How to sanitize user password information in WordPress?

I’m capturing username, email and password in a custom registration form on my WordPress site. I’m sanitising the username using sanitize_user() and sanitize_email() sanitises the email address.

For example:

Read More
$username = sanitize_user( $username );
$email = sanitize_email( $email );

How should I sanitise the password entered by the user? All I can think of is sanitize_text_field( $pass ) but I’m sure that isn’t the right way to do it.

Ref:

Related posts

Leave a Reply

3 comments

  1. Sanitizing won’t necessarily protect you from injection. To protect against that you need to use prepared statements – or in the case of WordPress, use the $wpdb class.

    Sanitization simply strips invalid characters, in the cases you’ve given above, it removes characters not allowed in usernames, or are not allowed in a valid email address. Passwords allow lots of different character types because that’s what makes them ‘strong’ so you don’t want to strip them out.

    If you’re using wp_insert_user() to create a WP User, then you don’t need to sanitize any of it anyway, the function will take care of it all for you.

  2. wp_insert_user() state of sanitization and filters as off (2021) WordPress 5.7


    wp_insert_user() and user_pass by default:

    Should NOT be sanitized.


    wp_insert_user() and user_login by default:


    wp_insert_user() and user_nicename by default:


    wp_insert_user() and user_email by default:


    wp_insert_user() and user_url, display_name, nickname, first_name, last_name, last_name, description, by default:

    • No distinct sanitization.
    • No distinct filters.
    • No distinct comparison.

    Sources

  3. As mentioned you can use the sanitize_text_field() function. It may cause some issues on some crazy passwords with special characters etc.

    But it should be okay.