ZeroToWP

Sanitization

Quick Definition

The process of cleaning and filtering user input to remove potentially harmful data before saving it to the database, protecting your WordPress site from security vulnerabilities like XSS and SQL injection.


What Is Sanitization?

Sanitization is the process of cleaning user input before your WordPress site stores it in the database. Think of it as a security checkpoint: every piece of data that enters your site gets inspected and scrubbed of anything dangerous before it goes any further.

WordPress developers follow a fundamental principle: sanitize on input, escape on output. Sanitization happens when data comes in (a form submission, an API call, a file upload). Escaping happens when data goes out (displaying content on a page). They are two sides of the same coin, but they are not interchangeable.

Here is how sanitization differs from the two related concepts:

  • Validation checks whether data matches an expected format. For example, is_email() confirms that a string looks like a valid email address. If it does not match, you reject it entirely.
  • Sanitization accepts the data but strips out anything dangerous. For example, sanitize_text_field() removes HTML tags, invalid UTF-8 characters, and extra whitespace from a text string.
  • Escaping encodes data so the browser cannot interpret it as executable code. For example, esc_html() converts characters like < and > into harmless HTML entities before rendering.

WordPress provides dozens of built-in sanitization functions, each designed for a specific data type:

  • sanitize_text_field() — cleans a plain text string
  • sanitize_email() — strips invalid characters from an email address
  • sanitize_url() — cleans a URL
  • sanitize_title() — cleans a post title for use as a slug
  • sanitize_file_name() — cleans a filename
  • wp_kses() — strips all HTML except an explicit allowlist of tags
  • wp_kses_post() — allows only the HTML tags permitted in post content

A quick example of sanitization in practice:

// Sanitize the submitted title before it is stored as post meta ($post_id is the post being saved;
// wp_unslash() removes the slashes WordPress adds to superglobals).
$title = sanitize_text_field( wp_unslash( $_POST['title'] ) );
update_post_meta( $post_id, 'title', $title );

That single sanitize_text_field() call checks for invalid UTF-8, strips HTML tags, removes line breaks and extra whitespace, and converts stray < characters to HTML entities — all before the value reaches the database.

Sanitization in Practice

Every WordPress plugin and theme that handles user input must sanitize that input. The WordPress.org plugin review team will reject plugins that store unsanitized data. Common scenarios include processing contact form submissions, saving custom settings pages, handling AJAX requests, and importing data from external APIs.

Skipping sanitization opens the door to serious attacks. An attacker could inject a malicious <script> tag through an unprotected text field, leading to a cross-site scripting (XSS) attack that steals session cookies or redirects visitors. Unsanitized data passed directly into a database query can enable SQL injection, giving an attacker full access to your database; in WordPress, such queries should always be built with $wpdb->prepare() rather than relying on sanitization alone.

The rule is simple: never trust user input. Always use the appropriate sanitize_* function for the data type you are handling, and always escape that data with the matching esc_* function when you display it.
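The settings-page scenario above, worked through as an added example that is not from the original page: a register_setting() sanitize callback that applies the matching sanitize_* function to each field, validates the email address with is_email(), allowlists HTML with wp_kses(), and escapes the stored values again on output. It assumes a WordPress runtime; the option name zerotowp_demo, the option group and the field names are made up.

```php
<?php
// Added example, not from the original page. Assumes a WordPress runtime;
// the option name 'zerotowp_demo' and the field names are made up.
add_action( 'admin_init', function () {
    register_setting( 'zerotowp_demo_group', 'zerotowp_demo', array(
        'type'              => 'array',
        'sanitize_callback' => 'zerotowp_demo_sanitize',
    ) );
} );
// Explicit allowlist for the one field that may contain HTML.
function zerotowp_demo_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
    );
}
// Runs on every save, before anything reaches the database; each field gets
// the sanitize_* function that matches its data type.
function zerotowp_demo_sanitize( $input ) {
    $old   = (array) get_option( 'zerotowp_demo', array() );
    $input = (array) $input;
    $clean = array();
    // Plain text: strips tags, line breaks, extra whitespace and invalid UTF-8.
    $clean['site_label'] = sanitize_text_field( $input['site_label'] ?? '' );
    // Email: sanitize, then validate. An invalid address is rejected outright,
    // the previous value is kept and the admin sees an error notice.
    $email = sanitize_email( $input['contact_email'] ?? '' );
    if ( '' !== $email && ! is_email( $email ) ) {
        add_settings_error( 'zerotowp_demo', 'bad_email', 'Enter a valid email address.' );
        $email = $old['contact_email'] ?? '';
    }
    $clean['contact_email'] = $email;
    // URL: drops characters that cannot appear in a URL and returns an empty
    // string for disallowed protocols such as javascript:.
    $clean['homepage'] = sanitize_url( $input['homepage'] ?? '' );
    // Limited rich text: everything outside the allowlist is stripped.
    $clean['footer_html'] = wp_kses( $input['footer_html'] ?? '', zerotowp_demo_allowed_html() );
    return $clean;
}
// Escape on output: stored values are encoded again for the context they land in.
function zerotowp_demo_render_footer() {
    $opt = (array) get_option( 'zerotowp_demo', array() );
    echo '<a href="' . esc_url( $opt['homepage'] ?? '' ) . '">' . esc_html( $opt['site_label'] ?? '' ) . '</a>';
    echo wp_kses( $opt['footer_html'] ?? '', zerotowp_demo_allowed_html() );
}
```

The callback receives the already-unslashed form values from options.php, so no wp_unslash() is needed here, and the same allowlist is applied on output so a later change to the stored data cannot widen what is rendered.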

Why It Matters

Sanitization is your first line of defense against the most common web application attacks. If you install plugins or themes on your WordPress site, the quality of their sanitization practices directly affects your security. When evaluating plugins, look for developers who follow the WordPress Coding Standards and whose code passes the official plugin review process.
