Is your WordPress form really as secure as you think? A lot of people get caught out, but it's something you can't really afford to ignore.
Online security is a bit of a hot topic these days. Not a day goes by where some poor business has their website hacked and their users' data stolen. This can spell disaster for even the strongest of businesses out there.
While you might not think anything like that could happen to you, every other victim of hacking thought exactly the same. Online attacks can affect any business, big or small.
Therefore, website security is or at least should become a priority for you. If you deal with customer data, or even payment details, this makes it all the more important that you do something about your security. When you've got data like this, you inevitably become more of a target.
If you have a self-hosted website, your website’s security is ultimately your responsibility. If you can't protect your users' data, you could run into more than just security issues.
One area of concern you may be having is with your online forms. WordPress forms are such an important part of any business website now, that they can't afford to be overlooked. If not properly maintained they can become the weak link in your otherwise smooth business operation.
So in today's post, we thought we'd address this common concern: "is my WordPress form secure?" If not, what can I do about it? We'll also be talking a bit about how Formidable Forms protects its forms and uses the best modern practices to do so.
Is WordPress secure?
First of all, is using a big name like WordPress a guarantee of security?
Our WordPress forms are built with strong security in mind. But that doesn't mean you should sit back and relax. Simply having your website on WordPress won't mean a thing unless you're also using plugins that are secure and up to date.
In fact, using WordPress can sometimes make you more vulnerable. Given that 33% of ALL websites run on WordPress, it's a big market for hackers. Once they've found a vulnerability on one WordPress site, they can apply the same tools to thousands of others.
According to research from Sucuri, WordPress is the CMS platform they most commonly have to deal with. WordPress websites made up 90% of Sucuri's clean-up requests last year.
However, it's important to note that this data is influenced by the fact that Sucuri offer a free security plugin on WordPress. As WordPress is their primary focus, naturally, more of their clients are likely to be WordPress users. This doesn't mean that WordPress is more dangerous or should be avoided.
Sucuri found that most of the problems were not caused by the core program itself, but by simple mistakes and lack of the correct maintenance from webmasters.
Even if you have full faith in WordPress, it won’t mean a thing unless you’re properly maintaining your website on your end too. Here are our top tips to ensure your forms and WordPress site are secure.
Ways to ensure your WordPress site and forms are secure
1. Switch to HTTPS
Plain HTTP sends everything, including what your visitors type into a form, as readable text that anyone on the path between browser and server can read. HTTPS works in the same way but carries that traffic inside an encrypted SSL/TLS connection.
Unfortunately, not everyone has switched over to HTTPS yet and is therefore running a security risk with their data.
Back in 2017, Chrome started showing a 'Not Secure' warning on login and credit card forms not served over HTTPS with an SSL certificate. This was eventually expanded to every page not served over HTTPS.
This warning let people know that any information submitted in a form could be intercepted by others. If you haven't yet switched over, this doesn’t really inspire confidence for any user coming onto your website, looking to buy from you.
Would you enter your payment details into a website that couldn't guarantee your security? Probably not. You could miss out on so much business as a result, which only slows your growth.
This means that switching to HTTPS is probably the single most important thing you can do to protect your data. Before doing anything else, make sure you switch over to HTTPS if you haven’t already.
2. Keep everything up to date
The next important thing to always remember is to update everything to the latest version. That goes for WordPress itself, all of your plugins and themes too.
Once someone has found a vulnerability in a version of WordPress or a plugin, this information is shared publicly. News like this travels fast and it means that all outdated sites are automatically at a huge risk from multiple sources.
Part of the reason why WordPress is such a target is because there are so many different plugins people can use. This just means more areas of opportunity, and weaknesses to exploit, in order to break into your website.
Sucuri’s research found that over a third of clean-up requests came from websites with outdated versions installed. Many of these websites could have avoided threats if only they had updated.
Even trusted plugins can have vulnerabilities, which is why it's so important to keep them up to date.
Updating WordPress and your plugins is such a simple task that only takes a few minutes to do. So, don’t leave updates to the last minute or ignore them. Before you know it, your site could come under attack.
3. Only download plugins and updates from reputable sources
Following on from the previous point, when you do download plugins and updates for them, they absolutely need to come from legitimate sources.
Updating plugins needs to be done carefully, because even an innocent-looking update could have a nasty surprise.
Sometimes, what's called a 'back door' can be installed on your website when you install a plugin. This means that within the plugin, there is malicious code hidden amongst the genuine code. It is usually found within the PHP files on your web server, but it can be very hard to spot.
This 'back door' gives the hacker access to the website files in your hosting account, letting them plant malware or post spam content.
What protection can Formidable Forms offer for secure WordPress forms?
We get a lot of questions about this, understandably so.
We also verify logged-in users with a nonce before actions can be performed in the back-end, just to make sure the request was intentional and not forged on the user's behalf.
If you're using your forms for payments, it's really important that you keep on top of the Payment Card Industry Data Security Standard (PCI DSS).
Non-compliance could become a serious problem for yourself and your users if things go wrong.
When it comes to payments in Formidable, we will always ensure that we meet any upcoming changes in standards for payment forms. Therefore, you know you can trust your Formidable forms now and in the future. Read more about how to set up secure payments.
Protect your web forms from spam
On the subject of protecting your website, it's always worth mentioning spam too. While it won't pose the same direct threat to your website as malware would, it can still be a big security issue.
Not dealing with spam can slow your website down, because it has to store and process a lot of junk submissions. Cleaning that up takes a lot of time, pulling your focus from other areas of your business, including security.
With Formidable Forms, we have several spam protection methods that are essentially invisible to the user, therefore not disrupting their user experience.
We use reCAPTCHA, Honeypot protection, integration with Akismet and the WordPress comment blacklist to ensure your forms are protected from spam.
It's really easy to enable these in Formidable Forms and we'd always encourage you to have several methods working in tandem. This ensures that all spam is picked up before it becomes a problem.
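One way the nonce check from the previous section and a honeypot can sit together in a single WordPress form handler, as an added example that is not Formidable Forms' own code; the hook, option and field names are hypothetical, and a public-facing form would additionally register the `admin_post_nopriv_` hook.

```php
<?php
// Added example (not Formidable's code): a minimal admin-side WordPress form that
// combines a nonce check (request forgery protection) with a honeypot field (spam).
// Action, option and field names below are hypothetical.

const EXAMPLE_ACTION   = 'example_save_note'; // nonce action name (hypothetical)
const EXAMPLE_HONEYPOT = 'website_url';       // decoy field that bots tend to fill in

// Render the form. The nonce ties the submission to this user and this action;
// the honeypot is hidden from people by CSS, so a genuine user leaves it empty.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ACTION, EXAMPLE_ACTION . '_nonce' ); ?>
        <label>Note <input type="text" name="note"></label>
        <div style="position:absolute;left:-9999px" aria-hidden="true">
            <input type="text" name="<?php echo esc_attr( EXAMPLE_HONEYPOT ); ?>"
                   tabindex="-1" autocomplete="off">
        </div>
        <button type="submit">Save</button>
    </form>
    <?php
}

// Handle the submission: honeypot first (cheapest), then nonce, then capability,
// and only then touch the sanitized data.
function example_handle_submission() {
    if ( ! empty( $_POST[ EXAMPLE_HONEYPOT ] ) ) {
        // A filled honeypot means an automated submission; drop it quietly.
        wp_die( 'Submission rejected.', '', array( 'response' => 403 ) );
    }
    $nonce_key = EXAMPLE_ACTION . '_nonce';
    $nonce     = isset( $_POST[ $nonce_key ] ) ? sanitize_text_field( wp_unslash( $_POST[ $nonce_key ] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, EXAMPLE_ACTION ) ) {
        // Missing or expired nonce: the request did not originate from our form.
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        // The nonce proves intent, not permission; check the capability separately.
        wp_die( 'You are not allowed to do this.', '', array( 'response' => 403 ) );
    }
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'example_note', $note ); // hypothetical option name
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_handle_submission' );
```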
Choose secure WordPress forms
We really hope this post has reassured you, whether you're a current user or are considering joining us. Security is one of our top concerns, and we build everything in Formidable with that in mind. We'd urge you to think carefully about your security practices and whether you could be doing more to protect your site and website forms.
If you're not currently using Formidable Forms and are interested in learning more, please take a look at our list of form builder features. You can build anything from contact forms to registration forms, to something more advanced with our simple drag and drop interface.