Form Settings
Core Forms has two levels of settings: per-form settings that apply to a single form, and global settings that apply to all forms on your site. This guide covers both.
Per-Form Settings
Each form has its own Settings tab in the form editor. Go to Core Forms > [Your Form] > Settings to configure these options.
Submissions
Control how form submissions are stored and throttled.
| Setting | Default | Description |
|---|---|---|
| Save submissions | Yes | Store submissions in the database (wp_cf_submissions table). Turn off for simple forms where you only need email notifications. |
| Prevent duplicate submissions | Off | Block repeat submissions from the same user within a browser session. Uses a session cookie to detect duplicates. |
| Rate limit | 0 | Maximum submissions per IP address per hour. Set to 0 for unlimited. Useful for preventing abuse on public forms. |
Example: For a newsletter signup, you might set rate limit to 5 to prevent a single user from submitting dozens of times.
After Submission
Define what happens when a user successfully submits the form.
| Setting | Default | Description |
|---|---|---|
| Confirmation type | Show success message | Choose between: Show success message, Redirect to URL, or Redirect to page. |
| Hide form after success | Off | Replace the entire form with the success message. If off, the message appears above the form and the form remains visible. |
| Redirect URL | (empty) | The URL to redirect to after submission. Only used when confirmation type is "Redirect to URL". |
| Scroll to message | On | Automatically scroll the page to the success message after submission. Helpful for long pages where the form is below the fold. |
Redirect URL Variables
When using the redirect confirmation type, you can include dynamic data variables in the URL:
https://example.com/thank-you/?name=[NAME]&email=[EMAIL]&form=[CF_FORM_ID]&time=[CF_TIMESTAMP]
| Variable | Output |
|---|---|
[NAME] |
Value of the name field |
[EMAIL] |
Value of the email field |
[CF_FORM_ID] |
The numeric ID of the submitted form |
[CF_TIMESTAMP] |
Unix timestamp of the submission |
You can use any field name as a variable by wrapping it in square brackets: [field_name].
Confirmation Type: Redirect to Page
The "Redirect to page" option shows a dropdown of all published pages on your site. After submission, the user is redirected to the selected page. This is simpler than entering a URL manually and ensures the link stays valid if the page slug changes.
Anti-Spam
Protect your forms from spam submissions. Multiple methods can be used simultaneously for layered protection.
| Setting | Default | Description |
|---|---|---|
| Honeypot field | On | Adds a hidden field that is invisible to humans but filled in by bots. Submissions with a filled honeypot are silently rejected. |
Additional spam protection methods are configured in the global settings (see below) and automatically apply to forms:
- Google reCAPTCHA v3 -- Invisible challenge that scores visitors. Configure site key and secret key in global settings.
- Cloudflare Turnstile -- Privacy-focused alternative to reCAPTCHA. Configure in global settings.
- Akismet -- Checks submission content against the Akismet spam database. Requires the Akismet plugin.
- Math CAPTCHA -- Displays a simple math problem (e.g., "What is 3 + 7?") that the user must solve.
When spam is detected, Core Forms returns a success response to the submitter (to avoid tipping off bots) but marks the submission as spam internally. You can review spam submissions in Core Forms > Spam.
Save & Resume
Allow users to save partially completed forms and return later to finish.
| Setting | Default | Description |
|---|---|---|
| Enable save & resume | Off | When enabled, a "Save Draft" button appears on the form. Users receive a unique link to resume their form later. |
| Draft expiry | 30 days | Number of days before unfinished drafts are automatically deleted. Range: 1--365 days. |
This is especially useful for long forms like applications, surveys, or multi-step registration forms where users may need time to gather information.
Scheduling
Restrict when the form accepts submissions. Useful for event registrations, limited-time offers, or business-hours-only forms.
| Setting | Default | Description |
|---|---|---|
| Enable schedule | Off | When enabled, the form only accepts submissions during the configured window. |
| Open date -- Close date | (empty) | Date range during which the form is open. Leave empty for no date restriction. |
| Days of the week | All | Check specific days (Mon--Sun) when the form should be open. Leave all unchecked for every day. |
| Time window | 24h | Open and close times within each active day. Supports overnight windows (e.g., 22:00--06:00). Leave empty for 24-hour availability. |
| Closed message | "This form is currently closed." | The message displayed when the form is outside its scheduled window. |
Scheduling Examples
Event registration open for one week: - Enable schedule: On - Open date: 2026-05-01 - Close date: 2026-05-07
Business hours only (weekdays 9 AM to 5 PM): - Enable schedule: On - Days: Mon, Tue, Wed, Thu, Fri - Open time: 09:00 - Close time: 17:00
Overnight support form (10 PM to 6 AM): - Enable schedule: On - Open time: 22:00 - Close time: 06:00
The time window correctly handles overnight spans where the close time is earlier than the open time.
Appearance & Behavior
Control how the form looks and behaves on the frontend.
| Setting | Default | Description |
|---|---|---|
| Submit button text | "Submit" | Custom text for the submit button. Leave empty to use the default. |
| Loading text | "Sending..." | Text shown on the submit button while the form is being submitted via AJAX. |
| AJAX submission | On | Submit the form without a full page reload. Disable for traditional form submission behavior. |
| Form CSS class | (empty) | Extra CSS classes added to the <form> element. Separate multiple classes with spaces. |
CSS Class Example
Setting the form CSS class to my-form dark-theme produces:
<form class="cf-form cf-form-42 my-form dark-theme" ...>
Advanced
Power-user settings for custom styling and scripting.
| Setting | Default | Description |
|---|---|---|
| Default form theme | On | Load the built-in form stylesheet for clean default styling. Disable if your theme already styles form elements or if you want full control over CSS. |
| Custom CSS | (empty) | CSS rules applied only to this form, scoped to .cf-form-{ID}. Entered in a code editor textarea. |
| Custom JavaScript | (empty) | JavaScript executed when this form loads, wrapped in an IIFE: (function(){ ... })(). Only visible to users with the unfiltered_html capability (administrators). |
Custom CSS Example
/* Target this specific form */
.cf-form-42 input[type="text"],
.cf-form-42 input[type="email"] {
border: 2px solid #333;
border-radius: 4px;
padding: 12px;
}
.cf-form-42 button[type="submit"] {
background: #0073aa;
color: #fff;
font-size: 16px;
padding: 12px 32px;
}
Custom JavaScript Example
// Auto-fill the date field with today's date
var dateField = document.querySelector('.cf-form-42 input[name="date"]');
if (dateField) {
dateField.value = new Date().toISOString().split('T')[0];
}
Messages Tab
Each form has a Messages tab where you customize the text shown to users during and after form submission.
| Message | Default | When It Appears |
|---|---|---|
| Success | "Thank you! We will be in touch soon." | After a successful submission |
| Invalid Email Address | "Sorry, that email address looks invalid." | When an invalid email is submitted |
| Required Field Missing | "Please fill in the required fields." | When a required field is empty |
| General Error | "Oops. An error occurred." | When an unexpected error occurs |
| reCAPTCHA Failed | "reCAPTCHA verification failed. Please try again." | When reCAPTCHA token is invalid |
| reCAPTCHA Low Score | "Your submission appears to be spam. Please try again." | When reCAPTCHA score is too low |
| Spam | "Your submission was flagged as spam." | When Akismet flags as spam |
| Math CAPTCHA Failed | "Incorrect answer to the math problem. Please try again." | When math answer is wrong |
All message fields support basic HTML tags: <strong>, <em>, and <a>.
Message Examples
Success: Thanks, {{user.first_name}}! We'll respond within 24 hours.
Error: Something went wrong. Please <a href="/contact">contact us directly</a>.
Required: Please complete all fields marked with *.
Global Settings
Global settings apply to all forms site-wide. Go to Core Forms > Settings to configure them.
General
| Setting | Default | Options | Description |
|---|---|---|---|
| Enable Nonce | No | Yes / No | Include a WordPress nonce field in each form for CSRF protection. Set to "No" if your site uses full-page caching, as cached nonces become invalid. |
| Load Stylesheet | No | Yes / No | Apply basic form styles (layout, spacing, field sizing) to all Core Forms forms. This is a minimal stylesheet -- most themes already style form elements. |
| Wrapper Tag | p |
p, div, span, label |
The HTML tag used to wrap form fields in the Visual Builder output. |
Nonce and Caching
If you use a page caching plugin (WP Super Cache, W3 Total Cache, LiteSpeed Cache, etc.), set Enable Nonce to "No". Here is why: WordPress nonces are time-limited tokens. When a page is cached, the nonce value is frozen in the cache. After the nonce expires (typically 12--24 hours), form submissions from the cached page will fail validation.
Core Forms compensates with other security measures (honeypot, rate limiting, referrer checking) that work reliably with caching.
Google reCAPTCHA v3
| Setting | Description |
|---|---|
| Site Key | Your reCAPTCHA v3 site key from google.com/recaptcha/admin |
| Secret Key | Your reCAPTCHA v3 secret key |
Once configured, reCAPTCHA v3 automatically protects all your forms. It runs invisibly in the background -- no user interaction required. Submissions are scored from 0.0 (likely bot) to 1.0 (likely human).
Emailit
| Setting | Description |
|---|---|
| API Key | Your Emailit API key from app.emailit.com/settings/api-keys |
When configured, a "Send Email via Emailit" action becomes available for your forms. Emailit is a transactional email API that can replace wp_mail() for more reliable email delivery.
Spam Protection
| Setting | Description |
|---|---|
| Akismet Whitelist | Keywords or phrases that bypass Akismet spam checking. One per line, case-insensitive. Use this if Akismet is flagging legitimate submissions. |
Settings Priority
When multiple settings interact, here is the order of priority:
- Per-form settings override global settings where applicable.
- Global reCAPTCHA/Turnstile keys are shared across all forms -- there is no per-form override for API keys.
- The honeypot is a per-form setting. It defaults to "On" for new forms.
- Anti-spam methods stack -- a submission must pass all enabled checks (honeypot AND reCAPTCHA AND Akismet) to be accepted.
Recommended Settings by Use Case
Contact Form (General Purpose)
Save submissions: Yes
Confirmation type: Show success message
Hide form: Yes
Honeypot: On
reCAPTCHA: Configured globally
AJAX: On
Newsletter Signup (Minimal)
Save submissions: No (rely on Mailchimp/email action)
Confirmation type: Show success message
Hide form: Yes
Rate limit: 5 per hour
Honeypot: On
AJAX: On
Event Registration (Time-Limited)
Save submissions: Yes
Confirmation type: Redirect to page (confirmation page)
Schedule enabled: Yes
Open date: Event registration start
Close date: Event date
Prevent duplicates: On
Honeypot: On
Job Application (Long Form)
Save submissions: Yes
Save & resume: On
Draft expiry: 60 days
Confirmation type: Redirect to URL (/application-received/)
AJAX: On
Honeypot: On
Support Request (Business Hours)
Save submissions: Yes
Confirmation type: Show success message
Schedule enabled: Yes
Days: Mon, Tue, Wed, Thu, Fri
Open time: 09:00
Close time: 17:00
Closed message: "Our support team is available Monday–Friday, 9 AM–5 PM. Please submit your request during business hours."
Exporting and Importing Settings
Form settings are stored as post meta on the core-form post type. When you export forms via Tools > Export (selecting the "Core Forms" post type), all settings, messages, and form markup are included in the export file.
To migrate forms between sites:
- On the source site: Tools > Export > Core Forms > Download Export File.
- On the destination site: Tools > Import > WordPress and upload the XML file.
Next Steps
- Set up email notifications and autoresponders
- Configure webhooks to send data to external services
- Learn about file uploads for accepting documents
- Explore submission management for reviewing and exporting data