What Is A WordPress Nonce?
A nonce (number used once) is a security feature by which a website can protect itself from various kinds of hostile actions such as CSRF (Cross-Site Request Forgery), MITM (Man-In-The-Middle) and others. Using nonces consists of generating random values that are intended to vary with each request.
Where possible, WordPress nonces consist of three parts: “action”, “key” and a number generator to create unique values.
Action – A string that identifies the purpose of the nonce.
Key – A long random value required by some data validation schemes to create secure tokens. Other types of validation, such as checking the current timestamp against values stored in session variables or using an incrementing sequence number, can use a constant key.
Number Generator – A function that is used to create unique hashes for each request. It must accept two values, usually named “salt” and “count”. The salt prevents various types of attacks on the key, while the count value is usually incremented for each request to further randomize the hash.
What Is A CSRF (Cross Site Request Forgery)?
A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
How To Create A WordPress Nonce?
Nonces are very simple to create. To do so, use the wp_create_nonce function. Here is how it works:
<?php
// Create a nonce for the action 'my-action'. The returned string is what gets
// embedded in the form or AJAX request and later verified against the same action name.
$nonce = wp_create_nonce('my-action');
How To Use A WordPress Nonce
WordPress nonces are usually used in forms and in AJAX requests to make sure that the action is not being triggered from an unauthorized place.
To add a WordPress nonce to an HTML form, use the wp_nonce_field function:
<form method="post">
    <?php wp_nonce_field('my-action', '_nonce'); ?>
    <!-- other inputs here ... -->
</form>
The wp_nonce_field function accepts 4 parameters:
- $action – name of the action
- $name – name of the nonce
- $referer – whether to set the referer field for validation
- $echo – whether to display or return the hidden nonce form field
In most cases, we only need the first two parameters, $action and $name, which is what the example above uses.
How To Verify A WordPress Nonce
In order to verify the WordPress nonce, we need to use the wp_verify_nonce function, which accepts 2 parameters:
- $nonce – Nonce value that needs to be verified
- $action – Name of the action. It should give context to what is taking place and must be the same value that was used when the nonce was created.
Now let’s say we want to verify the nonce that comes to us via AJAX:
<?php
add_action('wp_ajax_myform_action', 'process_data');
function process_data() {
    // Take the nonce value, defaulting to an empty string so a missing field
    // does not raise an "undefined index" notice before verification runs
    $nonce = isset($_POST['_nonce']) ? $_POST['_nonce'] : '';
    // wp_verify_nonce() returns 1 or 2 when the nonce is valid and false otherwise
    if (! empty($nonce) && wp_verify_nonce($nonce, 'my-action')) {
        // Nonce is valid. Process the data
    }
    else {
        wp_die('Nonce is invalid');
    }
}
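The following added example (not code from the original article) shows the full AJAX round trip: the nonce is created on render, handed to the browser, sent back as the _nonce field, and checked on the server together with a capability check, since a valid nonce only proves the request originated from a page the user loaded, not that the user may perform the action. The handle 'myform-js', the script file name, the capability 'edit_posts' and the function name process_data_secure are assumptions for this example; the 'my-action' nonce action and the 'myform_action' AJAX action follow the article.

```php
<?php
// Added example, not from the original article. Assumed names: 'myform-js',
// myform.js, process_data_secure, the 'edit_posts' capability.

// 1. On page render: create the nonce and pass it to the browser script.
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('myform-js', plugins_url('myform.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('myform-js', 'myform', [
        'ajax_url' => admin_url('admin-ajax.php'),
        'nonce'    => wp_create_nonce('my-action'),
    ]);
});

// 2. The browser script (assumed contents of myform.js) posts the nonce back
//    as the '_nonce' field together with the AJAX action name:
//
//    jQuery.post(myform.ajax_url, {
//        action:  'myform_action',
//        _nonce:  myform.nonce,
//        payload: 'hello'
//    });

// 3. Server side: verify the nonce first, then the capability.
add_action('wp_ajax_myform_action', 'process_data_secure');
function process_data_secure() {
    // check_ajax_referer() wraps wp_verify_nonce(); with the default third
    // argument it calls wp_die() on failure, so execution stops here when
    // the nonce is missing, expired, or issued for a different action/user.
    check_ajax_referer('my-action', '_nonce');

    // The nonce does not authorize the action; check the capability separately.
    if (! current_user_can('edit_posts')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }

    // Unslash and sanitize the submitted data before using it.
    $payload = isset($_POST['payload'])
        ? sanitize_text_field(wp_unslash($_POST['payload']))
        : '';

    // ... process $payload ...
    wp_send_json_success(['received' => $payload]); // ends the request
}
```

Note that a WordPress nonce is not strictly single-use: by default it stays valid for up to 24 hours and wp_verify_nonce() returns 1 for a nonce generated in the last 12 hours and 2 for one between 12 and 24 hours old.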
Conclusion
WordPress nonces are a crucial part of any WordPress application that every WordPress developer needs to master.
I hope this article was helpful in getting you to better understand how this concept works.