File Upload Security

Overview

This article covers the security considerations for the File Upload field in Gravity Forms, including upload restrictions, file storage, download access control, and alternatives to storing files on your server. For a broader overview of Gravity Forms security, see the Security Best Practices article.

Limiting File Uploads to Authenticated Users

Files can only be uploaded to the server if there is a file upload field on an active form. If no active forms have a file upload field, no files can be uploaded to the server.

If possible, set your form to require login. This ensures that file uploads are only performed by authenticated users. If requiring a login is not an option, read the rest of this article carefully.

Allowed File Extensions

When a file upload field is added to a form, set the allowed extensions to the most restrictive setting possible. Gravity Forms will always block certain extensions to protect against attacks, but it is good practice to limit uploads to only the file types you expect to receive.

The Gravity Forms Uploads Folder

Gravity Forms creates a subfolder structure in the WordPress uploads root to save uploaded files. Files are stored in folders with unique names generated using the same algorithm WordPress uses (salted HMAC-MD5) to make brute-force attacks difficult. A folder containing files for a form will have a path similar to this:

/path/to/wordpress/wp-content/uploads/gravity_forms/82-ea1cf844318d032fd7e8fa8w1dacdfbe

Empty index.html files are placed in all subfolders to prevent directory listings from appearing in search engines on poorly configured web servers. Do not remove these files.

Merge Tags and File URLs

Files are safe as long as the folder name for that form is not shared publicly. Merge tags can be used in notifications to administrators, but if files are confidential, do not use file upload merge tags in confirmations or notifications sent to non-administrative users.

Secure Download Locations

By default, file download URLs are obscured so that the file’s server storage location cannot be determined from the URL alone. It is not recommended to disable this.

The following filters give you control over who can access download URLs:

gform_require_login_pre_download
Use this filter to require that the user be logged in before the download URL allows access to the file.

gform_permission_granted_pre_download
Use this filter to perform custom logic, such as capability checks, to determine whether a download URL allows access to the file. For a worked example, see How to Restrict Download URLs to the Entry Creator.

gform_secure_file_download_location
Use this filter to disable secure download locations. This is not recommended.
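
The two access-control filters above can be combined so that downloads for selected forms require a login and a capability. This is an added example, not code from Gravity Forms or this article; CONFIDENTIAL_FORM_IDS and the form ID 82 are hypothetical placeholders, and the callbacks assume each filter passes the current value, the form ID and the field ID.

```php
<?php
// Added example, not Gravity Forms' own code.
// CONFIDENTIAL_FORM_IDS is a hypothetical list of forms whose uploads are sensitive.
const CONFIDENTIAL_FORM_IDS = array( 82 ); // placeholder form ID

function is_confidential_form( $form_id ) {
    return in_array( (int) $form_id, CONFIDENTIAL_FORM_IDS, true );
}

// Step 1: require a logged-in user before a download URL for these forms resolves.
add_filter(
    'gform_require_login_pre_download',
    function ( $require_login, $form_id, $field_id ) {
        return is_confidential_form( $form_id ) ? true : $require_login;
    },
    10,
    3
);

// Step 2: only narrow the decision passed in, never widen it.
// Returning true unconditionally would discard whatever check ran earlier.
add_filter(
    'gform_permission_granted_pre_download',
    function ( $permission_granted, $form_id, $field_id ) {
        if ( ! is_confidential_form( $form_id ) ) {
            return $permission_granted; // leave other forms untouched
        }
        // gravityforms_view_entries is the Gravity Forms capability for viewing entries.
        return $permission_granted && current_user_can( 'gravityforms_view_entries' );
    },
    10,
    3
);
```

Place the code in a site-specific plugin or the theme's functions.php, and confirm with a logged-out browser session that an existing download URL for the protected form no longer returns the file.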

If you run into issues with download links, see Troubleshooting Issues with Download Links.

For a full list of filters available for file upload fields, see the File Upload Field Filters category.

Changing the Upload Path

To increase security, you can move uploaded files to a different location on the server using the gform_upload_path filter. If you do this, ensure the web server has the appropriate permissions to read and write to that folder. Files can also be moved to a different server entirely using the gform_after_submission hook.

The .htaccess File

An .htaccess file is generated in the root of the Gravity Forms uploads folder, which, for most servers, disables PHP from being parsed within the subfolder structure. This file is written with the most common server configurations in mind, but may need to be adjusted using the gform_upload_root_htaccess_rules filter. To prevent the file from being written entirely:

add_filter( 'gform_upload_root_htaccess_rules', '__return_false' );

This filter should only be used if you are seeing an error. The .htaccess file is there to protect your server — consult your server administrator or contact support before using it.
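
To confirm that the protections described in this article are still in place (the .htaccess file in the uploads root and the index.html file in every subfolder), the uploads tree can be audited from the command line. This is an added example, not part of Gravity Forms; the function name, the list of script-like extensions and the sample tree are assumptions constructed for illustration.

```php
<?php
// Added example: audits an uploads tree for the protections this article describes.
// $risky is an assumed, illustrative list, not Gravity Forms' own blocklist.
function audit_gf_uploads( string $root ): array {
    $root     = rtrim( $root, '/\\' );
    $risky    = array( 'php', 'phtml', 'phar' );
    $findings = array();

    // The generated .htaccess lives in the root of the Gravity Forms uploads folder.
    if ( ! is_file( $root . '/.htaccess' ) ) {
        $findings[] = 'missing .htaccess in uploads root';
    }

    $tree = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $tree as $item ) {
        $rel = substr( $item->getPathname(), strlen( $root ) + 1 );
        if ( $item->isDir() ) {
            // Every subfolder should carry the empty index.html placeholder.
            if ( ! is_file( $item->getPathname() . '/index.html' ) ) {
                $findings[] = "missing index.html in $rel";
            }
            continue;
        }
        // Check every dot-separated segment so "name.php.jpg" is flagged too.
        $segments = array_slice( explode( '.', strtolower( $item->getFilename() ) ), 1 );
        if ( array_intersect( $segments, $risky ) ) {
            $findings[] = "script-like file name: $rel";
        }
    }
    sort( $findings );
    return $findings;
}

// Constructed sample tree (not real data) so the script runs offline.
$root = sys_get_temp_dir() . '/gf-audit-' . uniqid();
mkdir( "$root/82-constructedfolder/2024", 0700, true );
touch( "$root/.htaccess" );
touch( "$root/82-constructedfolder/index.html" );
touch( "$root/82-constructedfolder/report.pdf" );
touch( "$root/82-constructedfolder/2024/avatar.php.jpg" ); // and no index.html here

foreach ( audit_gf_uploads( $root ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

To audit a real site, replace the constructed tree with the path to the gravity_forms folder inside the WordPress uploads directory.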

Removing the File Upload Field from the Form Editor

Gravity Forms allows any user with form editing permissions to add a File Upload field to a form. To remove the field from the field library, see the gform_add_field_buttons filter.

Storing Files Off-Server

If keeping uploaded files on your web server is not suitable for your use case, there are a few alternatives worth considering.

The Gravity Forms Dropbox Add-On can send uploaded files directly to Dropbox, either instead of or in addition to storing them on your server. When an entry is submitted, the file is uploaded to your server, and the entry initially links to the local file. The add-on then processes the upload asynchronously via a feed. Once the feed has been processed and the transfer to Dropbox is confirmed, the entry URL is updated to point to the Dropbox file, and the local file is deleted.

With asynchronous processing, this can take several minutes. If background processing breaks or fails, the feed may never be processed, leaving the file on your server indefinitely. This is a security concern in shared hosting environments or on servers without proper certification. For details on how this process works, see the Dropbox Upload Field documentation.

If you need to avoid server storage entirely, you can use the Dropbox custom app connection option, which transfers files directly from your customer’s Dropbox account to your Dropbox account without storing them on your server.

Using a third-party integration such as Zapier, you can route uploaded files to Google Drive or another cloud storage provider and automatically delete the originals from your web server after transfer.