Contact Form 7 is widely used in the WordPress space with 5+ million installs, and it seems to be mentioned prominently on nearly every “My top 10 free wordpress plugins” list. And the truth is, if you only plan to use a just a simple contact form and have a small site, you can’t do much wrong with CF7. In fact, the plugin is often part of the installation routine of premium themes, meaning that the theme will do everything for you and if you choose to install the demo, you will get a nicely designed form that should work out of the box.
But things are more complicated now, and that makes CF7 a bad choice in my opinion. Here’s why:
It slows down your site
You will always find CF7 in the top 10 for plugins that slow down your site. The plugin is very script heavy and these scripts are slow and inject themselves on EVERY PAGE in your site when the plugin is active.
Speed is a massive part of the overall visitor experience on your site and thus a decisive ranking factor for Google. You can check for yourself if you measure your homepage on gtmetrix.com and repeat the measurement after deactivating CF7.
High risk of losing data
Contact Form 7 does not store submissions, instead it relays the submitted data directly to your email inbox. Guess what happens when something in this process is not working? You get nothing. Actually, worse than that – you have a lead or client wondering why you don’t respond. People may think you’re out of business or uninterested, and you’re not even aware of that.
To avoid that, you will need to add another plugin called Flamingo, so can regularly check if there have been submissions that did not make it into your inbox (there is a huge number of reasons why this can happen).
Another plugin to maintain, another potential source of conflict.
“Free” can become quite expensive
You need add-ons for almost everything. This can be annoying (see above) as your plugin section can get a bit crowded, but you will learn that these are not always free. So while you start off with a free plugin, its limitations get you into various 3rd party paid plans fast, depending on the feature you want to add. Check these 25 CF7 plugin recommendations to get a picture.
What’s more, you should know that using multiple plugins from different developers is risky. If there’s a problem, it can be difficult to get help.
The struggle to get GDPR compliant forms
At first sight, the contact form 7 is compliant, because it does not store the submitted information, as pointed out above.
So you will want to be able to store submitted data, just in case. And therefore you will need to ask the visitor to accept the handling of his or her data. This is possible with CF7 shortcodes, but still a tricky challenge, and guess what: your theme usually never has a style for this new acceptance field, and it will give your otherwise polished site that amateur look when the user gets to fill out your form.
It’s so easy to mess up your forms
Both visually as well as functionally, it is too easy to break things. For one, there is no visual editor, so you really have no idea how the form will look like, and when you add new elements like a checkbox, want two fields to appear in one row, have all fields align, etc., you will have a hard time getting there.
Secondly, you may notice when it is too late that your recently added field is not forwarded to your inbox, because you forgot to add the shortcode in the proper places. You assume that any field in your form should be submitted and sent to you as admin, right? Not with CF7 – you are always just a short step away from losing valuable information.
Whether you want to include a (Re)Captcha against spam bots, track form submissions via Google Analytics, or directly serve the submitted data to you subscription list on Mailchimp, you will need to integrate the form with other tools. If you don’t do any of these, you are actually throwing away a HUGE amount of business potential, and you could just as well ask yourself why you bother running a website..
Even with ReCaptcha, you will find a host of videos telling you “how to fix” it, while with anything else, you need developer skills to make them happen (or more plugins, as we see from the submission storage). Want to direct your visitor to a thank you page? A simple and common-sense request, and possible it is, but… it’s complicated.
Popular can mean riskier
One of the reasons why Microsoft Windows was famous for security issues while Apple’s MacOS had the nimbus of being virus-free was simply the market share. The bigger the market, the more hackers you have working on it. CF7 is an interesting target for hackers because of the sheer number of websites where it is active.
So when there is a breach, it immediately puts 5+ Million sites at risk, as it happened this year with the “privilege escalation hack“. It was quickly solved and this speaks for the developer. I believe that with auto-update enabled in WordPress (since 5.5) and when only using CF7 on its own, you will have a minimum risk
Add to that the numerous CF7 addons, which in themselves pose a risk. This is particularly valid for the free addons, which more often than not are unsupported or abandoned. As an example, you would need a datepicker plugin for CF7, which ended up unsupported and a serious threat to websites using it. One might argue that date-picker fields are pure convenience and should not be part of the core product. But I consider “convenience” as essential and business relevant, because it strongly influences the conversion rate of forms.
The easier you make it for your visitors, the better for your business.