Tech Stack Guides

How to Tell If a Website Uses Contact Form 7

Contact Form 7 is the most installed WordPress form plugin. Detect it via the wpcf7 form markup, the /wp-content/plugins/contact-form-7/ assets and the _wpcf7 hidden fields.

StackOptic Research Team27 May 20266 min read
Detecting Contact Form 7 via the wpcf7 form markup and contact-form-7 plugin assets

Contact Form 7 (often abbreviated CF7) is the most-installed form plugin for WordPress, powering the contact and lead forms on a vast number of WordPress sites. Because it renders a distinctive markup pattern with telltale hidden fields, detecting it is straightforward: inspect a form and look for the wpcf7 classes and _wpcf7 hidden inputs. This guide covers every reliable signal, the submission mechanics, the look-alikes to rule out, and what CF7 usage tells you about the site.

What is Contact Form 7?

Contact Form 7 is a free, long-established WordPress plugin for creating and managing forms — most commonly contact forms, but also simple lead-capture and enquiry forms. Site owners define a form with CF7's simple markup syntax and place it via a shortcode; CF7 handles rendering, validation, email delivery and basic spam protection (with Akismet or reCAPTCHA integration). It is famously minimal and free, which made it the default form plugin for the WordPress world, especially on small-business and brochure sites that just need a working contact form.

For detection, the key context is twofold: CF7 is a WordPress plugin, so finding it confirms WordPress; and its presence indicates a site using a simple, free form solution rather than a premium form builder. Because it is so ubiquitous, CF7's presence is a near-universal building block on the WordPress contact page rather than a strong differentiator. Still, it is useful for understanding the site's setup. Its distinctive markup and hidden fields make it one of the easiest plugins to confirm by inspecting a form.

How Contact Form 7 renders and submits

A Contact Form 7 form has a recognisable structure: a wrapping <div class="wpcf7"> (with data-wpcf7-id and a lang), inside which sits a <form class="wpcf7-form">. Every CF7 form includes hidden inputs that are the surest fingerprint: _wpcf7 (the form ID), _wpcf7_version (the plugin version), _wpcf7_locale, _wpcf7_unit_tag (a unique per-instance ID like wpcf7-f123-p45-o1), and _wpcf7_container_post. The fields and the response area use wpcf7-prefixed classes (wpcf7-form-control, wpcf7-submit, wpcf7-response-output).

Assets load from /wp-content/plugins/contact-form-7/ (its CSS and JS). Modern CF7 submits via AJAX to the WordPress REST API: /wp-json/contact-form-7/v1/contact-forms/<id>/feedback. So a CF7 site shows the wpcf7 wrapper and wpcf7-form, the _wpcf7 hidden fields (revealing the version), the contact-form-7 plugin assets, and the /wp-json/contact-form-7/ submission route. Knowing these makes detection instant.

How to tell if a website uses Contact Form 7

Confirm at least one strong signal (the markup suffices).

1. Inspect a contact form. Right-click the form and look for the <div class="wpcf7"> wrapper, <form class="wpcf7-form">, and _wpcf7 hidden inputs.

2. Read the hidden fields. The _wpcf7, _wpcf7_version and _wpcf7_unit_tag hidden inputs are the definitive signal, and _wpcf7_version reveals the plugin version.

3. Check asset paths. Look for CSS/JS from /wp-content/plugins/contact-form-7/.

4. Watch the submission. Submitting the form fires an AJAX request to /wp-json/contact-form-7/v1/contact-forms/<id>/feedback — a characteristic CF7 signal.

5. Confirm WordPress. Because CF7 is a WordPress plugin, the site will show WordPress signals (/wp-content/, /wp-json/).

What the Contact Form 7 signals look like

<div class="wpcf7" id="wpcf7-f123-p45-o1" lang="en-US" dir="ltr">
  <form class="wpcf7-form init" ...>
    <input type="hidden" name="_wpcf7" value="123" />
    <input type="hidden" name="_wpcf7_version" value="5.9" />
    <input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f123-p45-o1" />
    <input class="wpcf7-form-control wpcf7-submit" type="submit" value="Send" />
GET /wp-content/plugins/contact-form-7/...
POST /wp-json/contact-form-7/v1/contact-forms/123/feedback   (on submit)

The wpcf7 wrapper, the wpcf7-form, and the _wpcf7 hidden fields are conclusive.

Contact Form 7 versus other form plugins — avoiding false positives

Match the markup to keep WordPress form plugins distinct. Contact Form 7 uses wpcf7 classes and _wpcf7 hidden fields; WPForms uses wpforms- classes and /wp-content/plugins/wpforms-lite/ (or wpforms/); Gravity Forms uses gform_ classes and gform_wrapper; Ninja Forms uses nf-form classes; Fluent Forms uses ff_ classes. Each prefix is distinct. The wpcf7/_wpcf7 markers are unique to Contact Form 7. A site might use more than one form plugin (CF7 for contact, another for surveys), so check each form. CF7's minimal, free nature also distinguishes it from feature-rich premium builders.

How reliable is each Contact Form 7 signal?

The wpcf7 wrapper, the wpcf7-form, and the _wpcf7 hidden fields are definitive, and _wpcf7_version reveals the version. The /wp-content/plugins/contact-form-7/ assets and the /wp-json/contact-form-7/ submission route corroborate. The WordPress context reliably accompanies it. There is essentially no false-positive risk once you see the wpcf7 markup. As a rule, inspecting a contact form settles it immediately, and the version field indicates how current the plugin is.

What Contact Form 7 usage reveals about a site

Finding Contact Form 7 tells you the site is a WordPress site using the most common, free form plugin — typically a small-business, brochure or content site that needs a basic contact or enquiry form without paying for a premium builder. Because CF7 is so ubiquitous and minimal, its presence is a near-universal building block rather than a strong signal. Still, details add colour: an old _wpcf7_version suggests a neglected, possibly insecure site (form plugins are spam and security targets); the spam protection in use (Akismet, reCAPTCHA/hCaptcha/Turnstile integration) indicates how the owner handles form spam; and the absence of a premium builder suggests a simpler, lower-budget setup. If you sell WordPress services, form/lead tools, or security, a CF7 site marks a basic WordPress setup — and an outdated CF7 is a small maintenance/security talking point.

What finding Contact Form 7 means for sales, agencies and competitive research

For sales and prospecting, CF7 alone is a weak qualifier (it is everywhere), but it confirms a WordPress site with basic forms, and an old version flags a neglected site. The lack of a premium builder hints at budget.

For agencies and consultants, finding CF7 — especially an outdated version or one without spam protection — is a concrete maintenance/security/lead-capture talking point: upgrading, adding CAPTCHA, or moving to a more capable forms solution for better leads.

For competitive and market research, CF7 versus premium builders (WPForms, Gravity Forms) indicates how much a site invests in forms and lead capture, a small signal of marketing sophistication.

Contact Form 7 in the wider WordPress stack

Contact Form 7 sits in the forms layer of a WordPress stack, accompanying the usual components — a theme, a page builder, an SEO plugin (Yoast/Rank Math), and analytics. For spam protection it integrates with Akismet or a CAPTCHA (reCAPTCHA, hCaptcha or Turnstile), so finding CF7 should prompt you to check which anti-spam measure is in place. On lead-focused sites, the contact form may feed a CRM or email tool via an integration. For an auditor, the valuable details are the CF7 version (maintenance/security), the spam-protection method, whether the form integrates with a CRM/email tool, and whether a premium builder is also present; together these reveal how the site handles forms and leads and whether it is well-maintained. There is a lead-capture angle worth flagging, too: Contact Form 7 is deliberately minimal, with no built-in analytics, conditional logic, multi-step flows or native CRM integration, so a business relying on it for important enquiries is often leaving conversion and follow-up improvements on the table. A site whose forms matter commercially — a lead-gen or service business running everything through a bare CF7 form — is a strong candidate for a more capable forms-and-automation setup, which makes detecting CF7 in that context a genuinely actionable finding rather than a trivial one.

A quick Contact Form 7 confirmation walkthrough

Open the site, go to the contact page, and inspect the form. Look for the <div class="wpcf7"> wrapper, <form class="wpcf7-form">, and the hidden inputs _wpcf7, _wpcf7_version and _wpcf7_unit_tag — note the version. Check the Network tab for /wp-content/plugins/contact-form-7/ assets, and submit the form (if appropriate) to see the /wp-json/contact-form-7/ AJAX request. Confirm WordPress. The wpcf7 markup and _wpcf7 fields are enough to confirm Contact Form 7.

A quick Contact Form 7 detection checklist

  • Inspect a contact form for the wpcf7 wrapper and wpcf7-form — conclusive.
  • Read the _wpcf7, _wpcf7_version and _wpcf7_unit_tag hidden inputs.
  • Check assets under /wp-content/plugins/contact-form-7/.
  • Watch for the /wp-json/contact-form-7/ submission route on submit.
  • Confirm WordPress, since CF7 is a WordPress plugin.
  • Distinguish CF7 (wpcf7) from WPForms (wpforms-), Gravity Forms (gform_) and Ninja Forms.

Detecting Contact Form 7 at scale

Checking one site is quick, but mapping form-plugin adoption across many WordPress domains — to find basic setups, outdated installs, or lead-capture opportunities — calls for automation. StackOptic detects Contact Form 7 and thousands of other technologies from a real browser, reading the form markup, hidden fields and assets. For related reading, see our guide to identifying a WordPress theme and its plugins and the full Contact Form 7 technology profile.

Frequently asked questions

What is the fastest way to tell if a site uses Contact Form 7?

Inspect a contact form and look at its markup. Contact Form 7 wraps forms in a <div class="wpcf7"> with a <form class="wpcf7-form"> and hidden inputs named _wpcf7, _wpcf7_version and _wpcf7_unit_tag. That wpcf7 markup is the definitive signal.

What are the _wpcf7 hidden fields?

Contact Form 7 adds hidden inputs to every form: _wpcf7 (the form ID), _wpcf7_version (the plugin version), _wpcf7_unit_tag (a unique instance ID) and _wpcf7_container_post. Finding these _wpcf7-prefixed hidden fields confirms Contact Form 7 and even reveals its version.

How does Contact Form 7 submit forms?

Modern Contact Form 7 submits via AJAX to the WordPress REST API route /wp-json/contact-form-7/v1/contact-forms/<id>/feedback. Seeing a request to /wp-json/contact-form-7/ when the form is submitted is a strong, characteristic CF7 signal.

Does Contact Form 7 mean the site uses WordPress?

Yes. Contact Form 7 is a WordPress plugin, so finding it means the site runs WordPress. Its forms are rendered within WordPress, so its presence confirms WordPress as the CMS, verifiable via /wp-content/ and /wp-json/ paths.

What does it mean if a site uses Contact Form 7?

Contact Form 7 is the most-installed free WordPress form plugin. Finding it is extremely common and indicates a WordPress site using a simple, free contact/lead form — typical of small-business and brochure sites that need basic forms without a premium builder.

Analyse any website with StackOptic

Get the full technology stack, performance, security and SEO report in seconds — free.

Analyse a website

Related articles