Security Protocols
To maintain the integrity and security of the WordPress repository, all contributions and custom implementations must adhere to the following security protocols. These measures ensure that data remains untainted, user intent is verified, and the system is protected against common vulnerabilities such as XSS and CSRF.
Data Sanitization
Sanitization is the process of cleaning input data by stripping out unwanted characters or tags. All user-supplied data must be sanitized before being used in a database query or logic operation.
Recommended Functions
| Function | Usage |
| :--- | :--- |
| sanitize_text_field() | Use for standard text inputs (strips tags and line breaks). |
| sanitize_email() | Use for email addresses (removes invalid characters). |
| absint() | Use for ensuring a value is a non-negative integer. |
| sanitize_textarea_field() | Use for multi-line text (preserves line breaks but strips tags). |
Usage Example
```php
/**
 * Example: Sanitizing a profile update request
 */
public function handle_profile_update() {
	if ( isset( $_POST['user_bio'] ) ) {
		// WordPress adds slashes to $_POST; remove them, then sanitize before processing
		$clean_bio = sanitize_textarea_field( wp_unslash( $_POST['user_bio'] ) );
		update_user_meta( get_current_user_id(), 'description', $clean_bio );
	}
}
```
Data Validation
Validation ensures that the data provided matches the expected format or type. This should occur before any data processing or sanitization.
Recommended Functions
| Function | Type | Description |
| :--- | :--- | :--- |
| is_email() | Boolean | Checks if a string is a valid email format. |
| is_numeric() | Boolean | Checks if the variable is a number or a numeric string. |
| mb_strlen() | Integer | Returns the length of a string in characters (useful for enforcing password length requirements). |
Usage Example
```php
/**
 * Example: Validating a submission
 */
function validate_submission( $email, $age ) {
	// Reject anything that is not a well-formed email address
	if ( ! is_email( $email ) ) {
		return new WP_Error( 'invalid_email', 'Please provide a valid email address.' );
	}
	// Age must be numeric and meet the minimum; check type before comparing
	if ( ! is_numeric( $age ) || $age < 18 ) {
		return new WP_Error( 'invalid_age', 'You must be 18 or older.' );
	}
	return true;
}
```
Nonce Verification
Nonces ("numbers used once") are used to protect against Cross-Site Request Forgery (CSRF) attacks. Every form submission or AJAX request must include and verify a nonce to ensure the request originated from the site and was intended by the user.
Generating a Nonce
When creating a form or a link that performs an action, generate a nonce field.
```php
// In your template or form render logic
?>
<form method="post" action="">
	<?php wp_nonce_field( 'update_settings_action', 'settings_nonce_field' ); ?>
	<input type="text" name="site_notice" />
	<input type="submit" value="Save" />
</form>
<?php
```
Verifying a Nonce
Verify the nonce immediately upon receiving the request before any logic is executed.
```php
/**
 * Example: Verifying the nonce on post request
 */
public function save_settings() {
	// Check that the nonce is present and valid (unslash before verifying)
	$nonce = isset( $_POST['settings_nonce_field'] ) ? sanitize_text_field( wp_unslash( $_POST['settings_nonce_field'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'update_settings_action' ) ) {
		wp_die( 'Security check failed. Please refresh the page and try again.' );
	}
	// A valid nonce proves intent, not authorization: the user must also hold the capability
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to change these settings.' );
	}
	// Proceed with sanitized data
	$notice = isset( $_POST['site_notice'] ) ? sanitize_text_field( wp_unslash( $_POST['site_notice'] ) ) : '';
	update_option( 'site_custom_notice', $notice );
}
```
Data Escaping (Output Security)
To prevent Cross-Site Scripting (XSS), all data must be escaped at the point of output. Never trust data stored in the database, even if it was sanitized on input.
- esc_html(): Use when an HTML element contains a text node.
- esc_attr(): Use when applying data to an HTML attribute (e.g., value or title).
- esc_url(): Use for all URLs, including those in src or href attributes.
- wp_kses_post(): Use when you need to allow safe HTML tags (commonly used for post content).
Usage Example
```php
<!-- Correct escaping on output -->
<div class="user-profile">
	<h2 title="<?php echo esc_attr( $user_name ); ?>">
		<?php echo esc_html( $user_display_name ); ?>
	</h2>
	<a href="<?php echo esc_url( $profile_url ); ?>">View Profile</a>
</div>
```
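The four protocols above are steps of one request lifecycle, so the following added example (not code from these guidelines) shows them together in a single settings round trip: the form is rendered with a nonce and escaped stored values, and the handler verifies the nonce, checks the capability, then validates and sanitizes each field before saving. The option name `site_custom_notice` and the nonce names come from the page; the `site_contact_email` option, the `contact_email` field, the function names and the `admin_post_` action name are assumptions.

```php
<?php
// Added example: hook names, function names and the contact_email field are assumptions.

// 1. Render the form: generate the nonce and escape stored values at output.
function sec_render_notice_form() {
	$notice = get_option( 'site_custom_notice', '' );
	$email  = get_option( 'site_contact_email', '' );
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="save_site_notice" />
		<?php wp_nonce_field( 'update_settings_action', 'settings_nonce_field' ); ?>
		<label>Notice <input type="text" name="site_notice" value="<?php echo esc_attr( $notice ); ?>" /></label>
		<label>Contact <input type="email" name="contact_email" value="<?php echo esc_attr( $email ); ?>" /></label>
		<input type="submit" value="Save" />
	</form>
	<?php
}

// 2. Handle the submission: nonce, then capability, then validate, then sanitize.
function sec_handle_notice_save() {
	$nonce = isset( $_POST['settings_nonce_field'] ) ? sanitize_text_field( wp_unslash( $_POST['settings_nonce_field'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'update_settings_action' ) ) {
		wp_die( 'Security check failed. Please refresh the page and try again.' );
	}
	// The nonce proves the request was intended; the capability proves it is permitted.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to change these settings.' );
	}
	// Validate the email format after sanitizing away invalid characters.
	$email = isset( $_POST['contact_email'] ) ? sanitize_email( wp_unslash( $_POST['contact_email'] ) ) : '';
	if ( '' !== $email && ! is_email( $email ) ) {
		wp_die( 'Please provide a valid email address.' );
	}
	// Sanitize the notice and enforce a length limit (200 characters is an assumed limit).
	$notice = isset( $_POST['site_notice'] ) ? sanitize_text_field( wp_unslash( $_POST['site_notice'] ) ) : '';
	if ( mb_strlen( $notice ) > 200 ) {
		wp_die( 'The notice must be 200 characters or fewer.' );
	}
	update_option( 'site_custom_notice', $notice );
	update_option( 'site_contact_email', $email );
	wp_safe_redirect( wp_get_referer() ?: admin_url() );
	exit;
}
add_action( 'admin_post_save_site_notice', 'sec_handle_notice_save' );
```

Output escaping happens in the render function even though the values were sanitized on input, matching the rule that stored data is never trusted at the point of output.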