When using save_post
you are usually add/updating user-inputted data from a metabox into the database. When do this you should check that your metabox’s nonce is valid.
You should also check permissions as save_post
is triggered inside wp_insert_post()
, and not just when the you create/edit a post admin side.