Contact Form 7 4.9

Contact Form 7 4.9 is now available. If you have contact forms for logged-in users, the newly introduced subscribers-only mode will be a great improvement. 4.9 adds new filter hooks and a custom DOM event that allows you to control your contact forms more flexibly. Fixes for several bugs seen in the previous versions are also included. I strongly recommend upgrading to 4.9 now.

Subscribers-only mode

You may want to ensure that only logged-in users can submit your contact form. In such cases, use the subscribers-only mode. In this mode, non-logged-in users can’t submit the contact form and will see a message informing them that login is required, while logged-in users can use it as usual.

To use the subscribers-only mode, open the Additional Settings tab panel and just input the following line into the field:

subscribers_only: true

No anti-spam verification will be provided for contact forms in the subscribers-only mode since only welcome people are supposed to be able to use them. If this assumption is not applicable to your site, subscribers-only mode probably isn’t a good option for you.

No nonce by default

A nonce is a randomly generated string used for security purposes. Contact Form 7 verifies a nonce to ensure that a form submission has correctly been sent from the contact form and not faked by a spammer.

You can set the WPCF7_VERIFY_NONCE constant to determine whether to verify nonces. In the past, the default value was true. Contact Form 7 4.9 changes the default value to false because any good effect expected from a nonce is limited when it is used for a publicly-open contact form that anyone can submit, and undesirable side effects have been seen in some cases.

You can continue to use nonces by setting the WPCF7_VERIFY_NONCE constant to true explicitly, or by using the new wpcf7_verify_nonce filter hook like the following:

add_filter( 'wpcf7_verify_nonce', '__return_true' );

Note that the subscribers-only mode needs nonces to work and a nonce is used in the contact form in the subscribers-only mode regardless of the value of the WPCF7_VERIFY_NONCE constant.

Requires: WordPress 4.7 or higher
Tested up to: WordPress 4.8.1

» Download Contact Form 7 plugin from

Change log

  • Supports subscribers_only setting
  • Changes the default value of WPCF7_VERIFY_NONCE to false
  • WPCF7_FormTagsManager::collect_tag_types() supports invert option
  • New filter hooks: wpcf7_verify_nonce, wpcf7_subscribers_only_notice, wpcf7_remote_ip_addr, and wpcf7_submission_is_blacklisted
  • Fixed: Form-tag’s tabindex option did not accept 0 or negative integer values
  • Shows a validation error when no option in a radio buttons group is checked
  • Config validator: Adds a validation rule against the use of deprecated settings (on_sent_ok and on_submit)
  • Allows to pass the skip_mail option through the WPCF7_ContactForm::submit() and WPCF7_Submission::get_instance() function parameters.
  • Triggers wpcf7beforesubmit custom DOM event. You can manipulate the formData object through an event handler.