Theme Security
- Validation
- Escaping
- Sanitization
- Nonces
Validation
Validation is checking the input against a set of rules. An example is an email address: we want the value entered to be a valid email address, not gibberish text or numbers.
Client-side validation exists for the user's benefit: it tells them that what they have typed is not valid.
From a security perspective, client-side validation is bypassed easily by sending the data programmatically instead of submitting it through the form.
That is where server-side validation comes in: it validates the data after the request is received and before it is acted on, typically before it is saved to the database.
Escaping
Some characters are not printed literally because they have a special meaning; escaping is the process of encoding them so that they are output as literal text.
For example, post data stored in the database may contain HTML markup; if we echo it directly, the browser treats it as markup and renders it.
Escaping converts it so that the HTML is printed as-is, like a normal string.
- esc_sql(): Escapes data for use in a MySQL query.
- esc_url(): Checks and cleans a URL.
- esc_url_raw(): Sanitizes a URL for database or redirect usage.
- esc_js(): Escapes text strings for echoing in JS.
- esc_html(): Escaping for HTML blocks.
- esc_attr(): Escaping for HTML attributes.
- esc_textarea(): Escaping for textarea values.
- esc_xml(): Escaping for XML blocks.
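The list above maps one escaping function to each output context. The template fragment below is an added example, not code from the original post or from WordPress itself: it outputs the same stored value in an HTML block, an attribute, a URL, a textarea and an inline script, each through the matching esc_* function. It assumes it runs inside WordPress (the esc_* helpers and wp_nonce_field are core functions); theme_render_profile_card, the field names and the 'theme_profile_update' nonce action are hypothetical names, and the sample data is constructed.

```php
<?php
// Added example, not from the original post: one stored value rendered in several
// contexts, each through the esc_* function for that context. Assumes WordPress is
// loaded; theme_render_profile_card and the nonce action name are hypothetical.

function theme_render_profile_card( array $profile ) {
    // echo $profile['name'];  <- unsafe: the browser would render any markup in it.
    ?>
    <div class="profile" data-name="<?php echo esc_attr( $profile['name'] ); ?>">
        <h2><?php echo esc_html( $profile['name'] ); ?></h2>
        <a href="<?php echo esc_url( $profile['site'] ); ?>">Website</a>

        <form method="post">
            <?php wp_nonce_field( 'theme_profile_update', 'theme_profile_nonce' ); ?>
            <input type="text" name="name" value="<?php echo esc_attr( $profile['name'] ); ?>">
            <textarea name="bio"><?php echo esc_textarea( $profile['bio'] ); ?></textarea>
            <button type="submit">Save</button>
        </form>

        <script>
            // esc_js() is meant for a single-quoted inline JS string: it escapes
            // quotes and line breaks so the value cannot end the string early.
            var profileName = '<?php echo esc_js( $profile['name'] ); ?>';
        </script>
    </div>
    <?php
}

// Constructed sample data standing in for values read from post or user meta.
theme_render_profile_card( array(
    'name' => '<b>Ada</b> & "Lovelace"',
    'site' => 'https://example.com/?ref="profile"',
    'bio'  => "First line\n</textarea><b>not bold</b>",
) );

// For database queries, prefer $wpdb->prepare() over assembling SQL by hand;
// esc_sql() only escapes a single literal for a query you build yourself.
```

The point of the sample data is the context mismatch: the same name is harmless in `<h2>` once it goes through esc_html(), but it would break out of the `data-name` attribute without esc_attr(), and the bio would close the `<textarea>` early without esc_textarea(). Escaping is done at output time, with the function chosen by where the value lands, not by where it came from.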
Sanitizing
Sanitizing means cleaning: it removes illegal or unwanted characters from the data.
As a best practice, never trust anything the user has entered; sanitize it before using or storing it.
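The Validation and Sanitizing sections above describe the two halves of server-side input handling. The handler below is an added example, not code from the original post or from WordPress: it sanitizes every field of a submitted profile form with the core sanitize_* helpers, then validates the cleaned values against the form's rules, and refuses to save anything if any rule fails. It assumes it runs inside WordPress (is_email, sanitize_email, sanitize_text_field, esc_url_raw, wp_kses_post, absint, wp_unslash, wp_parse_url, wp_verify_nonce, wp_die and update_user_meta are core functions); the theme_ function names, the field names, the 'theme_profile_update' nonce action and the numeric limits are hypothetical.

```php
<?php
// Added example, not from the original post: server-side sanitization and
// validation of a form submission. Assumes WordPress is loaded; the theme_ names,
// field names and limits are hypothetical choices for this example.

function theme_validate_profile( array $raw ): array {
    $clean  = array();
    $errors = array();

    // 1. Sanitize: strip tags and control characters, normalize the URL, coerce
    //    numbers. Missing fields default to empty so every key is always set.
    $clean['name']  = sanitize_text_field( $raw['name'] ?? '' );
    $clean['email'] = sanitize_email( $raw['email'] ?? '' );
    $clean['site']  = esc_url_raw( $raw['site'] ?? '' );
    $clean['bio']   = wp_kses_post( $raw['bio'] ?? '' );   // keeps post-safe HTML only
    $clean['age']   = absint( $raw['age'] ?? 0 );

    // 2. Validate: sanitized data still has to satisfy the form's rules, and the
    //    checks run on the cleaned values, not on the raw request.
    if ( '' === $clean['name'] || mb_strlen( $clean['name'] ) > 60 ) {
        $errors['name'] = 'Name is required (max 60 characters).';
    }
    if ( ! is_email( $clean['email'] ) ) {
        $errors['email'] = 'Enter a valid email address.';
    }
    if ( '' !== $clean['site']
        && ! in_array( wp_parse_url( $clean['site'], PHP_URL_SCHEME ), array( 'http', 'https' ), true ) ) {
        $errors['site'] = 'Website must be an http(s) URL.';
    }
    if ( $clean['age'] < 13 || $clean['age'] > 120 ) {
        $errors['age'] = 'Age must be between 13 and 120.';
    }

    return array( 'ok' => empty( $errors ), 'data' => $clean, 'errors' => $errors );
}

// Request handler: nonce first, then sanitize + validate, then persist.
function theme_handle_profile_post() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['theme_profile_nonce'] ?? '', 'theme_profile_update' ) ) {
        wp_die( 'Invalid or expired form token.', 403 );
    }

    // WordPress adds slashes to $_POST; remove them before sanitizing.
    $result = theme_validate_profile( wp_unslash( $_POST ) );
    if ( ! $result['ok'] ) {
        // Re-render the form with $result['errors']; never save partially valid data.
        return;
    }
    update_user_meta( get_current_user_id(), 'theme_profile', $result['data'] );
}
add_action( 'template_redirect', 'theme_handle_profile_post' );
```

Sanitizing and validating are kept as separate steps on purpose: sanitization makes the value safe to store, validation decides whether it is acceptable at all, and a browser-side `type="email"` attribute is never consulted on the server. Note that esc_url_raw() accepts any protocol WordPress allows, which is why the scheme is checked explicitly afterwards.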
Nonces
Nonce stands for Number used Once.
So it is a number that should be used only once, but WordPress nonces are not true nonces in that sense: the same nonce can be used more than once.
In WordPress, nonces are valid for up to 24 hours.
To validate a nonce, WordPress recomputes it from the tick value that was used when the nonce was created.
// Excerpt from wp_create_nonce() in wp-includes/pluggable.php. $uid is the current
// user's ID (0, run through the 'nonce_user_logged_out' filter, when nobody is logged in).
$token = wp_get_session_token();
$i     = wp_nonce_tick( $action );
return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );

// Excerpt from wp_verify_nonce(): the same hash is recomputed for the current tick
// and for the one before it, so a nonce survives one tick rollover.
$token = wp_get_session_token();
$i     = wp_nonce_tick( $action );
// Nonce generated 0-12 hours ago.
$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
    return 1;
}
// Nonce generated 12-24 hours ago.
$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
    return 2;
}
// Neither tick matched: the nonce is invalid or older than 24 hours.
return false;
The nonce lifetime used for expiration is DAY_IN_SECONDS, which is 86400 seconds.
The formula used to calculate the tick number is:
ceil( time() / ( $nonce_life / 2 ) );
So, if the current POSIX time is 1694632761, then
$tick = ceil( 1694632761 / ( 86400 / 2 ) );
which results in 39228.
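To see how the tick arithmetic and the two-tick check in wp_verify_nonce() combine into the "up to 24 hours" lifetime, here is a stand-alone re-implementation as an added example. It is not code from the original post or from WordPress: wp_hash(), which is HMAC-MD5 keyed with the site's nonce salt, is stood in for by hash_hmac() with a constructed salt; the clock is passed in explicitly instead of calling time() so the results are reproducible; and the user ID, session token, salt and action are constructed values. It runs under plain PHP with no WordPress installation.

```php
<?php
// Added example, not from the original post: the tick formula and the two-tick
// verification window, with wp_hash() replaced by hash_hmac('md5') over a
// constructed salt and the current time passed in as $now.

const NONCE_LIFE = 86400; // DAY_IN_SECONDS, WordPress's default nonce lifetime

function demo_nonce_tick( int $now, int $nonce_life = NONCE_LIFE ): int {
    // Same formula as wp_nonce_tick(): one tick per half lifetime (12 hours).
    return (int) ceil( $now / ( $nonce_life / 2 ) );
}

function demo_hash( string $data, string $salt ): string {
    // wp_hash() is HMAC-MD5 keyed with a salt; the nonce keeps 10 of the last 12 hex chars.
    return substr( hash_hmac( 'md5', $data, $salt ), -12, 10 );
}

function demo_create_nonce( string $action, int $uid, string $token, string $salt, int $now ): string {
    $i = demo_nonce_tick( $now );
    return demo_hash( $i . '|' . $action . '|' . $uid . '|' . $token, $salt );
}

function demo_verify_nonce( string $nonce, string $action, int $uid, string $token, string $salt, int $now ) {
    $i = demo_nonce_tick( $now );
    if ( hash_equals( demo_hash( $i . '|' . $action . '|' . $uid . '|' . $token, $salt ), $nonce ) ) {
        return 1; // created in the current tick
    }
    if ( hash_equals( demo_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, $salt ), $nonce ) ) {
        return 2; // created in the previous tick
    }
    return false; // wrong action/user/session, or two or more ticks old
}

// Constructed inputs; in WordPress these come from wp_salt('nonce'), the logged-in
// user and wp_get_session_token().
$salt   = 'constructed-nonce-salt';
$uid    = 7;
$token  = 'constructed-session-token';
$action = 'theme_profile_update';
$t0     = 1694632761; // the timestamp used in the post

printf( "tick at %d = %d\n", $t0, demo_nonce_tick( $t0 ) );

$nonce = demo_create_nonce( $action, $uid, $token, $salt, $t0 );
foreach ( array( 3600 => '1 hour later', 46800 => '13 hours later', 90000 => '25 hours later' ) as $delta => $label ) {
    printf( "%-15s tick %d -> %s\n", $label, demo_nonce_tick( $t0 + $delta ),
        var_export( demo_verify_nonce( $nonce, $action, $uid, $token, $salt, $t0 + $delta ), true ) );
}
// A nonce is bound to the action and user, so it fails for a different action.
printf( "other action    -> %s\n", var_export( demo_verify_nonce( $nonce, 'other_action', $uid, $token, $salt, $t0 ), true ) );
```

With the constructed inputs above the tick at 1694632761 is 39228 (the post's own value); one hour later the tick is still 39228 and the nonce verifies with 1, thirteen hours later the tick is 39229 and it verifies with 2, and twenty-five hours later the tick is 39230 so it is rejected. The window is therefore between 12 and 24 hours depending on where inside a tick the nonce was created: a nonce minted right before a tick boundary is only good for a little over 12 hours.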