Securing Gravity Forms Uploads



By default, Gravity Forms uploads files into the uploads folder, so by definition, these are readable by anyone. The file names are obscure, but that isn’t good enough if you are uploading personal information like proof of address.

One solution is to create a ‘safe’: a folder protected by authorisation (e.g. basic auth over SSL), so that only users with this additional username and password can access the documents in the safe.

Note: basic auth over SSL is not considered ultra secure, so depending on the need, restricting access to specific IP addresses or even building a custom endpoint secured by OAuth may need to be considered. With a little bit of engineering you could create an encrypted, low-cost secure ‘safe’ restricted to specific users by using Google Cloud Storage – if you are interested in a tutorial please make a comment below.

The following code snippet makes Gravity Forms use the alternative ‘safe’ for file uploads from all forms (change the values for path and url to match your site).

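// Send every form's file uploads to the protected 'safe' folder.
add_filter("gform_upload_path", function ($path_info, $form_id) {
   $path_info["path"] = "/home/myaccount/public_html/safe/";
   // HTTPS, so the basic-auth credentials are never sent in clear text.
   $path_info["url"] = "https://www.mydomain.com/safe/";
   return $path_info;
}, 10, 2);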

If you want it to apply only to a specific form (e.g. form ID 2), you will need to check the form ID as below:

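// Redirect uploads to the 'safe' for form ID 2 only; other forms keep the default folder.
add_filter("gform_upload_path", function ($path_info, $form_id) {
   // Cast first: the strict comparison would fail if the ID arrives as a numeric string.
   if ( 2 === (int) $form_id ) {
       $path_info["path"] = "/home/myaccount/public_html/safe/";
       // HTTPS, so the basic-auth credentials are never sent in clear text.
       $path_info["url"] = "https://www.mydomain.com/safe/";
   }
   return $path_info;
}, 10, 2);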
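
The filter only changes where files are written; the ‘safe’ folder itself still has to be locked down. The .htaccess below is an added example (not part of the original post) showing basic auth, the SSL requirement and the IP restriction mentioned above in one place. It assumes Apache 2.4 with mod_ssl and an AllowOverride setting that permits AuthConfig, Options and FileInfo; the password file path and the IP range are placeholders.

```apache
# /home/myaccount/public_html/safe/.htaccess
# Added example. Assumes Apache 2.4, mod_ssl, and AllowOverride AuthConfig Options FileInfo.

AuthType Basic
AuthName "Upload safe"
# Placeholder path: keep the password file OUTSIDE public_html so it can never be served.
# Create it with bcrypt hashes:  htpasswd -c -B /home/myaccount/.htpasswd-safe reviewer
AuthUserFile /home/myaccount/.htpasswd-safe

# All three conditions must hold before a file is served.
<RequireAll>
    # Refuse plain HTTP, so the Base64-encoded credentials never travel in clear text.
    Require ssl
    # A valid entry in the password file above.
    Require valid-user
    # Placeholder range (documentation network): replace with your office or VPN addresses.
    Require ip 203.0.113.0/24
</RequireAll>

# No directory listings, so file names cannot be enumerated even after login.
Options -Indexes

# Defence in depth: never serve or execute an uploaded script from this folder.
<FilesMatch "\.(php\d?|phtml|phar)$">
    Require all denied
</FilesMatch>
```

To check the result, request one uploaded file's URL without credentials and confirm the response is 401 (or 403 from an address outside the allowed range), and confirm the same URL over plain http:// is refused.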

