Save data in WordPress in a secure way to reduce SQL injections chances and increase the stability of your project.

Using few techniques we can make our WordPress plugin development very secure which we use in our every plugin development project at flippercode.

Essential Checklist for Data Validation

A checklist can be applied whenever you take one of the following action on your WordPress project.

  • Use of add_post_meta or update_post_meta.
  • Creating your own form to take input from users.
  • Creating an options page for theme development.
  • Adding a setting page for your plugin.

Mainly 3 steps we take before saving data in WordPress which are described in details below.

  1. Use of Nonce
  2. Check User Permission
  3. Sanitize user input.

Why and How to Use Nonce in WordPress

I’d like to explain you using an example why we need to use nonce in WordPress to understand it clearly.

Suppose you have a table with user data in each row and a delete button to remove the user. Most probably delete button will generate a URL like “index.php/action=delete&userid=2” and will delete user which has user id=2.

What will happen if someone attempts to modify URL to delete user id 3 without clicking on delete button? if you didn’t use nonce, it’ll work and will delete the user.

So the solution is ‘NONCE’ which means ‘Number Used Once’.

A nonce can be created in 3 ways according to the purpose of it. Below are 3 examples to explain each of one.

  • Adding a nonce to URL – Suppose we’re creating a delete button as below.
    Delete Me

    The following code will add a nonce field in the URL which makes it sure that someone must click on delete button to trash a user.

    <!--?php
    
    $delete_url = wp_nonce_url('index.php?action=delete&userid=2', 'delete-user-2');
    
    // here 'delete-user-2' will be used to verify this nonce.
    
    echo "Delete";
    
    ?>

    So using wp_nonce_url(), we added a nonce parameter is the URL. Your new URL will look like as below.

    Delete Me

    To verify the nonce on action URL, use check_admin_referer function as below.

    if($_GET['action']=='delete')
    {
      check_admin_referer('delete-user-2') 
      // To Do
    }

    If nonce verification failed, it gives 403 forbidden error and terminates the script.

  • Adding a nonce in Form : Using wp_nonce_field() function, we add a hidden field in the form. If we’re creating a custom login form, we can use wp_nonce_field as below.

    check_admin_referer is used here to verify the nonce as mention above.

  • Use Nonce in Ajax Requests: You can use wp_create_nonce() function to create a nonce and pass that as a variable in Ajax.

Check User Permission in WordPress

Each user has own permission in WordPress. It’s always a best practice to check user permission who is handling data. Below is code to check if the user has edit permission.

if ( 'page' == $_POST['post_type'] ) {

    if ( ! current_user_can( 'edit_page', $post_id ) )
        return $post_id;

  } else {

    if ( ! current_user_can( 'edit_post', $post_id ) )
        return $post_id;
  }

Importance of Sanitization in WordPress

Sanitization is a technique which used to make sure user input is absolutely safe to be saved in database or display on a web page. A form in WordPress can be safe from Cross-Site Scripting with help of sanitization.

Use sanitize_text_field() function to sanitize a text field input before send to database.

 $txt_field = sanitize_text_field( $_POST['custom_txt_field'] );

Conclusion

It’s a best practice to always keep your objects in a valid state before save in database or display on the webpage. It’s not necessary to check validations when you’re going to display a data on the web page which already saved in database but don’t forget to do so when data is going into a database.