Security - RegistrationMagic (https://registrationmagic.com/category/security/)

WordPress Forms Security Best Practices [Security Guide]
https://registrationmagic.com/security-guide-for-wordpress-forms/
Tue, 08 Mar 2022 12:56:27 +0000

Secure Online Forms

WordPress forms security is probably the most essential component of any web application system. If an application cannot even secure the data it collects, everything else it does is pretty much useless anyway. Today we are going to talk about why security is essential in the context of web forms and how we can create highly secure online forms on a WordPress website.

You must have interacted with a lot of online forms by now, whether for contact requests, registering for an event, or just signing up for a newsletter service. When working with any of these, you must have just entered your details and submitted the form. Right? But how can you be really sure that your data on the site will remain secure? The problem of WordPress forms security is so widespread that Google took notice of it in 2017 and started displaying such forms as insecure to users, through its Chrome web browser.

WordPress Forms Security

WordPress, being the most popular platform for building websites, isn’t safe from this scourge. One such major vulnerability was detected in the Ninja Forms plugin in 2016. And Ninja Forms is currently installed on more than a million WordPress websites.

So, what can a WordPress site owner do to secure online forms and to keep user information safe from prying eyes? Well, the answer is RegistrationMagic. It is the fastest growing user registration plugin available for WordPress and offers exceptional WordPress forms security features to keep form submissions safe.

Here’s a quick look at the security features RegistrationMagic offers…

1. reCaptcha

RegistrationMagic provides seamless integration of its online forms with Google’s reCaptcha user authentication check. reCaptcha for RegistrationMagic forms can be activated from RegistrationMagic’s Global Security Settings.

All you need to do is enable the reCaptcha setting there and add your Site Key and Secret Key, both of which can be obtained from Google’s reCaptcha Portal. Once activated, it’ll set up the reCaptcha authentication on all your RegistrationMagic forms.


2. Form Submission Limit for a Device

Hackers are increasingly employing brute force techniques to find flaws in a form’s security and exploit them. However, this is a trial and error method and requires plenty of failed attempts before any success is achieved.

RegistrationMagic halts such brute force attacks halfway by giving you the power to limit form submissions from a particular device. This means that if a hacker is trying to find security flaws in the website from the form, RegistrationMagic will stop any further submissions from his/her device. This will end the possibility of any further attacks from it.


3. Password Rules

Enabling password rules is a highly effective way to make sure users registering from your form aren’t putting in weak passwords. Weak passwords can easily be targeted by hackers to gain access to your website and then wreak havoc once inside. Always ensure that user accounts on your website have limited access and are not using weak passwords.

Following are the key rules that passwords should follow to be considered strong…

  1. At least one uppercase letter
  2. At least one number
  3. At least one special character
  4. Minimum length (should be at least 7 characters long)
  5. Maximum length (15 is a good max limit but the more the better)


4. Ban IP Addresses

If you receive a lot of redundant form submissions from a particular IP address, it is always a good idea to ban that IP address from accessing the form again. You never know if those redundant form submissions were spam or someone just trying to break into your website. In most cases, it is the latter.


5. Ban Email Addresses

Similar to banning IP addresses, you can also ban email addresses from accessing the form. To make the form stronger in resisting any possible attacks, use both bans simultaneously.


6. Blacklisted/Reserved Usernames

Common usernames are easy pickings for hackers. Before getting to the password of a user account, a hacker has to determine the username of the account first. However, if someone is using common usernames like ‘admin’ or ‘company’, that person has done half of the hacker’s work then and there. The hacker now only has to determine the password for the account as the username is already on their list to go for first. So, always reserve common usernames from being used on your website.

Make use of RegistrationMagic and follow these simple WordPress forms security rules to secure online forms and to keep hackers away from your web forms for good.

How to Force Strong Password on WordPress Users
https://registrationmagic.com/force-strong-password-on-wordpress-users/
Sun, 05 Aug 2018 17:01:44 +0000

Why Force Strong Password on WordPress Users?
If you force strong passwords on your site users, you make sure that their accounts are safe. This, in turn, keeps your site secure from any spam or fraudulent activities.

When you have a WordPress site on which any user can register, you can make it a vibrant and diverse community fairly quickly. However, this also brings with it a security problem. When any user can set his/her own password, there is a high probability that they will set a weak password. If a hacker gets hold of this weak password, he/she can take over your complete site in just a few minutes. This can cause great havoc to your online community, with even a possibility that you may not be able to revive it. Since you cannot rely on users to set strong passwords by themselves, it is better instead to just force strong passwords on WordPress users.

According to a study conducted by Centrify last year, hacked passwords are the reason behind 81% of all data breaches online. They even have a guide on how you yourself (and even your grandma) can hack weak passwords. If hacking a weak password is something you can do yourself, a professional hacker can do the kind of damage that’ll be almost irreparable.

After checking out the scary statistics, you might be wondering how you can request all your site users to set strong passwords for their accounts. The honest answer to this is you can’t. However, you can force strong passwords on WordPress users through the user registration form itself. And the best tool you can have to create secure user registration forms on WordPress is RegistrationMagic.

Set Password Rules with RegistrationMagic

RegistrationMagic prevents users from setting weak passwords by employing its “Password Rules” feature. You can find “Password Rules” in RegistrationMagic’s “Global Settings” section. Install the RegistrationMagic plugin on your WordPress site and visit its “Global Settings” link.


You will then see multiple headers under “Global Settings”, one of which is “Security”. Click on it and you will find everything you need to take care of your WordPress form security. These are the global security settings for RegistrationMagic forms. The settings that you apply from here apply to all the forms on your site, not to any one form.


It is here that you will find the “Enable Password Rules” checkbox. Enable this setting and a list of all “Password Rules” will appear.


There are 5 “Password Rules” and we will explore each one of them now.

Must contain an uppercase letter

The “Must contain an uppercase letter” rule ensures that the user enters at least one uppercase letter in his/her password. This increases the variation among characters in the password. How much variation there is in your password determines how secure the password is.

Must contain a number

The “Must contain a number” rule ensures that the user puts in at least one number in the password. This is again a method of adding variation to the password.

Must contain a special character

The “Must contain a special character” rule ensures that the user puts in at least one special character in the password. Special characters are the characters on your keyboard which are neither a letter nor a number. OWASP has a complete list of special characters if you need to know what these are.

Minimum length & Maximum length

Then there are the “Minimum length” and “Maximum length” password rules. These rules make sure that the password the user chooses isn’t shorter than the “Minimum length” or longer than the “Maximum length”. A password should be at least 10 characters long to be considered a strong password. The longer the password, the safer it is.
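Password rules only protect accounts if the server applies them to the submitted value, so here is a server-side check for the five rules above (the same list appears in the forms security guide). This is an added example in PHP, not RegistrationMagic's code; the function name, rule keys and the maximum length used are assumptions.

```php
<?php
// Added example, not RegistrationMagic code: function name, rule keys and the
// sample limits below are assumptions made for illustration.
function example_password_rule_violations(string $password, array $rules): array
{
    // Reject malformed input first; the Unicode-aware checks below need valid UTF-8.
    if (!mb_check_encoding($password, 'UTF-8')) {
        return ['Password is not valid UTF-8'];
    }
    $violations = [];
    $length = mb_strlen($password, 'UTF-8'); // characters, not bytes

    if (!empty($rules['uppercase']) && !preg_match('/\p{Lu}/u', $password)) {
        $violations[] = 'Must contain an uppercase letter';
    }
    if (!empty($rules['number']) && !preg_match('/\p{N}/u', $password)) {
        $violations[] = 'Must contain a number';
    }
    // "Special" follows the text's definition: neither a letter nor a number.
    if (!empty($rules['special']) && !preg_match('/[^\p{L}\p{N}]/u', $password)) {
        $violations[] = 'Must contain a special character';
    }
    if (isset($rules['min_length']) && $length < $rules['min_length']) {
        $violations[] = 'Shorter than the minimum length';
    }
    if (isset($rules['max_length']) && $length > $rules['max_length']) {
        $violations[] = 'Longer than the maximum length';
    }
    return $violations;
}

// Constructed rule set: minimum of 10 as recommended above; the maximum is an assumed value.
$rules = ['uppercase' => true, 'number' => true, 'special' => true,
          'min_length' => 10, 'max_length' => 64];

// Constructed sample passwords: lowercase only, mixed case with digits, and with a special character.
foreach (['sunflower', 'Sunflower2024', 'Sunfl0wer#2024'] as $candidate) {
    $violations = example_password_rule_violations($candidate, $rules);
    printf("%-16s %s\n", $candidate, $violations ? implode('; ', $violations) : 'passes all rules');
}
```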

Password Rules on User Registration Form

Now, let’s see these rules in action on our user registration form.

As soon as I start entering the password, a bar and text below the password field keep me updated on whether it is weak or strong. When I add only lowercase letters, it tells me that the password is ‘Weak’.


When I increase its length and add uppercase and numerical characters, it tells me that the password is ‘Medium’ strength.


Now, when I add some special characters to the mix, the form tells me that my password is ‘Strong’. Also, the bar below the field is now totally green, telling me that this password is safe for use. This is how you can force strong password on your users to make their accounts secure.

So, the best example of a strong password is one which is 10 characters long and has a mix of numbers, special characters with lowercase and uppercase letters.


Tip: To make sure your user is an authentic one, RegistrationMagic offers you more smart tools. You can send a registration token number via email to your users. This way you can also verify your user’s email ID.

One Plugin Many Uses

There are many other measures that you can take to secure your form and make it perform as a professional one. This WordPress registration page builder plugin offers various fields and widgets to add to your form, so that you can add products, prices, timers, extra space etc. to your form.

Being able to force strong passwords on your users already gives your site a security check. Now you are free to take as many users as you want to create your own blogging site or online store.

I hope this tutorial covered everything you needed to know on how to force strong password on WordPress users. If you still have any questions, feel free to write in the comments section below. Our support team will get in touch with you immediately.

For more tutorials on how to work with RegistrationMagic’s amazing user management tools, stay tuned to our Blogs.

Stop WordPress registration spam, with RegistrationMagic Plugin
https://registrationmagic.com/wordpress-registration-spam/
Thu, 07 Jul 2016 22:35:35 +0000

Introduction – WordPress Registration Spam

Welcome back to another one of RegistrationMagic’s tutorials. Today we’ll talk about how to secure against WordPress registration spam (grrr…). If you haven’t received any spam mail from your unprotected forms, consider yourself lucky. But sooner or later, spam will catch you. And there’s an air of finality about it. Want to know how spam can hurt you?

  1. Clog your inbox and bring down productivity to a crawl.
  2. Constantly trigger your autoresponder, and contribute to getting it blacklisted or choking the server email queue.
  3. Swell up or even crash your site’s database
  4. Attempt a hack or code injection
  5. Take away your peace of mind!

And you wanna take none of it, if you’re serious about your site. So instead of counting on luck alone, you will need some pretty strong protection to secure your registration form. Them bots are out there prowling the web. RegistrationMagic has a set of built-in tools that allows you to secure your registration form and boot spam like a boss!

WordPress Registration Spam Security Settings

Let’s open RegistrationMagic. Spam settings are inside Global Settings → Security


You will find multiple options within this settings panel. We recommend configuring it as soon as you make your first form live.

Google’s reCAPTCHA is your quintessential line of defence. It is so common around the web that users pretty much expect it to accompany any form. We keep our code up to date with the newest reCAPTCHA versions so that your form keeps up with the latest standards. But there are extra steps required to make it work. Once you enable reCAPTCHA you will need to generate the two keys for your domain. To do this, head on to this link. Make sure you enter your domain name correctly using “http” or “https” – whichever applies to your case. Once you have the keys, paste them into the Security panel.

Next, the submission limit for a device blocks any specific device used to access your site when it tries to fill out the form more than a pre-set limit. Many spam attacks originate from a single device.

Banning an IP address is another important spam-fighting tool. As you must be aware, RegistrationMagic is already equipped to capture the IP address of the form submitter (see General Settings). If you start receiving bogus or empty submissions from a specific IP, paste it here. You can also block an IP range, if that’s what you are after. Once you hit save, no more spam from that IP.

Banning an email address works similarly to banning an IP. If the spam attack originates from multiple IPs but has a specific email or email pattern, use this option to close the door. Wildcards are supported, so you can block a domain too. Just enter “*@domainname.com” to block submissions from any specific email domain.
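How a ban list of this kind can be evaluated on the server, covering both the email wildcard and the IP range described above. This is an added example in PHP, not RegistrationMagic's code; the function names are hypothetical, and it assumes `*` is the only wildcard and that ranges are written as IPv4 CIDR blocks.

```php
<?php
// Added example, not RegistrationMagic code. Assumptions: '*' is the only
// wildcard in email patterns, and IP ranges are written as IPv4 CIDR blocks.
function example_email_is_banned(string $email, array $patterns): bool
{
    $email = strtolower(trim($email));
    foreach ($patterns as $pattern) {
        // Quote regex metacharacters, then turn the quoted '*' back into '.*'.
        $body = str_replace('\*', '.*', preg_quote(strtolower(trim($pattern)), '/'));
        // Anchored at both ends: "*@domainname.com" must not match
        // "user@domainname.com.example.net".
        if (preg_match('/^' . $body . '$/D', $email) === 1) {
            return true;
        }
    }
    return false;
}

function example_ip_is_banned(string $ip, array $entries): bool
{
    $addr = ip2long(trim($ip));
    if ($addr === false) {
        return false; // not IPv4; IPv6 is not handled here
    }
    foreach ($entries as $entry) {
        // A bare address is treated as a /32 block.
        [$network, $bits] = array_pad(explode('/', trim($entry), 2), 2, '32');
        $net = ip2long($network);
        if ($net === false || !ctype_digit($bits) || (int) $bits > 32) {
            continue; // skip malformed entries rather than guess
        }
        $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF; // assumes 64-bit PHP integers
        if (($addr & $mask) === ($net & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed ban lists and submissions (documentation-only addresses and domains).
$bannedEmails = ['*@domainname.com', 'promo*@example.org'];
$bannedIps    = ['203.0.113.7', '198.51.100.0/24'];
var_dump(example_email_is_banned('Bot@DomainName.com', $bannedEmails));             // listed domain
var_dump(example_email_is_banned('bot@domainname.com.example.net', $bannedEmails)); // look-alike suffix
var_dump(example_ip_is_banned('198.51.100.42', $bannedIps));                        // inside the /24
var_dump(example_ip_is_banned('203.0.113.8', $bannedIps));                          // neighbour of a banned host
```

Pass the address the web server recorded for the connection; request headers such as X-Forwarded-For are supplied by the client and can hold any value.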

So by combining all four options, you can fight any type of WordPress registration spam! All you have to be is a little vigilant and configure the plugin properly. We’ll take care of the rest while you handle folks registering on your site. Good luck 😉
