Website security: forms and bots
In this, our third instalment in our series on security, we follow on from the need to keep site code up to date with the need to secure your most obvious possible attack vector: forms.
Forms are where your site becomes interactive. Forms allow users to enter information for processing and data submission for purchases, search, subscription and more.
Unfortunately, forms, like a jar of jam to a wasp, present a juicy target for bad actors and their robot minions: bots.
Bots crawl the internet looking for unprotected forms, which they will attempt to fill in. Typical motives include attempts to add spam links to content, or to upload copyrighted files.
However, their purpose can be darker, including testing stolen credit card numbers, injection of malign code or stealing data.
An evil-doer can attempt to compromise your site if data collected is not properly treated, a process known as "escaping", which leaves them a back door entry to do what they will.
This is serious stuff.
Vigilance is key in the battle against the bots.
Protecting your forms
Drupal is good at form protection out of the box, through its database abstraction layer, but that is only one layer of defence.
Contributed modules such as Honeypot and Antibot will provide barriers to bot activities and, used in combination, they can be quite effective. Another commonly cited option is the CAPTCHA, often manifested as the "I am not a robot" tick box.
Time-based solutions or restrictions on data entry or number of submissions per user can also help.
Each of these methods can be helpful in their own way, but no single solution is a panacea against attacks.
More heavy-handed approaches include IP-based restrictions, optionally closing forms to all actors, good and bad, from certain locations. This can be effective where attacks regularly come from countries where a site has no target audience.
The takeaway here is: forms must be protected or you are inviting trouble. No single method of protection is perfect, but when used in combination they can be effective. Vigilance is key in the battle against the bots.
Forms are usually used as a mechanism for collecting data, be it for a mailing list, or customer preferences, or enquiries or something else. When you collect data, you need to store it.
And when you store it, you need to protect it. Next episode we speak about the deep waters of data protection.
Next episode coming soon: Data Protection
Read the other blogs in our Security Series:
Are you concerned about the security of your Drupal site?
Talk to us about conducting a website security audit.
Anthony Lindsay Director of Managed Services
With decades of experience, Anthony leads the Annertech Managed Services Team, delivering top quality design, development, and, ultimately peace-of-mind services to all of Annertech's wonderful clients.
