Your site is only as secure as the server it lives on. We take care of our server by limiting the areas people can access. It’s up to the client to maintain their site, update their plugins, and follow good security practices. If failure to do so results in damage to our systems, you may be liable.
Security Plugins and Services
There are a number of plugins and services that can help improve the security of your site. For example, some popular plugins are:
- iThemes Security
- Wordfence
- All In One WP Security & Firewall
- BulletProof Security
However, these plugins do require some level of understanding, so you may need to get someone qualified to help you set one up. A misconfigured security plugin can lock out legitimate users, including you, or block traffic your site depends on.
The following security services provide a web application firewall that sits between attackers and your server, a first line of defense. They're an excellent way to block attacks before they even reach your server:
Updates
We recommend that customers keep WordPress and all of their plugins and themes updated at all times as part of a regular maintenance plan. Not doing so is a serious security risk for your site. We also recommend that customers remove unused plugins and themes rather than merely deactivating them: a deactivated plugin's files remain on the server and can still be reached and exploited. Old plugins and code are a huge security risk.
Anti-Spam Protection
Spam is a special sort of security issue. Mostly it's just annoying, but it can become a serious issue if it grows unchecked. Gravity Forms provides three ways to help combat spam:
- The honeypot form setting activates a common technique to trick bots into revealing themselves: a hidden field that a human visitor never sees or fills in, but that automated submitters typically do. Submissions that fill it are discarded. It's generally a good idea to have this setting activated for all forms.
- Akismet plugin integration, which checks submissions against the Akismet spam service.
- CAPTCHA field. This displays a field which requires the user to prove they're human before they're allowed to submit the form.
File Upload Security
We’re sometimes asked about the security around the file upload feature. Files can only be uploaded to the server if there’s a file upload field on an active form. If no active forms have a file upload field then no files can be uploaded to the server.
Limit file uploads to logged in users
If possible, set your form to require login. This will ensure that file uploads are only performed by authenticated users. If requiring login is not an option for you then please read the rest of this section carefully.
File Upload Field Settings – Allowed File Extensions
When a file upload field is added to a form, make sure you configure the “allowed extensions” setting to be as restrictive as possible. Gravity Forms always blocks certain dangerous extensions (executable server-side code such as .php) to protect against attacks, but it's good practice to allow-list only the file extensions you expect to receive (for example pdf, jpg, png). Keep in mind that this check is based on the file name, not the file contents, so treat every upload as untrusted data and never execute, include or serve it as anything other than a download.
The Gravity Forms Uploads Folder
Gravity Forms creates a subfolder structure under the WordPress uploads root to save uploaded files. Each form gets a folder whose name combines the form ID with a unique token generated with the same algorithm WordPress uses for its own hashes (a salted HMAC-MD5), so the folder name is infeasible to guess by brute force. A folder containing the files for a form will have a path similar to this:
/path/to/wordpress/wp-content/uploads/gravity_forms/82-ea1cf844318d032fd7e8fa8w1dacdfbe
You will notice empty index.html files in all of the subfolders. Their purpose is to stop a web server with directory indexing enabled from listing the folder contents, which would expose every uploaded file and could let search engines index them. Please don't remove these files; they are there to protect you. Note that they only hide the listing: a file whose full URL is known can still be downloaded directly, which is why the folder name must be kept secret.
File Upload Field Merge Tags
Files are safe only as long as the folder name for that form is not shared. Merge tags can therefore be used in notifications to administrators; however, if files are confidential, it is not safe to use file upload merge tags in confirmations or in notifications to non-administrative users, because the link reveals the folder path to the recipient.
Changing the Gravity Forms Upload Path
You may wish to increase the security of your uploaded files by changing the place they're stored to a different location on the server (ideally outside the web root, so files cannot be fetched directly by URL at all) or to a different server entirely. You can do this by using the gform_upload_path filter. If you do this, you'll need to ensure that the web server has the appropriate permissions to read and write to that folder, and that any download links you rely on still resolve.
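As an added example (not Gravity Forms' own code), the following plugin snippet uses the gform_upload_path filter to move the uploads of selected forms to a directory outside the web root. The directory path, the form IDs and the function name are assumptions for illustration; the filter passes an array with path and url keys plus the form ID, and the callback returns the modified array.

```php
<?php
/**
 * Added example (not Gravity Forms' own code): relocate uploads for
 * confidential forms to a directory the web server does not serve.
 *
 * Assumptions (hypothetical, adjust for your host):
 *   - /var/www/private-uploads/ exists and is outside the document root
 *   - the web server user can read and write that directory
 *   - forms 3 and 7 collect confidential documents; other forms keep the default path
 */
add_filter( 'gform_upload_path', 'example_private_upload_path', 10, 2 );

function example_private_upload_path( $path_info, $form_id ) {
    $private_forms = array( 3, 7 ); // hypothetical form IDs

    if ( ! in_array( (int) $form_id, $private_forms, true ) ) {
        return $path_info; // non-confidential forms stay on the default path
    }

    $base = '/var/www/private-uploads/'; // hypothetical directory outside the web root

    // One subfolder per form keeps files from different forms separated.
    $path_info['path'] = $base . 'form-' . (int) $form_id . '/';

    // A directory outside the web root has no public URL. Point the url key
    // at a location that is deliberately not served, so the links stored in
    // entries and merge tags cannot be used for a direct download. Files must
    // then be delivered by your own authenticated download handler (not shown).
    $path_info['url'] = home_url( '/private-uploads-not-served/' );

    if ( ! is_dir( $path_info['path'] ) ) {
        wp_mkdir_p( $path_info['path'] ); // WordPress helper, creates parents as needed
    }

    return $path_info;
}
```

Files moved this way are no longer reachable through the entry detail links in the admin, so pair the filter with a download handler that checks the viewer's capability before streaming the file.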
Sensitive Data
The entry data is not encrypted; it is stored in plain text in the WordPress database alongside everything else. This means you should not use Gravity Forms to store very sensitive data like credit card details or passwords, which could result in serious issues in the event of a data breach.
The JSON REST API
Gravity Forms provides an API which can be activated by administrators on the settings page.
The API provides two methods of authentication:
- For WordPress plugins and themes running in the same installation: WordPress cookie authentication.
- For external clients: signature authentication.
Cookie authentication is the basic authentication method included with WordPress. When a user logs in, WordPress sets the authentication cookies, so plugin and theme developers need only a logged-in user.
Because the browser attaches those cookies automatically, a cookie on its own would let a malicious page make the API act on your behalf. The Gravity Forms Web API therefore requires nonces in addition to authentication to avoid CSRF issues: a request must carry a nonce that other sites cannot obtain, which prevents them from forcing you to perform actions you did not explicitly intend.
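To show the two checks that cookie-authenticated requests need, here is an added example of a generic WordPress AJAX handler (illustration only, not the Web API's own code): the nonce defends against CSRF and the capability check provides authorization. The action name, script handle and file name are hypothetical; gravityforms_delete_entries is one of the capabilities Gravity Forms registers.

```php
<?php
/**
 * Added example (generic WordPress, not Gravity Forms' API internals):
 * a cookie-authenticated endpoint that requires both a nonce and a capability.
 * Hypothetical names: action "example_delete_entry", script handle "example-entries".
 */

// Registered with wp_ajax_ only (no wp_ajax_nopriv_ hook), so anonymous
// requests are rejected by WordPress before this handler runs.
add_action( 'wp_ajax_example_delete_entry', 'example_delete_entry_handler' );

function example_delete_entry_handler() {
    // CSRF: a request forged from another site carries the login cookie
    // automatically, but it cannot carry a valid nonce. Dies on failure.
    check_ajax_referer( 'example_delete_entry', 'nonce' );

    // Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'gravityforms_delete_entries' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $entry_id = isset( $_POST['entry_id'] ) ? absint( $_POST['entry_id'] ) : 0;
    if ( ! $entry_id ) {
        wp_send_json_error( array( 'message' => 'Missing entry_id.' ), 400 );
    }

    // Perform the privileged action only after both checks passed.
    $result = GFAPI::delete_entry( $entry_id );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $entry_id ) );
}

// Hand the nonce to the browser together with the admin script that will
// POST it back as the "nonce" field (entries.js is hypothetical).
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-entries', plugins_url( 'entries.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-entries', 'exampleEntries', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_entry' ),
    ) );
} );
```

The order matters: the nonce check runs first so that a forged request never reaches the capability logic, and the capability check runs before any state changes so that a logged-in but unprivileged user cannot delete entries.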
All requests from external applications are authenticated by checking an expiring signature. This is similar to the approach used by Amazon to secure access to their S3 Storage API: the client signs the request with a private key that is never sent over the wire, and the signature includes an expiry time that bounds how long a captured request could be replayed. Once authenticated, standard WordPress capability-based authorization is used to ensure that the API request is allowed to be fulfilled.
If you've activated the Web API, make sure the private key is long, random and kept secret (never embed it in client-side code or commit it to source control), and keep expiry times short. Create a dedicated user account for the API and assign it the lowest privileges possible, so that a leaked key cannot do more than that account is allowed to do.
For further information on how to implement authentication in an API client, please consult the documentation for the Web API.
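As an added example (not the Web API's own client or server code), the block below builds and verifies an expiring signature in the form the Web API documentation describes: an HMAC-SHA1 over "api_key:method:route:expires" with the private key, base64-encoded and then URL-encoded, passed as api_key, signature and expires query parameters. Check the current documentation before relying on the exact string format; the site URL, keys, route and function names here are placeholders. The verify function goes beyond the page by showing the two checks a server must make, expiry and a constant-time comparison.

```php
<?php
/**
 * Added example: expiring-signature client and verifier.
 * Format assumed from the Web API docs: "{api_key}:{METHOD}:{route}:{expires}".
 * All keys and URLs below are placeholders.
 */

function example_gf_signature( $api_key, $private_key, $method, $route, $expires ) {
    $string_to_sign = sprintf( '%s:%s:%s:%s', $api_key, strtoupper( $method ), $route, $expires );
    $hash = hash_hmac( 'sha1', $string_to_sign, $private_key, true ); // raw binary digest
    return rawurlencode( base64_encode( $hash ) );
}

function example_gf_signed_url( $site_url, $api_key, $private_key, $method, $route, $ttl_seconds = 300 ) {
    // Short TTL: a captured URL is replayable only until $expires.
    $expires   = time() + $ttl_seconds;
    $signature = example_gf_signature( $api_key, $private_key, $method, $route, $expires );
    return sprintf(
        '%s/gravityformsapi/%s?api_key=%s&signature=%s&expires=%d',
        rtrim( $site_url, '/' ), $route, rawurlencode( $api_key ), $signature, $expires
    );
}

/**
 * Server-side check, as an illustration of what a verifier must do:
 * reject stale or malformed expiry values first, then recompute the
 * signature and compare in constant time. $now is injectable for tests.
 */
function example_gf_verify_signature( $private_key, $api_key, $method, $route, $expires, $received, $now = null ) {
    $now = ( $now === null ) ? time() : $now;
    if ( ! ctype_digit( (string) $expires ) || (int) $expires < $now ) {
        return false; // expired or not a timestamp: stale or replayed request
    }
    $expected = example_gf_signature( $api_key, $private_key, $method, $route, $expires );
    // hash_equals avoids timing leaks that a byte-by-byte === comparison would allow.
    return hash_equals( rawurldecode( $expected ), rawurldecode( $received ) );
}

// Usage with placeholder keys (the private key must stay on the client that signs,
// never in browser-side code). Send the URL with any HTTP client over HTTPS.
$url = example_gf_signed_url( 'https://example.com', 'PUBLIC-KEY-HERE', 'PRIVATE-KEY-HERE', 'GET', 'forms/1/entries' );

// What the server side would do with the query parameters of that URL:
parse_str( parse_url( $url, PHP_URL_QUERY ), $q );
$valid = example_gf_verify_signature( 'PRIVATE-KEY-HERE', $q['api_key'], 'GET', 'forms/1/entries', $q['expires'], $q['signature'] );
$replayed_later = example_gf_verify_signature( 'PRIVATE-KEY-HERE', $q['api_key'], 'GET', 'forms/1/entries', $q['expires'], $q['signature'], time() + 600 );
// $valid is true; $replayed_later is false because the signature has expired.
```

Because the method and route are part of the signed string, a signature issued for GET forms/1/entries cannot be reused for a DELETE or for another form, and the expiry limits the window in which even the original request can be replayed.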
Verifying the integrity of the source code files
If you’re concerned that your files may have been tampered with, you can check by comparing the MD5 checksum of each file against the list for the current version, which can be downloaded from the downloads page. If you need the checksum file for a previous version, please get in touch with support and we’ll send it to you. Always obtain the checksum file from us at the time of the check rather than keeping a copy on the server: an attacker who can modify plugin files can modify a stored checksum list just as easily.
The checksum file name has the extension .md5 and contains the version number. Before performing the check, make sure the checksum file is for the same version you have installed; otherwise legitimate differences between versions will show up as mismatches.
Instructions for Linux: Download the checksum file to the root of the gravityforms folder and run the following command:
md5sum -c gravityforms_{VERSION NUMBER}.md5
Any line reported as FAILED is a file that differs from the release. Note that md5sum -c only checks the files named in the list; it will not report files that have been added to the folder, so also look for unexpected files (a dropped web shell is usually a new file rather than a modified one).
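For hosts without md5sum, and to also catch files that were added rather than modified, here is an added example verifier in PHP (not Gravity Forms' own tooling). It assumes the checksum file uses the md5sum line format, a 32-character hex digest followed by two spaces (or space and asterisk) and a path relative to the plugin root; the version number and paths in the usage line are placeholders.

```php
<?php
/**
 * Added example: verify a plugin folder against a vendor .md5 list and
 * report modified, missing and unexpected files.
 * Assumed list format: "<32 hex>  <relative/path>" (md5sum style).
 * Usage (placeholders):
 *   php verify-checksums.php /path/to/wp-content/plugins/gravityforms gravityforms_X.Y.Z.md5
 */

function example_parse_md5_list( $checksum_file ) {
    $expected = array();
    foreach ( file( $checksum_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) as $line ) {
        if ( preg_match( '/^([0-9a-fA-F]{32}) [ *](.+)$/', $line, $m ) ) {
            $expected[ str_replace( '\\', '/', $m[2] ) ] = strtolower( $m[1] );
        }
    }
    return $expected;
}

function example_list_files( $root ) {
    $files = array();
    $root  = rtrim( $root, '/' );
    $it    = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $file ) {
        $rel     = substr( $file->getPathname(), strlen( $root ) + 1 );
        $files[] = str_replace( '\\', '/', $rel );
    }
    return $files;
}

function example_verify_plugin( $root, $checksum_file ) {
    $root     = rtrim( $root, '/' );
    $expected = example_parse_md5_list( $checksum_file );
    $self     = realpath( $checksum_file ); // skip the list itself if it sits in the folder
    $report   = array( 'ok' => 0, 'modified' => array(), 'missing' => array(), 'unexpected' => array() );

    foreach ( $expected as $rel => $md5 ) {
        $path = $root . '/' . $rel;
        if ( ! is_file( $path ) ) {
            $report['missing'][] = $rel;
        } elseif ( md5_file( $path ) !== $md5 ) {
            $report['modified'][] = $rel;
        } else {
            $report['ok']++;
        }
    }

    // Anything on disk that the vendor list does not mention is suspect:
    // this is where an added backdoor file shows up, and md5sum -c would miss it.
    foreach ( example_list_files( $root ) as $rel ) {
        if ( realpath( $root . '/' . $rel ) === $self ) {
            continue;
        }
        if ( ! isset( $expected[ $rel ] ) ) {
            $report['unexpected'][] = $rel;
        }
    }
    return $report;
}

if ( PHP_SAPI === 'cli' ) {
    if ( $argc < 3 ) {
        fwrite( STDERR, "usage: php verify-checksums.php <plugin-root> <checksum-file>\n" );
        exit( 2 );
    }
    $report = example_verify_plugin( $argv[1], $argv[2] );
    printf( "%d files OK\n", $report['ok'] );
    foreach ( array( 'modified', 'missing', 'unexpected' ) as $kind ) {
        foreach ( $report[ $kind ] as $rel ) {
            printf( "%-10s %s\n", strtoupper( $kind ), $rel );
        }
    }
    // Non-zero exit when anything deviates, so the check can run from cron.
    exit( ( $report['modified'] || $report['missing'] || $report['unexpected'] ) ? 1 : 0 );
}
```

Treat an UNEXPECTED .php file as a higher-priority finding than a MODIFIED one: the former is the usual signature of a dropped web shell, while the latter can also be a hand-edited customisation that should have been a hook.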
Reporting Security Vulnerabilities
Security vulnerabilities in all software are inevitable and we do our best to ensure that patches are developed, tested, released and announced as quickly as possible after they’ve been discovered. Full details are made available to customers and other trusted parties on request.
On occasion, security researchers have contacted us to disclose a security vulnerability. In these cases, it’s understandable that the researcher might want to publish details of the discovery themselves. We do expect researchers to respect the principles of responsible disclosure and to work with us to coordinate the content and timing of the public disclosure so customers are given a reasonable opportunity to update their sites.
If you have discovered a vulnerability in one of our products we want to hear from you as soon as possible. Please gather as much information together as you can so we can work quickly to address it. Here’s a checklist of the details we’d like to see.
- Severity (high, medium, low)
- Vulnerability Type: e.g., DoS, Overflow, XSS, CSRF, etc
- Exploitation Requires Authentication?: yes/no
- Version(s) of Gravity Forms (or Add-On) affected
- A description of the vulnerability
- Do you have reason to believe the vulnerability is being exploited?
- Are details of an exploit publicly available? If so, please provide us with a URL.
- What is the potential impact? How do you envisage it being used in an attack scenario?
- DREAD score, if known.
- CVE Identifier / Reference / Advisory Number, if applicable.
- If you wish to be credited for the responsible disclosure in the release announcement and the change log, please let us know. If you plan to disclose details of the vulnerability, please do let us know so we can coordinate the timing of the disclosure together.
- Any additional comments.
If you are a customer, please open a support ticket as soon as possible and make it clear in the subject that you are reporting a security vulnerability.
If you are not a customer send all the details to security@rocketgenius.com. We have developers in a few time zones so don’t assume you have to leave it till the morning.
We’ll acknowledge receipt as soon as we’ve read it. If confirmed we’ll plan a patch and let you know when we plan to release it.