Filtering input and escaping output for WordPress

If you’re a WordPress developer and want to take some important steps to keep your website secure, then this article is for you. 

First, let’s start by defining what input and output refer to in the context of a website or web application. 

Input is not limited to content entered by the user. It also covers scenarios like reading from configuration and system files, retrieving information from a database, or fetching data from third-party APIs. Filtering is also referred to as validating, securing, cleaning, or sanitizing; all of these synonyms give you good context for what it means. In a nutshell, it’s the process of “screening” all the data that enters your application to ensure it’s both safe and valid. 

Input (as explained above) can come from many different sources, and it can be faulty or present a threat, whether on purpose or by accident. You want to make sure it’s valid before performing any actions, so the application works as expected. You also want to protect against malicious attacks and therefore prevent your application/website from getting hacked. According to the PHP Security Consortium, “a whitelist approach is better than a blacklist approach. This means that you should consider all data invalid unless it can be proven valid (rather than considering all data valid unless it can be proven invalid).” 

Output refers to anything that leaves your application, such as the HTML content displayed by the browser, SQL queries sent to your database, a banner advertisement, or data written into files. Filtering your input ensures that data complies with expectations. For example, in a form, it ensures that names don’t contain specific characters that are not accepted. Escaping the output, on the other hand, makes sure it contains (or, depending on the case, keeps it from containing) characters that have a special meaning in the medium where it will be used. The name of a user may be accepted by the input filtering, but if it contains words specific to SQL that could change the content of your database, that’s when escaping comes in. 

Escaping output means scrapping unwanted data before the application takes an action on it. This could be before rendering it to the user or before running an SQL query. Escaping before a query helps prevent storing untrusted, injected data, and escaping before rendering prevents cross-site scripting (XSS).

How can you apply this in WordPress? 

Now that we’ve clarified what these two concepts mean, why they are important, and what they protect against, let’s talk about how you can apply them in WordPress. 

You can filter or sanitize your data by using WordPress’s built-in functions. These are a series of 15+ sanitize_*() helper functions that require minimal effort from the developer to implement but will help you keep your data secure. You can read the specifics about each of them in the WordPress Codex.

Another great way to keep information secure is the use of nonces. The word is an acronym for “Number used ONCE”. It’s a unique number that can only be used once, and it’s meant to verify the origin and intent of requests, such as submitting a form. Each user is assigned a nonce each time they try to submit a form; if WordPress detects subsequent attempts with the same nonce, the request is considered an attack and fails. 

Similarly, you can secure your output by using the built-in escaping helper functions, which apply to different types of scenarios. Find more information on them by heading to this link.

An example of this is the function wp_kses(). As stated on their website, KSES is a recursive acronym that stands for “KSES Strips Evil Scripts”.

What the function does is filter text content and strip out disallowed HTML, keeping only allowed HTML element names, attribute names, attribute values, and HTML entities. This one in particular applies to both input and output. 
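As an added example (not code from this article or from WordPress itself), here is a small plugin-style form handler that combines the practices described above: a nonce to verify the origin and intent of the request, sanitize_*() and wp_kses() on the way in, and esc_*() on the way out. The fio_ function names, the fio_profile option and the admin_post hook name are assumptions chosen for this example; every WordPress function called is a real one.

```php
<?php
// Whitelist of HTML allowed in the "bio" field, passed to wp_kses(). Anything not
// listed here (script tags, event handlers, unknown attributes) is stripped.
function fio_allowed_bio_html() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'em'     => array(),
        'strong' => array(),
        'p'      => array(),
    );
}
// Render the form. wp_nonce_field() ties the request to the 'fio_save_profile' action.
// Stored values are escaped for the context they land in: attribute, textarea, HTML.
function fio_render_form() {
    $saved = get_option( 'fio_profile', array( 'name' => '', 'email' => '', 'bio' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'fio_save_profile', 'fio_nonce' ); ?>
        <input type="hidden" name="action" value="fio_save_profile">
        <input type="text"  name="name"  value="<?php echo esc_attr( $saved['name'] ); ?>">
        <input type="email" name="email" value="<?php echo esc_attr( $saved['email'] ); ?>">
        <textarea name="bio"><?php echo esc_textarea( $saved['bio'] ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <div class="bio"><?php echo wp_kses( $saved['bio'], fio_allowed_bio_html() ); ?></div>
    <?php
}
// Handle the submission: check capability and nonce first, then filter every field.
function fio_handle_save() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $nonce = isset( $_POST['fio_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['fio_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'fio_save_profile' ) ) {
        wp_die( 'Request could not be verified.' ); // wrong/expired/replayed nonce
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address.' ); // whitelist: reject unless proven valid
    }
    $profile = array(
        'name'  => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'email' => $email,
        'bio'   => wp_kses( wp_unslash( $_POST['bio'] ?? '' ), fio_allowed_bio_html() ),
    );
    update_option( 'fio_profile', $profile ); // only filtered data reaches the database
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_fio_save_profile', 'fio_handle_save' );
```

Note that the bio is filtered with wp_kses() on input and again on output, which is the “both input and output” use of KSES the article describes; the name and e-mail are stored sanitized but still escaped for their HTML context when displayed.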

That being said, PHP also has built-in functions available, and you can write your own custom functions for more specific or complicated scenarios, but these predefined options will make the process much simpler. 

As you can see, filtering input and escaping output are two simple practices to adopt that will help maintain the security of your website. They should be considered best practices, as they keep you from constantly having to make updates due to security vulnerabilities.

Good measures will guarantee that your filtering mechanism can’t be bypassed, will be able to identify the origin of data, and will prevent invalid data from being incorrectly accepted as valid information.
