Server Security

This article is copyright. Permission is hereby granted to re-publish this article in whole or part provided attribution is given to

Security and your website

Web forms work by sending data to a software program (generically called a "form processor") on a server computer. The server computer is usually the same one that hosts the website that provided the form.

The form processor is tasked with the job of collecting the data that was submitted on the form and doing something with it.

That "something" usually involves emailing information to the owner of the website.

What are the dangers?

The fundamental danger with form processing is that the server is sending email on behalf of any person or computer connected to the internet.

So, if there are bugs or flaws in the form processor, you can see how it's possible for bad things to happen.

Have these things ever happened?

Yes! In the early days of the World Wide Web and into the beginning of the 21st century, a lot of scripts, especially form processors, were written by unskilled and inexperienced people.

In many cases, they were relying on assumed expertise written into other software components - expertise that sometimes turned out to be non-existent.

And to be fair, in the early days of the World Wide Web most people were cooperative and had good intentions. So, it was only when some unscrupulous people started to find ways of exploiting the good will of the vast majority that the security holes became evident.

Historically, these bad things have included:

  • complete compromise of the server by evil hackers (allowing them to do anything they want with the server)
  • defacing or replacing the website that contained the form
  • obtaining access to secret information stored on the server (e.g. credit card details)
  • sending spam to thousands of email addresses
  • sending viruses and other malware to thousands of internet users
  • sending viruses and other malware to the owner of the website that hosts the form processor
  • sending spam to the owner of the website that hosts the form processor

All except the last one are very serious security breaches that can have serious consequences.

The last one is annoying but, in general, a website owner who receives a couple of spam submissions a week isn't going to be too upset.

The fact is, if you have a way for your website to send you information, it's impossible to completely eliminate all spam. Why? Well, spammers can hire real human beings very cheaply for the sole purpose of sending spam. Even with the best anti-spam measures, some spam will get through.

On the other hand, if you're in business, you really want to ensure that you receive all legitimate contacts, whether these are by email or by people filling in your forms.

And, just digressing from the issue of form processing for a moment, this is one reason many email spam filters are such a bad idea for business.

The problem with most email spam filters is that they can filter out legitimate email. This means a small business owner can lose vital contacts from prospects.

So, it's really important that small business website owners aim for two things:

  1. email spam filters that work but don't lose legitimate email, and,
  2. secure and reliable form processing for their website contact forms.

How can you be sure you have a good spam filter? Only experience can determine this. Use other business owners' recommendations and make sure you ask: have you ever lost a legitimate contact?

Now, let's get back to form processing...

How can you get a secure form processor?

As I've illustrated above, security is the primary concern and 100% protection from spam is the least of your concerns.

There are two ways to have your contact form (or any form) processed:

  1. By using a form processor installed on your website, or
  2. by using a form processor hosted on someone else's website.

Option 2 immediately protects you from many security problems, because if there is a security issue in the form processor, your website is separate from it and therefore protected from an attack.

But, you are dependent on the hosting service providing you with a reliable service.

Option 1 is often the method selected by businesses. So, to find a secure form processor, you need to review its history. Some suppliers will publish their security history. If they have a long security history with no major flaws, then these are the form processors you should consider.

You can also use a search engine to do some research. For example, search for "formmail security vulnerability". "FormMail" is a typical name for form processors, as it was the name of the very first one ever published (which, by the way, is also the one with the worst security history!)

Your search will reveal many pages that talk about FormMail scripts to avoid and reports of problems with them.

You'll also find references to scripts that are secure. So, you need to read the pages in the search results to understand the information being reported.

The key point here is that it is possible to create a secure form processor, provided the author understands the technologies of the Web and plans security into the design of the product from the beginning.


Hosted Forms

Hosted form processing is often a more reliable way to keep your contact forms working; especially if you use shared hosting for your website.

Form processing involves more complex operations than serving normal web pages.

Experience has shown that many general web hosting services consider form processing and form-to-email services as a low priority in their service supply.

Some web hosts even refuse to support the installation of secure form processing scripts.

Computer software that works will continue to work unless the environment in which it is operating is changed in a way that breaks its operation.

Computers are inherently reliable machines.

Shared hosting is an inexpensive way for many small businesses to achieve a web presence.

But, the problem with shared hosting is that the hosting provider may alter (update or change) the underlying systems without telling the owners of the websites being hosted.

These changes can break the operation of form processing scripts, and the website owner often doesn't find out for a long time.

This is another reason to use a form processing service - in this case the supplier of the service is dedicated to the reliable operation of the form processing service they supply.

Why bother with forms at all?

Well, email is often an unreliable mechanism for contacts. Plus, you have to reveal your email address to the world in order for people to be able to contact you.

By using a contact form on your website, you can avoid the problems with email.

The key issue, of course, is you don't want your server or your spam filter blocking any submissions from your contact form. If someone fills in your website's contact form, you want to receive that contact!

Therefore, it's important to use a website hosting service that is friendly to form processors.

And, if you can't be sure of that, use a form hosting service that will provide reliable form processing.

What about form spam?

As mentioned above, you might not be able to get rid of 100% of it, but you don't want to receive hundreds of spam form submissions a day, either!

There are form processors available, for free, that have many strong anti-spam features. Some of these features may be automatic, and some may need you to configure them for your particular requirements.

For example, spammers are trying to sell something and get you to visit their website. This means they try to send you URLs to their website.

If you don't normally want URLs from your prospects, you can use a form processor that allows you to block form submissions containing URLs. That one anti-spam feature can block almost 100% of spam form submissions!

What about CAPTCHA?

CAPTCHA is a technology that attempts to protect against automated spam by forcing humans to prove they are human.

If you've been using the Web for a while, you've almost certainly had to solve a CAPTCHA puzzle at some time. They are usually difficult-to-read words in an image, that you have to type into a box.

CAPTCHA is becoming less effective due to advances in computer technology, but also because spammers can hire people cheaply to solve CAPTCHA puzzles (and there are other means that spammers use to get people to solve CAPTCHA for them).

Reverse CAPTCHA?

Reverse CAPTCHA is a technology that tricks automated spam "bots" into revealing they are not human.

The great thing about Reverse CAPTCHA is it doesn't annoy humans - the very people you're trying to win as customers!

If you find you are receiving too much form spam, then you might consider adding CAPTCHA to your forms. However, it's also worth trying Reverse CAPTCHA first.
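The two anti-spam measures described above (blocking submissions that contain URLs, and Reverse CAPTCHA) are sketched here as an added example; it is not code from this article or from any particular form processor. It assumes Reverse CAPTCHA is implemented as a form field hidden from people (the hypothetical field name `website`), so only an automated client fills it in; the field names, sample data and short TLD list are constructed for illustration.

```python
import re

# Matches explicit schemes, "www." hosts, and bare host names ending in a
# common TLD. The TLD list is a constructed sample, not an exhaustive one.
URL_PATTERN = re.compile(
    r"(?:\b(?:https?|ftp)://\S+)"
    r"|(?:\bwww\.[a-z0-9-]+\.[a-z]{2,}\S*)"
    r"|(?:\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz|ru|cn)\b(?:/\S*)?)",
    re.IGNORECASE,
)

# An email address contains a domain but is not a link, so addresses are
# masked out before the URL check to avoid rejecting legitimate contacts.
EMAIL_PATTERN = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Hypothetical name of the hidden field; the form hides it with CSS.
HONEYPOT_FIELD = "website"


def screen_submission(fields, block_urls=True):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []

    # Reverse CAPTCHA: a person never sees this input and leaves it empty.
    # A bot that fills every field it finds gives itself away here.
    if fields.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field filled")

    # URL blocking: only enable this when prospects are not expected to
    # send links, as the article advises.
    if block_urls:
        for name, value in fields.items():
            if name == HONEYPOT_FIELD:
                continue
            text = EMAIL_PATTERN.sub(" ", value)
            if URL_PATTERN.search(text):
                reasons.append(f"URL in field '{name}'")
    return reasons


# Constructed sample submissions.
LEGITIMATE = {"name": "Jo Smith", "email": "jo@example.com",
              "message": "Please call me about a quote. Thanks.", "website": ""}
SPAM_LINK = {"name": "Deals", "email": "d@example.com",
             "message": "Visit spam-shop.com today", "website": ""}
BOT = {"name": "x", "email": "a@example.com", "message": "hi",
       "website": "http://spam.example/"}
```

Rejected submissions are better logged than silently discarded, so the owner can check that no legitimate contact was lost.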


In summary, you should choose a form processor that:

  1. has a long secure history
  2. is being actively developed
  3. has a number of anti-spam measures available
  4. provides a support service.

And, if you don't want to be bothered installing a form processor on your website, consider a form hosting service that meets the above criteria.

Getting started

Why not view the instructional videos for our Hosted Forms service? Learn how to get a working contact form on your website in under 90 seconds, for free.

Or, try our FormMail Configuration Wizard and see how to get a working form processor and contact form configured for your website, ready to upload.
