
Security

Kreebi Forms is built with security as a first-class concern. Every submission passes through multiple layers of validation and sanitisation before it reaches your database.

Input Sanitization

All user-supplied values are sanitised using WordPress core functions such as sanitize_text_field(), sanitize_email(), and wp_kses_post(). This strips dangerous characters and HTML tags from every field before processing.

CSRF Protection

Every form rendered by Kreebi includes a WordPress nonce field. On submission, the nonce is verified with wp_verify_nonce() to ensure the request originated from your site. Requests with missing or invalid nonces are rejected with a 403 response.

SQL Injection Prevention

Kreebi Forms never concatenates user input into SQL queries. All database operations use the WordPress $wpdb->prepare() method with parameterised placeholders. Because submitted values are bound as parameters rather than spliced into the query string, form input cannot change the structure of the query, which is what SQL injection relies on.

XSS Prevention

Output escaping is applied to all dynamic values rendered in the admin and frontend. Functions like esc_html(), esc_attr(), and esc_url() are used consistently to prevent cross-site scripting (XSS) attacks.
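The four layers described in the Input Sanitization, CSRF Protection, SQL Injection Prevention and XSS Prevention sections above fit together as one pipeline. The following is an added example, not Kreebi Forms' own code, showing a minimal submission handler that applies them in order (nonce check, sanitisation, parameterised insert, escaping at output). It assumes an admin-post.php action named kreebi_demo_submit, the nonce action and field names shown, and the column names of the wp_kreebi_submissions table (the page names the table; the columns are assumed).

```php
<?php
// Added example (not Kreebi Forms' own code). Assumed: action name, nonce names,
// and the columns of wp_kreebi_submissions.

// 1. Render the form. wp_nonce_field() emits the hidden nonce and referer fields.
function kreebi_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'kreebi_demo_submit', 'kreebi_demo_nonce' ); ?>
        <input type="hidden" name="action" value="kreebi_demo_submit">
        <input type="text" name="name" required>
        <input type="email" name="email" required>
        <textarea name="message"></textarea>
        <button type="submit">Send</button>
    </form>
    <?php
}

// 2. Handle the submission.
function kreebi_demo_handle_submit() {
    global $wpdb;

    // CSRF: a missing or invalid nonce is rejected with a 403.
    $nonce = isset( $_POST['kreebi_demo_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['kreebi_demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'kreebi_demo_submit' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'kreebi-demo' ), '', array( 'response' => 403 ) );
    }

    // Sanitisation: each field goes through the core function that matches its type.
    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = wp_kses_post( wp_unslash( $_POST['message'] ?? '' ) );

    if ( '' === $name || ! is_email( $email ) ) {
        wp_die( esc_html__( 'Name and a valid e-mail address are required.', 'kreebi-demo' ), '', array( 'response' => 400 ) );
    }

    // SQL: never concatenate. $wpdb->insert() builds a parameterised INSERT
    // using the %d/%s formats, the same mechanism as $wpdb->prepare().
    $table    = $wpdb->prefix . 'kreebi_submissions';
    $inserted = $wpdb->insert(
        $table,
        array(
            'form_id'    => 1,                           // assumed column
            'name'       => $name,                       // assumed column
            'email'      => $email,                      // assumed column
            'message'    => $message,                    // assumed column
            'created_at' => current_time( 'mysql', true ), // assumed column
        ),
        array( '%d', '%s', '%s', '%s', '%s' )
    );
    // The explicit form for a read query looks like this:
    // $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$table} WHERE email = %s", $email ) );

    if ( false === $inserted ) {
        wp_die( esc_html__( 'Could not save the submission.', 'kreebi-demo' ), '', array( 'response' => 500 ) );
    }

    $back = wp_get_referer();
    wp_safe_redirect( add_query_arg( 'submitted', '1', $back ? $back : home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_kreebi_demo_submit', 'kreebi_demo_handle_submit' );
add_action( 'admin_post_nopriv_kreebi_demo_submit', 'kreebi_demo_handle_submit' );

// 3. XSS: escape at output time, choosing the escaper for the context.
// $row is an associative array as returned by $wpdb->get_row( ..., ARRAY_A ).
function kreebi_demo_render_submission( array $row ) {
    printf(
        '<li data-email="%s"><strong>%s</strong>: %s</li>',
        esc_attr( $row['email'] ),       // attribute context
        esc_html( $row['name'] ),        // text-node context
        wp_kses_post( $row['message'] )  // limited HTML: filtered on input, filtered again on output
    );
}
```

Two points worth noting in this layout: sanitisation happens once, on input, but escaping is applied every time a value is rendered, because the correct escaper depends on where the value lands (attribute, text node, URL) rather than on where it came from; and the nonce is checked before anything else is touched, so a forged request never reaches the sanitisers or the database.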

File Upload Validation (Pro)

When file upload fields are used, Kreebi Forms Pro enforces multiple checks:

  • MIME type verification against an allowlist (not just the file extension).
  • File size limits enforced on both client and server.
  • Uploaded files are stored outside the web-accessible directory with randomised filenames.
  • An .htaccess rule prevents direct execution of uploaded files.
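The checks listed above, as an added example that is not Kreebi Forms Pro's own code. It assumes an allowlist of PDF, JPEG and PNG, a 2 MB cap, and a storage directory given by the hypothetical KREEBI_DEMO_UPLOAD_DIR constant, which must resolve to a path outside the web root (here a sibling of the WordPress install). The .htaccess written is Apache 2.4 syntax.

```php
<?php
// Added example (not Kreebi Forms Pro's own code). Assumed: field name,
// allowlist, size cap, and the KREEBI_DEMO_UPLOAD_DIR storage path.
define( 'KREEBI_DEMO_UPLOAD_DIR', dirname( ABSPATH ) . '/kreebi-private-uploads' ); // assumed path, outside the web root

// $file is one entry of $_FILES, e.g. $_FILES['attachment'].
// Returns the opaque stored filename, or a WP_Error describing which check failed.
function kreebi_demo_store_upload( array $file ) {
    $allowed   = array(
        'pdf'  => 'application/pdf',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
    );
    $max_bytes = 2 * MB_IN_BYTES;

    if ( ! isset( $file['tmp_name'], $file['name'], $file['size'], $file['error'] ) ) {
        return new WP_Error( 'no_file', 'No file received.' );
    }
    if ( UPLOAD_ERR_OK !== $file['error'] || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_upload', 'Upload failed or was not a genuine upload.' );
    }

    // Size limit: the client-side check is only a convenience; this one is authoritative.
    if ( (int) $file['size'] > $max_bytes || filesize( $file['tmp_name'] ) > $max_bytes ) {
        return new WP_Error( 'too_large', 'File exceeds the size limit.' );
    }

    // MIME type: inspect the content, not the extension. wp_check_filetype_and_ext()
    // compares the declared extension with the detected type and returns empty
    // ext/type when they disagree; only types in the allowlist pass.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || ! in_array( $check['type'], $allowed, true ) ) {
        return new WP_Error( 'bad_type', 'File type is not allowed.' );
    }
    // Second opinion from libmagic, when the fileinfo extension is available.
    if ( function_exists( 'finfo_open' ) ) {
        $finfo    = finfo_open( FILEINFO_MIME_TYPE );
        $detected = finfo_file( $finfo, $file['tmp_name'] );
        finfo_close( $finfo );
        if ( $detected !== $check['type'] ) {
            return new WP_Error( 'bad_type', 'Detected content does not match the allowed type.' );
        }
    }

    // Storage outside the web root, with a deny-all .htaccess as a safety net
    // in case the directory is ever exposed through Apache.
    $dir = KREEBI_DEMO_UPLOAD_DIR;
    if ( ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'no_dir', 'Storage directory is not writable.' );
    }
    $htaccess = $dir . '/.htaccess';
    if ( ! file_exists( $htaccess ) ) {
        file_put_contents( $htaccess, "Options -Indexes -ExecCGI\nRequire all denied\n" );
    }

    // Randomised filename: the user-supplied name is discarded entirely, and the
    // extension comes from the verified type rather than from the upload.
    $name = wp_generate_password( 32, false, false ) . '.' . strtolower( $check['ext'] );
    $dest = $dir . '/' . $name;
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'move_failed', 'Could not store the file.' );
    }
    chmod( $dest, 0640 );

    return $name;
}
```

Because the directory is outside the document root, the stored name is only useful to a download handler that reads the file from disk after checking the requester's capability; nothing in the directory is reachable by URL, which is what makes the .htaccess a second line of defence rather than the primary one.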

Data Storage

Submission data is stored in dedicated tables within your WordPress database (wp_kreebi_submissions and wp_kreebi_submission_meta). No data is sent to external servers. You maintain complete ownership and control over your data at all times.

Privacy Considerations

Kreebi Forms includes several privacy-friendly options to help you comply with data protection regulations:

  • Disable IP address logging on a per-form or global basis.
  • Auto-delete submissions after a configurable retention period.
  • Integration with the WordPress personal data exporter and eraser tools for GDPR compliance.
  • Optional consent checkbox field that can be required before submission.

Rate Limiting

To protect against spam and abuse, Kreebi Forms includes built-in rate limiting. By default, a single IP address can submit a form a maximum of 5 times per minute. You can adjust this threshold in Kreebi Forms → Settings → Security. Additionally, honeypot fields are added automatically to catch automated bots without requiring user interaction.
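The two measures described above, a per-IP limit of 5 submissions per minute and an automatic honeypot field, as an added example that is not Kreebi Forms' own code. It keeps the counter in a WordPress transient keyed on a hash of the client address, and assumes the honeypot field name kreebi_demo_website, the two constants shown, and that REMOTE_ADDR is the real client address (behind a reverse proxy, substitute the proxy's forwarded header only after confirming the request came from that proxy).

```php
<?php
// Added example (not Kreebi Forms' own code). Assumed: constant names, the
// honeypot field name, and a trustworthy REMOTE_ADDR.
define( 'KREEBI_DEMO_RATE_LIMIT', 5 );                  // submissions ...
define( 'KREEBI_DEMO_RATE_WINDOW', MINUTE_IN_SECONDS ); // ... per window

// Honeypot: a text input humans never see (moved off-screen with CSS rather
// than type="hidden", so a bot that fills every text field trips it).
function kreebi_demo_honeypot_field() {
    echo '<div style="position:absolute;left:-9999px" aria-hidden="true">'
       . '<label for="kreebi_demo_website">Website</label>'
       . '<input type="text" id="kreebi_demo_website" name="kreebi_demo_website" tabindex="-1" autocomplete="off">'
       . '</div>';
}

// True when the honeypot came back non-empty.
function kreebi_demo_honeypot_tripped( array $post ) {
    return isset( $post['kreebi_demo_website'] ) && '' !== trim( (string) $post['kreebi_demo_website'] );
}

// Fixed-window counter: the window starts at the first submission and is not
// extended by later ones. Returns true and records the hit when within limits,
// false when the limit for the current window is already reached.
function kreebi_demo_rate_limit_check( $ip, $limit = KREEBI_DEMO_RATE_LIMIT, $window = KREEBI_DEMO_RATE_WINDOW ) {
    // Store a keyed hash, not the raw address, so the options table holds no IPs.
    $key   = 'kreebi_demo_rl_' . substr( wp_hash( $ip ), 0, 32 );
    $now   = time();
    $entry = get_transient( $key );

    if ( ! is_array( $entry ) || empty( $entry['reset'] ) || $entry['reset'] <= $now ) {
        $entry = array( 'count' => 0, 'reset' => $now + $window );
    }
    if ( $entry['count'] >= $limit ) {
        return false;
    }
    $entry['count']++;
    set_transient( $key, $entry, max( 1, $entry['reset'] - $now ) );
    return true;
}

// Gate to run before any other submission handling.
function kreebi_demo_guard_submission() {
    if ( kreebi_demo_honeypot_tripped( $_POST ) ) {
        // Drop silently: a bot gains nothing from an error page.
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '0.0.0.0';
    if ( ! kreebi_demo_rate_limit_check( $ip ) ) {
        wp_die( esc_html__( 'Too many submissions. Please try again in a minute.', 'kreebi-demo' ), '', array( 'response' => 429 ) );
    }
}
```

One caveat a practitioner should keep in mind: the read-increment-write on the transient is not atomic, so under a persistent object cache two near-simultaneous requests can both pass at count 4. That is acceptable for spam control, where the threshold is a soft limit; for a hard limit, use an atomic increment in the cache backend instead.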

For extra protection, you can also enable Google reCAPTCHA v3 or hCaptcha integration from the settings page. Both options work without disrupting the user experience.