Serious privacy issue: Files sent through Pro Forms land in Media Library » Search Engines

Hello Bricksforge team,

I noticed that files sent through Pro Forms are stored in the WP Media Library. Since I don’t want to blanket-noindex all file types (the form allows uploading a variety of formats), I can’t think of a way to keep these out of Google.

In my case, Pro Forms is uploading people’s passports, school diplomas and marriage certificates to public folders. This is obviously a colossal privacy issue.

The options that Pro Forms offers don’t work:

None of these have any effect. Here’s a video about it: https:[double slash]youtu.be[slash]Q_DVmUv_mPY

Affected forms:

https:[double slash]sn-translations[dot]de[slash]uebersetzungen-bestellen
https:[double slash]sn-translations[dot]de[slash]en/order-form-en
https:[double slash]sn-translations[dot]de[slash]uk/order-form-uk
https:[double slash]sn-translations[dot]de[slash]ru/order-form-ru

Related report: https:[double slash]forum[dot]bricksforge[dot]io[slash]t[slash]pro-forms-file-upload-skip-adding-to-media-library-not-working

Sorry about the links, the forum software won’t allow me to post links to “that host” (?) and no more than 2 links total, either.

Anyway, what can we do about this?

Thanks!
Matt.

2 Likes

I wouldn’t use BricksForge Pro Forms for sensitive data until they add server-side form configuration. There’s a good reason Stripe integration isn’t available yet.

Instead, I use Flowmattic to handle Pro Forms submissions and route everything exactly where I want without files sitting in public folders.

Here’s my setup:

Create your Pro Form with a hidden field called “form-type” (set it to something like “order-form-en”). You don’t need form submissions enabled. I just use Confetti + Redirect as actions.

In Flowmattic, create a workflow that triggers on BricksForge submissions. Add a condition so it only runs when form-type matches your value (as shown below).

Then build your workflow how you want:

  1. Add data to Google Sheets (or create a post/entry)
  2. Upload files to somewhere secure like Google Drive
  3. Update your API or create WordPress content
  4. Delete the temp uploaded files using the Delete Media node
  5. Optionally send a confirmation email

Pro Forms is honestly one of the best frontend form builders, but it’s lacking compared to dedicated form solutions. I love using it for complex frontend forms, then handling the backend stuff with workflow tools.

I agree that being able to set custom media paths would be great, but it needs to be backend-configured so it can’t be hijacked from the frontend. Plus you’d have compatibility issues with plugins expecting standard WordPress media locations.

*Side note: I built my own secure file storage plugin that keeps files private behind PHP auth, then updates JetEngine Custom Content Types with secure URLs displayed via BricksExtras Modal. Random people can’t access the files unless they’re the actual user who uploaded them.

Hope this helps!

1 Like
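
An added example (not the poster's plugin and not Bricksforge code) of the approach the side note describes: files live outside the web root, and a WordPress handler serves each one only to the logged-in user who owns it. The `PRIVATE_UPLOAD_DIR` constant, the `private_file` query parameter, the `private_file_path()` helper and the per-user folder layout are assumptions made for illustration.

```php
<?php
// Added example. Assumptions (hypothetical, not a Bricksforge API): uploads were
// moved to PRIVATE_UPLOAD_DIR/<user_id>/<file>, a folder outside the web root.
define( 'PRIVATE_UPLOAD_DIR', dirname( ABSPATH ) . '/private-uploads' );

// Map (user, requested name) to a real path, or null when access is not allowed.
function private_file_path( int $user_id, string $requested, string $base = PRIVATE_UPLOAD_DIR ): ?string {
    if ( $user_id <= 0 ) {
        return null; // not logged in
    }
    $name = basename( $requested ); // drop any directory components
    if ( $name === '' || $name[0] === '.' || strpos( $name, "\0" ) !== false ) {
        return null;
    }
    $owner_dir = realpath( $base . '/' . $user_id );
    $path      = realpath( $base . '/' . $user_id . '/' . $name );
    // realpath() resolves symlinks; the result must still be inside the owner's folder.
    if ( ! $owner_dir || ! $path || ! is_file( $path )
        || strpos( $path, $owner_dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $path;
}

add_action( 'init', function () {
    if ( ! isset( $_GET['private_file'] ) || ! is_string( $_GET['private_file'] ) ) {
        return; // not a download request
    }
    $path = private_file_path( get_current_user_id(), wp_unslash( $_GET['private_file'] ) );
    if ( $path === null ) {
        status_header( 404 ); // same answer for "missing" and "not yours"
        exit;
    }
    nocache_headers();
    header( 'X-Robots-Tag: noindex, nofollow' ); // keep the URL out of search indexes
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Content-Type: application/octet-stream' );
    header( "Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode( basename( $path ) ) );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
} );
```

Because the storage folder sits outside the document root, there is no direct URL for a crawler or another visitor to request; the only route to a file is the handler, which derives the folder from the session's user ID rather than from anything in the request.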

Hey Matt!

Could you try to toggle “Direct Server Upload” and check if it makes a difference?

1 Like

Hey @Daniele, so sorry for not responding sooner. The notification landed in my spam folder. I will look into this asap and respond here. Much appreciated.