Core Forms
Get Core Forms

Create WordPress User Integration

Create a WordPress user account from form data when a form is submitted.

Action type: create_user Class: Core_Forms\Actions\CreateUser Source: src/actions/class-create-user.php

Setup

  1. Edit your form > Actions tab > Add Action > Create WordPress User.
  2. Map the email, name, and optional username fields.
  3. Select a role.
  4. Choose whether to send a password email.

Settings Reference

Setting Required Default Description
Email Field Yes email Form field name containing the email address
Username Field No -- Form field for username (auto-generated from email if empty)
Name Field No name Form field containing the full name
Role No subscriber WordPress role to assign
Send Password No On Email the new user their login credentials

Role Security

The integration enforces safe roles to prevent privilege escalation via form submissions. Only these roles are allowed:

  • subscriber
  • contributor
  • author
  • editor

administrator is never allowed. If an unsafe role is configured, it falls back to subscriber.

The allowed roles can be extended via the cf_create_user_allowed_roles filter:

add_filter( 'cf_create_user_allowed_roles', function( $roles ) {
    $roles[] = 'custom_role';
    return $roles;
} );

Username Generation

If the Username Field is empty or the username is already taken: 1. Extracts the part before @ from the email address. 2. Sanitizes it with sanitize_user(). 3. If that username exists, appends incrementing numbers (jane, jane2, jane3, ...).

Name Handling

The Name Field value is split on the first space: - First word becomes first_name - Remaining words become last_name - Full value becomes display_name

Duplicate Prevention

If a user with the submitted email already exists, the action returns false without creating a duplicate. It does not update existing users.

Password Handling

  • A random 16-character password is generated via wp_generate_password().
  • If "Send Password" is enabled, wp_new_user_notification() sends the standard WordPress new user email to both the admin and the new user.

How It Works

  1. Validates the role against the safe roles list.
  2. Validates and sanitizes the email address.
  3. Checks if a user with that email already exists (skips if so).
  4. Generates or sanitizes the username, handling duplicates.
  5. Generates a random password.
  6. Creates the user via wp_insert_user().
  7. Optionally sends the new user notification email.
  8. Returns true on success.

Example: Registration Form

Form with name, email, and username fields:

  • Email Field: email
  • Username Field: username
  • Name Field: name
  • Role: subscriber
  • Send Password: checked

Troubleshooting

  • User not created: Check that the email is valid and does not already exist in WordPress.
  • Wrong role assigned: Verify the role exists and is in the safe roles list. Custom roles require the cf_create_user_allowed_roles filter.
  • No email received: Ensure WordPress email is working (test with a password reset). Check spam folders.
  • Username conflicts: The auto-generation handles conflicts by appending numbers, but very long email prefixes may be truncated by sanitize_user().