
Introduction

Collecting user data through forms is a necessity. Business owners, bloggers and online shop owners usually have some sort of contact form on their site. The contact form serves as a means of answering questions, subscribing users to a newsletter, or simply exchanging messages securely between interested parties.

Non-techy people may not know that collecting user-submitted data comes with some security concerns, for example:

  1. Improperly validated or escaped data may pose a security risk to one’s website. Bad parties (the hackers) use a number of different methods and techniques to gain access to a website; through SQL injection, for example, they may obtain the admin account’s password.
  2. Improperly stored data may, in case of a leak (i.e. data leaving our database and being publicly revealed), result in legal trouble (or we may simply lose clients once they find out about it).
  3. Improper access control (i.e. unprivileged parties having access to personal data) may result in a leak, accidental or deliberate. Obviously, a store owner may not want their editors or developers to have access to the client database.

To overcome the above security threats and mitigate the risks, we should use the best tools on the market. For WordPress or WooCommerce websites, my personal recommendation is Gravity Forms along with a number of add-ons, which together offer a secure means of collecting and storing that data.

About Gravity Forms & Security

Gravity Forms is a WordPress plugin that offers a robust interface for creating forms to collect data. I outlined the features offered by the plugin in my previous blog entry, which you may find here: https://wp-doin.com/2023/10/11/streamline-your-website-with-gravity-forms-for-wordpress/.

Security, in this particular scenario, relates to how safely we collect the data and how securely we store it once it is saved in our database.

In the following article I’ll explain how to configure Gravity Forms to improve a website’s security when it comes to preventing data leaks and managing access control. In a nutshell, the setup I propose will help with:

  1. SPAM reduction.
  2. Secure Data Collection (against manually created forms or other Contact Form plugins).
  3. Secure Data Storage.
  4. Access Control Management.

If set up properly, this should mitigate the risk of a data leak or any other hack-related issue.

Default Security Features of Gravity Forms

Field Rules

What I like about Gravity Forms is that some features are pretty secure out of the box. The forms offer data validation and sanitization by default. For example, in the Field Settings tab of any given field (the Email field, in our scenario) one can quickly mark it as required and disallow duplicates. Moreover, the plugin ensures that only valid email addresses go through and rejects anything else, say a random number. This applies to both server-side and front-end validation and sanitization. In the end, we save a lot of time that would otherwise go into building something ourselves.

Gravity Forms Email Field Settings

The Captcha Field

Another interesting default feature of Gravity Forms is its CAPTCHA field. Gravity Forms integrates seamlessly with the reCAPTCHA v2 service, allowing us to reduce spam content, submissions made by bots, etc.

As written on the Gravity Forms documentation page:

The CAPTCHA field allows you to add a captcha field to your form, to help protect your website from spam and bot abuse by trying to determine if the form is being submitted by a human, or defeating a form submission attempt by a scripted bot. The Gravity Forms Captcha field is available under the Advanced Fields section within the form editor.

Adding a CAPTCHA to Gravity Forms forms, despite requiring a third-party service integration, is pretty easy, and I strongly encourage using it with every form.

Personal Data Tab

Another interesting feature of Gravity Forms is the Personal Data tab, which gives easy control over user-submitted data. This tab lets one decide how long data should be retained and what should happen upon data export or removal. For simple websites with a contact form, I suggest removing the personal data automatically within a few days, once the conversation has moved elsewhere or been finalized.

Gravity Forms Personal Data Tab is intuitive to use

Custom Validation Rules

For those of you looking for advanced data validation and sanitization (say, a custom secret-token validation), Gravity Forms offers that as well. With its great documentation, one can create custom validation logic through a number of submission hooks. In our case the two most interesting ones are:

The pre-submission hook – a hook allowing us to modify or even validate data before it is submitted and saved. For example, we could encode some of the data so that it cannot be trivially read in case of a leak.

The validation hook – a hook allowing one to sanitize and validate the data and either allow or reject the submission. For example, we could verify a secret token, restricting submissions to a set of privileged users.
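As an added example (not code from the original post or from the Gravity Forms project), here is how the two hooks above can implement the secret-token check; the form ID (3), the token field ID (7), the option name and the function names are assumptions:

```php
<?php
/**
 * Added example (not part of the original post or of Gravity Forms itself).
 * Assumptions: form ID 3, the token typed into a Single Line Text field with
 * ID 7, and the expected token stored in the hypothetical WordPress option
 * 'wpdoin_form_secret_token'. Drop it into a small must-use plugin.
 */

// Step 1 (validation hook): reject the submission unless the token matches.
// This runs server-side, which is the check that counts: anything done in
// the browser can be bypassed by a scripted submission.
add_filter( 'gform_validation_3', 'wpdoin_validate_secret_token' );
function wpdoin_validate_secret_token( $validation_result ) {
    $form     = $validation_result['form'];
    $expected = (string) get_option( 'wpdoin_form_secret_token', '' );

    foreach ( $form['fields'] as $field ) {
        if ( 7 !== (int) $field->id ) {
            continue;
        }
        $submitted = (string) rgpost( 'input_7' );

        // hash_equals() compares in constant time, so a wrong guess does not
        // leak how many leading characters matched through response timing.
        // An empty configured token fails closed instead of letting all through.
        if ( '' === $expected || ! hash_equals( $expected, $submitted ) ) {
            $field->failed_validation      = true;
            $field->validation_message     = 'Invalid access token.';
            $validation_result['is_valid'] = false;
        }
    }

    $validation_result['form'] = $form;
    return $validation_result;
}

// Step 2 (pre-submission hook): runs only after validation passed. Replace
// the plaintext token with a one-way hash before the entry is saved, so a
// leaked entries table does not hand out the secret in clear text.
add_action( 'gform_pre_submission_3', 'wpdoin_hash_token_before_save' );
function wpdoin_hash_token_before_save( $form ) {
    if ( isset( $_POST['input_7'] ) ) {
        $_POST['input_7'] = hash( 'sha256', (string) $_POST['input_7'] );
    }
}
```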


Access Control Management

By default, your forms, form entries and the data stored on your site are all visible to users with sufficient privileges, such as Administrators or Editors of your or your client’s website. I recommend the following add-ons to further harden your website with finer-grained access control:

Advanced Permissions for Gravity Forms

Protect your Gravity Forms by locking down form and form entries on a granular level: block or provide access as needed to staff, students, clients and other users.

User Role Editor

The User Role Editor WordPress plugin allows you to change user roles and capabilities easily.
Just turn on the check boxes of the capabilities you wish to add to the selected role and click the “Update” button to save your changes. That’s done.

These two plugins, combined or on their own, give you the ability to restrict your or your client’s users from accessing sensitive data for bad deeds, making your data even more secure.

Summary

Collecting and storing user-submitted data doesn’t have to be a problem if we use the proper tools at our disposal. With Gravity Forms for WordPress, even someone without technical knowledge can improve the security of the personal data they hold, given a decent level of knowledge and practice. In this short article, I covered some basic ideas on how to improve form security.


Featured Image by: https://www.pexels.com/pl-pl/zdjecie/rece-laptop-internet-pisanie-5474285/
