
Plugin security (nonces, sanitization) in WordPress

Introduction

Plugin security keeps your WordPress site safe from malicious requests and malicious input. Nonces verify that a request was intentionally made by the current user rather than forged from another site, and sanitization cleans user input before it is stored or displayed.

Use nonces and sanitization in these situations:

When creating forms that change site data, like settings or posts.
When accepting user input, to avoid storing harmful code or scripts.
When verifying that a request comes from a real user, not an attacker.
When saving or displaying data that users submit.
When building plugins that interact with the database or site files.
Syntax
Wordpress
<?php
// Create a nonce field in a form (the token is tied to the action name and the current user)
wp_nonce_field('action_name', 'nonce_name');

// Check the nonce on form submission. WordPress adds slashes to $_POST values,
// so wp_unslash() must run before the value is compared
$nonce = isset($_POST['nonce_name']) ? sanitize_text_field(wp_unslash($_POST['nonce_name'])) : '';
if (!wp_verify_nonce($nonce, 'action_name')) {
    wp_die('Security check failed');
}

// Sanitize text input (strips tags, line breaks and invalid UTF-8)
$clean_text = sanitize_text_field(wp_unslash($_POST['user_input'] ?? ''));

// Sanitize URL input for storage (esc_url_raw() does not HTML-encode, so use it for saving, not for output)
$clean_url = esc_url_raw(wp_unslash($_POST['user_url'] ?? ''));

Nonces are single-purpose tokens, tied to an action name and the current user and valid for a limited time, that prove a request was intended by that user; they protect form handlers against cross-site request forgery (CSRF).

Sanitization normalizes user input to the form the field is supposed to have (plain text, a URL, a number) and strips anything that does not belong, before the value is saved or used.

Examples
This adds a hidden field with a nonce to your form for security.
Wordpress
<?php
// Add a hidden nonce field to the form; 'save_settings' is the action, 'my_nonce' the field name
wp_nonce_field('save_settings', 'my_nonce');
This checks the nonce to make sure the form submission is valid.
Wordpress
<?php
// Verify the nonce when the form is submitted (unslash the posted value first)
$nonce = isset($_POST['my_nonce']) ? sanitize_text_field(wp_unslash($_POST['my_nonce'])) : '';
if (!wp_verify_nonce($nonce, 'save_settings')) {
    wp_die('Invalid request');
}
This cleans the text input to remove unwanted tags or scripts.
Wordpress
<?php
// Sanitize a text input (missing field becomes an empty string instead of a PHP notice)
$name = sanitize_text_field(wp_unslash($_POST['name'] ?? ''));
This cleans a URL input to make sure it is safe and valid.
Wordpress
<?php
// Sanitize a URL input for storage in the database
$url = esc_url_raw(wp_unslash($_POST['website'] ?? ''));
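The four fragments above are the steps of one procedure. The following is an added example, not code from the original tutorial: a complete settings page that wires those steps together through WordPress's admin-post.php handler, adds the capability check a real handler needs, and chooses a sanitizer per field type. The option key ssf_settings, the action name ssf_save_settings, the nonce field ssf_settings_nonce and the menu slug ssf-settings are assumed names, not values from the page.

```php
<?php
/* Plugin Name: Secure Settings Form (added example) */

// Added example for this page, not part of the original tutorial.
// Assumed names: option 'ssf_settings', action 'ssf_save_settings',
// nonce field 'ssf_settings_nonce', menu slug 'ssf-settings'.

if (!defined('ABSPATH')) {
    exit; // never run outside WordPress
}

// Register a page under Settings in wp-admin; only users with manage_options see it.
add_action('admin_menu', function () {
    add_options_page('Secure Settings', 'Secure Settings', 'manage_options', 'ssf-settings', 'ssf_render_settings_page');
});

// Render the form. The nonce field ties the form to the action name and the current
// user; the hidden "action" field makes admin-post.php route the POST to our handler.
function ssf_render_settings_page() {
    $settings = wp_parse_args(get_option('ssf_settings', []), [
        'site_label' => '',
        'contact'    => '',
        'homepage'   => '',
        'per_page'   => 10,
    ]);
    ?>
    <div class="wrap">
        <h1>Secure Settings</h1>
        <?php if (isset($_GET['saved'])) : ?>
            <div class="notice notice-success"><p>Settings saved.</p></div>
        <?php endif; ?>
        <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
            <input type="hidden" name="action" value="ssf_save_settings">
            <?php wp_nonce_field('ssf_save_settings', 'ssf_settings_nonce'); ?>
            <p><label>Site label
                <input type="text" name="site_label" value="<?php echo esc_attr($settings['site_label']); ?>"></label></p>
            <p><label>Contact e-mail
                <input type="email" name="contact" value="<?php echo esc_attr($settings['contact']); ?>"></label></p>
            <p><label>Homepage URL
                <input type="url" name="homepage" value="<?php echo esc_attr($settings['homepage']); ?>"></label></p>
            <p><label>Items per page
                <input type="number" name="per_page" min="1" max="100" value="<?php echo esc_attr($settings['per_page']); ?>"></label></p>
            <?php submit_button('Save'); ?>
        </form>
    </div>
    <?php
}

// Handle the POST. Order matters: authorization (capability) first, then request
// authenticity (nonce), then input sanitization, and only then the write.
add_action('admin_post_ssf_save_settings', function () {
    if (!current_user_can('manage_options')) {
        wp_die('You are not allowed to change these settings.', '', ['response' => 403]);
    }
    // check_admin_referer() verifies the nonce and dies with an error if it is missing or stale.
    check_admin_referer('ssf_save_settings', 'ssf_settings_nonce');

    // WordPress adds slashes to $_POST; remove them before sanitizing.
    $raw = wp_unslash($_POST);

    // One sanitizer per field, chosen by the type the field must have.
    $settings = [
        'site_label' => sanitize_text_field($raw['site_label'] ?? ''),
        'contact'    => sanitize_email($raw['contact'] ?? ''),
        'homepage'   => esc_url_raw($raw['homepage'] ?? '', ['http', 'https']),
        'per_page'   => min(100, max(1, absint($raw['per_page'] ?? 10))),
    ];

    update_option('ssf_settings', $settings);

    // Redirect back to the page so a browser refresh does not re-submit the form.
    wp_safe_redirect(add_query_arg('saved', '1', admin_url('options-general.php?page=ssf-settings')));
    exit;
});
```

Activate it as a plugin and open Settings → Secure Settings. The handler runs its checks in a deliberate order: current_user_can() decides whether this user may change settings at all (a valid nonce does not grant permission, it only shows the request was intended), check_admin_referer() rejects forged or expired requests, and only then is the input sanitized and stored. esc_url_raw() is used on the way into the database; when the saved value is printed back into the form, esc_attr() escapes it for the attribute context.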
Sample Program

This plugin creates a simple form with a nonce for security. It checks the nonce when the form is submitted and sanitizes the user input before showing it back safely.

Wordpress
<?php
/* Plugin Name: Simple Secure Form */

if (!defined('ABSPATH')) {
    exit; // Do not run if loaded outside WordPress
}

// Show form with nonce
function ssf_show_form() {
    echo '<form method="POST">';
    wp_nonce_field('ssf_action', 'ssf_nonce');
    echo '<label for="ssf_name">Name:</label>';
    echo '<input type="text" id="ssf_name" name="ssf_name">';
    echo '<input type="submit" value="Submit">';
    echo '</form>';
}

// Handle form submission
function ssf_handle_form() {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    // Unslash before verifying: WordPress adds slashes to $_POST values
    $nonce = isset($_POST['ssf_nonce']) ? sanitize_text_field(wp_unslash($_POST['ssf_nonce'])) : '';
    if (!wp_verify_nonce($nonce, 'ssf_action')) {
        echo 'Security check failed.';
        return;
    }
    // Sanitize on input...
    $name = sanitize_text_field(wp_unslash($_POST['ssf_name'] ?? ''));
    // ...and escape on output, for the HTML context the value is printed into
    echo 'Hello, ' . esc_html($name) . '! Your form was submitted safely.';
}

// Shortcode [ssf_form]: handle any submission first, then display the form
add_shortcode('ssf_form', function() {
    ob_start();
    ssf_handle_form();
    ssf_show_form();
    return ob_get_clean();
});
Important Notes

Always verify the nonce before processing form data, so that requests forged from another site are rejected.

Sanitize all user input before saving it, choosing the sanitizer that matches the type the field should hold.

Use esc_html() or the escaping function for the relevant context (esc_attr(), esc_url(), wp_kses_post()) when showing user data, so that user-supplied markup cannot run in the browser (cross-site scripting, XSS).
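Sanitizing on the way in does not remove the need to escape on the way out, and the right escaping function depends on where the value lands in the HTML. The following is an added example, not code from the original tutorial, showing one stored record printed into four different contexts. The option key ssf_profile and the shortcode name ssf_profile are assumed names.

```php
<?php
// Added example for this page, not part of the original tutorial.
// Assumed names: option 'ssf_profile' (already sanitized when saved), shortcode [ssf_profile].

// Render a profile card from stored, previously sanitized values. Escaping is
// done here, at output time, and chosen per context.
function ssf_render_profile_card() {
    $profile = wp_parse_args(get_option('ssf_profile', []), [
        'display_name' => '',
        'tagline'      => '',
        'website'      => '',
        'bio'          => '',
    ]);

    // Text between tags: esc_html() encodes <, >, & and quotes, so a stored
    // "<script>" renders as literal text instead of running.
    $name = esc_html($profile['display_name']);

    // Attribute values: esc_attr() so a stray quote cannot close the attribute
    // and start a new one such as an event handler.
    $tagline = esc_attr($profile['tagline']);

    // href/src: esc_url() allows only permitted schemes (http, https, mailto, ...)
    // and returns an empty string for anything else, such as javascript: URLs.
    $website = esc_url($profile['website']);

    // Rich text the user is allowed to format: wp_kses_post() keeps the HTML
    // permitted in post content (links, emphasis, lists) and strips script
    // tags and on* attributes. Plain esc_html() would show the tags literally.
    $bio = wp_kses_post($profile['bio']);

    $html  = '<div class="ssf-card">';
    $html .= '<h3 title="' . $tagline . '">' . $name . '</h3>';
    if ($website !== '') {
        // Same value, two contexts: attribute (esc_url) and visible text (esc_html)
        $html .= '<p><a href="' . $website . '" rel="nofollow">' . esc_html($website) . '</a></p>';
    }
    $html .= '<div class="ssf-bio">' . $bio . '</div>';
    $html .= '</div>';
    return $html;
}

add_shortcode('ssf_profile', 'ssf_render_profile_card');
```

The rule of thumb this illustrates: sanitize once when data enters (as in the Sample Program), and escape every time data leaves, as late as possible and with the function that matches the destination. A value that is safe as text between tags is not automatically safe inside an attribute or an href.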

Summary

Nonces protect your plugin from forged requests.

Sanitization cleans user input to keep your site safe.

Always use both together when handling user data in plugins.