WordPress Security & Data Validation

Version: 1.0.0 Target: WordPress 6.7+ | PHP 8.3+ Skill Level: Intermediate to Advanced

Overview

Security is not optional in WordPress development—it's fundamental. This skill teaches the three-layer security model that prevents XSS, CSRF, SQL injection, and other common web vulnerabilities through proper input sanitization, business logic validation, and output escaping.

The Golden Rule: "Sanitize on input, validate for logic, escape on output."

Why This Matters

Every year, thousands of WordPress sites are compromised due to security vulnerabilities in plugins and themes. Most of these attacks exploit one of three weaknesses:

1. XSS (Cross-Site Scripting): Malicious JavaScript injected through unsanitized output
2. CSRF (Cross-Site Request Forgery): Unauthorized actions performed on behalf of authenticated users
3. SQL Injection: Database manipulation through unsanitized database queries

This skill provides complete, production-ready patterns for preventing all three attack vectors.

The Three-Layer Security Model

WordPress security follows a defense-in-depth strategy with three distinct layers:

User Input → [1. SANITIZE] → [2. VALIDATE] → Process → [3. ESCAPE] → Output

Layer 1: Sanitization (Input Cleaning)

Purpose: Remove dangerous characters and normalize data format When: Immediately upon receiving user input Example: sanitize_text_field($_POST['username'])

Layer 2: Validation (Logic Checks)

Purpose: Ensure data meets business requirements When: After sanitization, before processing Example: if (!is_email($email)) { /* error */ }

Layer 3: Escaping (Output Protection)

Purpose: Prevent XSS by encoding special characters When: Every time you output data to browser Example: echo esc_html($user_input);

Critical Distinction:

• Sanitization removes/transforms invalid data (changes the value)
• Validation checks if data is acceptable (returns true/false)
• Escaping makes data safe for display (context-specific encoding)

1. Nonces: CSRF Protection

What Are Nonces?

Nonces (Numbers Used Once) are cryptographic tokens that verify a request originated from your site, not a malicious external source. They prevent Cross-Site Request Forgery (CSRF) attacks.

How CSRF Attacks Work:

<!-- Attacker's malicious site: evil.com -->
<img src="https://yoursite.com/wp-admin/admin.php?action=delete_user&id=1">
<!-- If user is logged into yoursite.com, this executes! -->

How Nonces Prevent CSRF:

<!-- Legitimate request with nonce -->
<form action="admin.php?action=delete_user&id=1" method="POST">
    <?php wp_nonce_field('delete_user_1', 'delete_nonce'); ?>
    <button>Delete User</button>
</form>

<!-- Attacker cannot generate valid nonce (tied to user session) -->

Nonce Implementation Patterns

Pattern 1: Form Nonces (Most Common)

BEFORE (Vulnerable):

// Vulnerable form processing
if (isset($_POST['submit'])) {
    $user_id = absint($_POST['user_id']);
    delete_user($user_id); // ⚠️ CSRF vulnerable!
}

AFTER (Secure):

// Generate nonce in form
<form method="post" action="">
    <?php wp_nonce_field('delete_user_action', 'delete_user_nonce'); ?>
    <input type="hidden" name="user_id" value="42">
    <button type="submit" name="submit">Delete User</button>
</form>

// Verify nonce on submission
if (isset($_POST['submit'])) {
    // Security check #1: Verify nonce
    if (!isset($_POST['delete_user_nonce']) ||
        !wp_verify_nonce($_POST['delete_user_nonce'], 'delete_user_action')) {
        wp_die('Security check failed: Invalid nonce');
    }

    // Security check #2: Capability check
    if (!current_user_can('delete_users')) {
        wp_die('You do not have permission to delete users');
    }

    // Now safe to process
    $user_id = absint($_POST['user_id']);
    wp_delete_user($user_id);
}

Key Functions:

• wp_nonce_field($action, $name) - Generates hidden nonce field
• wp_verify_nonce($nonce, $action) - Verifies nonce validity

Pattern 2: URL Nonces

Use Case: Delete/trash links, admin actions

// Generate nonce URL
$delete_url = wp_nonce_url(
    admin_url('admin.php?action=delete_post&post_id=123'),
    'delete_post_123',  // Action (must be unique)
    'delete_nonce'      // Query parameter name
);

echo '<a href="' . esc_url($delete_url) . '">Delete Post</a>';

// Verify nonce in handler
add_action('admin_action_delete_post', 'handle_delete_post');
function handle_delete_post() {
    // Verify nonce from URL
    if (!isset($_GET['delete_nonce']) ||
        !wp_verify_nonce($_GET['delete_nonce'], 'delete_post_123')) {
        wp_die('Invalid security token');
    }

    // Verify capability
    $post_id = absint($_GET['post_id']);
    if (!current_user_can('delete_post', $post_id)) {
        wp_die('You cannot delete this post');
    }

    // Delete post
    wp_delete_post($post_id, true); // true = force delete

    // Redirect with success message
    wp_redirect(add_query_arg('message', 'deleted', wp_get_referer()));
    exit;
}

Pattern 3: AJAX Nonces

Use Case: Frontend AJAX requests

BEFORE (Vulnerable):

// ⚠️ Vulnerable AJAX request
jQuery.post(ajaxurl, {
    action: 'update_user_meta',
    user_id: 42,
    meta_key: 'favorite_color',
    meta_value: 'blue'
}, function(response) {
    console.log(response);
});

AFTER (Secure):

PHP (Enqueue script with nonce):

add_action('wp_enqueue_scripts', 'enqueue_ajax_script');
function enqueue_ajax_script() {
    wp_enqueue_script('my-ajax-script',
        plugin_dir_url(__FILE__) . 'js/ajax.js',
        ['jquery'],
        '1.0.0',
        true
    );

    // Pass nonce and AJAX URL to JavaScript
    wp_localize_script('my-ajax-script', 'myAjax', [
        'ajaxurl' => admin_url('admin-ajax.php'),
        
how to use wordpress-security-validation
CursorClaude CodeClineCodexWindsurfGooseGitHub CopilotVS CodeGemini CLIKiloOpencodeKimi CLIRoo ClineAiderContinueZedBolt.newLovablev0Replit AgentSweepSmol DeveloperDevinCavemanAmpAntigravity
How to use wordpress-security-validation on Cursor
AI-first code editor with Composer
1
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
›Cursor installed and configured on your development machine
›Node.js version 16.0+ with npm package manager (verify with node --version)
›Active project directory or workspace where you want to add wordpress-security-validation
2
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
$npx skills add https://github.com/bobmatnyc/claude-mpm-skills --skill wordpress-security-validationcopy
The skills CLI fetches wordpress-security-validation from GitHub repository bobmatnyc/claude-mpm-skills and configures it for Cursor.
3
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
◆ Which agents do you want to install to?
│
│ ── Universal (.agents/skills) ── always included ────
│   • Amp
│   • Antigravity
│   • Cline
│   • Codex
│ ●Cursor(selected)
│   • Cursor
│   • Windsurf
4
Verify installation
Confirm successful installation by checking the skill directory location:
.cursor/skills/wordpress-security-validation
Reload or restart Cursor to activate wordpress-security-validation. Access the skill through slash commands (e.g., /wordpress-security-validation) or your agent's skill management interface.
⚠
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
Additional Resources
›View source code on GitHub›Skills CLI documentation›Learn more about Cursor›What are agent skills?