Hide Preview Form from anyone not logged in

Hi,

I just discovered that the preview of a form is visible to anyone at the URL https://domain.com/wp-admin/admin-ajax.php?action=frm_forms_preview&form=XXX

Is there a way to hide this from anyone not logged in?

I am led to believe that spammers have gotten a hold of this URL somehow. The reason I say this is that the form contains the name of the Post it's on by way of a read-only "Post Title" field. The spam has some random words in this field.

Appreciate any suggestions
Daveed

First thing I would do is use a secure form key. The XXX in your URL example is the form key. Someone would have to know that or guess it to be able to access the form through the preview. If you create it like you would a strong password, it would be hard to hack.

I don't know that you can block the URL entirely because admin-ajax is used by many WordPress and plugin functions. Blocking admin-ajax completely for users that haven't logged in may break your site.

You can also try redirecting the page to your site's main page for people where !is_logged_in() is true, but I'm not sure what the WordPress global $pagenow variable contains when what you want to block is in the query string and not the page name.

Discussion closed.
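
One way to do what the question asks, as an added example that is not part of the original thread or the plugin's own code: hook WordPress's logged-out AJAX action for `frm_forms_preview` (the action name in the URL above) and reject the request before the preview renders. It assumes the plugin registers its preview handler at the default priority; the function name `example_block_public_form_preview` is hypothetical.

```php
<?php
// Added example, not code from the thread or from the plugin.
// Assumption: the preview is served by the admin-ajax action "frm_forms_preview"
// (taken from the URL in the question) and the plugin hooks it at the default
// priority of 10. The function name below is hypothetical.
// Place it in a small site plugin or the active theme's functions.php.

// wp_ajax_nopriv_{action} fires only for requests from logged-out visitors,
// so logged-in users still reach the plugin's normal preview handler and the
// rest of admin-ajax.php is untouched.
// Priority 1 makes this callback run before default-priority handlers.
add_action( 'wp_ajax_nopriv_frm_forms_preview', 'example_block_public_form_preview', 1 );

function example_block_public_form_preview() {
	// Record the attempt so repeated hits on the preview URL show up in the PHP error log.
	// sanitize_text_field() strips tags and line breaks, which keeps each log entry on one line.
	$form_key = isset( $_REQUEST['form'] )
		? sanitize_text_field( wp_unslash( $_REQUEST['form'] ) )
		: '(none)';
	$remote = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf( 'Blocked logged-out form preview: form=%s ip=%s', $form_key, $remote ) );

	// wp_die() ends the request here, so the preview handler never runs.
	wp_die(
		'Form preview is only available to logged-in users.',
		'Forbidden',
		array( 'response' => 403 )
	);
}
```

This closes only the preview URL to logged-out visitors; the form embedded on the published post still accepts submissions, so spam arriving through that route needs separate handling.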