WPForms

Overview

WPForms is a drag-and-drop form builder plugin for WordPress, deployed on hundreds of thousands of sites ranging from small blogs to enterprise portals. Rather than operating as a third-party tracking service, it executes entirely within the host site's own WordPress environment. Its client-side scripts render the form interface and handle submission logic, with optional integrations that extend functionality to external payment processors and email platforms.

What This Script Does

The WPForms loader script (wpforms.min.js) is enqueued by WordPress and served from the host site's own domain, not a third-party CDN. On page load it initializes form validation, conditional logic, and multi-step navigation.

Cookies and storage: WPForms sets a session cookie to implement its anti-spam honeypot mechanism, preventing duplicate or bot-generated form submissions. This cookie does not contain personally identifiable information and is scoped to the host site domain. No persistent cross-site tracking cookies are written.

Network requests: Core form submissions POST to the host site's own server via the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) or a REST API route. No data is sent to WPForms' own servers as part of a standard form submission.

Third-party integrations: When configured with add-ons, WPForms can load additional scripts from Stripe (js.stripe.com), PayPal, Mailchimp, or Constant Contact. These third-party scripts operate under their own privacy terms and may set their own cookies independently of WPForms itself.

Consent & Compliance

GDPR and ePrivacy Directive: The core WPForms script does not set persistent tracking cookies and does not transmit data to third-party servers, placing it outside the consent requirement of the ePrivacy Directive for core functionality. However, when third-party payment or marketing add-ons are active, those integrations load external scripts that require consent depending on their purpose. The form itself collects personal data (name, email, etc.) which is subject to GDPR data processing requirements, but form submission is a controller-side obligation, not a consent-for-cookies matter.

CCPA/CPRA: WPForms does not sell or share personal information. Data submitted through forms is processed by the site operator acting as the data controller.

Consent category: functional. The plugin serves an operational purpose — enabling visitors to contact the site, complete orders, or respond to surveys — and does not track users across sessions or sites for advertising purposes.

Should You Block This Without Consent?

No.

The core WPForms scripts are functional and necessary for form rendering. Blocking them would make contact forms, payment forms, and survey widgets non-functional for all visitors. If third-party payment or marketing add-ons are enabled, consent should be managed for those specific integrations rather than the WPForms scripts themselves.