diff --git a/wp-plugin/oauth.php b/wp-plugin/oauth.php index 1c902278..45da5e48 100644 --- a/wp-plugin/oauth.php +++ b/wp-plugin/oauth.php @@ -4,16 +4,15 @@ defined( 'ABSPATH' ) or die( 'Nope, not accessing this' ); // eventorganizer / triggered after an event has been updated // http://codex.wp-event-organiser.com/hook-eventorganiser_save_event.html add_action('eventorganiser_save_event', 'wpgancio_save_event', 15); -add_action('wp_trash_post', 'delete_post', 15); +add_action('wp_trash_post', 'wpgancio_delete_post', 15); -function delete_post ($post_id) { +function wpgancio_delete_post ($post_id) { $post = get_post($post_id); $instance_url = get_option('wpgancio_instance_url'); if ($post->post_type == 'event') { - $gancio_id = get_post_meta($post_id, 'gancio_id', TRUE); + $gancio_id = get_post_meta($post_id, 'wpgancio_gancio_id', TRUE); if ($gancio_id) { - $body['id'] = $gancio_id; $http = _wp_http_get_object(); $response = $http->request( "${instance_url}/api/event/${gancio_id}", array( 'method' => 'DELETE', @@ -28,7 +27,7 @@ function wpgancio_save_event ($post_id) { $event = get_post( $post_id ); function tagName ($tag) { - return $tag->name; + return sanitize_title($tag->name); } $tmp_tags = get_the_terms( $event, 'event-tag' ); @@ -39,9 +38,9 @@ function wpgancio_save_event ($post_id) { return; } - $gancio_id = get_post_meta($post_id, 'gancio_id', TRUE); + $gancio_id = get_post_meta($post_id, 'wpgancio_gancio_id', TRUE); - // image_path + // when $date = eo_get_schedule_start( 'U', $post_id ); // get place details @@ -62,7 +61,7 @@ function wpgancio_save_event ($post_id) { // add image if specified $image_url = get_the_post_thumbnail_url($post_id); if ($image_url) { - $body['image_url'] = $image_url; + $body['image_url'] = esc_url($image_url); } // update 
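Review bot: The switch to the `wpgancio_gancio_id` meta key in `wpgancio_delete_post` (and in the `get_post_meta`/`update_post_meta` calls of `wpgancio_save_event` in the later hunks) leaves events already synced under the old `gancio_id` key unlinked. Trashing such a post no longer sends the DELETE, and saving it presumably creates a second remote event instead of updating the existing one. A fallback read would cover existing installs, e.g. `$gancio_id = get_post_meta($post_id, 'wpgancio_gancio_id', TRUE) ?: get_post_meta($post_id, 'gancio_id', TRUE);`, or a one-time migration on upgrade. The id is also placed into the request URL as read, so passing it through `absint()` before building `/api/event/${gancio_id}` would match the `intval()` now applied on write. The function body continues past the end of this hunk.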
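Review bot: `sanitize_title()` in `tagName` converts the term name into a slug (lowercased, accents removed, spaces replaced by hyphens), so a tag such as "Live Music" would be sent as `live-music`. If the display name is what should reach the remote instance, `return sanitize_text_field($tag->name);` cleans the value without rewriting it. Separately, `tagName` remains an unprefixed global function and appears to be declared inside `wpgancio_save_event`, so a second run of the hook in one request would likely fail with a redeclaration error. A closure or a top-level `wpgancio_tag_name` would avoid both the name collision and the redeclaration. The enclosing function starts and ends outside this hunk.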
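Review bot: `esc_url()` escapes for HTML display and rewrites `&` as `&#038;`, so an image URL with a query string reaches `$body['image_url']` in altered form. For a value sent in a request body, `esc_url_raw($image_url)` is the matching function. The first settings.php hunk has a related problem in `'redirect_uri=' . esc_url($redirect_uri)`: the value is a query parameter that itself contains `?` and `=`, so it needs percent-encoding, `'redirect_uri=' . rawurlencode($redirect_uri)`. Both enclosing functions extend beyond their hunks.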
@@ -84,10 +83,10 @@ function wpgancio_save_event ($post_id) { } if ( is_wp_error( $response ) ) { - $error_message = $response->get_error_message(); + $error_message = esc_html($response->get_error_message()); echo "

${error_message}

"; return; } $data = json_decode(wp_remote_retrieve_body($response)); - update_post_meta($post_id, 'gancio_id', $data->id); + update_post_meta($post_id, 'wpgancio_gancio_id', intval($data->id)); } diff --git a/wp-plugin/settings.php b/wp-plugin/settings.php index 55e57712..d0900540 100644 --- a/wp-plugin/settings.php +++ b/wp-plugin/settings.php @@ -22,7 +22,7 @@ function wpgancio_update_options ($old_value, $instance_url) { $redirect_uri = get_site_url(null, '/wp-admin/options-general.php?page=wpgancio' ); $query = join('&', array( 'response_type=code', - 'redirect_uri=' . esc_html($redirect_uri), + 'redirect_uri=' . esc_url($redirect_uri), 'scope=event:write', 'client_id=' . get_option('wpgancio_client_id'), )); @@ -53,8 +53,8 @@ function wpgancio_instance_url_validate ($instance_url) { $response->get_error_message()); } else { $data = json_decode( wp_remote_retrieve_body($response), true); - update_option('wpgancio_client_secret', $data['client_secret']); - update_option('wpgancio_client_id', $data['client_id']); + update_option('wpgancio_client_secret', sanitize_key($data['client_secret'])); + update_option('wpgancio_client_id', sanitize_key($data['client_id'])); return $instance_url; } } @@ -88,7 +88,7 @@ function wpgancio_instance_url_cb( $args ) { name="wpgancio_instance_url">
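Review bot: `intval($data->id)` runs on whatever `json_decode()` returned, and `is_wp_error()` only catches transport failures. An HTTP error response or a non-JSON body therefore reads a property on null and stores `0` in `wpgancio_gancio_id`, overwriting a valid link after one failed sync. A guard placed before `update_post_meta` prevents that: `if (!is_object($data) || !isset($data->id)) { return; }`, ideally combined with a check of `wp_remote_retrieve_response_code($response)`. The start of `wpgancio_save_event` is outside this hunk.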
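Review bot: `sanitize_key()` lowercases its input and drops every character outside `a-z0-9_-`, so the `client_secret` and `client_id` stored in `wpgancio_instance_url_validate` may no longer match what the instance issued. If the instance ever returns credentials with uppercase letters or other symbols, every later OAuth exchange would fail with no visible cause. These are opaque values and are better stored as received after checking they are non-empty strings, or with `update_option('wpgancio_client_secret', sanitize_text_field($data['client_secret']));` at most. `$data` is also used without checking that `json_decode()` returned an array, so a malformed registration response would store empty credentials. The function begins before this hunk.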

- +