Gravity Forms Security: Complete Hardening Guide for WordPress (2025)

A single unpatched form plugin can hand attackers the keys to your entire WordPress installation. That is not a hypothetical scenario. In 2025, Gravity Forms users faced a supply chain attack that injected malware into official plugin downloads and a critical file upload vulnerability (CVE-2025-12974) that enabled unauthenticated remote code execution on millions of sites.

If you rely on Gravity Forms to collect leads, process payments, or store sensitive customer data, your forms are a high-value target. The good news is that most Gravity Forms security risks are preventable with the right configuration. This guide covers every layer of protection, from server-level hardening to field-level encryption, so you can lock down your forms before the next vulnerability drops.

Why Gravity Forms Security Matters More in 2025

Gravity Forms powers millions of WordPress sites, making it one of the most widely deployed form plugins in the ecosystem. That popularity creates a predictable attack surface. Every publicly accessible form is a potential entry point for bots, data harvesters, and more sophisticated attackers probing for known vulnerabilities.

Two events in 2025 underscored the urgency of taking form security seriously.

The Supply Chain Attack

In July 2025, attackers compromised the Gravity Forms distribution infrastructure and injected malware into manual downloads of versions 2.9.11.1 and 2.9.12. Sites that installed these compromised packages unknowingly sent submission data to an external domain. The incident was a wake-up call about supply chain risk: even trusted plugins can become attack vectors when distribution channels are targeted. Gravity Forms published a detailed security incident notice with remediation steps.

CVE-2025-12974: Arbitrary File Upload

Later in 2025, security researchers disclosed CVE-2025-12974, a high-severity vulnerability affecting all Gravity Forms versions through 2.9.21.1. The flaw existed in the legacy chunked upload endpoint, where the file extension blacklist omitted .phar files. Attackers could upload malicious PHP archives without authentication, achieving remote code execution if the server processed .phar files as PHP. The fix arrived in version 2.9.22, but any site running an older version remained exposed.

These are not isolated incidents. Gravity Forms has addressed multiple file upload vulnerabilities in recent years, including CVE-2025-12352 (CVSS 9.8), which affected the copy_post_image() function in post creation forms. The pattern is clear: file upload handling is a recurring attack surface that demands proactive configuration, not just patching.

Keep Gravity Forms and WordPress Updated

The most impactful security measure is also the simplest: run the latest version of everything. Every vulnerability described above was patched within days of disclosure. The sites that were compromised were running outdated versions.

What to Update and When

  • Gravity Forms core — Enable background auto-updates or check for updates at least weekly. Version 2.9.22 and later patch the critical upload vulnerabilities.
  • All Gravity Forms add-ons — Add-ons like User Registration, Stripe, and Advanced Post Creation introduce their own attack surfaces. Update these alongside core.
  • WordPress core — Major WordPress releases include security patches that affect how plugins handle file uploads, authentication, and database queries.
  • PHP — Run PHP 8.1 or later. Older PHP versions lack security fixes and may enable exploitation of vulnerabilities that newer versions block.

After every update, clear all caching layers: browser cache, page cache (WP Rocket, LiteSpeed, or equivalent), object cache, and CDN cache (Cloudflare, etc.). Stale cached files can serve outdated JavaScript that conflicts with updated form logic, causing submission failures that mimic security issues.

Lock Down File Upload Fields

File upload fields are the single most exploitable component in any form plugin. Every Gravity Forms file upload vulnerability has targeted the mechanism that accepts, validates, and stores uploaded files. Your configuration choices here directly determine whether attackers can use your forms to upload executable code. The official Gravity Forms security documentation covers upload protection in detail.

Restrict Allowed File Extensions

Never leave the allowed extensions field blank. Gravity Forms inherits WordPress defaults when no extensions are specified, which permits a broader range of file types than most forms need. Set the allowed extensions to only the specific types you expect to receive.

For most use cases, a restrictive allowlist looks like this:

  • Documents: pdf, docx, xlsx
  • Images: jpg, jpeg, png, webp
  • Compressed files (if required): zip

Explicitly exclude executable and script-adjacent formats: .php, .phar, .exe, .sh, .bat, .js, .svg (which can contain embedded JavaScript), and .html.

Set File Size Limits

Enforce a maximum file size appropriate to the content you collect. A contact form accepting resume uploads might allow 5 MB. A support form accepting screenshots might allow 10 MB. Setting explicit limits prevents abuse and reduces the impact of denial-of-service attempts through oversized uploads.

Require Authentication for Uploads

If your workflow allows it, restrict file uploads to logged-in users only. This eliminates the unauthenticated attack vector entirely and would have blocked exploitation of both CVE-2025-12974 and CVE-2025-12352. For public-facing forms where authentication is not practical, combine strict extension restrictions with server-level protections.

Server-Level Upload Protection

Gravity Forms automatically generates an .htaccess file in the uploads folder that disables PHP parsing, preventing uploaded files from executing as code. Verify this file exists at wp-content/uploads/gravity_forms/ and contains rules that deny script execution. On Nginx servers, add an equivalent location block:

# Deny direct requests for anything PHP might execute, not only .php
location ~* /wp-content/uploads/gravity_forms/.*\.(php|phtml|phar)$ {
    deny all;
}

Additionally, configure your server to block .phar execution entirely by removing the PHP handler mapping for that extension. This single server configuration change would have mitigated CVE-2025-12974 even on unpatched installations.

Harden User Permissions and Role Access

The principle of least privilege applies directly to Gravity Forms. By default, only Administrators have full access to forms, entries, and settings. The problem arises when site owners grant broad capabilities to roles that do not need them. The Gravity Forms role management guide explains each capability in detail.

Core Gravity Forms Capabilities

Gravity Forms uses WordPress capabilities to control access. The key capabilities are:

  • gravityforms_edit_forms — Create and modify form structures
  • gravityforms_view_entries — View submitted entry data
  • gravityforms_delete_entries — Permanently remove entries
  • gravityforms_export_entries — Export data as CSV
  • gravityforms_view_settings — Access plugin settings
  • gravityforms_edit_settings — Modify plugin configuration
  • gravityforms_uninstall — Uninstall the plugin entirely

Never grant gravityforms_edit_settings or gravityforms_uninstall to non-administrator roles. Export capabilities should be restricted to roles that genuinely need data access, such as a dedicated data manager role.

Create Dedicated Roles for Entry Management

Rather than adding Gravity Forms capabilities to the Editor or Author role, create a dedicated “Form Manager” role using a plugin like PublishPress Capabilities. Grant only gravityforms_view_entries to users who need to process submissions without modifying form structures or settings.

Per-Form Entry Access

For organizations where different teams handle different forms, the Advanced Permissions add-on from CosmicGiant enables conditional entry access rules. A support team can be restricted to viewing only support form entries, while a sales team sees only lead form submissions. This prevents cross-departmental data exposure and limits the blast radius if any single account is compromised.

Encrypt Sensitive Entry Data

Gravity Forms does not encrypt entry data at rest by default. Every form submission is stored as plain text in the WordPress database. If an attacker gains database access through SQL injection, a compromised backup, or a hosting breach, all entry data is immediately readable.

Encryption Options

Third-party encryption plugins address this gap:

  • Gravity Forms Encrypted Fields (PluginOwl) — AES-256 field-level encryption with role-based access controls. You choose which fields to encrypt (email, phone, payment details) while leaving non-sensitive fields searchable. Supports data masking in the admin interface, showing partially redacted values until an authorized user requests full decryption.
  • Encryption for Gravity Forms (CrossPeak Software) — Encrypts both standard fields and uploaded file metadata. Useful when file uploads contain sensitive documents that need protection beyond filesystem-level security.

For sites handling health data, HIPAA-specific plugins provide isolated PHI storage with Business Associate Agreements that cover the encryption requirements.

What to Encrypt

Focus encryption on fields that contain personally identifiable information (PII) or regulated data:

  • Full names combined with email addresses or phone numbers
  • Physical addresses
  • Payment-adjacent information (card numbers themselves should use a payment gateway and never touch your database)
  • Health or insurance information
  • Government-issued ID numbers

Do not encrypt every field. Encrypted data cannot be searched or sorted within Gravity Forms, so encrypt only what requires protection and leave operational fields (submission date, form ID, category selections) unencrypted for daily workflow usability.

Configure Anti-Spam Protection

Spam is more than an annoyance. High-volume spam submissions consume server resources, pollute your entry data, and can mask genuine security probes within noise. Gravity Forms supports four anti-spam methods, and the strongest defense combines multiple layers. For a deeper look at stopping form spam on WordPress, see our dedicated guide.

Honeypot (Built-in)

The honeypot adds a hidden field that bots fill in but humans never see. Enhanced in Gravity Forms 2.7 and later, the honeypot can be configured to either block spam submissions outright or mark them as spam for review. It has zero performance impact (no external scripts) and no effect on accessibility. Enable this on every form as a baseline.

Cloudflare Turnstile

Turnstile is the recommended invisible CAPTCHA for 2025. It runs background browser challenges without requiring user interaction, making it fully accessible and privacy-friendly (no cookies, no tracking). It blocks sophisticated bots that bypass simple honeypots while adding minimal JavaScript overhead. Configure it in Forms > Settings > Turnstile with your Cloudflare site key.

reCAPTCHA v3

Google’s invisible reCAPTCHA scores each visitor from 0.0 (likely bot) to 1.0 (likely human). Gravity Forms lets you set a threshold score; submissions below the threshold are rejected or flagged. The default threshold of 0.5 works for most sites. Be aware that reCAPTCHA loads Google tracking scripts, which may conflict with GDPR cookie consent requirements.

Akismet Integration

Akismet checks submissions against its crowd-sourced spam database entirely on the server side with no frontend impact. It is especially effective against human-operated spam (paid spam services) that CAPTCHA solutions miss. It requires an Akismet API key and the WordPress Akismet plugin.

Recommended Anti-Spam Stack

For most sites: enable the honeypot on every form plus Cloudflare Turnstile as the primary CAPTCHA. Add Akismet if you receive human-operated spam. This combination provides layered defense with the best balance of effectiveness, performance, and accessibility.

Enforce HTTPS and Secure Headers

Every page containing a Gravity Form must load over HTTPS. Form data submitted over HTTP is transmitted in plain text, visible to anyone intercepting network traffic. This is non-negotiable for any form collecting personal information.

Beyond HTTPS, configure security headers that protect form pages from injection and framing attacks:

  • Content-Security-Policy (CSP) — Restricts which scripts can execute on the page. As of Gravity Forms 2.5.8, inline scripts use nonces, allowing tight CSP rules. Set script-src 'self' 'nonce-...' to block injected scripts while allowing Gravity Forms JavaScript to function.
  • X-Frame-Options — Prevents your forms from being embedded in iframes on other domains (clickjacking protection). Set to SAMEORIGIN unless you intentionally embed forms externally.
  • Strict-Transport-Security — Forces HTTPS for all future connections, preventing downgrade attacks. Set max-age=31536000; includeSubDomains.
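The following POSIX shell function is an added example, not code from the guide: it audits a captured response-header block for the three settings above (nonce-based script-src without 'unsafe-inline', SAMEORIGIN or DENY framing, and HSTS of at least one year with includeSubDomains). The two sample captures are constructed, and the curl command in the comment is only a suggestion for producing real input.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the three response headers
# the guide recommends on form pages. Reads a captured header block on stdin
# (for example the output of `curl -sI https://example.com/contact/`), prints
# one PASS/FAIL line per header and returns the number of failed checks.
audit_form_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')   # normalise CRLF and case
    fails=0

    # CSP: the script-src directive must carry a nonce and must not also allow
    # 'unsafe-inline', which would let injected inline scripts run regardless.
    csp=$(printf '%s\n' "$hdrs" | grep '^content-security-policy:' | head -n 1)
    script_src=$(printf '%s\n' "$csp" | tr ';' '\n' | grep 'script-src' | head -n 1)
    case "$script_src" in
        *unsafe-inline*) echo "FAIL CSP: 'unsafe-inline' in script-src defeats the nonce"; fails=$((fails + 1)) ;;
        *nonce-*)        echo "PASS CSP: nonce-based script-src" ;;
        *)               echo "FAIL CSP: header missing or script-src has no nonce"; fails=$((fails + 1)) ;;
    esac

    # X-Frame-Options: SAMEORIGIN (or DENY) stops the form being framed elsewhere.
    xfo=$(printf '%s\n' "$hdrs" | grep '^x-frame-options:' | head -n 1)
    case "$xfo" in
        *sameorigin*|*deny*) echo "PASS X-Frame-Options: ${xfo#*: }" ;;
        *) echo "FAIL X-Frame-Options: missing or permissive"; fails=$((fails + 1)) ;;
    esac

    # HSTS: max-age of at least one year (31536000 s) and includeSubDomains.
    hsts=$(printf '%s\n' "$hdrs" | grep '^strict-transport-security:' | head -n 1)
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    case "$hsts" in *includesubdomains*) subs=1 ;; *) subs=0 ;; esac
    if [ -n "$age" ] && [ "$age" -ge 31536000 ] && [ "$subs" -eq 1 ]; then
        echo "PASS HSTS: max-age=$age with includeSubDomains"
    else
        echo "FAIL HSTS: missing, max-age under one year, or no includeSubDomains"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample captures (not from any real site): one hardened, one weak.
GOOD_HEADERS="HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy: default-src 'self'; script-src 'self' 'nonce-R4nd0mV4lu3'
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000; includeSubDomains"
WEAK_HEADERS="HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy: script-src 'self' 'unsafe-inline' 'nonce-R4nd0mV4lu3'
strict-transport-security: max-age=300"

for sample in "$GOOD_HEADERS" "$WEAK_HEADERS"; do
    printf '%s\n' "$sample" | audit_form_headers || echo "-> $? header check(s) failed"
    echo
done
```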

Manage GDPR Compliance and Data Retention

GDPR and similar privacy regulations require that you collect only the data you need and retain it only as long as necessary. Gravity Forms includes several features that support compliance when configured correctly. The Gravity Forms GDPR compliance guide covers the full range of available settings.

Data Retention Policies

Starting with Gravity Forms 2.4, you can set per-form retention policies that automatically trash or permanently delete entries after a specified number of days. A contact form might retain entries for 30 days. A job application form might retain them for 90 days. Configure this under Form Settings > Personal Data.

IP Address and Personal Data Handling

Gravity Forms can prevent IP address collection entirely on a per-form basis. For forms where IP addresses serve no operational purpose (most contact forms), disable IP collection to minimize the personal data you store. This reduces your compliance burden and limits exposure in the event of a data breach.

Data Export and Erasure Requests

WordPress includes built-in tools for handling personal data export and erasure requests under Tools > Export Personal Data and Tools > Erase Personal Data. Gravity Forms integrates with these tools, allowing you to fulfill GDPR subject access requests without manually searching entries. Ensure your privacy policy documents which data your forms collect and how long it is retained.

Monitor and Audit Your Forms

Security is not a one-time configuration. Forms change, new add-ons get installed, team members gain access, and new vulnerabilities are disclosed. Regular auditing catches drift before it becomes exposure.

Monthly Security Checklist

  • Version check: Confirm Gravity Forms core, all add-ons, WordPress, and PHP are on the latest stable versions
  • User audit: Review which users have Gravity Forms capabilities and remove access that is no longer needed
  • Form review: Check each active form for file upload fields with overly permissive extensions or missing size limits
  • Entry review: Look for anomalous submission patterns (sudden volume spikes, entries from unexpected geographies, or entries with suspicious content in text fields)
  • Plugin audit: Remove any Gravity Forms add-ons that are no longer in use. Every installed add-on is additional attack surface
  • Backup verification: Confirm your backup solution captures the WordPress database (which contains entries) and the uploads directory (which contains uploaded files). See our WordPress backup plugins guide for recommendations

Track Form Changes

Use an activity logging plugin like WP Activity Log to track when forms are modified, when settings change, and when users access entry data. This creates an audit trail that helps you identify unauthorized changes and investigate incidents after the fact. Monitoring form analytics through a tool like our Form Analytics Pro can also reveal anomalous submission patterns that signal bot activity or targeted attacks.


Respond to a Gravity Forms Security Incident

When a vulnerability is disclosed or a breach is suspected, speed matters. Having a response plan before you need one reduces downtime and data exposure.

Immediate Response Steps

  1. Update immediately. Apply the Gravity Forms patch as soon as it is available. If a patched version is not yet released, consider temporarily disabling the affected feature (such as file upload fields).
  2. Scan your uploads directory. Search wp-content/uploads/gravity_forms/ for unexpected file types, especially .phar, .php, and files with double extensions like image.jpg.php.
  3. Check your plugin files. After the 2025 supply chain attack, Gravity Forms published checksums for clean versions. Compare your installed files against known-good hashes to verify integrity.
  4. Review server logs. Look for unusual POST requests to Gravity Forms endpoints, particularly /wp-json/gf/v2/ and legacy upload URLs.
  5. Rotate credentials. Change your WordPress admin passwords, application passwords, API keys, and any third-party integration credentials connected to Gravity Forms (Stripe keys, CRM API tokens, etc.).
  6. Notify affected users. If entry data may have been exposed, GDPR and most privacy regulations require timely notification. Document what data was affected, the timeline, and remediation steps taken.
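As an added example (not code from the guide or from Gravity Forms), this POSIX shell script combines the allowlist from "Restrict Allowed File Extensions" with step 2 above: it checks that the uploads .htaccess is present, then flags any file whose final extension is outside the allowlist and any double extension that hides a script extension. The allowlist is the guide's; phtml and htm in the script-extension list are my additions, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: triage a Gravity Forms uploads
# directory as described under "Restrict Allowed File Extensions" and in step 2
# of the incident checklist. Flags a missing .htaccess, any file whose final
# extension is outside the allowlist, and double extensions that hide a script
# extension (shell.php.jpg). Prints one line per finding and returns the count.
ALLOWED='pdf docx xlsx jpg jpeg png webp zip'     # the guide's allowlist
# The guide's excluded formats plus phtml/htm, common handler variants (my addition).
SCRIPT_EXTS='php phar phtml exe sh bat js svg html htm'

is_listed() {                 # is_listed WORD "a b c" -> true if WORD is in the list
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

scan_gf_uploads() {
    dir=$1; findings=0
    if [ ! -f "$dir/.htaccess" ]; then
        echo "MISSING    $dir/.htaccess (Apache will not block script execution here)"
        findings=$((findings + 1))
    fi
    list=$(mktemp)            # file list via a temp file so the counter survives the loop
    find "$dir" -type f ! -name '.htaccess' > "$list"
    while IFS= read -r path; do
        name=$(basename "$path" | tr '[:upper:]' '[:lower:]')   # case-insensitive match
        ext=${name##*.}; [ "$ext" = "$name" ] && ext=''          # no dot -> no extension
        if ! is_listed "$ext" "$ALLOWED"; then
            echo "DISALLOWED $path (extension '${ext:-none}' not in allowlist)"
            findings=$((findings + 1)); continue
        fi
        rest=${name%.*}; hidden=''      # final extension is allowed; inspect the rest
        while [ "$rest" != "${rest%.*}" ]; do
            part=${rest##*.}
            if is_listed "$part" "$SCRIPT_EXTS"; then hidden=$part; fi
            rest=${rest%.*}
        done
        if [ -n "$hidden" ]; then
            echo "DOUBLE-EXT $path (.$hidden hidden before the final extension)"
            findings=$((findings + 1))
        fi
    done < "$list"
    rm -f "$list"
    return "$findings"
}

# Constructed sample directory (not a real site) to exercise the scan.
make_sample_dir() {
    d=$(mktemp -d); mkdir -p "$d/2025/11"
    for f in resume.pdf photo.PNG image.jpg.php shell.php.jpg logo.svg; do : > "$d/2025/11/$f"; done
    echo "$d"
}

sample=$(make_sample_dir)
scan_gf_uploads "$sample" || echo "-> $? finding(s); investigate before restoring service"
rm -rf "$sample"
```

Run it against the real directory with `scan_gf_uploads /path/to/wp-content/uploads/gravity_forms` and treat every DISALLOWED or DOUBLE-EXT line as something to quarantine and examine, not delete blindly.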

Security Audit Quick Reference

Use this table as a rapid assessment tool. Work through each item quarterly, or immediately after any Gravity Forms update or security disclosure.

Category | Check | Action If Failed
---------|-------|-----------------
Updates | Core, add-ons, WordPress, and PHP on latest versions | Update immediately and clear all caches
File Uploads | Extensions restricted, size limits set, .htaccess intact | Tighten field settings and verify server rules
Permissions | Only administrators have edit/settings capabilities | Remove excess capabilities from non-admin roles
Encryption | PII fields encrypted at rest | Install encryption add-on for sensitive fields
Anti-Spam | Honeypot and Turnstile/reCAPTCHA active on all forms | Enable on each form in form settings
HTTPS | All form pages load over HTTPS with HSTS headers | Install SSL certificate and force HTTPS site-wide
Data Retention | Retention policies set per form, IP collection disabled where unnecessary | Configure under Form Settings > Personal Data
Backups | Database and uploads directory included in automated backups | Configure backup plugin to include both targets
Audit Trail | Activity logging enabled for form and entry changes | Install WP Activity Log or equivalent