[Forminator Pro] Encrypt Form Data

I would like to see Forminator forms become HIPAA compliant, or at the least, have a way for encryption. I am looking to collect site logins from my clients and want to make sure they’re encrypted and not stored plaintext.

  • Catalin I.
    • The Incredible Code Injector

    HIPAA compliance is about more than the software used. You can use Forminator in a HIPAA compliant environment. But your server needs to be HIPAA compliant, you need to make sure your data transfer protocol is HIPAA compliant, your DB and storage are HIPAA compliant, and so on. Then you need to have signed HIPAA compliance documents from your host and your company representative. Simply encrypting the form submission is not enough to achieve HIPAA compliance. In short, it is the final solution that has to be HIPAA compliant, not every piece of software you use. Forminator, as is, is not (and can never be) HIPAA compliant, but it can be used to develop a HIPAA compliant application if all other conditions are met. A quicker solution would be to use services like FormCan or JotForms that provide HIPAA compliant environments and the form builder, but you still need to sign the BA with them if you need your company to be covered by the HIPAA compliance.

  • Alfredo Galano Loyola
    • Staff

    Hello Blake Whittle,
    I hope you are doing well today.

    Thanks for reaching out to us.

    I would like to see Forminator forms become HIPAA compliant

    The main goal of Forminator Pro is to allow the creation of forms in an easy way for WordPress sites with access to the submissions and the option to get email notifications.

    As Catalin I. said,

    HIPAA compliance is about more than the software used.

    If you analyze FormCan or JotForms, they technically embed the forms on the WordPress pages or allow the use of custom domains for the forms they serve from their servers, so the HIPAA compliance is completely on their end.
    All the data is saved on their servers and not on the server hosting the site; that's the key to HIPAA compliance.

    To make Forminator Pro HIPAA compliant would require completely changing the logic and the way it is made, and adding extra servers to handle the data related to it. In the end, it would be a completely different product even if it looked the same.

    It's something that needs to be carefully analyzed: the pros and cons of making it HIPAA compliant.

    or at the least, have a way for encryption.

    That's something that could be possible to achieve with some custom code, using for example
    PHP's openssl_encrypt and openssl_decrypt functions, but if your site is hacked and the hacker gets access to the Forminator Pro -> Submissions page, they will be able to see the data decrypted (plain text).

    Please consider not saving your clients' site login credentials on a WordPress site; you could try, as
    David Baker did, using a tool like LastPass or a plugin that allows login to sites using a URL.

    Some time ago I asked myself a question like that and I was able to create this custom code:
    https://gist.github.com/alfredo-wpmudev/4a22f3c4a05bc054aecc00b74f874084

    It's a basic encryption/decryption feature that could be used on Forminator Pro forms. I made it as an experiment and don't recommend using it in production; it could be used with some customization and obfuscation to improve the security of the code itself.

    You can use it as a starting point and add extra code to obfuscate the logic and the code itself, because if someone gets the forminator_fortress.php file and the data in the database, it could be possible to decrypt it just by reading the PHP code.

    You are free to test it, improve it, and customize it to fit your needs, but you need to understand it's not the most secure way to store data. It will just add an extra layer of security and could break easily if:
    1- The WordPress site is hacked and the hackers get admin access to the site.
    2- The hacker gets access to FTP.

    Steps to use it:
    1- Download the forminator_fortress.php to your PC.
    2- Extract the ZIP file and open the forminator_fortress.php file to edit it, using a code editor.
    The lines to replace/customize are:
    private $include_form_ids = [1047997];
    There you need to set the ID or List of IDs of the forms you want to use the encryption/decryption feature.
    For example, for the form with ID 45:
    private $include_form_ids = [45];
    Forms with IDs: 45, 78 and 100
    private $include_form_ids = [45, 78, 100];
    The next line to replace is:
    private $key = 'PaV;p>-XLw9SL.Z}d@xWOT:ZTlB3M=_atEs:c}a0zW3,nR8Cxf)3g;pW?Flu7{2,';
    There you will need to replace PaV;p>-XLw9SL.Z}d@xWOT:ZTlB3M=_atEs:c}a0zW3,nR8Cxf)3g;pW?Flu7{2, with a long passphrase value.
    You can use this URL to generate salts and use it as a passphrase:
    https://api.wordpress.org/secret-key/1.1/salt/
    You will need to select the encryption algorithm:
    private $method = 'aes-256-cbc';
    Here you could try some of these:

        aes-256-cbc-hmac-sha1
        aes-256-cbc-hmac-sha256
        aes-256-ccm
        aes-256-cfb
        aes-256-cfb1
        aes-256-cfb8
        aes-256-ctr
        aes-256-gcm
        aes-256-ocb
        aes-256-ofb
        aes-256-xts

    There are more, so you can investigate which is best in performance and security, because you need to balance those factors.

    The last customization is to generate a new Initialization Vector:
    //The Initialization Vector.
    $this->iv=base64_decode("/E7QzyZETxAC6N00LOWSjA==");
    You need to visit this URL https://myblank.tempurl.host/iv.php; the last line will be a valid Initialization Vector encoded in base64. Copy it and replace /E7QzyZETxAC6N00LOWSjA== with it.

    3-Save and upload the forminator_fortress.php file to the site in the folder /wp-content/mu-plugins/
    More information about MU Plugins
    Important: It would be good to start with a fresh form without submissions, and once you set the customization in the code you can't change it, because then you will not be able to decrypt the data saved before the changes.

    Using that custom code as a starting point, and then adding extra options to obfuscate and improve it, could be a good extra option to secure the data a bit more, but you need to apply security measures to avoid the site getting hacked.

    I will contact the Forminator Pro team to check what could be done here.

    Best regards,
    Alfredo
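As an added example (not code from this thread and not the forminator_fortress.php gist), the block below contrasts the pattern the steps above describe, one fixed key and one fixed IV in the plugin file with aes-256-cbc, against a fresh random IV per record with aes-256-gcm, which also lets the decrypt side detect a modified database row. The function names, the HKDF info string, the passphrase and the sample credential are all constructed for the example. It does not hook into Forminator; the gist does that part, so you would still call encrypt_record() where the submission is stored and decrypt_record() where it is displayed.

```php
<?php
// Added example for this thread; not the forminator_fortress.php gist and not wired into Forminator.
// Shows, with PHP's openssl_* functions, the pattern the steps above describe (fixed key and
// fixed IV, aes-256-cbc) next to a per-record random IV with aes-256-gcm (authenticated).
// Neither helps against an attacker who holds both the PHP file with the key and the database.
declare(strict_types=1);

// Constructed passphrase for the demo. In a deployment define it outside the plugin file
// (for example a constant in wp-config.php) so the key does not live beside the logic.
const DEMO_PASSPHRASE = 'PaV;p>-XLw9SL.Z}d@xWOT:ZTlB3M=_atEs:c}a0zW3,nR8Cxf)3g;pW?Flu7{2,';

/** Derive a 32-byte AES-256 key from a passphrase of any length.
 *  openssl_encrypt would otherwise silently truncate a long passphrase or NUL-pad a short one. */
function key_from_passphrase(string $passphrase): string {
    return hash_hkdf('sha256', $passphrase, 32, 'forminator-submission-v1'); // info string is an assumption
}

/** Pattern from the steps above: fixed IV, aes-256-cbc, base64 output. */
function encrypt_fixed_iv(string $plaintext, string $key, string $iv): string {
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv);
    if ($ct === false) { throw new RuntimeException('encrypt failed'); }
    return $ct;
}
function decrypt_fixed_iv(string $ciphertext, string $key, string $iv): string {
    $pt = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, 0, $iv);
    if ($pt === false) { throw new RuntimeException('decrypt failed'); }
    return $pt;
}

/** Safer pattern: random IV per record, aes-256-gcm. Stored as base64(iv . tag . ciphertext). */
function encrypt_record(string $plaintext, string $key): string {
    $iv  = random_bytes(openssl_cipher_iv_length('aes-256-gcm')); // 12 bytes
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) { throw new RuntimeException('encrypt failed'); }
    return base64_encode($iv . $tag . $ct);
}
function decrypt_record(string $stored, string $key): string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) { throw new RuntimeException('malformed record'); }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    // openssl_decrypt verifies the GCM tag: any change to iv, tag or ciphertext makes it return false.
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) { throw new RuntimeException('decrypt failed: wrong key or tampered record'); }
    return $pt;
}

// --- Demo with constructed data ---
$key     = key_from_passphrase(DEMO_PASSPHRASE);
$fixedIv = base64_decode('/E7QzyZETxAC6N00LOWSjA=='); // the 16-byte IV from the steps above
$secret  = 'wp-admin login: editor / correct-horse-battery-staple'; // constructed sample submission

// Fixed key + fixed IV: the same credential submitted twice is stored as the same string, so
// someone reading the table can spot reused credentials without decrypting anything.
$a = encrypt_fixed_iv($secret, $key, $fixedIv);
$b = encrypt_fixed_iv($secret, $key, $fixedIv);
echo 'fixed IV, identical ciphertexts: ', var_export($a === $b, true), PHP_EOL;
echo 'fixed IV round trip: ', decrypt_fixed_iv($a, $key, $fixedIv), PHP_EOL;

// Random IV per record: the same credential is stored as different strings each time.
$c = encrypt_record($secret, $key);
$d = encrypt_record($secret, $key);
echo 'random IV, identical ciphertexts: ', var_export($c === $d, true), PHP_EOL;
echo 'GCM round trip: ', decrypt_record($c, $key), PHP_EOL;

// Flip one bit of a stored record: GCM refuses to decrypt it, while plain CBC has no integrity check.
$raw = base64_decode($c);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    decrypt_record(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'tampered record: ', $e->getMessage(), PHP_EOL;
}
```

The caveat from the post still holds for both variants: whoever can read the key constant (the mu-plugin file, or wp-config.php if you move it there) together with the database can decrypt every row, and any administrator who opens the Submissions page sees the plaintext because the plugin decrypts it for display. Moving the key out of the plugin file only raises the bar for someone who has the database but not the filesystem.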

    • Blake Whittle
      • The Incredible Code Injector

      Thanks Alfredo & Catalin. Point taken on HIPAA compliance.

      I will test out the code you gave; it seems very useful. LastPass is an option, but many people don't use password managers, nor do they know how to add me as a WordPress admin (which would be my preferred option). There is also One Time Secret, but there isn't enough information for me to deem it safe.

      I think that with 2FA enabled on WordPress, on a good hosting platform, using Cloudflare to limit access to /wp-admin and FTP to whitelisted IPs only, it might be enough.

      Thanks!