21 February, 2019 steades

The Importance of Data Validation for Security in WordPress

It is impossible to guarantee security for WordPress without proper dealings on the validation of data obtained from users. The issue is of utmost importance and developers in general need to take the matter most seriously.


Data validation is important and has some simple and objective rules to be followed:

  1. Do not rely on users and data that are delivered;
  2. Your code in addition to functional needs to be safe;
  3. Validate input data and output data;
  4. Make use of the native WordPress functions for data validation.

Do not rely on users and data that are delivered

Even in an environment that requires the authentication of its users, should not trust the people behind the screens that are using the interface. If a data entry requires a number and nothing else, ignore any other type of data received. Accept and move on only with the expected data.

Users can have their accounts hacked and attackers can make misuse of the system if the data is not validated as it should be. Moreover, data has different sources, each data source specific context require dealings. For example, there is data from the input of users, data captured on third party sites, data captured in the database.

Your code in addition to functional needs to be safe

Having a functional code in the theme and plugins developed for a project in WordPress is more than an obligation to any developer. Good people go further and ensure greater safety for all ecosystem through validation of consistent data.

Validate input data and output data

The validation data must be considered in two extremes: The input and output data. The type of validation to each scenario to be in accordance with context information.

Data entries in WordPress happen in different scenarios, such as themes and plugins configuration interfaces, configuration screens of WordPress users’ login, shortcode parameters, meta posts, pages and several other sources.

The data outputs need much attention as inputs, since they contribute to the XSS vulnerabilities, poorly formatted HTML tags, for example. Moreover, even if an output of information to be extracted from a database also needs to be validated, we cannot trust or ensure that they were properly validated for their input.

Make use of the native WordPress functions for data validation

WordPress and PHP provide specific functions for the validation of all kinds of data and its various contexts. It is important to know all of them and their ways of use to ensure security in their codes of plugins and themes.

The types of data that need to be validated:

  • Markings HTML / XML;
  • Texts and tag values;
  • Tag attributes;
  • JavaScript code;
  • URLs;
  • SQL statements;
  • System Files;
  • HTTP headers;
  • In general all the information of inputs and outputs.

Get Connected.

We are always looking for new exciting projects and collaborations. Feel free to contact us.