Sanitizing, Escaping and Validating Data in WordPress

When creating WordPress plugins and themes for or themeforest , which can be used across thousands of websites, you would like to take care about the way to handle each the data coming back into WordPress, and also the data that’s being presented to the user.

In this tutorial, we are planning to explore the native functions that may secure, clean and check data that’s returning in or going out of WordPress. this is often necessary once making a settings page, HTML form, manipulating shortcodes, hook,filtering, echo and so on.

Validating, sanitizing and escaping are techniques that are foundational to the security of your website, application or software product. Learn how WordPress makes it easy for you to secure your code and start writing better code today!

Sanitizing, Escaping and Validating Data in WordPress

What is Sanitizing?

In a nutshell, sanitizing is cleaning user input. It is the process of removing text, characters or code from input that is not allowed.

Gmail Example: Gmail removes <style> tags and their contents from HTML email messages before they are displayed on the Gmail browser client. This is done to prevent email CSS from overwriting Gmail styles.

WordPress Example: Widget titles cannot have HTML tags in them. If you put HTML tags in them, then they are automatically removed before the title is saved.

There are various functions provided by WordPress to sanitize different data into different forms. Here are some of them:


This function strips out all characters that are not allowed in an email address. Code example:

<?php echo sanitize_email("narayan"); //Output ""

Email address don’t allow whitespace characters. Therefore, the whitespace characters were removed from my email address.


This function strips characters from a filename that can cause issues while referencing the file in the command line. This function is used by WordPress Media Uploader to sanitize media file names. Code example:

<?php    echo sanitize_file_name("_profile pic--1_.png"); //Output "profile-pic-1_.png"

Here, the underscore at the beginning of the name was removed and double dashes were replaced by one single dash. And, finally, whitespace was replaced by a single dash.


Meta Data and Transients Keys can only have lowercase alphanumeric characters, dashes and underscores. This function is used to sanitize the keys. Code example:

<?php    echo sanitize_key(""); //Output "httpsitepointcom"

Here, uppercase characters were converted to lowercase characters and other invalid characters were removed.


This function removes invalid UTF-8 characters, converts HTML specific characters to entities, strips all tags, and removes line breaks, tabs and extra whitespace, strip octets.

WordPress uses this to sanitize widget titles.

<?php    echo sanitize_text_field("<b>Bold<</b>"); //Output "Bold&lt;"


This function removes PHP and HTML tags from a string, as well as removing accents. Whitespace characters are converted to dashes.

Note: This function is not used to sanitize titles. For sanitizing titles, you need to use sanitize_text_field. This function is used by WordPress to generate the slug for the posts/pages from the post/page title. Code example:

<?php    echo sanitize_title("Sanítizing, Escaping and Validating Data in WordPress"); //Output "sanitizing-escaping-and-validating-data-in-wordpress"

Here the í character was converted to i and whitespaces were replaced with the -character. And, finally, uppercase characters were converted to lowercase characters.

What is Escaping?

In a shell, sanitizing is cleanup user input. it’s the process of removing text, characters or code from input that’s not allowed..

Escaping converts the special HTML,Js characters to HTML entities so that they are displayed, instead of being executed.

WordPress provides some functions to escape different varieties of data.


This functions escapes HTML specific characters. Example code:

<?php    echo esc_html("<html>HTML</html>"); //Output "&lt;html&gt;HTML&lt;/html&gt;"


Use esc_textarea() instead of esc_html() while displays text in textarea. Because esc_textarea() can double encode entities.


This function encodes the <,>, &, " and ‘ characters. It will never double encode entities. This function is used to escape the value of HTML tags attributes.

<?php    echo esc_html("<html>HTML</html>"); //Output "&lt;html&gt;HTML&lt;/html&gt;"


URLs can also contain JavaScript code in them. So, if you want to display a URL or a complete <a> tag, then you should escape the href attribute or else it can cause an XSS attack.

<?php   $url = "javascript:alert('Hello')";  ?>  <a href="<?php echo esc_url($url);?>">Text</a>


This is used if you want to store a URL in a database or use in URL redirecting. The difference between esc_url and esc_url_raw is that esc_url_raw doesn’t replace ampersands and single quotes.


There are lots of email bots, which are constantly looking for email addresses. We may want to display the email address to the users, but not want it to be recognised by email bots. antispambot allows us to do that exactly.

antispambot converts email address characters to HTML entities to block spam bots. Example code:

<?php    echo antispambot(""); //Output "&#110;&#97;&#114;&#97;y&#97;npr&#117;sty&#64;s&#105;&#116;e&#112;oi&#110;&#116;.&#99;om"

What is Validating?

validating is checking user input. This is done to check if the user has entered a valid value.

If data is not valid, then it is not processed or stored. The user is asked to enter the value again.

Example: While creating an account,finance or any other a site, we are asked to enter the password twice. Both the passwords are validated; they are checked to confirm whether they both are same or not.

You shouldn’t rely on HTML5 validation as it can be easily bypassed. Server side validation is required before sending or storing specific data.

WordPress provides a number of functions to validate only some types of data. Developers usually define their own functions for validate data. Let’s see some WordPress provided validation functions:


Email validation is required while submitting comments, contact forms, and creating an account. is_email() function is provided by WordPress to check if a given is an email address or not. Code example:

<?php    if(is_email(""))  {    echo "Valid Email";  }  else  {   echo "Invalid Email";  }


is_serialized() checks if the passed data is string or not. WordPress uses this function while storing options, meta data and transients. If value associated with a key is not a string then WordPress serializes it before storing in database.

Here is example code on how you can use it:

<?php    $data = array("a", "b", "c");    //while storing    if(!is_serialized($data))   {     //serialize it     $data = maybe_serialize($data);       //or else ask user to re-input the data  }    //while displaying    echo maybe_unserialize($data);


We saw what sanitizing, validating and escaping are, and why it is important for every developer to know the functions associated with them. You can find more reading on the topic at the Codex page on It is always a good idea to include these functions when developing a incredible WordPress theme or plugin. Unfortunately, quite a lot of plugins are poorly developed, and do not escape the output. The result is that they make the website open to potential XSS attacks. Please feel free to include any comments or helpful tips in the section below.

Inspire us with your love!


Art of Awesome Professional WordPress themes & Site templates. Our responsive themes are designed to work seamlessly for all desktop and mobile devices. Modern, Clean & Easy To Use.

You can check also