We’re big fans of the popular WordPress plugin Gravity Forms. It’s well maintained and has a plethora of great add-ons to extend its functionality. We use it on dozens of sites to provide reliable and feature-rich form functionality.

One thing Gravity Forms doesn’t do a great job of is telling you where people came from before filling out your form. We’ve been working to create an add-on plugin that will do just that, and while we were testing it we noticed a few things that looked odd. After reviewing entry data we noticed duplicated Source URLs and data in other fields that should always have been unique.

That raised red flags. We started digging and discovered that Gravity Forms has a history of not playing nicely with caching utilities. Upon further investigation, we found that if the page containing your form is being cached statically, then dynamic fields will not always populate accurate data for the current user and can even show data from previous users.

Simply put, if your site has a Gravity Form setup using dynamic fields and you’re running a caching plugin or have server-side caching enabled, you should check your entry data now.


What Is Caching, & How Can I Tell If I’m Running It?

If you don’t know what caching is or you’re not sure if caching is enabled on your site, check with your web developer or server host. You can also use this tool to find out if your page is cached by a popular utility.

When caching is enabled, it typically creates a static copy of the page. This is then served up to the next user so the server doesn’t have to completely regenerate it, thus improving page load times. Some elements of the page are set to not be cached because they need to always be served dynamically, but for reasons we don’t agree with (more on that later), Gravity Forms doesn’t do this. Instead, they allow their forms to be statically cached and thus create a scenario which can cause collected data to be inaccurate or possibly display private data from previous visitors to others.

How Can I Tell if My Data is Affected?

Export your entries from Gravity Forms and look at the data in your dynamic fields. If it’s duplicated when it shouldn’t be, you’re affected.

This issue extends beyond custom dynamic fields. When you review your data export, you’ll notice a column labeled “Source URL”. This data is captured each time a form is submitted and it’s meant to show you what page the user was on when they submitted the form. This is often used in reporting to get a sense of where your forms are being used the most.

The same caching issue can affect the Source URL data as well, compounding the problem and making that data unreliable at best.

Gravity Forms’ Response

We reached out to Gravity Forms and let them know what we found, along with the access to a demo site we’d setup to illustrate the problem. They replied that they “understand how this can be an issue.” Then they recommended that customers exclude pages with forms from caching.

The problem with this answer is that it requires customers to know they have caching enabled, understand how it works, and be able to manually exclude every page with a Gravity Form.

Gravity Forms doesn’t think they should make their plugin load dynamically because some people use forms on every page of their site, which might mean disabling caching on each page. They recommended the Fresh Forms for Gravity plugin which essentially does what they said they won’t do in the core plugin – automatically disabling caching on any page with a Gravity Form.

The irony here is that Fresh Forms is written by Samuel Aguilera, who works for Gravity Forms. This means that they understand the issue, have devoted time to solve it, but rather than documenting it or addressing it in any way in the core plugin, they have simply released a separate plugin that does what the core plugin should do natively.

Fresh Forms was released five months ago, but the history of this issue doesn’t begin there. Three years ago, in April 2017, the first version of the Gravity Forms Cache Buster code was released on Github by another Gravity Forms employee, David Smith. That means that someone in Gravity Forms’ inner circle knew this issue existed on some level as far back as three years ago. It’s worth noting that Fresh Forms doesn’t work with recent versions of LiteSpeed and the Cache Buster code hasn’t been updated since December 2017 and breaks dynamic fields completely.

Yet, despite several attempts by employees to provide solutions over the past three years, Gravity Forms downplayed the severity of the issue in their responses to our emails.

“We’re acutely aware of the impact that caching can have on sites and we do our best to help customers understand how they can mitigate the issue by giving support tailored to each specific environment.” – Gravity Forms

Where We Stand

We don’t believe that simply helping customers who actually know the issue exists is enough. Gravity Forms needs to make it clear, both in the documentation and within the core plugin itself, that if you use dynamic fields in Gravity Forms and your server or website has caching enabled, you must exclude those pages from being cached in order to receive accurate data from form submissions.

After we reported the issue to Gravity Forms, they updated their Dynamic Fields documentation to include a brief note about caching at the bottom of the article. They have since added in more prominent notices within the article, but they don’t bother to give you a solution to resolve the issue; you’re on your own. There are no warnings within the plugin itself. We never would have found this issue had we not been working on an add-on and looking carefully at the data we were collecting.

We also believe that Gravity Forms should be transparent about this issue and notify existing customers of the potential for private data to be made public, even if those situations would be rare, and that other data collected, such as the Source URLs, may not be reliable when it comes from forms on pages that are being cached.

By doing this, Gravity Forms would be taking responsible action to ensure that its customers can take whatever steps are necessary to ensure their valuable data is both reliable and secure.

Would love your thoughts, please comment.x