Posted in WordPress

Understanding and using nonces in WordPress

Understanding and using nonces in WordPress Posted on January 9, 2016Leave a comment

WordPress itself defines nonces as ‘a number used once to help protect URLs and forms from certain types of misuse, malicious or otherwise.’ They are hash values made up of a combination of numbers and letters. Nonces protect WordPress sites against malicious exploits that are based primarily on Cross Site Request Forgery (CSRF). They are used on requests (saving options in admin, Ajax requests,  performing an action, .. etc) and prevent unauthorized access by providing a secret key and checking it each time the code is used.

You can create a nonce and add it to the query string in a URL, you can add it in a hidden field in a form, or you can use it some other way. WordPress nonces work in two parts:

  1. Creating a nonce.
  2. Verifying a nonce.

There are functions to create and add nonces to your URLs and forms in WordPress.

Adding a nonce to a URL

To add a nonce to a URL, call wp_nonce_url function. For example:

wp_nonce_url function takes three parameters.

  1. The first is the URL you wish to add the nonce to.
  2. The second is the nonce action name.
  3. The third is nonce name.

or using wp_create_nonce function:

wp_create_nonce function takes one parameter. It is nonce action name.

Using one of these above functions, the URL might look something like this:

Adding a nonce to a form

Adding nonces to WordPress forms creates hidden fields for you on the form automatically. To add a nonce to a form you can use wp_nonce_field function:

  • $action: (optional) Action name. Should give the context to what is taking place.
  • $name: (optional) Nonce name. This is the name of the nonce hidden form field to be created. Once the form is submitted, you can access the generated nonce via $_POST[$name].
  • $referer: (boolean) (optional) Whether also the referer hidden form field should be created with the wp_referer_field function.
  • $echo: (boolean) (optional) Whether to display or return the nonce hidden form field, and also the referer hidden form field if the $referer argument is set to true.

This function will generate two hidden fields:

  1. The first field’s value is the nonce.
  2. The second field’s value is the current URL (the referer).

For example:

The hidden fields might be something like this:

Verifying WordPress Nonces

To verify a nonce we can simply use following function:

  • $nonce: (string) (required) Nonce to verify.
  • $action: (string/int) (optional) Action name. Should give the context to what is taking place and be the same when the nonce was created.

This function returns false if the nonce that you’re trying to verify is invalid. On the other hand, if the nonce is valid it will return either 1 or 2. A value equal to 1 means that the nonce was created 12 hours (or less) ago whereas 2 means that it was created more than 12 hours but less than 24 hours ago.

In this article, We have understood what WordPress nonce is, and how to use it. Feel free to post a comment if you have any question about it.

Leave a Reply

Your email address will not be published. Required fields are marked *