Verifying Intent

Even if a given user has the capability to perform the action you're checking, they might not have initiated the request: a cross-site request forgery (CSRF) attack can make a logged-in user's browser submit a form or follow a link the user never intended. Nonces are WordPress's way of verifying that the request actually originated from your plugin's own form or link. A WordPress nonce is not a true single-use number; it is a time-limited token tied to the current user and a specific action, so it has to be checked on every state-changing request.

Checking Capabilities

To keep sneaky evildoers from making changes to your WordPress site, check that the current user has the capability required for the change before you make it. A nonce does not replace this check: a valid nonce only proves the request came from your form, not that the user is allowed to submit it.

Securing Input

Any time you handle potentially unsafe data (form fields, query strings, cookies, responses from third-party APIs), validate and sanitize it before you use it. Validation confirms the data is what you expect it to be (a positive integer, one of a fixed set of values, a well-formed email address) and rejects anything else. Sanitization is the more liberal approach: it transforms the data into a safe form (stripping tags, trimming whitespace, coercing to an integer) instead of rejecting it. Validate when you know exactly what the data must be; sanitize when any reasonable input should be accepted.

Escaping Output

Whenever you render data, whether it comes from the database or directly from user input, make sure it's escaped for the context it is going into: HTML body, HTML attribute, URL, or JavaScript. Escaping is what prevents cross-site scripting (XSS); sanitizing on the way in is not a substitute, because data can reach the database by other paths. Escape as late as possible, right at the point of output.
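The four sections above describe four checks that belong together in any handler that changes site state. The following is an added example, not code from the Plugin Handbook or from any real plugin: a minimal settings page that verifies intent with a nonce, checks the `manage_options` capability, validates and sanitizes the submitted fields, and escapes everything it renders. All `myplugin_` function names, the `myplugin_settings` option, and the field names are hypothetical.

```php
<?php
/**
 * Added example (not from the Plugin Handbook). All "myplugin_" names are hypothetical.
 * Assumes it runs inside a WordPress plugin where the WP API functions used below exist.
 */

// Register a Settings > My Plugin page; the capability here controls menu visibility only.
add_action( 'admin_menu', function () {
    add_options_page( 'My Plugin', 'My Plugin', 'manage_options', 'myplugin', 'myplugin_render_settings_page' );
} );

// Render the form. wp_nonce_field() emits the hidden nonce that the handler
// below uses to verify the request came from this form (Verifying Intent).
function myplugin_render_settings_page() {
    // Checking Capabilities: never rely on the menu registration alone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'myplugin' ), 403 );
    }

    $defaults = array( 'title' => '', 'per_page' => 10, 'mode' => 'list' );
    $settings = wp_parse_args( get_option( 'myplugin_settings', array() ), $defaults );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="hidden" name="action" value="myplugin_save_settings">

        <!-- Escaping Output: stored values go through esc_attr() inside attributes
             and esc_html() inside element bodies, right at the point of output. -->
        <label>Title
            <input type="text" name="title" value="<?php echo esc_attr( $settings['title'] ); ?>">
        </label>
        <label>Items per page
            <input type="number" name="per_page" value="<?php echo esc_attr( $settings['per_page'] ); ?>">
        </label>
        <select name="mode">
            <?php foreach ( array( 'list', 'grid' ) as $mode ) : ?>
                <option value="<?php echo esc_attr( $mode ); ?>" <?php selected( $settings['mode'], $mode ); ?>>
                    <?php echo esc_html( $mode ); ?>
                </option>
            <?php endforeach; ?>
        </select>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST. admin_post_{action} only fires for logged-in users, but that
// says nothing about what the user may do, so both checks below are still required.
function myplugin_handle_save_settings() {
    // Checking Capabilities: the user must be allowed to change options at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }

    // Verifying Intent: the nonce is bound to this action and this user, so a
    // forged cross-site POST will not carry a valid one. Dies on failure.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // Securing Input: sanitize the free-form text, coerce the number, and
    // validate the enum against an allow-list instead of trusting the submission.
    $title    = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $per_page = isset( $_POST['per_page'] ) ? absint( $_POST['per_page'] ) : 10;
    $mode     = isset( $_POST['mode'] ) ? sanitize_key( $_POST['mode'] ) : 'list';

    if ( $per_page < 1 || $per_page > 100 ) {
        $per_page = 10; // Validation: out-of-range values fall back to a safe default.
    }
    if ( ! in_array( $mode, array( 'list', 'grid' ), true ) ) {
        $mode = 'list'; // Validation: anything not on the allow-list is rejected.
    }

    update_option( 'myplugin_settings', array(
        'title'    => $title,
        'per_page' => $per_page,
        'mode'     => $mode,
    ) );

    // wp_safe_redirect() only follows local URLs, so a tampered redirect target cannot
    // send the admin off-site.
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=myplugin' ) ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_handle_save_settings' );
```

The order of the two authorization checks is deliberate: the capability check answers "may this user do this at all", and the nonce check answers "did this user really ask for it"; neither one implies the other. The same pattern applies to AJAX and REST handlers, with `check_ajax_referer()` or the REST API's `X-WP-Nonce` header standing in for `check_admin_referer()`, and the input and output rules apply unchanged.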