This article explains the mandatory requirements that WordPress site owners and administrators must follow to keep their Gravity Forms secure and compliant.
All site owners must follow the retention policy and mandatory standards to prevent spam, maintain site performance, secure WordPress networks, protect form data, minimize unnecessary data collection, and ensure compliance with UNC data governance principles.
This article does not teach basic tasks like accessing or installing the Gravity Forms plugin, or creating and editing forms. We assume you already know these basics.
Retention Policy
To lower security risks and boost site speed, ITS Digital Services sets a 90-day retention limit on all WordPress networks.
- The system deletes all Gravity Forms entries and uploaded files after 90 days.
- We will manually phase out entries and files uploaded before this policy started.
- Once items hit the 90-day limit, the system removes them forever. You cannot get them back.
WordPress sites are not for long-term storage. Check and export any entries you need before the 90-day deadline.
Form Configuration Standards
You must set up these options to secure forms, stop spam, prevent slow performance, and avoid breaking rules.
Add CAPTCHA
Add Google reCAPTCHA to every form.
Steps:
- Go to Forms > Settings > reCAPTCHA.
- Choose the reCAPTCHA type set up by ITS Digital Services.
- Save your settings.
- Open your form and add the CAPTCHA field.
- Save the form before you publish it.
Enable Honeypot
Turn on the built-in Honeypot anti-spam feature.
Steps:
- Edit your form.
- Go to Form Settings > Form Options.
- Check the box for Enable Anti-Spam Honeypot.
- Save the form.
Limit File Upload Fields
Use file upload fields only when you truly need them.
If you must add a file upload field, follow these rules:
- Limit file types (for example, .pdf, .jpg, .png).
- Block unsafe file types (for example, .exe).
- Set the maximum file size to under 5 MB.
Delete unneeded uploaded files right after you review them.
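The three upload rules above (allowed types, blocked types, size cap) are set in the Gravity Forms field settings. The added example below is not Gravity Forms or WordPress code; it is a stand-alone Python check that shows what those rules mean when applied to an actual file, so a reviewer can see why an allowlist plus a content check is stronger than a list of blocked extensions alone. The blocked-extension list, the 5 MiB reading of "under 5 MB", the magic-byte table and the sample files are all constructed assumptions for this example.

```python
"""Upload policy check: allowlist of extensions, blocked types, size cap, content check.

Added illustration of the file-upload rules; not Gravity Forms code and not the
plugin's API. Constants and sample inputs below are assumptions for the example.
"""
import os

# Allowlist taken from the policy's examples (.pdf, .jpg, .png); .jpeg added for JPEG.
ALLOWED_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".png"}
# Assumed deny list: executables and anything a web server might run or render.
BLOCKED_EXTENSIONS = {".exe", ".php", ".phtml", ".js", ".html", ".svg"}
# "Under 5 MB" read here as strictly less than 5 MiB (assumption).
MAX_BYTES = 5 * 1024 * 1024

# Leading bytes expected for each allowed type, so "fake.png" holding an EXE is caught.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def check_upload(filename, data):
    """Return (accepted, reason). Anything not explicitly allowed is rejected."""
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lower()
    # Every dotted suffix is inspected, so "report.pdf.exe" and "shell.php.jpg"
    # are both rejected even though one of their extensions looks harmless.
    suffixes = {"." + part.lower() for part in base.split(".")[1:]}
    if suffixes & BLOCKED_EXTENSIONS:
        return False, "blocked file type"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "file type not on allowlist"
    if len(data) >= MAX_BYTES:
        return False, "file too large"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def review_uploads(files):
    """Apply check_upload to a {filename: bytes} mapping; returns {filename: reason}."""
    return {name: check_upload(name, data)[1] for name, data in files.items()}


# Constructed sample uploads (contents are just the leading bytes, not real files).
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7 sample",
    "photo.jpg": b"\xff\xd8\xff\xe0 sample",
    "report.pdf.exe": b"MZ sample",
    "shell.php.jpg": b"\xff\xd8\xff sample",
    "notes.docx": b"PK sample",
    "fake.png": b"MZ sample",
}

if __name__ == "__main__":
    for name, reason in review_uploads(SAMPLE_FILES).items():
        print(f"{name:16} {reason}")
```

The check is deliberately allowlist-first: a file must carry an approved extension and start with that type's expected bytes, and any blocked extension anywhere in the name rejects it. Reviewing only the last extension, or only a deny list, would pass several of the constructed samples.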
Require Login for Internal Forms or Forms With File Uploads
Use the UNC Permissions plugin to protect restricted forms with Onyen login.
Steps:
- Go to Plugins > UNC Permissions Plugin > Activate.
- Open the page with the Gravity Form.
- In the Onyen Restricted Content box, check Require Onyen Authentication.
- Test it: Log out (or use a private or incognito browser window) to make sure only logged-in users can access the form.
Data Handling Standards
These rules guide how you manage data to ensure security, reduce risks, and follow university policies.
Export Data Before the 90-day Deadline
Export any data you want to keep before the retention policy deletes it.
Steps:
- Go to Forms > Entries.
- Select the form you want to export.
- Click Export.
- Choose the fields you need and click Download Export File.
- Save the CSV file securely in an approved storage system, such as SharePoint or OneDrive.
Export entries each month to prevent data loss at the last minute.
Prohibit Sensitive Data
Do not collect sensitive data in Gravity Forms.
Examples of prohibited data include:
- Social Security numbers
- Driver’s licenses or government IDs
- Credit card or banking information
- Health or medical records
- Student transcripts, grades, or other personally identifiable information (PII). PII is data that can identify a person.
If you must collect sensitive or regulated information, use these approved tools:
- Qualtrics: For surveys.
- SharePoint or OneDrive: For document storage.
If someone submits sensitive data by mistake:
Collect Only Necessary Data
Limit your form to fields you truly need for your process.
Keep forms short to make them easier to use.
Steps:
- Review all fields before you publish.
- Remove optional or unrelated questions.
- Keep forms short to lower drop-off rates and reduce stored data.
Site Owner Responsibilities
Site owners must make sure their site and all collaborators (administrators, editors, contributors) follow these rules:
Follow Core Rules
- Add CAPTCHA and Honeypot to every form.
- Export entries before the 90-day deadline.
- Monitor for sensitive data and report issues right away.
- Avoid file uploads unless you truly need them.
- Use approved tools (like Qualtrics, Teams, or SharePoint) for sensitive data.
- Use the UNC Permissions plugin to require Onyen login for restricted forms.
- Collect only the minimum data needed.
- Check submissions often for misuse or errors.
Perform the Pre-Publication Checklist
Before you publish a form, confirm that you have:
- Added CAPTCHA
- Enabled Honeypot
- Avoided or restricted file uploads
- Excluded sensitive data fields
- Set up a process to export data before 90 days
- Restricted internal forms with the UNC Permissions plugin
- Limited fields to only what you need
Perform the Pre-Retention Checklist
Before entries hit the 90-day limit, confirm that you have:
- Reviewed entries for relevance
- Exported and securely stored any needed data
- Verified that no sensitive data remains in the system
Site Owner Attestation of Compliance
When you use Gravity Forms, you accept this attestation.
"By using Gravity Forms, I attest that:
- As a site owner, I take responsibility for my site and all form managers (administrators, editors, and contributors).
- I will not collect sensitive or regulated data through Gravity Forms.
- I will ensure all administrators, editors, and contributors on my site follow this policy.
- I understand that violations may lead to suspension or permanent removal from the WordPress network.
- I will tell all collaborators about this policy and require them to follow it."