How to prevend malicious files from being uploaded

Hi there,

We are using gravity forms for in depth application forms including several file uploads on WordPress. How can we pre-secure the images applicants are uploading and potentiall videos and PDFs are not malicious and do not contain any malware?

I have googled quite a lot and also found the links in the Gravity Forms Knowledge base to some third party providers but I dont quite get it.

An old website from 2015 shows that it may be possible to use ClamAV for this but is there no proper easy way?

Thanks a lot,

Hi Stefan. I don’t know of a way to integrate a virus scanner with Gravity Forms specifically. However, you can read here about the security that is built around the Gravity Forms file upload fields currently:

Additionally, you may be able to add a plugin like WordFence to secure your site. That’s not specific to Gravity Forms, just WordPress in general.

I will leave this open in case someone can add anything to the discussion.

1 Like


There is no foolproof method to prevent any type of file from injecting itself into a website.

If you detect or suspect one or several files have been uploaded into your website, treat them as you would treat mysterious attachments emailed to your business or personal accounts.

In short, this is what we recommend: (you probably know most of this already)


(1) First and foremost, NEVER use NULLED plugins or themes. Trying to save $50.00 on a plugin or theme, could cost you $250.00+ later on to clean your site.

(2) As @chrishajer mentioned above, read this well-written Gravity Forms article on web security.

(3) Perform a backend malware scan of your website using iThemes Security, Wordfence, or Sucuri. We use iThemes Security Pro.

(4) Go to then perform a website scan for Code Base64 malware. It’s pretty good at detecting it. Caution: It may report false positives.

(5) Download the files to your desktop and perform a malware scan using Norton Security Power Eraser and Malwarebytes (both free). Scan the files with BOTH scanners.

(6) Go to then upload the files for a malware scan.

(7) Contact your host and ask them to perform a malware scan of your website soon after you suspect unknown files have been uploaded into your website. SiteGround, for example, will perform a courtesy malware scan of your website (or files) upon request and tell you immediately if your website has been compromised.

(8) Last, but not the least, you can limit the file types allowed to be uploaded into your website. For example, you can limit uploads to pdf files only, which are usually safe (the file type is hard to mask). We use File Upload Types by WPForms. It’s pretty good. You can also limit the file types via your .htaccess file.

(9) If any of the above methods reveal you have a malicious file, you know what to do. If you know the person or entity that uploaded the file, I would notify them as well.

Above procedure may seem lengthy but, if you follow it, will certainly save you valuable time and money down the road.

Hope this helps a bit.


1 Like

@AeroStar suggestions are very good! Integrating API based virus scanning to the file upload during form submission would likely involve some of the upload field filters. Even in that, there may be periods of time where the potential malicious file needs to exist on your server before the check completes.

If you want to automate the #6 step he describes in a less code-intensive approach you could leverage Gravity Flow’s outgoing webhook and conditional step logic (workflow branches) to determine what to do with the file/entry when a malicious file is detected. Based on the docs from virustotal’s api v2, that might look like:

  • An outgoing webhook call to POST to their /vtapi/v2/file/scan endpoint providing the file.
  • An outgoing webhook call to GET to their /vtapi/v2/file/report endpoint to retrieve scan status. Perhaps adding a schedule delay of a few seconds/minute to ensure their scanning process completes. Using the response mapping feature to store response_code into a text/administrative field on your form.
  • By comparing that response_code field value in step conditions (like field conditions to show/hide based on other fields) you could route the workflow on to your happy path cases of non-malicious files or determine what the next step for malicious files is. That might include an approval or user input step to allow your staff to re-verify or modify the entry, or the Form Connector - Delete an Entry step.

Hope this helps!


Hi Jamie,

Wow, great info. Thank you.

Did you know? You just laid out the foundation for developing a Gravity Forms Security Add-On :slight_smile: I bet you can get users to pay $50+ for it. The add-on documentation, of course, will have to contain a disclaimer or two.

We’ll see what we can do at our end.



Hi there,

thanks for all the replies.

Virus Total API is a fantastic solution but their commercial usage starts from 10k/year.

Is there any similiar provider I could use via API for this?


:grinning: Gravity Flow does enable a wide range of possibilities for businesses to automate and/or reduce bottlenecks in their processes.

I look forward to reading (and sharing) a testimonial or case study if you do build upon that foundation.


@JamieO any idea about another service like Total Virus?

Not specifically sorry. I looked for the API docs of it based on Jonathan’s example/recommend.

Curation sites like programmableweb or may give you some good starting points to evaluate.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

© 2008 - 2021. Gravity Forms is a project by Rocketgenius Inc.