
My gravity forms are easily hackable !!!

  1. ramey

    All of a sudden, I started to get new form submissions every 3 min. This resulted in 100s of bogus form submissions. I tracked this down (eventually) to the following.

    The hacker was requesting the page with the form along with POST data for the form. The POST data passed the gravity forms filters. That is, it contained legal but BS data - basically links to his websites. He doesn't do it by actually opening the form and pressing the submit button - but rather emulating what happens when a user presses the submit button.

    Soooo - where is the best place to trap this? I can require that the user be a registered user - but I don't know which hook to use? It seems that some hooks are invoked before the form is submitted. If I trap it on "post_submission" it's already too late as the post has been created?

    Any help appreciated.

    Robert Ramey

    Posted 10 years ago on Monday February 4, 2013 | Permalink
  2. Any form on the web can be submitted without actually visiting the web page and pressing submit. If you're getting a lot of spam submissions, you can try blocking the visitor's IP block in your .htaccess file, or you can require that the visitor be logged in by checking the box on the form settings, Advanced tab, "Require user to be logged in".

    Does that help you?

    Posted 10 years ago on Monday February 4, 2013 | Permalink
  3. ramey

    a) I have the spammer's IP blocked, which addresses this particular situation for now.

    b) I have the box "Require user to be logged in (?)" checked. But I'm creating a custom form and I'm guessing I'm overriding this. I can use the WP api to require that one be logged in to see the form, but this has a few problems of its own

    1) I want users who are not logged in to be able to see the form before making any commitment.
    2) I'm using the form to display the custom post created by the form. This has to be viewable by anyone.

    If you're really interested, you can check it out at

    Soooo ideally what I would like is to trap and reject any form submissions which come from anyone not logged in. Here is my code. I don't know if it really works. That is, I don't know if it rejects the post soon enough to avoid having it created. I guess I'll just have to unblock the IP address (They're still trying to spam me - I guess I should feel flattered).

    Any suggestions you want to make would be appreciated.

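    	add_action("gform_post_submission", "library_submission_handler", 10, 2);
    	function library_submission_handler($entry, $form)
    	{
    		$post_id = $entry['post_id'];
    		//echo "entry = " .  print_r($entry) . "";
    		// Only act on posts of the custom library post type.
    		// Early exits are assumed here; the statements under both checks
    		// are missing from the archived post.
    		if(get_post_type($post_id) != 'bi_library')
    			return;
    		if(! is_user_logged_in())
    			return;
    		// Copy form field 10 into the excerpt and field 32 into the tags.
    		$post = get_post($post_id);
    		$post->post_excerpt = $entry["10"];
    		wp_set_post_tags($post_id, $entry["32"], false);
    		//$post->post_status = 'pending';
    		$post->comment_status = 'open';
    		wp_update_post( $post );
    	}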
    Posted 10 years ago on Monday February 4, 2013 | Permalink
  4. One suggestion would be to use gform_after_submission instead of gform_post_submission, as gform_post_submission has been deprecated.

    However, that is after the entry and the post are created, so that is still too late.

    You could use the gform_pre_submission_filter to check to see if the user is logged in at that time, and reject the submission at that point. Or even the gform_validation filter to return an error if the user is not logged in.

    I think your approach would be fine, but just done with a different hook or filter.

    Posted 10 years ago on Monday February 4, 2013 | Permalink
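
Added example, not part of the original thread and not Gravity Forms' own code: a sketch of the gform_validation approach suggested in the last reply, which fails validation for logged-out visitors so that neither the entry nor the post is created. The form ID, the constant and function names, and the message text are hypothetical, and it assumes a current Gravity Forms release in which form fields are objects.

```php
<?php
// Hypothetical form ID; replace with the ID of the form that creates the post.
const LIBRARY_FORM_ID = 5;

add_filter( 'gform_validation', 'library_require_login_validation' );

/**
 * Reject submissions to the library form from visitors who are not logged in.
 * Validation runs before the entry and the post are created, so a crafted
 * POST request that never rendered the form is stopped here as well.
 */
function library_require_login_validation( $validation_result ) {
	$form = $validation_result['form'];

	// Leave other forms, and submissions from logged-in users, untouched.
	if ( (int) $form['id'] !== LIBRARY_FORM_ID || is_user_logged_in() ) {
		return $validation_result;
	}

	// Mark the whole submission invalid so nothing is saved.
	$validation_result['is_valid'] = false;

	// Attach the message to the first field so a real visitor sees why.
	foreach ( $form['fields'] as &$field ) {
		$field->failed_validation  = true;
		$field->validation_message = 'Please log in before submitting this form.';
		break;
	}
	unset( $field );

	// Record the rejected attempt so repeat sources show up in the PHP error log.
	error_log( sprintf(
		'Rejected anonymous submission to form %d from %s',
		$form['id'],
		$_SERVER['REMOTE_ADDR'] ?? 'unknown'
	) );

	$validation_result['form'] = $form;
	return $validation_result;
}
```

The form stays visible to anonymous visitors, since only the submission is rejected.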