WordPress Security

This section covers how we programmatically secure our WordPress code. It covers sanitization, validation, escaping, and nonces.

Official Handbooks

  • See the Plugin Security section in the Official WordPress Plugin Handbook.
    • Checking User Capabilities
    • Data Validation
      • Discusses built-in PHP functions: isset, empty, mb_strlen, strlen, preg_match, strpos, count, and in_array.
      • Discusses WP core functions: is_email, term_exists, username_exists, and validate_file.
        • Recommends checking the Code Reference for more functions named like *_exists, *_validate, and is_*.
    • Securing Input
    • Securing Ouput
    • Nonces
  • See the Theme Security section in the Official WordPress Theme Handbook.
    • Data Sanitization/Escaping
      • Covers built-in WP sanitization functions including: sanitize_email, sanitize_file_name, sanitize_html_class, sanitize_key, sanitize_meta, sanitize_mime_type, sanitize_option, sanitize_sql_orderby, sanitize_text_field, sanitize_title, sanitize_title_for_query, sanitize_title_with_dashes, sanitize_user, esc_url_raw, wp_filter_post_kses, wp_filter_nohtml_kses.
      • Covers built-in WP escaping functions including: esc_html, esc_url, esc_js, esc_attr, esc_textarea. Including those with localization: _e, __, esc_html__, esc_html_e, esc_html_x, esc_attr__, esc_attr_e, esc_attr_x.
      • Also covers custom escaping using wp_kses including the wrapper wp_kses_post.
      • And for escaping data for the database.
    • Data Validation
    • Using Nonces
      • Covers creating a nonce: wp_nonce_url, wp_nonce_field, wp_create_nonce as well as verifying a nonce: check_admin_referer, check_ajax_referer, wp_verify_nonce.
    • Common Vulnerabilities


Sanitization / Validation / Escaping