Support » Plugin: Formidable Forms Builder for WordPress - Contact Forms, Surveys & Quiz Forms Plugin » Major security data issue showing on private pages

  • Resolved nanny7

    (@nanny7)


    I looked here example and have a similar issue in that the forms are in a private password protected page but the results showed up in Google with sensitive personal confidential data.

    I removed the page showing the views but now find that for clients to add a form in a password protected page if they close their browser and come back they can see forms without having to go and use the password again.
    Now this needs to be fixed and yes using a pro but regardless if pro or not it needs to be kept private and when the form is either submitted or not submitted but the page is not viewed then they have to enter the password again.
    Hope you can point me in the right direction as we have had the police investigating the privacy.
    Thanks

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Steph Wells

    (@sswells)

    Just to clarify, there isn’t any form data that will be automatically posted somewhere that can be indexed. That said, this is an issue with your setup that is allowing private info to be on a public page. Can you please open a ticket in our help desk so our team can help you with this?
    https://formidableforms.com/new-topic/

    nanny7

    (@nanny7)

    no they are private password protected pages for sure, sorry don’t have the time to go back and forth between logins at the moment very busy and on different computer for logins.

    I think it might also be a problem with password protected page within WordPress as I have searched and others are having a problem so I am looking at some functions and hope it works with formidable forms:

    
    
    // Filter to hide protected posts
    function exclude_protected($where) {
    	global $wpdb;
    	return $where .= " AND {$wpdb->posts}.post_password = '' ";
    }
    
    // Decide where to display them
    function exclude_protected_action($query) {
    	if( !is_single() && !is_page() && !is_admin() ) {
    		add_filter( 'posts_where', 'exclude_protected' );
    	}
    }
    
    // Action to queue the filter at the right time
    add_action('pre_get_posts', 'exclude_protected_action');
    
    function custom_password_cookie_expiry( $expires ) {
        return 0;  // Make it a session cookie
    }
    add_filter( 'post_password_expires', 'custom_password_cookie_expiry' );
    
    

    thanks for your help the pages seen were coming from (hiding address but you will get my drift) frm_display/
    The view was on a private password protected page but Google got a hold of the entries. I removed the view completely and now find the password protected page holding the form you don’t need to login again so that is why I am looking at those functions.
    Thanks

    nanny7

    (@nanny7)

    only got a 404 first up no login at all then removed the first function and still didn’t need to login again really bad….

    Plugin Author Steph Wells

    (@sswells)

    I’d be happy to help you look into this further, but I’ll need you to open a ticket in our help desk with your paid account and include more information on how Formidable is involved along with links to the pages with the information that has been indexed. I’ll keep an eye out for your ticket.

    nanny7

    (@nanny7)

    Can’t do the original designer added the grandfather license.
    There are no views now but still being shown in google results and all of the frm_display and have done google removal but still showing. They say to put NOINDEX on those pages but how the hell can you do that and how to get this to work on them using something like this in htaccess:
    <FilesMatch "\.(css|flv|gif|htm|html|ico|jpe|jpeg|jpg|js|png|pdf|swf|txt)$">
    <IfModule mod_expires.c>
    ExpiresActive Off
    </IfModule>
    <IfModule mod_headers.c>
    FileETag None
    Header unset ETag
    Header unset Pragma
    Header unset Cache-Control
    Header unset Last-Modified
    Header set Pragma "no-cache"
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    Header set Expires "Mon, 10 Apr 1972 00:00:00 GMT"
    </IfModule>
    </FilesMatch>
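
The NOINDEX question above is about responses that WordPress generates through index.php, which a FilesMatch block keyed on static file extensions does not match. The following is an added example, not code from the thread or from Formidable Forms: a small site plugin that marks those URLs noindex and requires a login before a view is rendered. The post type slug `frm_display` (taken from the URL path mentioned in the thread) and every `example_` name are assumptions.

```php
<?php
// Added example, not code from Formidable Forms or from the thread.
// Assumption: the indexed URLs under frm_display/ are served by a public
// post type whose slug is 'frm_display'; change the constant if yours differs.
const EXAMPLE_VIEW_POST_TYPE = 'frm_display';

// True when the current front-end request is for a single view or its archive.
function example_is_view_request() {
    return is_singular( EXAMPLE_VIEW_POST_TYPE )
        || is_post_type_archive( EXAMPLE_VIEW_POST_TYPE );
}

// 1. Search engines: send noindex and no-cache headers on view URLs and on
//    any password-protected post or page. Runs first so the headers are also
//    present on the login redirect issued in step 2.
function example_noindex_private_content() {
    $protected = is_singular()
        && '' !== (string) get_post_field( 'post_password', get_queried_object_id() );

    if ( example_is_view_request() || $protected ) {
        header( 'X-Robots-Tag: noindex, nofollow, noarchive', true );
        nocache_headers();
    }
}
add_action( 'template_redirect', 'example_noindex_private_content', 0 );

// 2. Access control: noindex only hides a URL from search results, it does
//    not stop anyone who has the link. Anonymous visitors (crawlers included)
//    are sent to wp-login.php; auth_redirect() exits after redirecting.
function example_require_login_for_views() {
    if ( example_is_view_request() && ! is_user_logged_in() ) {
        auth_redirect();
    }
}
add_action( 'template_redirect', 'example_require_login_for_views', 1 );
```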

    nanny7

    (@nanny7)

    I need to get this worked out as the police are involved as it is strictly confidential data

    Plugin Contributor jamie.wahlin

    (@jamiewahlin)

    You’ll need to create a ticket in our help desk so our support team can help you there.
    https://formidableforms.com/help-desk/

    Please add ATTN: Jamie in the ticket title.

  • The topic ‘Major security data issue showing on private pages’ is closed to new replies.