Contact Form 7 4.9 is now available. If you have contact forms for logged-in users, the newly introduced subscribers-only mode will be a great improvement. 4.9 adds new filter hooks and a custom DOM event that allows you to control your contact forms more flexibly. Fixes for several bugs seen in the previous versions are also included. I strongly recommend upgrading to 4.9 now.
You may want to ensure that only logged-in users can submit your contact form. In such cases, use the subscribers-only mode. In this mode, non-logged-in users can’t submit the contact form and will see a message informing them that login is required, while logged-in users can use it as usual.
To use the subscribers-only mode, open the Additional Settings tab panel and just input the following line into the field:
No anti-spam verification will be provided for contact forms in the subscribers-only mode since only welcome people are supposed to be able to use them. If this assumption is not applicable to your site, subscribers-only mode probably isn’t a good option for you.
No nonce by default
A nonce is a randomly generated string used for security purposes. Contact Form 7 verifies a nonce to ensure that a form submission has correctly been sent from the contact form and not faked by a spammer.
You can set the
WPCF7_VERIFY_NONCE constant to determine whether to verify nonces. In the past, the default value was true. Contact Form 7 4.9 changes the default value to false because any good effect expected from a nonce is limited when it is used for a publicly-open contact form that anyone can submit, and undesirable side effects have been seen in some cases.
You can continue to use nonces by setting the
WPCF7_VERIFY_NONCE constant to true explicitly, or by using the new
wpcf7_verify_nonce filter hook like the following:
add_filter( 'wpcf7_verify_nonce', '__return_true' );
Note that the subscribers-only mode needs nonces to work and a nonce is used in the contact form in the subscribers-only mode regardless of the value of the
Requires: WordPress 4.7 or higher
Tested up to: WordPress 4.8.1
- Changes the default value of
- New filter hooks:
- Fixed: Form-tag’s tabindex option did not accept 0 or negative integer values
- Shows a validation error when no option in a radio buttons group is checked
- Config validator: Adds a validation rule against the use of deprecated settings (on_sent_ok and on_submit)
- Allows to pass the
skip_mailoption through the
wpcf7beforesubmitcustom DOM event. You can manipulate the formData object through an event handler.