WordPress Security
Nonces for CSRF, sanitise all inputs, escape all outputs, check capabilities — security fundamentals.
// 1. Nonces (CSRF protection): tie a form to the current user, session and a named action
wp_nonce_field('save_post_data', 'my_nonce');                        // in the form
if (!wp_verify_nonce($_POST['my_nonce'] ?? '', 'save_post_data')) {  // in the handler
    return;                                                          // or wp_die(); never continue
}
// 2. Sanitise ALL inputs (core adds slashes to $_POST, so wp_unslash() first)
$text  = sanitize_text_field(wp_unslash($_POST['title'] ?? ''));
$email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
$url   = sanitize_url(wp_unslash($_POST['url'] ?? ''));        // storage form; esc_url() is for output
$int   = absint($_POST['count'] ?? 0);
$html  = wp_kses_post(wp_unslash($_POST['content'] ?? ''));    // keeps only post-safe HTML
// 3. Escape ALL outputs, at the moment of output, for the context being written into
echo esc_html($text);          // text between tags
echo esc_attr($text);          // inside a quoted attribute value
echo esc_url($url);            // href/src values; drops javascript: and other unsafe schemes
echo esc_js($js_var);          // inside a single-quoted inline JS string; prefer wp_json_encode() for data
echo wp_kses_post($html);      // rich HTML: filters tags and attributes, does not escape
// 4. Check capabilities (a valid nonce proves intent, not permission)
if (!current_user_can('manage_options')) {
    wp_die('Access denied', 403);
}
// 5. Prepared statements (never interpolate user data into SQL!)
global $wpdb;
$row = $wpdb->get_row($wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}table WHERE id = %d",   // placeholder table name
    $id
));
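The five rules above combined into one working settings page, as an added example that is not code from the original page: a small plugin assuming WordPress 5.9 or later (for sanitize_url()); the wpsec_demo_ prefix, the option name wpsec_demo_opts and the page slug wpsec-demo are invented for the illustration. The handler checks the capability first and the nonce second, unslashes before sanitising, validates what sanitising cannot, and the render function escapes each value for the context it lands in.

```php
<?php
/**
 * Plugin Name: WPSec Demo Settings (added example; every wpsec_demo_ name is invented)
 *
 * One settings form that applies all five rules: capability check, nonce,
 * sanitise on input, escape on output, prepared statements.
 */

// Register the settings page; only users with manage_options get the menu entry.
add_action( 'admin_menu', function () {
    add_options_page( 'WPSec Demo', 'WPSec Demo', 'manage_options',
        'wpsec-demo', 'wpsec_demo_render_page' );
} );

// 3. Escape on output, for the context each value lands in.
function wpsec_demo_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Access denied', '', array( 'response' => 403 ) );
    }
    $defaults = array( 'title' => '', 'email' => '', 'url' => '', 'count' => 0, 'content' => '' );
    $opts     = wp_parse_args( get_option( 'wpsec_demo_opts', array() ), $defaults );

    // 5. Prepared statement: %d/%s placeholders on a core table, no interpolation of user data.
    global $wpdb;
    $published = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_author = %d AND post_status = %s",
        get_current_user_id(), 'publish'
    ) );
    ?>
    <div class="wrap">
      <h1>WPSec Demo</h1>
      <?php if ( ! empty( $_GET['saved'] ) ) : ?>
        <div class="notice notice-success"><p>Settings saved.</p></div>
      <?php endif; ?>
      <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpsec_demo_save">
        <?php wp_nonce_field( 'wpsec_demo_save', 'wpsec_demo_nonce' ); // 1. nonce field ?>
        <p><label>Title <input name="title" value="<?php echo esc_attr( $opts['title'] ); ?>"></label></p>
        <p><label>Email <input name="email" value="<?php echo esc_attr( $opts['email'] ); ?>"></label></p>
        <p><label>URL <input name="url" value="<?php echo esc_attr( $opts['url'] ); ?>"></label></p>
        <p><label>Count <input name="count" type="number" value="<?php echo esc_attr( $opts['count'] ); ?>"></label></p>
        <p><label>Content <textarea name="content"><?php echo esc_textarea( $opts['content'] ); ?></textarea></label></p>
        <?php submit_button( 'Save' ); ?>
      </form>
      <h2>Preview</h2>
      <p><a href="<?php echo esc_url( $opts['url'] ); ?>"><?php echo esc_html( $opts['title'] ); ?></a>
         (<?php echo esc_html( $opts['email'] ); ?>), count <?php echo (int) $opts['count']; ?></p>
      <div><?php echo wp_kses_post( $opts['content'] ); ?></div>
      <p>You have <?php echo (int) $published; ?> published posts.</p>
      <!-- data for JS: JSON-encode it rather than esc_js() a hand-built string -->
      <script>var wpsecDemo = <?php echo wp_json_encode( array( 'title' => $opts['title'] ) ); ?>;</script>
    </div>
    <?php
}

// admin-post.php dispatches to admin_post_{action} for logged-in users.
add_action( 'admin_post_wpsec_demo_save', 'wpsec_demo_handle_save' );
function wpsec_demo_handle_save() {
    // 4. Capability first: a valid nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Access denied', '', array( 'response' => 403 ) );
    }
    // 1. Nonce: check_admin_referer() calls wp_die() itself when the nonce is missing or stale.
    check_admin_referer( 'wpsec_demo_save', 'wpsec_demo_nonce' );

    // 2. Sanitise: core adds slashes to $_POST, so wp_unslash() before sanitising.
    $opts = array(
        'title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'email'   => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'url'     => sanitize_url( wp_unslash( $_POST['url'] ?? '' ) ), // storage form, not esc_url()
        'count'   => absint( $_POST['count'] ?? 0 ),
        'content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    );
    // Sanitising strips, it does not validate: reject what is still wrong afterwards.
    if ( '' !== $opts['email'] && ! is_email( $opts['email'] ) ) {
        wp_die( 'Invalid email address', '', array( 'response' => 400 ) );
    }
    update_option( 'wpsec_demo_opts', $opts );

    wp_safe_redirect( add_query_arg( 'saved', '1', admin_url( 'options-general.php?page=wpsec-demo' ) ) );
    exit;
}
```

Drop the file into wp-content/plugins/ and activate it; the page appears under Settings. Submitting the form without the nonce field (for example, replaying the POST from another origin) ends in wp_die() from check_admin_referer(), and a logged-in user without manage_options is stopped before the nonce is even looked at.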
Topic Quiz · 2 questions
Test your understanding before moving on
1. What is the purpose of wp_nonce_field() in WordPress?
💡 wp_nonce_field() embeds a nonce, a hidden token tied to the current user, session and a named action and valid for 12 to 24 hours, so the handler can confirm with wp_verify_nonce() that the submission came from a form this site generated for this user. That defeats CSRF, but it is not an authorisation check: pair it with current_user_can().
2. Which function correctly escapes a URL for output in WordPress?
💡 esc_url() escapes a URL for output in HTML, typically an href or src attribute, and rejects unsafe schemes such as javascript:. For storing a URL or using it outside HTML, use esc_url_raw() or sanitize_url() instead; never echo those into markup.