Collecting user data through forms is a necessity. Business owners, bloggers, or online shop owners usually have some sort of Contact Form in it. The contact form serves as a means of answering questions, subscribing users to a Newsletter, or simply as a means of exchanging secure messages between interested parties.
Non-techy people may not know, that there are some security concerns with collecting user-submitted data, say:
Improperly validated or escaped data may pose a security concern to one’s website. Bad parties (the hackers) through a number of different methods & techniques may obtain access to our website. Say through the SQL injection technique they may obtain our admin account’s password.
Improperly stored data may in case of a leak (i.e. data leaving our database and being publicly revealed) result in legal troubles (or we may simply lose clients once they find out about that).
Improper access control (i.e. access to personal data through unprivileged parties) may result in a leak (accidental or on purpose). Obviously, if we are a store owner we may not want our editors/developers to have access to our client’s database.
To overcome the above security threats and mitigate the risks we should use the best tools at the market at our disposal. In the case of WordPress or WooCommerce websites, my personal recommendation is to use Gravity Forms along with a number of add-ons to offer a secure means of collecting and storing that.
Security on the other hand (in that particular case scenario) relates to how we safely collect the data and how we securely store the data once it is saved in our database.
In the following article, I’ll explain how to properly configure Gravity Forms to improve one’s website security when it comes to preventing data leaks and access control management. In, a nutshell, the setup I propose will help one in:
SPAM reduction.
Secure Data Collection (against manually created forms or other Contact Form plugins).
Secure Data Storage.
Access Control Management.
If set up properly, this should mitigate the risk of a data leak or any other hack-related issue.
Default Security Features of Gravity Forms
Field Rules
What I like about Gravity Forms is that some features are pretty secure out of the box. The forms offer data validation and sanitization by default. Say by selecting the Field Settings Tab of any given field (the Email field, in our case scenario) one can pretty quickly set it up as required with no duplicates allowed. Moreover, the plugin assures that only legit emails would go through, not allowing anything else to pass, say: a random number. This applies to Both Server-side and Front End Side data sanitization and validation. In the, end we save a lot of time trying to come up with something ourselves.
Gravity Forms Email Field Settings
The Captcha Field
Another, default interesting feat of Gravity Forms is its Captcha Field. Gravity Forms integrates seemlessly with reCaptcha v2 service allowing us to reduce SPAM content, submissions made by bots etc.
As written on the Gravity Forms documentation page:
The CAPTCHA field allows you to add a captcha field to your form, to help protect your website from spam and bot abuse by trying to determine if the form is being submitted by a human, or defeating a form submission attempt by a scripted bot. The Gravity Forms Captcha field is available under the Advanced Fields section within the form editor.
Gravity Forms Captcha Field
Gravity Forms Captcha Settings Screen
Adding Captcha to Gravity Forms forms, despite a 3rd-party service integration is pretty easy and I strongly encourage one to use it with every form.
Personal Data Tab
Another interesting feature of Gravity Forms is the Personal Data Tab, which is an easy control of user-submitted data. This tab lets one control for how long data should be stored or what should happen upon data Export or Removal. In the case of simple websites with Contact Form in it, I suggest removing the Personal Data automatically within a few days, once the conversation has been moved elsewhere or finalized.
Gravity Forms Personal Data Tab is intuitive to use
Custom Validation Rules
For those of you looking for Advanced Data Validation and Sanitization (say, a custom, Secret Token Validation) Gravity Forms offers that as well! With its great documentation, one can create a custom Validation logic, which can be done through a number of submission hooks. In, our case the two most interesting ones would be:
The pre-submission hook – a hook allowing us to modify or even validate data before it was being submitted. Say, we could add and encode some of the data to prevent it from easy decoding upon a leak.
The validation hook – a hook allowing one to sanitize and validate the data, either preventing the submission from happening or not. Say, we could verify a Secret token, thus reducing the number of submissions to a form to a set of privileged users.
By default your forms, form entries and the data stored on your site are all visible to the users with proper access control, say Administrators or Editors of your or your client’s website. I recommend the following add-ons to further bullet proof your website, allowing you better access control:
Protect your Gravity Forms by locking down form and form entries on a granular level: block or provide access as needed to staff, students, clients and other users.
User Role Editor WordPress plugin allows you to change user roles and capabilities easy.
Just turn on check boxes of capabilities you wish to add to the selected role and click “Update” button to save your changes. That’s done.
These two plugins either combined or not, will give you the ability to restrict your or your client’s users from accessing a vulnerable data for bad deeds, making your data even more secure.
Summary
Collecting and storing user submitted data doesn’t have to be a problem if we use the proper tools we have at our disposal. With Gravity Forms for WordPress, one, even without technical knowledge can improve his personal data’s security with decent level of knowledge and practice. In this short article, I covered some basic ideas on how to improve his forms security.
Get Gravity Forms at👇
Featured Image by: https://www.pexels.com/pl-pl/zdjecie/rece-laptop-internet-pisanie-5474285/
By browsing through the site and filling in the Contact Forms you agree to our PRIVACY POLICY. Moreover WP doin website uses COOKIES to improve your experience. We assume you're ok with this, but you can opt-out if you wish. ACCEPTREJECTCookie settings
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Cookie
Duration
Description
cookielawinfo-checkbox-advertisement
1 year
Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics
1 year
Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional
1 year
The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
1 year
Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others
1 year
Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance
1 year
Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent
1 year
CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Cookie
Duration
Description
__cf_bm
30 minutes
Cloudflare set the cookie to support Cloudflare Bot Management.
aet-dismiss
never
Disqus sets this cookie for the functionality of the website’s comment system.
badges-message
never
Disqus sets this cookie for the functionality of the website’s comment system.
drafts.queue
never
Disqus sets this cookie for the functionality of the website’s comment system.
submitted_posts_cache
never
Disqus sets this cookie for the functionality of the website’s comment system.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Cookie
Duration
Description
__jid
30 minutes
Disqus sets this cookie to remember the user's Disqus login credentials across websites that use Disqus.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Cookie
Duration
Description
__gads
1 year 24 days
Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.
_ga
1 year 1 month 4 days
Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*
1 year 1 month 4 days
Google Analytics sets this cookie to store and count page views.
_gh_sess
session
GitHub sets this cookie for temporary application and framework state between pages like what step the user is on in a multiple step form.
brwsr
1 year 1 month 4 days
This cookie is set by the provider Impact Radius. This cookie is used for affiliate marketing.
CONSENT
2 years
YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
disqus_unique
1 year
Set to record internal statistics for anonymous visitors.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Cookie
Duration
Description
__gpi
1 year 24 days
Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.
DSID
1 hour
This cookie is set by DoubleClick to note the user's specific user identity. It contains a hashed/encrypted unique ID.
IDE
1 year 24 days
Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
test_cookie
15 minutes
doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE
5 months 27 days
YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC
session
Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId
never
YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests
never
YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
