Is Ninja Forms secure/HIPAA compliant?
Let’s start by saying that this is not exclusive to Ninja Forms, but is true of all data being sent through a web form.
We get asked frequently whether users can submit sensitive data via Ninja Forms securely. On the one hand, Ninja Forms does everything it can to make sure all form submitted data is handled in as secure a way as possible. On the other hand, a secure form submission goes far beyond what a form itself can do on its own.
Things to consider when collecting sensitive information through a web form
- Security is your responsibility. While plugins like Ninja Forms will generally try to make sure that data is handled in as secure a way as possible, you own your website. The security decisions you make on your site should be well researched and vetted by a security specialist.
- Email is extremely insecure. If you are going to attempt to send sensitive data through email this information can easily be hijacked. There are secure encryption methods but they are outside the realm of a form plugin, generally speaking.
- Your form data is only as secure as your server. It doesn’t matter what a form plugin does to make itself more secure; if your server is insecure then your forms are insecure. This is even more true when you decide to store sensitive data on your servers. Server security can include, but is not limited to:
  - SSL/HTTPS: Anytime you are going to receive sensitive data via a web form you need to have an SSL certificate for your site and serve and process that form via the https protocol. Here is a document to help you understand SSL certificates.
  - Database Encryption: This is the practice of at least partially encrypting plain text data in the database so that it is unreadable by anyone other than those who possess the authorized keys. It is not used often in WordPress development, but it is another method of securing data stored on your servers.
  - Proper User Management: If you have several admin users on your account, it only takes one account being hacked to create a data leak. Having proper, and enforceable, password rules and limiting access via roles and capabilities can go a long way to making sure your data is as secure as possible.
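As an added illustration of the database encryption item above (example code, not part of Ninja Forms or WordPress), this encrypts a single sensitive field value with libsodium before it is stored and refuses to return garbage if the stored value was altered. It assumes PHP 7.2+ with the sodium extension and a hypothetical constant `NF_FIELD_KEY_HEX` defined in wp-config.php, so the key is never stored in the database alongside the data it protects.

```php
<?php
// Added example, not Ninja Forms code. Key is read from a wp-config.php constant
// (hypothetical name NF_FIELD_KEY_HEX), never from the database, so a dump of
// wp_postmeta or wp_options alone does not expose the plaintext.
// Generate a key once with: sodium_bin2hex(sodium_crypto_secretbox_keygen())

function nf_example_key(): string {
    if (!defined('NF_FIELD_KEY_HEX')) {
        throw new RuntimeException('NF_FIELD_KEY_HEX is not defined in wp-config.php');
    }
    $key = sodium_hex2bin(NF_FIELD_KEY_HEX);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('NF_FIELD_KEY_HEX must decode to 32 bytes');
    }
    return $key;
}

// Returns base64(nonce || ciphertext), which fits in an ordinary text column.
// A fresh random nonce per value means identical inputs do not produce identical rows.
function nf_example_encrypt_field(string $plaintext): string {
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, nf_example_key());
    return base64_encode($nonce . $cipher);
}

// Returns null if the stored value is malformed, was tampered with, or was
// encrypted under a different key (secretbox authenticates the ciphertext).
function nf_example_decrypt_field(string $stored): ?string {
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, nf_example_key());
    return $plain === false ? null : $plain;
}

// Stand-alone demo with a constructed key; in WordPress the define lives in wp-config.php.
if (!defined('NF_FIELD_KEY_HEX')) {
    define('NF_FIELD_KEY_HEX', sodium_bin2hex(sodium_crypto_secretbox_keygen()));
}
$stored = nf_example_encrypt_field('555-01-2345'); // constructed sample value
if (nf_example_decrypt_field($stored) !== '555-01-2345') { throw new RuntimeException('round trip failed'); }
$raw = base64_decode($stored);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01); // flip one ciphertext bit
if (nf_example_decrypt_field(base64_encode($raw)) !== null) { throw new RuntimeException('tamper not detected'); }
echo "encrypt/decrypt and tamper detection OK\n";
```

Anyone with read access to the database but not to wp-config.php sees only the base64 blob; whoever can read wp-config.php (a server administrator) can still decrypt, which is why this complements, rather than replaces, the server and user management points above.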
At the end of the day the real question isn’t whether Ninja Forms is secure, but whether or not your server is secure enough to handle this data. More importantly, is collecting and storing that sensitive data worth the risk, money, and time it takes to make sure that you are protecting your visitors’ data in a completely responsible fashion? Even after all that, the data is never completely secure; consider the now infamous Target data breach.