wpdiggerstudio/wpzylos-security
===============================

Security primitives (Nonce, Gate, Sanitizer, Escaper) for WPZylos framework

WPZylos Security
================


Security primitives for the WPZylos framework — Nonce, Gate, Sanitizer, RateLimiter, UploadSecurity, Middleware, and escaping helpers.

📖 **[Full Documentation](https://wpzylos.com)** | 🐛 **[Report Issues](https://github.com/WPDiggerStudio/wpzylos-security/issues)**

---

✨ Features
----------


- **Nonce** — CSRF protection with plugin-scoped nonce generation and verification
- **Gate** — Capability-based authorization (`can`, `cannot`, `authorize`, `isAdmin`, `canAny`, `canAll`, and more)
- **Sanitizer** — Input sanitization (`text`, `email`, `url`, `int`, `float`, `bool`, `html`, `slug`, `key`, `filename`, `sanitizeMany`, etc.)
- **RateLimiter** — Request throttling using WordPress transients (`hit`, `attempt`, `forUser`, `forIp`)
- **UploadSecurity** — Secure file uploads with nonce/capability checks, MIME validation, and size limits
- **Middleware** — `AuthMiddleware` and `NonceMiddleware` for the request pipeline
- **Escaping Helpers** — Global template helpers (`wpzylos_e`, `wpzylos_ea`, `wpzylos_eu`, `wpzylos_ej`, `wpzylos_kses`, `wpzylos_e_json`)

---

📋 Requirements
--------------


| Requirement | Version |
| --- | --- |
| PHP | ^8.0 |
| WordPress | 6.0+ |

---

🚀 Installation
--------------


```
composer require wpdiggerstudio/wpzylos-security
```

---

⚙️ Service Provider Registration
--------------------------------


Register `SecurityServiceProvider` in your plugin's service providers:

```
use WPZylos\Framework\Security\SecurityServiceProvider;

'providers' => [
    SecurityServiceProvider::class,
],
```

This registers **5 services** as singletons, each with a class binding and a string alias:

| Class Binding | String Alias |
| --- | --- |
| `Nonce::class` | `'nonce'` |
| `Gate::class` | `'gate'` |
| `Sanitizer::class` | `'sanitizer'` |
| `RateLimiter::class` | `'rate-limiter'` |
| `UploadSecurity::class` | `'upload-security'` |

---

📖 Quick Start
-------------


```
use WPZylos\Framework\Security\Nonce;
use WPZylos\Framework\Security\Gate;
use WPZylos\Framework\Security\Sanitizer;
use WPZylos\Framework\Security\RateLimiter;
use WPZylos\Framework\Security\UploadSecurity;
```

### Nonce (CSRF Protection)


```
$nonce = $app->make(Nonce::class);

// Create a nonce token
$token = $nonce->create('save_settings');

// Verify a nonce
if ($nonce->verify($_POST['_wpnonce'], 'save_settings')) {
    // Valid — proceed
}

// Output nonce field in a form
$nonce->field('save_settings');

// Add nonce to a URL
$url = $nonce->url($actionUrl, 'delete_item');
```

### Gate (Authorization)


```
$gate = $app->make(Gate::class);

// Check capabilities
if ($gate->can('edit_posts')) { /* ... */ }
if ($gate->cannot('manage_options')) { /* ... */ }
if ($gate->isAdmin()) { /* ... */ }

// Abort if unauthorized (calls wp_die with 403)
$gate->authorize('manage_options');

// Check specific user
if ($gate->userCan($userId, 'edit_posts')) { /* ... */ }

// Multiple capabilities
if ($gate->canAny(['edit_posts', 'upload_files'])) { /* ... */ }
if ($gate->canAll(['edit_posts', 'publish_posts'])) { /* ... */ }

// User state
if ($gate->isLoggedIn()) {
    $id = $gate->userId();
}
```

### Sanitizer (Input Sanitization)


```
$sanitizer = $app->make(Sanitizer::class);

// Individual sanitizers
$title = $sanitizer->text($_POST['title']);
$email = $sanitizer->email($_POST['email']);
$price = $sanitizer->float($_POST['price']);

// Bulk sanitization
$clean = $sanitizer->sanitizeMany($_POST, [
    'title'   => 'text',
    'email'   => 'email',
    'content' => 'html',
    'post_id' => 'absint',
    'active'  => 'bool',
]);
```

### RateLimiter (Throttling)


```
$limiter = $app->make(RateLimiter::class);

// Key scoped to current user (falls back to IP for guests)
$key = $limiter->forUser('api_call');

if ($limiter->tooManyAttempts($key)) {
    $wait = $limiter->availableIn($key);
    wp_die("Rate limited. Try again in {$wait} seconds.");
}
$limiter->hit($key);

// Or use attempt() with callbacks
$result = $limiter->attempt($key, function () {
    return do_expensive_operation();
}, function (int $waitSeconds) {
    wp_send_json_error(['retry_after' => $waitSeconds], 429);
});

// Clear on success (e.g., after login)
$limiter->clear($key);
```

### UploadSecurity (File Uploads)


```
$upload = $app->make(UploadSecurity::class);

// Simple upload
$result = $upload->handle($_FILES['file'], 'upload_action');

if (is_wp_error($result)) {
    echo $result->get_error_message();
} else {
    $url = $result['url'];
}

// With custom MIME types and size limit
$result = $upload
    ->allowMimes(['jpg|jpeg' => 'image/jpeg', 'png' => 'image/png'])
    ->maxSize(2 * 1024 * 1024) // 2 MB
    ->handle($_FILES['avatar'], 'upload_avatar');

// Multiple files
$results = $upload->handleMultiple($_FILES['documents'], 'upload_docs');
```
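As an added example, not code from the README or the package, here is one admin-ajax handler that chains the Quick Start primitives in a defence-in-depth order: throttle, CSRF check, capability check, sanitize, then upload. It assumes `$app` is the framework container, `save_profile` is a hypothetical nonce action shared by the form and the avatar upload, and `update_user_meta`, `wp_send_json_success`/`wp_send_json_error` and `is_wp_error` are the stock WordPress functions.

```php
// Added example (not from the README or the package). Assumed: $app is the
// framework container, 'save_profile' is a hypothetical nonce action, and
// update_user_meta, wp_send_json_* and is_wp_error are stock WordPress functions.
use WPZylos\Framework\Security\Nonce;
use WPZylos\Framework\Security\Gate;
use WPZylos\Framework\Security\Sanitizer;
use WPZylos\Framework\Security\RateLimiter;
use WPZylos\Framework\Security\UploadSecurity;

function wpzylos_example_save_profile($app): void
{
    $limiter = $app->make(RateLimiter::class);
    $nonce   = $app->make(Nonce::class);
    $gate    = $app->make(Gate::class);
    $clean   = $app->make(Sanitizer::class);
    $upload  = $app->make(UploadSecurity::class);

    // 1. Throttle before any expensive work (key is per user, IP for guests).
    $key = $limiter->forUser('save_profile');
    if ($limiter->tooManyAttempts($key)) {
        wp_send_json_error(['retry_after' => $limiter->availableIn($key)], 429);
    }
    $limiter->hit($key);
    // 2. CSRF: the token must match the action the form was rendered with.
    if (!$nonce->verify($_POST['_wpnonce'] ?? '', 'save_profile')) {
        wp_send_json_error(['message' => 'Invalid or expired token'], 403);
    }
    // 3. Authorization: wp_die(403) unless the current user has the capability.
    $gate->authorize('edit_posts');
    // 4. Each field runs through the sanitizer named in the map.
    $data = $clean->sanitizeMany($_POST, [
        'display_name' => 'text',
        'contact'      => 'email',
        'bio'          => 'html',
    ]);
    // 5. Optional avatar: image MIME types only, 2 MB cap, WP_Error mapped to 400.
    if (!empty($_FILES['avatar'])) {
        $result = $upload
            ->allowMimes(['jpg|jpeg' => 'image/jpeg', 'png' => 'image/png'])
            ->maxSize(2 * 1024 * 1024)
            ->handle($_FILES['avatar'], 'save_profile');
        if (is_wp_error($result)) {
            wp_send_json_error(['message' => $result->get_error_message()], 400);
        }
        $data['avatar_url'] = $result['url'];
    }
    update_user_meta($gate->userId(), 'wpzylos_profile', $data);
    $limiter->clear($key); // only a fully successful submission resets the budget
    wp_send_json_success($data);
}
```

Every rejection path exits with a distinct HTTP status (429, 403, 400), so the client and your logs can tell throttling, CSRF and validation failures apart.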

### Escaping Helpers (Templates)


```
// Argument names below are placeholders.

// HTML escape
echo wpzylos_e($title);

// Attribute escape
echo '<input value="' . wpzylos_ea($value) . '">';

// Filter to an allowed set of post-level tags
echo wpzylos_kses($content);
```

The argument names above are placeholders; the remaining helpers listed under Features (`wpzylos_eu`, `wpzylos_ej`, `wpzylos_e_json`) are called the same way.