Essential Checklists Before Save Data in WordPress

Save data in WordPress securely to reduce the chance of SQL injection and increase the stability of your project.

Using a few techniques, we can make WordPress plugin development very secure. We use these techniques in every plugin development project at flippercode.

Essential Checklist for Data Validation

The checklist applies whenever you take one of the following actions in your WordPress project.

  • Use of add_post_meta or update_post_meta.
  • Creating your own form to take input from users.
  • Creating an option page for theme development.
  • Adding a setting page for your plugin.

We take 3 main steps before saving data in WordPress, described in detail below.

  1. Use of Nonce
  2. Check User Permission
  3. Sanitize user input.

Why and How to Use Nonce in WordPress

An example makes it clear why we need to use a nonce in WordPress.

Suppose you have a table with user data in each row and a delete button to remove the user. Most probably the delete button will generate a URL like "index.php/action=delete&userid=2" and will delete the user with user id=2.

What happens if someone modifies the URL to delete user id 3 without clicking the delete button? If you didn't use a nonce, the request will work and will delete the user.

So the solution is a 'NONCE', which means 'Number Used Once'.

A nonce can be created in 3 ways, depending on its purpose. Below are 3 examples, one for each.

  • Adding a nonce to a URL – Suppose we're creating a delete button as below.

    The following code adds a nonce to the URL, which ensures that someone must click the delete button to trash a user.

    So using wp_nonce_url(), we added a nonce parameter to the URL. Your new URL will look like the one below.

    To verify the nonce on the action URL, use the check_admin_referer function as below.

    If nonce verification fails, it returns a 403 Forbidden error and terminates the script.
  • Adding a nonce in a form: Using the wp_nonce_field() function, we add a hidden field to the form. If we're creating a custom login form, we can use wp_nonce_field as below.

    check_admin_referer is used here to verify the nonce, as mentioned above.

  • Using a nonce in Ajax requests: You can use the wp_create_nonce() function to create a nonce and pass it as a variable in Ajax.

Check User Permission in WordPress

Each user has their own permissions in WordPress. It's always a best practice to check the permissions of the user who is handling data. Below is code to check if the user has edit permission.

Importance of Sanitization in WordPress

Sanitization is a technique used to make sure user input is absolutely safe to be saved in the database or displayed on a web page. A form in WordPress can be protected from Cross-Site Scripting with the help of sanitization.

Use the sanitize_text_field() function to sanitize text field input before sending it to the database.


It's a best practice to always keep your objects in a valid state before saving them to the database or displaying them on a web page. It's not necessary to run validation when you're displaying data that is already saved in the database, but don't forget to do so when data is going into the database.
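
The three steps above combined in one save handler, as an added example that is not flippercode's own code: a form that stores a text field in post meta through admin-post.php. The fc_demo_ function names, the fc_demo_save_subtitle action, the _fc_demo_subtitle meta key and the form field names are hypothetical.

```php
<?php
// Added example. All fc_demo_* names and the meta key are hypothetical.

// Render the form with a hidden nonce field bound to one specific post.
function fc_demo_render_form( $post_id ) {
    $post_id = absint( $post_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="fc_demo_save_subtitle">
        <input type="hidden" name="post_id" value="<?php echo esc_attr( $post_id ); ?>">
        <?php wp_nonce_field( 'fc_demo_save_subtitle_' . $post_id, 'fc_demo_nonce' ); ?>
        <input type="text" name="fc_demo_subtitle">
        <button type="submit">Save</button>
    </form>
    <?php
}

// admin-post.php dispatches logged-in requests to admin_post_{action}.
add_action( 'admin_post_fc_demo_save_subtitle', 'fc_demo_handle_save' );

function fc_demo_handle_save() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Step 1: nonce. check_admin_referer() stops the request with a 403
    // when the nonce is missing, expired, or was issued for another post.
    check_admin_referer( 'fc_demo_save_subtitle_' . $post_id, 'fc_demo_nonce' );

    // Step 2: permission. A valid nonce shows the request came from our
    // form; it does not show that this user may edit this post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to edit this post.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Step 3: sanitize. WordPress adds slashes to $_POST, so unslash first,
    // then strip tags, line breaks and extra whitespace.
    $raw      = isset( $_POST['fc_demo_subtitle'] ) ? wp_unslash( $_POST['fc_demo_subtitle'] ) : '';
    $subtitle = sanitize_text_field( $raw );

    update_post_meta( $post_id, '_fc_demo_subtitle', $subtitle );

    // Redirect only to a local URL so the handler is not an open redirect.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
```

Including the post ID in the nonce action means a nonce issued for one post cannot be replayed against another, which is the modified-ID case described in the nonce section.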

Flipper Code

We have been building WordPress plugins at flipper code since 2008. We follow the WordPress coding standards, which ensures we deliver excellent WordPress plugins and services.
