🔵 WordPress

What good answers include

Core principles: sanitise input (sanitize_text_field, sanitize_email, wp_kses), escape output (esc_html, esc_attr, esc_url, wp_kses_post), and verify intent (wp_nonce_field/wp_verify_nonce for forms, check_ajax_referer for AJAX). Additional practices: use $wpdb->prepare() for custom queries, validate user capabilities before actions, keep WordPress and plugins updated, disable file editing (DISALLOW_FILE_EDIT), use proper file permissions, and implement Content Security Policy headers. Strong candidates distinguish between sanitisation (cleaning input) and escaping (safe output) and know which function to use where.