration_id, $settings, $form, $payload, $context, $field_meta);

Filter Hooks

formatrica_submission_request
Filter raw submission data before validation.
apply_filters(‘formatrica_submission_request’, $request_data, $form_id, $form, $context);

formatrica_sanitized_submission
Filter sanitized submission data before processing.
apply_filters(‘formatrica_sanitized_submission’, $sanitised, $form_id, $form, $request_data, $context);

formatrica_webhook_payload
Filter webhook payload before sending to integrations (Zapier, Make, Slack) or custom webhooks. The $context parameter includes an integration key identifying the target.
apply_filters(‘formatrica_webhook_payload’, $body, $form, $payload, $context, $field_meta);

formatrica_slack_payload
Filter the Slack payload before dispatching to the incoming webhook.
apply_filters(‘formatrica_slack_payload’, $body, $form, $payload, $context, $field_meta);

formatrica_mailchimp_payload
Filter the Mailchimp member payload before it is sent via the API.
apply_filters(‘formatrica_mailchimp_payload’, $body, $form, $payload, $context, $field_meta);

formatrica_salesforce_payload
Filter the Salesforce Web-to-Lead form data before submission.
apply_filters(‘formatrica_salesforce_payload’, $data, $form, $payload, $context, $field_meta);

formatrica_hubspot_payload
Filter the HubSpot Forms API payload before dispatch.
apply_filters(‘formatrica_hubspot_payload’, $body, $form, $payload, $context, $field_meta);

formatrica_duplicate_title
Filter duplicated form title.
apply_filters(‘formatrica_duplicate_title’, $title, $original_form);

formatrica_min_submission_time
Filter minimum time between page load and submission (anti-bot).
apply_filters(‘formatrica_min_submission_time’, 2, $form_id);

formatrica_max_upload_size
Filter maximum file upload size in MB.
apply_filters(‘formatrica_max_upload_size’, $max_size, $field);

formatrica_allowed_file_types
Filter allowed MIME types for file uploads.
apply_filters(‘formatrica_allowed_file_types’, $allowed_types, $field);

formatrica_max_image_dimension
Filter maximum image dimension in pixels.
apply_filters(‘formatrica_max_image_dimension’, 4096, $field);

formatrica_recaptcha_v3_min_score
Filter minimum reCAPTCHA v3 score threshold.
apply_filters(‘formatrica_recaptcha_v3_min_score’, 0.5, $form_id);

For detailed examples, see the plugin documentation.

REST API

Formatrica registers REST API endpoints under the formatrica/v1 namespace. All admin endpoints require the manage_options capability and a valid REST nonce.

Public Endpoints

The following endpoints are intentionally public (no authentication required) because they serve front-end form functionality for unauthenticated visitors:

POST /formatrica/v1/forms/{form_id}/submissions
Accepts a form submission from any visitor. Security is enforced at the application layer: CSRF token validation, honeypot field detection, minimum submission time check, IP-based rate limiting, CAPTCHA verification, and full field sanitisation/validation.

GET /formatrica/v1/utility/countries
Returns a read-only list of country names for front-end country select fields. No user data is accepted or stored.

GET /formatrica/v1/utility/states/{country}
Returns a read-only list of states/provinces for a given ISO 3166-1 alpha-2 country code (e.g. US, DE). The country code is validated to exactly two uppercase letters. No user data is accepted or stored.

Admin Endpoints (require `manage_options` + REST nonce)

• GET/POST /formatrica/v1/forms — List or create forms
• GET/PUT/PATCH/DELETE /formatrica/v1/forms/{form_id} — Read, update, or delete a form
• POST /formatrica/v1/emails/test — Send a test email
• GET /formatrica/v1/wp/post-types — List available post types
• GET /formatrica/v1/woocommerce/catalog — List WooCommerce products/categories
• POST /formatrica/v1/integrations/mailchimp/lists — Fetch Mailchimp audience lists
• GET/POST /formatrica/v1/settings/email — Read or update email settings
• POST /formatrica/v1/settings/email/test — Test email configuration
• GET /formatrica/v1/settings/email/diagnostics — Email delivery diagnostics

External services

Formatrica does not contact any external service by default. Each service below is used only when a site administrator explicitly enables and configures it for a form.

CAPTCHA Verification

When a CAPTCHA provider is enabled on a form, the visitor’s browser loads the provider’s JavaScript widget and, on submission, the visitor’s IP address and a verification token are sent to that provider’s server-side verification endpoint. This happens once per form submission.

• Google reCAPTCHA v3 — Verifies submissions are from real users by scoring browser behaviour.
  Data sent: visitor IP address, verification token, site key.
  Terms of Service | Privacy Policy

• Cloudflare Turnstile — Non-intrusive bot detection challenge.
  Data sent: visitor IP address, verification token, site key.
  Terms of Service | Privacy Policy

• FriendlyCaptcha — Privacy-focused proof-of-work CAPTCHA.
  Data sent: visitor IP address, puzzle solution, site key.
  Terms of Service | Privacy Policy

Email Delivery

When a third-party email delivery provider is configured, submission notification emails are transmitted to the provider’s API each time a form is submitted. Data sent includes: recipient address, sender name and email, subject line, and the message body containing the submitted form data.

• SendGrid (Twilio) — Transactional email API.
  Terms of Service | Privacy Policy

• SMTP2GO — Transactional email API.
  Terms of Service | Privacy Policy

• Mailgun (Sinch) — Transactional email API.
  Terms of Service | Privacy Policy

• Postmark (ActiveCampaign) — Transactional email API.
  Terms of Service | Privacy Policy

• Brevo (formerly Sendinblue) — Transactional email API.
  Terms of Service | Privacy Policy

• Amazon SES (AWS) — Transactional email API. Uses AWS Signature v4 authentication.
  Terms of Service | Privacy Policy

Custom SMTP and Mailpit send data to your own mail server. The default WordPress provider uses wp_mail() with no external API call.

Integrations

When an integration is enabled and configured by the site administrator, form submission data is sent to the configured endpoint upon each form submission. Data sent includes: form title, submitted field values, and field metadata. The Zapier, Make.com, and custom webhook integrations also include the submitter’s IP address and user agent in the payload.

• Zapier — Automation platform. Receives a JSON webhook with full submission data on each form submission.
  Terms of Service | Privacy Policy

• Make.com (formerly Integromat) — Automation platform. Receives a JSON webhook with full submission data on each form submission.
  Terms of Service | Privacy Policy

• Slack — Team messaging. Sends a formatted message containing form title and submitted field values to a Slack Incoming Webhook URL. No IP address or user agent is sent.
  Terms of Service | Privacy Policy

• Mailchimp (Intuit) — Email marketing. Subscribes the visitor’s email address and optionally mapped name fields to a Mailchimp audience list.
  Terms of Service | Privacy Policy

• Salesforce — CRM. Submits mapped lead fields via the Web-to-Lead endpoint. Only the fields explicitly mapped by the administrator are sent.
  Terms of Service | Privacy Policy

• HubSpot — CRM. Submits mapped contact properties to the HubSpot Forms API using a Private App token. Only the fields explicitly mapped by the administrator are sent.
  Terms of Service | Privacy Policy

• Custom Webhooks — Sends a signed JSON payload to an arbitrary endpoint URL configured by the site administrator.

Privacy

Local Data Storage

• Submissions are stored in a custom database table on your WordPress site when storage is enabled.
• IP address storage can be set to Full, Anonymized (last octet removed), or None per form.
• Automatic submission deletion can be enabled with a configurable retention period.
• API keys and secrets are encrypted at rest using AES-256-CBC and are never exposed in the admin UI or REST API responses.