Is Ninja Forms secure?

Is Ninja Forms secure/HIPAA compliant?

We get asked frequently whether users can submit sensitive data via Ninja Forms securely. On the one hand, Ninja Forms does everything it can to make sure all form submitted data is handled in as secure a way as possible. On the other hand, comprehensive data security goes far beyond what a form itself can do on its own.

Things to consider before collecting sensitive information through a web form

  • Security is your responsibility. While plugins like Ninja Forms will generally try to make sure that data is handled in as secure a way as possible, you own your website. The security decisions you make on your site should be well researched and vetted by a security specialist. Securing hosted website data, whether delivered by a form or otherwise, is not a feature of Ninja Forms.
  • Email is generally insecure. If you send sensitive data through email, it can easily be intercepted in transit or read from a compromised mailbox. There are secure encryption methods, but they are generally outside the realm of a form plugin.
  • Your form data is only as secure as your server. It doesn’t matter what a form plugin does to make itself more secure: if your server is insecure, then your forms are insecure. This is even more true when you decide to store sensitive data on your servers. Server security can include, but is not limited to:
    • SSL/HTTPS: Any time you are going to receive sensitive data via a web form, you need to have an SSL certificate for your site and both serve the form and process its submissions over the https protocol. Here is a document to help you understand SSL certificates.
    • Database Encryption: This is the practice of at least partially encrypting plain text data in the database so that it is unreadable by anyone other than those who possess the authorized keys. Generally this is not used often in WordPress development, but it is another method of securing data stored on your servers.
    • Proper User Management: If you have several admin users on your site, it only takes one compromised account to create a data leak. Having proper and enforceable password rules, and limiting access via roles and capabilities, can go a long way toward making sure your data is as secure as possible.

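As an illustration of the "Database Encryption" point above, here is an added example (not code from the Ninja Forms plugin or its documentation) that encrypts a single sensitive submission value before it is written to the WordPress database and decrypts it again for display. It uses PHP's bundled libsodium (PHP 7.2 or later). The constant name NF_FIELD_ENC_KEY is an assumption: the idea is that the 32-byte key is defined in wp-config.php, outside the database, so a dump of the database alone does not expose the field.

```php
<?php
// Added example, not part of Ninja Forms. Field-level encryption of a sensitive
// form value before storage, using PHP's bundled libsodium (PHP >= 7.2).
// Assumption: the hex-encoded 32-byte key is defined in wp-config.php as the
// hypothetical constant NF_FIELD_ENC_KEY, so it never lives in the database.

declare(strict_types=1);

function field_encryption_key(): string {
    if (!defined('NF_FIELD_ENC_KEY')) {
        throw new RuntimeException('NF_FIELD_ENC_KEY is not defined in wp-config.php');
    }
    $key = sodium_hex2bin(NF_FIELD_ENC_KEY);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('NF_FIELD_ENC_KEY must be 32 bytes (64 hex characters)');
    }
    return $key;
}

function encrypt_field_value(string $plaintext, string $key): string {
    // A fresh random nonce per value; reuse with the same key would break secrecy.
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // Store nonce + ciphertext together; the version tag allows future key or format rotation.
    return 'v1:' . sodium_bin2base64($nonce . $cipher, SODIUM_BASE64_VARIANT_ORIGINAL);
}

function decrypt_field_value(string $stored, string $key): string {
    if (strpos($stored, 'v1:') !== 0) {
        throw new RuntimeException('Unrecognised ciphertext format');
    }
    $raw    = sodium_base642bin(substr($stored, 3), SODIUM_BASE64_VARIANT_ORIGINAL);
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        // Wrong key or a modified row: secretbox authenticates, so fail closed.
        throw new RuntimeException('Decryption failed (wrong key or modified data)');
    }
    return $plain;
}

// Stand-alone demo with a constructed key. In production the define() lives in
// wp-config.php and this block is replaced by your submission-handling code.
if (!defined('NF_FIELD_ENC_KEY')) {
    define('NF_FIELD_ENC_KEY', sodium_bin2hex(sodium_crypto_secretbox_keygen()));
}
$key    = field_encryption_key();
$stored = encrypt_field_value('123-45-6789', $key);   // constructed sample field value
echo $stored, PHP_EOL;                                 // what the database row would hold
echo decrypt_field_value($stored, $key), PHP_EOL;      // the value shown back to an admin
sodium_memzero($key);
```

Two design points follow from the list above: the key must not be stored in the same database as the ciphertext, otherwise a database compromise gives both; and a plugin-level scheme like this still does nothing for data that is also sent in a notification email, which remains the "Email is generally insecure" problem.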
At the end of the day the real question isn’t whether Ninja Forms is secure, but whether or not your server is secure enough to handle sensitive data. More importantly, you must ask whether collecting and storing sensitive data is worth the risk, money, and time it takes to make sure that you are protecting your visitors’ data in a completely responsible fashion.