How to sanitize user password information in WordPress?

Tags:

php

wordpress

I'm capturing username, email and password in a custom registration form on my WordPress site. I'm sanitising the username using sanitize_user() and sanitize_email() sanitises the email address.

For example:

$username = sanitize_user( $username );
$email = sanitize_email( $email );

How should I sanitise the password entered by the user? All I can think of is sanitize_text_field( $pass ) but I'm sure that isn't the right way to do it.

Ref:

  • http://codex.wordpress.org/Function_Reference/sanitize_user
  • http://codex.wordpress.org/Function_Reference/sanitize_email
henrywright asked Aug 01 '14 09:08


2 Answers

Sanitizing won't necessarily protect you from injection. To protect against that you need to use prepared statements - or in the case of WordPress, use the $wpdb class.

Sanitization simply strips invalid characters; in the cases you've given above, it removes characters not allowed in usernames or not allowed in a valid email address. Passwords allow lots of different character types because that's what makes them 'strong', so you don't want to strip them out.

If you're using wp_insert_user() to create a WP User, then you don't need to sanitize any of it anyway; the function will take care of it all for you.

Mark answered Oct 14 '22 13:10


wp_insert_user() state of sanitization and filters as of (2021) WordPress 5.7

wp_insert_user() and user_pass by default:

  • Hash user_pass via wp_hash_password().

Should NOT be sanitized.

wp_insert_user() and user_login by default:

  • Sanitize user_login via sanitize_user().
  • Filter user_login via empty().
  • Filter user_login via mb_strlen() (60 characters maximum).
  • Compare user_login via username_exists() to users.
  • Compare user_login via illegal_user_logins to illegal user logins.

wp_insert_user() and user_nicename by default:

  • Sanitize user_nicename via sanitize_user().
  • Filter user_nicename via mb_strlen() (50 characters maximum).
  • Sanitize user_nicename via sanitize_title().

wp_insert_user() and user_email by default:

  • No distinct sanitization.
  • Filter user_email via empty().
  • Compare user_email via strcasecmp to old.
  • Compare user_email via email_exists() to old.

wp_insert_user() and user_url, display_name, nickname, first_name, last_name, description by default:

  • No distinct sanitization.
  • No distinct filters.
  • No distinct comparison.

Sources

  • user.php @ https://github.com/WordPress/WordPress/blob/master/wp-includes/user.php
amarinediary answered Oct 14 '22 12:10
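A custom registration handler that applies the points from both answers (sanitise the login and email, hand the password to wp_insert_user() untouched so it is hashed by wp_hash_password(), and check the WP_Error return), added here as an example and not code from either answer. It assumes the WordPress runtime is loaded (sanitize_user(), sanitize_email(), wp_unslash(), is_email(), wp_insert_user() and is_wp_error() are core functions) and the form field names are made up.

```php
<?php
// Added example, not from the question or answers. Assumes WordPress core is
// loaded; the $post keys 'username', 'email', 'password' are assumptions.

function my_custom_register_user( array $post ) {
    // Username and email are sanitized, as in the question. wp_unslash()
    // removes the slashes WordPress adds to request data before sanitizing.
    $username = isset( $post['username'] ) ? sanitize_user( wp_unslash( $post['username'] ), true ) : '';
    $email    = isset( $post['email'] ) ? sanitize_email( wp_unslash( $post['email'] ) ) : '';

    // The password is deliberately NOT passed through any sanitize_* function.
    // wp_insert_user() hashes it with wp_hash_password(); stripping characters
    // here would silently weaken the password the user actually chose.
    $password = isset( $post['password'] ) ? wp_unslash( $post['password'] ) : '';

    if ( '' === $username || '' === $email ) {
        return new WP_Error( 'empty_fields', 'Username and email are required.' );
    }
    if ( '' === $password ) {
        return new WP_Error( 'empty_password', 'A password is required.' );
    }
    // Validate rather than repair: is_email() rejects a malformed address
    // instead of quietly turning it into a different one.
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid email address.' );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password, // plaintext in, stored hashed by wp_insert_user()
        'role'       => 'subscriber',
    ) );

    // wp_insert_user() returns a WP_Error for a duplicate login or email,
    // an illegal or over-long login, and similar failures (see the list above).
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return (int) $user_id;
}
```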