WordPress Forms UsagePosted on May 2, 2023 in Security
Website administrators using form tools made available via WordPress or by WordPress plugins, such as Gravity Forms, should understand the potential security risks associated with them before using them to collect information on public facing websites. WordPress form tools are not as secure as other methods of collecting data, and poorly configured web forms may provide bad actors additional attack vectors. Here are a few tips and best practices for using forms in WordPress:
- Understand your audience and anticipated volume of response. Using a WordPress form is a good option for general contact forms or forms that expect low to moderate responses. WordPress forms on state-hosted websites leverage the compute and processing power of the underlying web infrastructure. Sudden surges in traffic could potentially affect the web server hosting your website and lead to performance degradation and/or availability issues for your website. For high volume responses (over thousands of responses), consider offloading your web form onto a cloud service such as Microsoft Forms or Google Forms. Those cloud services are built to withstand larger amounts of traffic.
- Prevent SPAM by implementing a CAPTCHA challenge. CAPTCHA fields are available and pre-configured within Gravity Forms, and can differentiate between real users and automated users, such as bots. The use of a CAPTCHA fields can help prevent or thwart unwanted form submissions.
- Enable form field validation where possible. It is good practice to configure field level validation so that you can dictate the type of data being entered into your form, as well as ensure data integrity of the data you are collecting. For example, if you must include a file upload field on your form, it is good practice to limit the file size and restrict the file type of files submitters are allowed to upload.
Aside from what you can do to help protect your website and web forms, ETS implements several host-level protections such as a website firewall, a content delivery network, cache tools, secured and zero-trust login methods, intrusion protection and anti-malware monitoring to ensure availability and further protect your website and its data.