WordPress Security: Allowing public to create drafts

Hello, I'm using a premium form plugin (FormCraft) to create a form. This form will be accessible for the public and the information submitted in this form will be used to create a post draft. Take a look at the plugin's documentation where this feature "Form to Post" is explained: http://ncrafts.net/formcraft/docs/form-to-post/

My question is this: from a security standpoint, how safe is doing this?

Can an individual use the ability of creating post drafts to compromise a site? Can some hack my site or exploit this feature in any way?

And what kind of measures should I take in order to make sure doing this is safe?


  • Michelle Shull

    Hi, RB!

    Ultimately, if you're opening up the ability to visitors to freely create posts, you're creating a vulnerable spot. There are certainly things you can do to increase your security; adding a CAPTCHA or other human-verification tool, using a service like Akismet to try to filter out spam attempts, and utilizing other WordPress security measures via security plugin or custom code are all options to create layers of security, but you're still giving users quite a bit of power, and there's room for exploitation in creating a draft. There's no real automagic substitute for an eagle-eyed admin who's paying attention to what's happening on your site on a daily basis, who can notice and stop an issue (if it occurs) before it becomes a problem.

    My advice would be to use a combination of all of the above, a CAPTCHA-type field on the submit form, a good security plugin, and good site management.

    Hope this helps!

  • RB

    Thanks. One thing that I forgot to mention is that the users won't necessarily be aware that the form is directly creating posts. Also, we're using a security plugin, coupled with a firewall, and constant editorial monitoring. The posts that will be created will be drafts and won't be published directly.

    This makes me wonder if there is any code that can be added to the site that shall prevent any executable content being executed within the post editor? Just as a fail-safe?

  • Michelle Shull

    Hi there, RB!

    If you're running a reputable security plugin, you should be as safe as you can be from unwanted code here. The WordPress post editor itself is already fairly secure in terms of what will render and what won't. It sounds like you've got your bases covered.

    It's important to remember that there's no 100% effective way to prevent bad people from doing bad things. Recent WordPress announcements about a tiny security issue that's currently effecting a surprisingly large number of popular plugins are a reminder that even the best built systems can still be vulnerable to highly motivated people with ill-intentions. Again, this isn't to frighten you or dissuade you, just a reminder to stay aware.

    Thanks for your question, and good luck with your project.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.