WordPress Developer Resources

Security in Secure Custom Fields

Security is a core principle of Secure Custom Fields. This guide explains our security practices and how to implement them in your projects.

Core Security Principles

Input Validation
- All user input is validated
- Type checking enforced
- Sanitization applied appropriately
Output Escaping
- Context-aware escaping
- HTML, attributes, and URLs handled separately
- Custom escaping functions for specific needs
Capability Checking
- Granular permission system
- Role-based access control
- Custom capability support

Best Practices

When working with SCF:

Always use provided escaping functions
Check user capabilities before operations
Validate all data before saving
Use nonces for form submissions

First published

February 20, 2025

Last updated

February 21, 2025

Edit article

Improve it on GitHub: Security in Secure Custom Fields

Changelog

See list of changes: Security in Secure Custom Fields