Title: Shed Form
Author: teamstaccato
Published: May 9, 2026
Last modified: May 9, 2026

---


![](https://ps.w.org/shed-form/assets/banner-772x250.png?rev=3526984)

![](https://ps.w.org/shed-form/assets/icon-256x256.png?rev=3526984)

# Shed Form

 By [teamstaccato](https://profiles.wordpress.org/teamstaccato/)

[Download](https://downloads.wordpress.org/plugin/shed-form.1.6.22.zip)


## Description

Shed Form is a WordPress contact form plugin specifically designed for Japanese
websites. It features a 3-step submission flow (Input → Confirmation → Complete),
a visual form builder, built-in spam protection, and full submission history management.

**Key Features:**

 * **3-Step Submission Flow** — Input → Confirmation → Complete, the standard expected
   by Japanese website visitors
 * **Visual Form Builder** — Drag & drop field arrangement with 12 field types
 * **Spam Protection** — Cloudflare Turnstile integration, NG phrase scoring with
   silent blocking, IP blocking, and rate limiting
 * **Submission History** — View, search, manage status, export to CSV, and review
   blocked submissions
 * **Email Logging** — Full log of sent emails with one-click resend for failed 
   deliveries
 * **Multiple Layouts** — Table, Stack, Inline, and DL layouts with responsive support
 * **Form Scheduling** — Set start/end dates to automatically open and close forms
 * **Japanese Validation** — Hiragana, Katakana, postal code, and Japanese phone
   number validation built in

**Supported Field Types:**

text, textarea, email, tel, number, select, radio, checkbox, consent, date, file,
hidden

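#### Japanese description

Shed Form is a contact form plugin for WordPress built specifically for Japanese
websites.

**Main features:**

 * 3-step submission with a confirmation screen (Input → Confirmation → Complete)
 * Form builder for arranging fields by drag & drop
 * Spam protection through Cloudflare Turnstile integration, NG phrase scoring, IP
   blocking, and rate limiting
 * Submission history management (search, status management, CSV export, review of
   blocked submissions)
 * Email sending history and resend function
 * 4 layouts (table, stack, inline, DL)
 * Form expiration settings
 * Hiragana, katakana, postal code, and Japanese phone number validation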

### Third-Party Services

This plugin connects to external services in the following cases:

#### Cloudflare Turnstile

When Turnstile spam protection is enabled in the form settings, this plugin sends
verification requests to Cloudflare’s API during form submission.

 * Service: [Cloudflare Turnstile](https://www.cloudflare.com/products/turnstile/)
 * Privacy Policy: [https://www.cloudflare.com/privacypolicy/](https://www.cloudflare.com/privacypolicy/)
 * Terms of Service: [https://www.cloudflare.com/website-terms/](https://www.cloudflare.com/website-terms/)
 * Data sent: Turnstile token (generated client-side), site key, user IP address
 * When: Only when Turnstile is enabled and a form is submitted

#### ZipCloud (Postal Code Lookup)

When a form includes a postal code field with auto-fill enabled, this plugin sends
the entered postal code to the ZipCloud API to retrieve the corresponding address.

 * Service: [ZipCloud](https://zipcloud.ibsnet.co.jp/)
 * Privacy Policy: [https://zipcloud.ibsnet.co.jp/](https://zipcloud.ibsnet.co.jp/)
 * Terms of Service: [https://zipcloud.ibsnet.co.jp/](https://zipcloud.ibsnet.co.jp/)
 * Data sent: Postal code (zip code) entered by the user
 * When: Each time a user enters a postal code in a field with auto-fill enabled
 * Note: This is a free, publicly available Japanese postal code lookup service.
   No authentication or personal data is required.

#### NG Phrase Cloud Update

When the administrator manually clicks the “Update from Cloud” button in the plugin
settings, this plugin fetches the latest spam phrase list from the WP Shed server.

 * Service: [WP Shed](https://wpshed.jp/)
 * Privacy Policy: [https://wpshed.jp/privacy/](https://wpshed.jp/privacy/)
 * Terms of Service: [https://wpshed.jp/legal/](https://wpshed.jp/legal/)
 * Data sent: None (one-way download only)
 * When: Only when the administrator explicitly clicks the update button

## Screenshots

 * Form editor — drag & drop field arrangement
 * Frontend form display with confirmation screen
 * Submission history with status management
 * Email log with resend functionality
 * Turnstile and spam protection settings
 * NG phrase management

## Installation

 1. Upload the plugin folder to the `/wp-content/plugins/` directory, or install directly
    through the WordPress plugin screen.
 2. Activate the plugin through the ‘Plugins’ menu in WordPress.
 3. Go to **Shed Form → Form List** to create your first form.
 4. Copy the generated shortcode (e.g. `[shedform_form id="1"]`) and paste it into
    any page or post.
 5. (Recommended) Set up Cloudflare Turnstile for spam protection under **Shed Form
    → Settings**.

## FAQ

### How many forms can I create?

There is no limit. You can create as many forms as you need.

### Can I place multiple forms on the same page?

Yes. Use different shortcode IDs, e.g. `[shedform_form id="1"]` and `[shedform_form
id="2"]`.

### How does the spam blocking work?

The plugin scores submission content against NG (blocked) phrases. When the score
exceeds a threshold, the submission is silently blocked — the user sees the completion
screen, but no email is sent to the administrator. Blocked submissions can be reviewed
in the Submission History under the “Blocked” tab.

### Does this plugin support Cloudflare Turnstile?

Yes. Create a Turnstile site in your Cloudflare dashboard, enter the Site Key and
Secret Key in **Shed Form → Settings → Turnstile**, and enable it per form in the
form editor.

### What happens when a form reaches its expiration date?

The form displays a custom message (HTML editable) and rejects all submissions, 
including direct POST requests.

### Can I export submission data?

Yes. Go to **Shed Form → Submission History** and click the CSV export button.

### The admin notification email is not arriving. What should I check?

 1. Check **Shed Form → Email Log** — is the email status “sent” or “failed”?
 2. If blocked, check the “Blocked” tab in Submission History.
 3. If “failed”, check the error message and consider installing an SMTP plugin
    (e.g. WP Mail SMTP).
 4. Check your spam/junk folder.

### Is there a paid version?

Shed Form itself is completely free. Optional paid add-ons (MW WP Form Importer,
Export/Import, Performance Profiler) are available at [wpshed.jp](https://wpshed.jp/).

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Shed Form” is open source software. The following people have contributed to this
plugin.

Contributors

 * [teamstaccato](https://profiles.wordpress.org/teamstaccato/)

[Translate “Shed Form” into your language.](https://translate.wordpress.org/projects/wp-plugins/shed-form)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/shed-form/), check 
out the [SVN repository](https://plugins.svn.wordpress.org/shed-form/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/shed-form/) by [RSS](https://plugins.trac.wordpress.org/log/shed-form/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.6.22

 * Fix: Corrected Privacy Policy URL for WP Shed NG Phrase service in Third-Party
   Services section.

#### 1.6.21

 * Code quality: Renamed JS global variable `wsfPreview` to `shedformPreview` to
   comply with WordPress.org prefix requirements.
 * Code quality: Renamed `wpshed_` option keys for NG phrase cache to `shedform_`
   prefix (shedform_default_phrases_cache, shedform_phrases_cache_version, shedform_phrases_cache_updated).
   Migration runs automatically on update.
 * Code quality: Removed obsolete `wpshed_license_key` / `wpshed_license_cache` 
   option writes from migration function (no longer used after updater removal in
   v1.6.19).
 * Code quality: Wrapped hardcoded `同意する` strings with `__()` for i18n in 3 
   locations.
 * Code quality: Added phpcs:disable NonPrefixedVariableFound to page-settings.php
   and form-complete.php template files.
 * Disclosure: Added Terms of Service URLs for ZipCloud and WP Shed NG Phrase API
   in Third-Party Services section.

#### 1.6.20

 * Code quality: Added phpcs:disable for NonPrefixedVariableFound in all template
   files (view templates included from callbacks — variables are scoped to each 
   template, not global API).
 * Code quality: Added PluginCheck.Security.DirectDB.UnescapedDBParameter phpcs:ignore
   to RENAME TABLE migration query ($old_table/$new_table are built from
   $wpdb->prefix + hardcoded map, no user input).

#### 1.6.19

 * Changed: Removed custom auto-updater (WPShed_Updater) — plugin is distributed
   exclusively via WordPress.org.

#### 1.6.18

 * Fixed: Undefined method Shedform_Field_Manager::get_fields() in ajax_restore_submission() —
   changed to get_by_form() (caused fatal error on “process as normal” action).
 * Code quality: Wrap consent confirmation label with esc_html__() for i18n.
 * Code quality: Wrap CSV export status labels with __() for i18n.
 * Code quality: Add esc_attr() to nav-tab-active and display:none inline style 
   echoes in form editor.

#### 1.6.17

 * Security: Added nonce verification to mail log detail view (auto-read-mark access
   now CSRF-protected).
 * Security: “詳細” list links in mail logs now use wp_nonce_url() to include nonce
   parameter.
 * Security: Cross-link from mail log detail to submission detail now includes nonce
   for check_admin_referer() on the submissions page.

#### 1.6.16

 * Security: Added nonce verification to submission detail view (auto-read-mark 
   state change now CSRF-protected).
 * Security: Sanitize validation and extras JSON field values on save (rule → sanitize_key,
   message/param → sanitize_text_field, _url keys → esc_url_raw, regex param validated
   by shedform_validate_regex_phrase).

#### 1.6.15

 * Changed: All function, class, constant, hook, option, and table prefixes renamed
   from wsf_/WSF_ to shedform_/SHEDFORM_/Shedform_ to meet WordPress.org 4-character
   prefix requirement.
 * Migration: Existing wp_wsf_* database tables automatically renamed to wp_shedform_*
   on upgrade (data preserved).
 * Migration: Existing wsf_* WordPress options automatically migrated to shedform_*
   on upgrade.

#### 1.6.14

 * Changed: Credit display changed to opt-in (default OFF) — removes Trialware violation.
   Setting added to Shed Form → Settings.
 * Changed: Upload directory moved from wp-content/shedform-uploads/ to wp-content/
   uploads/shed-form/ (wp_upload_dir() based). Automatic migration for existing 
   users.
 * Fixed: Inline blocks in page-mail-logs.php replaced with wp_add_inline_script()
 * Security: options JSON now sanitized recursively with sanitize_text_field(). 
   validation/extras validated by json_decode() + key whitelist (regex patterns 
   preserved).
 * Disclosure: Added ZipCloud postal code API to Third-Party Services in readme.txt
 * Updated: SortableJS 1.15.6 → 1.15.7
 * Fixed: file_put_contents() replaced with WP_Filesystem API for .htaccess and 
   index.php creation

#### 1.6.13

 * Code quality: Added phpcs:ignore for DirectQuery/NoCaching/SchemaChange/UnescapedDBParameter
   on migration ALTER TABLE and INFORMATION_SCHEMA queries in shed-form.php
 * Code quality: Added Squiz.PHP.DiscouragedFunctions.Discouraged to ini_set phpcs:ignore
   in class-shedform-validator.php (restore-after-finally blocks)
 * Code quality: Added NoCaching to $wpdb->update() phpcs:ignore in
   class-shedform-admin.php
 * Code quality: Added UnescapedDBParameter to CSV export batch-query phpcs:ignore
   lines in class-shedform-admin.php
 * Code quality: Added UnfinishedPrepare to $wpdb->prepare() with spread-operator
   placeholder in class-shedform-admin.php
 * Code quality: Added InputNotSanitized to phpcs:disable block in sanitize_input_for_display()
   in class-shedform-form.php
 * Code quality: Added NonceVerification.Recommended phpcs:ignore to read-only list
   filter GET params in page-submissions.php
 * Code quality: Added InterpolatedNotPrepared and moved ReplacementsWrongNumber
   phpcs:ignore to correct lines in page-submissions.php

#### 1.6.12

 * Code quality: Added phpcs:ignore/disable annotations for
   PluginCheck.Security.DirectDB.UnescapedDBParameter across all DB-heavy files — table
   names from $wpdb->prefix are safe
 * Code quality: Added phpcs:disable blocks to manager/template classes (field-manager,
   form-manager, row-manager, settings) for repetitive DirectQuery/NoCaching/InterpolatedNotPrepared
   false positives
 * Code quality: Added phpcs:disable/enable blocks to sanitize_input() / sanitize_input_for_display()
   for NonceVerification.Missing — nonce verified by calling functions
 * Code quality: Fixed remaining ini_set (restore in finally blocks) and set_error_handler
   phpcs:ignore annotations in shed-form.php and class-shedform-validator.php

#### 1.6.11

 * Code quality: Removed deprecated load_plugin_textdomain() call (auto-loaded since
   WordPress 6.7)
 * Code quality: Added missing wp_unslash() to $_GET accesses in admin pages and
   mail-logs template
 * Code quality: Added sanitize_url() to HTTP_REFERER handling in template helpers
 * Code quality: Added phpcs:ignore annotations for justified WPCS false positives
   (DirectQuery on custom tables, NonceVerification on read-only admin GET params,
   ini_set/set_error_handler for ReDoS protection)

#### 1.6.10

 * Version bump for mobile performance investigation testing

#### 1.6.9

 * Added: Field description — each field can now have supplementary helper text 
   displayed below the input

#### 1.6.8

 * Code quality: Removed wp_kses_post() from JSON fields (options/validation/extras)
   in ajax_save_field() — prevents silent corruption of regex patterns containing
   angle brackets
 * Code quality: Nonce sanitization changed from sanitize_key() to sanitize_text_field()
   (WPCS compliance)
 * Code quality: Replaced raw $_GET['status'] access with already-sanitized $filter_status
   variable in submissions page

#### 1.6.7

 * Security: Session token now stores form_id — token from form A can no longer 
   be used to complete form B
 * Security: Session token destroyed immediately after retrieval (was destroyed 
   after DB write) — eliminates 1-hour replay window
 * Security: Textarea fields capped at 20,000 characters server-side to prevent 
   spam-scoring DoS via oversized input
 * Security: Blocked phrase matching now runs per-field in addition to concatenated
   text, reducing split-phrase bypass risk
 * Security: File uploads now reject filenames containing PHP/script extensions 
   in any position (e.g., shell.php.jpg)
 * Added: Honeypot hidden field — bots that fill the invisible field are silently
   blocked regardless of spam score

#### 1.6.6

 * Security: From: display name now encoded with RFC 2047 MIME encoding (mb_encode_mimeheader) —
   prevents header injection via non-ASCII characters or special chars
 * Security: admin_email_to validated with is_email() and CRLF-stripped before passing
   to wp_mail()
 * Security: Resend mail CC/BCC now re-validated with is_email() and CRLF-stripped
   on restore from DB
 * Security: ajax_download_file() path check now uses trailing DIRECTORY_SEPARATOR
   (same pattern as set_attachments()) to prevent sibling-directory bypass
 * Security: Email subject CRLF stripped at plugin layer in both admin notification
   and auto-reply
 * Performance/Security: CSV export now streams in batches of 500 rows — prevents
   memory exhaustion on large datasets; keyword filter moved to SQL layer

#### 1.6.5

 * Security: CSV injection fix — user-supplied field values starting with =, +, -,
   @ are prefixed with a single-quote in CSV export
 * Security: {page_url} tag now uses home_url() instead of $_SERVER['HTTP_HOST']
   to prevent host-header injection
 * Security: ReDoS validation probe improved with near-miss test strings; PCRE control
   verbs (*LIMIT_BACKTRACK etc.) now rejected at save time
 * Security: pcre.recursion_limit added alongside backtrack_limit in all regex guards;
   try/finally ensures limit is always restored
 * Security: field validation ‘pattern’ rule now runs with the same ReDoS guard 
   as blocked-phrase regex matching
 * Security: set_attachments() path check uses trailing DIRECTORY_SEPARATOR to prevent
   shedform-uploads-evil prefix bypass
 * Security: wp_unslash() added to remaining $_POST accesses in admin handlers
 * Added: Admin notice warning when server is Nginx (where .htaccess upload protection
   is ineffective)
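
A sketch of the regex guard the 1.6.5 and 1.6.4 entries describe: a save-time check plus lowered PCRE limits restored in `finally`. This is an added example, not Shed Form's code; the function names, the limit values and the assumption that patterns are stored with their delimiters are mine.

```php
<?php
declare(strict_types=1);

// Added example, not Shed Form's code. Function names and the limit values are
// assumptions; patterns are assumed to be complete PCRE strings with delimiters.

const MAX_PATTERN_LEN = 500; // length cap named in the 1.6.4 entry

/** Save-time check: length cap, no PCRE control verbs, and the pattern must compile. */
function pattern_is_acceptable(string $pattern): bool {
    if ($pattern === '' || strlen($pattern) > MAX_PATTERN_LEN) {
        return false;
    }
    // The 1.6.5 entry rejects control verbs such as (*LIMIT_BACKTRACK...) at save time.
    // This conservative test refuses any "(*X" sequence, including harmless ones.
    if (preg_match('/\(\*[A-Z_]/', $pattern) === 1) {
        return false;
    }
    return @preg_match($pattern, '') !== false; // false means the pattern is unusable
}

/** Match-time guard: true/false on a clean result, null when PCRE gave up (caller skips). */
function guarded_match(string $pattern, string $subject): ?bool {
    $old_backtrack = ini_get('pcre.backtrack_limit');
    $old_recursion = ini_get('pcre.recursion_limit');
    try {
        ini_set('pcre.backtrack_limit', '10000'); // assumed value
        ini_set('pcre.recursion_limit', '1000');  // assumed value
        $result = @preg_match($pattern, $subject);
        if ($result === false) {
            error_log('regex skipped: ' . preg_last_error_msg());
            return null;
        }
        return $result === 1;
    } finally {
        // Runs on return and on exception, so the lowered limits never leak to other code.
        ini_set('pcre.backtrack_limit', (string) $old_backtrack);
        ini_set('pcre.recursion_limit', (string) $old_recursion);
    }
}

// Constructed sample patterns and subject.
$patterns = ['/無料|当選/u', '/(a+)+$/', '/(*LIMIT_BACKTRACK=99999999)spam/', '/unclosed(/'];
$subject  = str_repeat('a', 40) . '!';
foreach ($patterns as $p) {
    if (!pattern_is_acceptable($p)) {
        echo "$p => rejected at save time\n";
        continue;
    }
    echo "$p => ", var_export(guarded_match($p, $subject), true), "\n";
}
```

A `null` result means the pattern was skipped, which is different from "no match"; whether the nested-quantifier pattern hits the limit depends on the PCRE build and JIT setting.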

#### 1.6.4

 * Security: ReDoS protection — NG phrase regex patterns now validated with length
   limit (500 chars) and pcre.backtrack_limit guard; malformed/explosive patterns
   are skipped with error_log
 * Security: X-Forwarded-For IP spoofing mitigation — rightmost IP used instead 
   of leftmost when behind a proxy
 * Security: Email attachment path traversal prevention — set_attachments() now 
   validates all paths with realpath() against the shedform-uploads base directory
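
The path checks in the 1.6.4, 1.6.5 and 1.6.6 entries come down to the comparison below, shown as the weak prefix-only form beside the form with a trailing separator. This is an added example, not Shed Form's code; the function names and the temporary directory layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Shed Form's code. Function names and the temp layout are hypothetical.

/** Weak form: resolves the path, then does a bare string-prefix comparison. */
function is_inside_prefix_only(string $path, string $base): bool {
    $real = realpath($path);
    $root = realpath($base);
    return $real !== false && $root !== false && str_starts_with($real, $root);
}

/** Hardened form: same resolution, but the base must end in a directory separator. */
function is_inside_base(string $path, string $base): bool {
    $real = realpath($path);   // collapses ../ and symlinks; false if the path does not exist
    $root = realpath($base);
    if ($real === false || $root === false) {
        return false;          // unresolvable paths are rejected outright
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($real, $root);
}

// Constructed layout: the upload base plus a sibling directory that shares its name prefix.
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pathcheck-' . bin2hex(random_bytes(4));
$base = $tmp . DIRECTORY_SEPARATOR . 'shedform-uploads';
$evil = $tmp . DIRECTORY_SEPARATOR . 'shedform-uploads-evil';
mkdir($base . DIRECTORY_SEPARATOR . '1', 0700, true);
mkdir($evil, 0700, true);
$files = ["$base/1/ok.pdf", "$evil/notes.txt", "$tmp/outside.txt"];
foreach ($files as $f) {
    file_put_contents($f, 'x');
}

$cases = [
    'file under base'    => "$base/1/ok.pdf",
    'sibling prefix dir' => "$evil/notes.txt",
    'dot-dot traversal'  => "$base/1/../../outside.txt",
    'nonexistent file'   => "$base/1/missing.pdf",
];
foreach ($cases as $label => $candidate) {
    printf(
        "%-20s prefix-only=%-5s hardened=%s\n",
        $label,
        var_export(is_inside_prefix_only($candidate, $base), true),
        var_export(is_inside_base($candidate, $base), true)
    );
}

// Remove the constructed files and directories.
array_map('unlink', $files);
foreach (["$base/1", $base, $evil, $tmp] as $dir) {
    rmdir($dir);
}
```

The two checks disagree only on the sibling directory: `realpath()` alone handles the dot-dot case, and the trailing separator is what rejects `shedform-uploads-evil`.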

#### 1.6.3

 * Security: Upload subdirectories (form_id/year/month) now get .htaccess and index.php
   protection on creation
 * Security: Content-Disposition header uses RFC 5987 (filename*=UTF-8) for correct
   Japanese filename handling
 * Fixed: ALTER TABLE migration queries annotated with phpcs:ignore (no user input,
   WPCS compliance)

#### 1.6.2

 * Security: XSS fix — {url_param} dynamic tag now uses wp_kses() instead of sanitize_text_field()
   only
 * Security: XSS fix — {page_title} dynamic tag now escaped with esc_html()
 * Security: File upload — finfo_file() unavailability now rejects upload instead
   of skipping MIME check
 * Security: File upload — real MIME type passed to wp_handle_upload() instead of
   client Content-Type
 * Security: File upload — file size now measured server-side with filesize() instead
   of trusting $_FILES['size']
 * Security: wp_unslash() added to all $_POST access in form input processing (WPCS
   compliance)
 * Fixed: Double-escaping in consent scroll content (removed redundant esc_html()
   inside wp_kses_post())

#### 1.6.1

 * Unified the plugin slug to shed-form (for the WordPress.org submission)

#### 1.6.0

 * Added: GPL-2.0+ license for WordPress.org directory compatibility
 * Added: Privacy policy suggestion via wp_add_privacy_policy_content
 * Added: Third-party service disclosure in readme.txt
 * Changed: NG phrase cloud update from automatic cron to manual button
 * Changed: Bundled SortableJS locally instead of CDN
 * Improved: Internationalization — all hardcoded Japanese strings wrapped with 
   __()
 * Improved: Generated .pot file for translation support

#### 1.5.4

 * Fixed: Reply-To placeholder expansion in admin and auto-reply emails
 * Improved: Email placeholder handling for field keys

#### 1.5.3

 * Added: Consent field type with scroll-to-enable functionality
 * Improved: Static caching in settings class to reduce database queries

#### 1.5.1

 * Fixed: Submit button disabled until Turnstile verification completes
 * Security: Replaced PHP sessions with WordPress transients and one-time tokens

## Meta

 * Version: **1.6.22**
 * Last updated: **2 days ago**
 * Active installations: **Fewer than 10**
 * WordPress version: **6.0 or higher**
 * Tested up to: **6.9.4**
 * PHP version: **8.1 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/shed-form/)
 * Tags: [contact form](https://co.wordpress.org/plugins/tags/contact-form/), [email](https://co.wordpress.org/plugins/tags/email/),
   [form](https://co.wordpress.org/plugins/tags/form/), [Japanese](https://co.wordpress.org/plugins/tags/japanese/),
   [spam protection](https://co.wordpress.org/plugins/tags/spam-protection/)
 * [Advanced View](https://co.wordpress.org/plugins/shed-form/advanced/)
