Use the Valitron Library in WordPress to Validate Form Submissions

Whenever a WordPress theme or plugin needs to handle user-submitted data, we should validate that data on the server before saving it to the database. Required fields, format checks, and value constraints all matter, even if we already performed client-side validation with JavaScript.

One of the most popular PHP validation libraries for this job is Valitron. It is small, elegant, standalone, and does not depend on other heavy packages. The API is simple enough that it fits very comfortably into WordPress development.

Install the Valitron validation library

Like most popular PHP libraries, Valitron can be installed and managed directly through Composer.

php composer.phar require vlucas/valitron

Validate data with Valitron

Valitron validates whatever data array we pass into the validator. In the following example, an array is passed to the Validator class and then a required rule is added for the name field. If validation fails, the error messages can be read through $v->errors().

$v = new Valitron\Validator( array('name' => '来呀,来验证我呀,肯定会通过验证的。') );
$v->rule('required', 'name');

if($v->validate()) {
    echo "早告诉你了,肯定会验证通过的。";
} else {
    // Print errors
    print_r($v->errors());
}

In a real form handler, it is common to pass $_POST directly into the validator. Multiple fields can share the same rule, which keeps the code compact.

$v = new Valitron\Validator($_POST);

$v->rule('required', ['name', 'email']);
$v->rule('email', 'email');

if($v->validate()) {
    echo "Whether validation passes depends on whether the user entered a name and email.";
} else {
    // Print errors
    print_r($v->errors());
}
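
The `$_POST` handler above, expanded into a WordPress form handler as an added example (not code from the original article): it verifies a nonce, removes the slashes WordPress adds to `$_POST`, validates only the expected fields, escapes error messages on output, and sanitizes values before saving. The hook name, nonce action, field names, post type and redirect path are assumptions.

```php
<?php
// Added example, not from the original article. The hook name, nonce action,
// field names, post type and redirect path below are assumed for illustration.
use Valitron\Validator;

require_once __DIR__ . '/vendor/autoload.php'; // Composer autoloader

function myplugin_handle_contact_form() {
    // Reject requests without a valid nonce before touching any field.
    $nonce = isset( $_POST['contact_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['contact_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'contact_form' ) ) {
        wp_die( esc_html( 'Invalid request.' ), '', array( 'response' => 403 ) );
    }

    // WordPress adds slashes to $_POST: unslash first, then keep only expected keys.
    $expected = array( 'name' => '', 'email' => '', 'message' => '' );
    $data     = array_intersect_key( wp_unslash( $_POST ), $expected );

    $v = new Validator( $data );
    $v->rule( 'required', array( 'name', 'email', 'message' ) );
    $v->rule( 'email', 'email' );
    $v->rule( 'lengthMax', 'name', 100 );
    $v->rule( 'lengthMax', 'message', 2000 );

    if ( ! $v->validate() ) {
        // errors() is keyed by field name; escape every message on output.
        $html = '';
        foreach ( $v->errors() as $messages ) {
            foreach ( $messages as $message ) {
                $html .= '<li>' . esc_html( $message ) . '</li>';
            }
        }
        wp_die( '<ul>' . $html . '</ul>', '', array( 'response' => 400 ) );
    }

    // Validation checks shape only; sanitize separately before storing.
    wp_insert_post( array(
        'post_type'    => 'contact_message', // assumed custom post type
        'post_status'  => 'private',
        'post_title'   => sanitize_text_field( $data['name'] ),
        'post_content' => sanitize_textarea_field( $data['message'] ),
        'meta_input'   => array( 'email' => sanitize_email( $data['email'] ) ),
    ) );
    wp_safe_redirect( home_url( '/thanks/' ) ); // assumed thank-you page
    exit;
}
add_action( 'admin_post_nopriv_contact_form', 'myplugin_handle_contact_form' );
add_action( 'admin_post_contact_form', 'myplugin_handle_contact_form' );
```

The form posts to `admin-post.php` with a hidden `action` field set to `contact_form` and a nonce field generated by `wp_nonce_field( 'contact_form', 'contact_nonce' )`.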

Built-in validation rules

Valitron includes a large set of built-in rules that already cover most of what a WordPress application needs. If they are still not enough, custom rules can be added later.

  • required – required field
  • equals – must equal another field
  • different – must differ from another field
  • accepted – checkbox or radio must be accepted
  • numeric – must be numeric
  • integer – must be an integer
  • array – must be an array
  • length – exact length
  • lengthBetween – length between two values
  • lengthMin – minimum length
  • lengthMax – maximum length
  • min – minimum numeric value
  • max – maximum numeric value
  • in – must be in a given array
  • notIn – must not be in a given array
  • ip – valid IP address
  • email – valid email address
  • url – valid URL
  • urlActive – URL that can actually be reached
  • alpha – letters only
  • alphaNum – letters and numbers only
  • slug – URL-safe slug string
  • regex – match a regular expression
  • date – valid date
  • dateFormat – date in a specific format
  • dateBefore – valid date before another date
  • dateAfter – valid date after another date
  • contains – must contain a specific string
  • creditCard – valid credit card number
  • instanceOf – must be an instance of a given PHP class
  • optional – field may be omitted, but if present it must pass validation

One useful note from the original article: if you need accurate min/max validation for floating-point values, installing the PHP BCMath extension is recommended because Valitron uses it when available.

Customize validation failure messages

If Valitron’s default validation messages do not match your project, you can point the library at your own language directory and load a custom language set.

use Valitron\Validator as V;

V::langDir(__DIR__.'/validator_lang');
V::lang('zh-cn');

Using Valitron makes it much less tempting to skip validation entirely. Better validation means fewer bugs, more stable application behavior, and safer handling of user-submitted content.
