Skip to content
UMC Digital
UMC Sites
Formidable Forms Security Banner Image

Strengthening Formidable Forms Security

Protecting University Systems from Targeted Attacks

As a university community, we face persistent and sophisticated cyber threats on a daily basis. Attackers constantly seek vulnerabilities within our web platforms, and one particularly common exploitation method targets Formidable Forms—specifically, forms that utilize the file upload field on publicly accessible pages. Without proper safeguards, these forms can become entry points for malicious activity, placing university systems and sensitive data at significant risk.

To mitigate these risks and uphold the integrity of our digital infrastructure, it is crucial to follow these best practices when using Formidable Forms on your site.

1. Implement Captcha on All Forms to Filter Spam and Automated Attacks

Every form on your website should have a Captcha enabled. This simple yet powerful tool helps filter out automated spam submissions and prevents bots from abusing your forms. Whether or not a form includes an upload field, enabling Captcha is a critical first line of defense against bulk attacks and potential exploit attempts.

Recommendation:

  • Use hCaptcha for modern and reliable bot protection.

  • Ensure Captcha is enabled under Formidable → Global Settings → hCaptcha Configuration.

Need an hCaptcha Site Key? Request an hCaptcha Site Key.

2. Secure File Upload Fields with Access Restrictions

Forms that include file upload fields pose a higher security risk and must be handled with extra caution. To protect sensitive data and prevent unauthorized uploads:

  • Host Upload Forms on Secure Pages:

    • Ensure that any form requiring file uploads is hosted on a secure page, by putting it under the /secure parent page.

    • Access should be restricted exclusively to users with valid uNIDs.

3. Configure File Upload Fields to Allow Only Specific File Types

Allowing unrestricted file uploads is a significant security vulnerability. Attackers often attempt to upload malicious scripts or executables disguised as harmless files.

Action Steps:

  • Navigate to the file upload field settings in your form.

  • Under Allowed File Types, explicitly define safe file formats (e.g., .pdf, .docx, .jpg).

  • Never leave this set to "Allow all file types."

4. Lock Down Uploaded Files Through Form Permissions

Proper permissions for uploaded files are essential to prevent unauthorized access or distribution.

  • In the form’s Settings → Permissions tab:

    • Enable "Protect all files uploaded in this form."

      • This ensures that files are stored securely and access is restricted.

    • Set “Roles required to access files” to Administrator and Editor only.

      • This prevents general users from viewing or downloading sensitive files.

    • Check “Prevent search engines from indexing uploads.”

      • This keeps uploaded files out of public search results, further safeguarding sensitive information.