Input and Output Security


Handling data securely is an essential component of web application development. The general approach to WordPress data security can be summarized and illustrated as follows:

  • Input should be sanitized before it is persisted to the WordPress database or passed to another API; and
  • Output from WordPress should be escaped before it is delivered to the client.
Diagram of WordPress input/output security schema.
Good WordPress security involves a combination of input sanitization and output escaping.

Securing Input

Input can come from many different sources:

  • direct text input from the user from a field on a form;
  • files uploaded to the server from web forms;
  • external APIs;
  • JavaScript functions which fetch remote data or page fragments;
  • Other WordPress sites via the REST API, RSS feeds or other interfaces;

Securing input in WordPress is handled via two main function families:

  • General Input Sanitization - A collection of functions for sanitizing various types of input. These functions are oriented around specific high-level data types, such as URLs, colors, email addresses, MIME types, etc. They should be used when handling data supplied by the user, or data from external sources such as APIs, remote feeds, etc. Most of these functions begin with the sanitize_ prefix.
  • HTML Input Sanitization - A special collection of functions for sanitizing HTML input from the user or from external data sources. Most of these functions begin with the wp_kses_ prefix.

External input should never be trusted, regardless of whether or not it arrives from a trustworthy source.

Handling Output

Even when measures are taken to secu input, it is still necessary to take protective steps to secure output from WordPress. Securing output in WordPress is handled via a collection of output escape functions. Most of these functions begin with the esc_ prefix.

WordPress Developer Newsletter

Stay informed of new chapter releases, important WordPress API updates and more.