In top form: the 10 most-used form builders across the web
- 16 days ago
- 5 min read
Name, email, five-star review… we fill out online forms so often we barely notice them anymore. However, form builders and ‘experience management’ software are behind the scenes on all these websites. Which platforms and plugins are most popular across the web? The data reveals all—read on to learn more.
What are online form builders?
Any time you fill out a survey, contact a business via their website, or submit preferences online, you are essentially filling out a form. These forms are sometimes coded into a website, but for those less technologically inclined, no-code forms can be used on or embedded into a website for visitors to use. The platforms that offer these services are called ‘form builders,’ and their shapes and sizes vary depending on their origin, destination, and intended uses—and with so many uses come so many options.
At Dataprovider.com, we gather and structure web data like this, tracking the installations and usage of online technologies like form builders. So, to get an inside look at the web’s most used online forms, we turned to the data.
There are two clear winners in the form builder sphere: Contact Form 7 and Medallia. With over 50% of the market share, Contact Form 7 runs the show. This form builder is a WordPress plugin, and a free one at that. This helps clarify the popularity, given that WordPress is the most used CMS globally. Its open-source philosophy means that free plugins are typically well received, and the prevalence of Contact Form 7 across WordPress sites is corroborated by its 10m+ active installations stat on the WordPress Plugin Directory.
Medallia trails at a close second. This software platform is focused on ‘experience management’—customer, contact center, employee, and digital—utilizing surveys and other feedback collection forms. Following these two front-runners, other WordPress plugins make it high onto the list: WPForms Lite and WPForms Pro rank 3rd and 6th among the most used form builders. Gravity Forms is also a premium WP plugin, as are Formidable Forms and Ninja Forms—ranking 4th, 7th, and 8th most used form builders, respectively.
Beyond the dominance of WordPress websites online today, there are a number of non-plugin form builders that make the top ten. Google Forms is part of Google’s Editors suite and can be used embedded in a site or simply accessed as a link, while Refiner is a ‘microsurvey’ software—these are the little rating boxes that pop up on a website asking for quick, one-click feedback, especially for web and mobile product companies. Microsoft Forms is a free-to-use part of Office 365 for surveys, polls, and quizzes, and finally, Typeform is an interactive high-design software that specializes in making ‘forms worth filling out’.
Excluding WordPress
We’re sorry to do it, but we had to ask: if we exclude websites that use WordPress as their content management system, what does the top ten look like then?
Unsurprisingly, Medallia dominates this list. As a CMS-agnostic software, it is not limited to WordPress, and seems to be much loved across the web. Contact Form 7 does still make an appearance in second place, as do other non-WP options from Figure 1, but a number of new names enter the race. Getsitecontrol is not a form builder specifically, but offers popups and inline forms as part of its (email) marketing suite. Shopify’s growing popularity is demonstrated by the presence of Hulk Form Builders and Powerful Contact Form Builder on this new list, given that both are apps for Shopify sites. Wufoo and Qualtrics are two builders that make the list but with rather small user bases, with the former being reasonably dated, and the latter focused on internal use for companies and universities.
Are online forms secure?
A core part of web form builders is their purpose as data collection tools—customer data, employee data, and various kinds of personal data are all submitted through online forms. Businesses need to trust that the plugins are reliable, users need to trust that any personally identifiable information (PII) is stored securely, and the companies behind form builders must ensure this trust is warranted. This kind of valuable data is wanted by hackers, making the software behind online forms targets for cyberattacks, or at least vulnerable to data leaks.
This means that privacy is absolutely paramount on websites with forms, and digital security cannot be taken lightly when it comes to PII. According to our spider, the security of form-having websites is lacking: we look to the data on SSL certificates, Content Security Policies (CSP), and HTTP headers for details.
Of websites that use form builders, 93.6% have a valid SSL (Secure Sockets Layer) certificate, meaning the information that travels between a site and its visitors is encrypted (Figure 3). However, this also means that 6.4% of websites that collect information from their visitors have no or an invalid certificate, making it easier for malicious actors to intercept and access potentially sensitive data.
Further, a CSP is specified on only 13.3% of websites that use online forms. CSP helps to mitigate the risk of Cross-Site Scripting (XSS) attacks, which could potentially compromise form submissions or steal personal data. Enforcing a strict policy on which scripts can be loaded and executed reduces the risk of malicious scripts accessing sensitive information. In Figure 4 we see that 86.7% of the websites in question do not protect their visitors in this way.
CSPs are specified via HTTP headers, as are other security measures like X-Frame-Options and X-Content-Type-Options. The X-Frame-Options header prevents clickjacking attacks by ensuring that your website cannot be embedded within a hacked frame. Malicious actors use clickjacking to trick users into submitting sensitive information, and disallowing framing ensures that a website’s forms are not exposed to this risk. Despite its importance, only 11.4% of websites with forms specify this header (Figure 3). X-Content-Type-Options works similarly, allowing websites to specify what kinds of browser actions are disallowed. ‘Sniffing’, for example, has been used for recognizing online file types but opens undue security risks. By setting this HTTP header to “nosniff,” websites can prevent browsers from incorrectly interpreting or executing content types—which could be exploited in drive-by downloads or content injection attacks—and helps protect user data from compromise. That said, only 18.4% of websites that collect information through forms specifically disallow sniffing via the X-Content-Type-Options header.
What’s next for forms?
Online forms are a modern and efficient way to collect information from various targets, and websites use the form builders that best suit their site and their purposes. The popularity of WordPress plugin form builders matches the general popularity of WordPress, while ‘experience management software’ options are also increasingly used for their broader feedback-collection capabilities. Security remains a crucial point when it comes to the websites using forms, but at least the percentage of valid SSL certificates among them is relatively high. In any case, online forms are here to stay, and it is up to each party to ensure that their data collection processes are secure.
