In cryptography, a nonce refers to a “number used once” and generated to protect forms and URLs from malicious hacking attacks. It generally consists of random letters and numbers and has a default lifetime of one day, serving as an authentication tool for certain actions and inputs.
WordPress is among many platforms that adopt this security feature, albeit modifying it a bit. Whether you’re a site owner looking to improve your platform’s security or a WordPress developer wanting to protect your plugins from malicious users, this article will help you to understand a nonce better.
Keep reading as we explore WordPress nonce’s advantages and how to create and verify nonces on WordPress sites.
What Is a Nonce in WordPress?
A WordPress nonce is a “number used once” security token to protect URLs and forms from malicious attacks. It helps WordPress to determine whether a request is valid, preventing unauthorized actions and inputs.
Why Use WordPress Nonces
WordPress nonces protect the platform against various malicious attacks, particularly cross-site request forgery (CSRF). This cyber attack exploits WordPress security vulnerabilities to trick users into submitting unwanted requests, from changing users’ login details to deleting user accounts.
Here’s an example of a URL generated by WordPress when a user wants to delete posts.
http://yourwebsite.com/wp-admin/post.php?post=123&action=trash
If you execute this URL, WordPress will check its authentication cookie to verify the deletion request for the “123” post.
The problem is that a CSRF attack can easily disguise this request link as something else. When a user clicks on it, the browser will attach the authentication cookie and make it look like a valid request. As a result, the WordPress site will execute the rogue HTTP request, jeopardizing the site’s content.
Nonces prevent CSRF attacks by adding an extra layer of protection to the URL. Here’s an example of a URL generated by a WordPress website with a nonce verification.
http://yourwebsite.com/wp-admin/post.php?post=123&action=trash&_wpnonce=b192fc4204
If you try to go to that URL without having the correct nonce generated by WordPress, you will see a 403 Forbidden accompanied with the “Are you sure you want to do this?” error message.
Keep in mind that WordPress nonces, unlike true nonces, can be used more than once as long as they’re still valid. WordPress nonces are also specifically generated for every session, meaning their value will no longer be valid once a user logs in or out of the page.
How to Create a Nonce in WordPress
Creating nonces in WordPress requires adding the code to the functions.php file. You can edit the file using your hosting provider’s File Manager. Alternatively, use an FTP client like FileZilla to make the modifications.
To create a nonce for an URL, call the wp_nonce_url() function. Specify the bare URL and the string representing a nonce action inside the brackets. Here’s an example of a nonce for deleting a user account.
$nonce = wp_nonce_url( $bare_url, ’delete-user_’.$user->ID );
You can add a nonce to a form by calling the wp_nonce_field() function while specifying the string for its user action. The function creates two hidden fields by default ‒ the first hidden field contains the nonce value while the second holds the current URL. Here’s an example of a nonce for deleting a comment.
$nonce= wp_nonce_field( 'delete-comment_'.$comment_id );
To add nonces in other contexts, use the wp_create_nonce() function. Like with the previous functions, don’t forget to specify the string representing a particular action.
$nonce = wp_create_nonce( 'my-action_'.$post->ID );
The default lifespan of a nonce is 24 hours. Use the nonce_life filter to modify the nonce lifetime in seconds.
$nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS );
How to Verify a Nonce in WordPress
You can call for WordPress checks on nonces embedded in URLs, forms, AJAX requests, or other contexts. WordPress will terminate the script execution and send back the 403 Forbidden response if the check fails.
Use the check_admin_referer() function for verifying nonces passed from a form in an admin screen. Specify the nonce field name for maximum protection, particularly if you don’t use the default _wpnonce field name.
Here’s a quick example of a nonce verifying a request to delete a comment.
check_admin_referer( 'delete-comment_'.$comment_id );
To verify a nonce passed in an AJAX request, call the check_ajax_referer() function and specify the string representing the action.
check_ajax_referer( 'process-comment' );
To call for nonce checks in another context, use the wp_verify_nonce() function and specify the string for a user action.
wp_verify_nonce( $_REQUEST['my_nonce'], 'process-comment'.$comment_id );
Important! Never share a nonce with other users for security reasons. Remember that WordPress nonces can be used multiple times for authentication and authorization as long as they’re still valid.
Conclusion
WordPress nonces protect sites from malicious users seeking to execute unauthorized user actions. In short, nonces work by embedding a query string to URLs and forms in admin screens, ensuring that the requests are valid and come from a legitimate user.
Nonces may help protect WordPress sites from CSRF attacks. However, other types of attacks require different security measures. We recommend implementing the best WordPress security practices into your site for maximum protection.
We hope this article answers your questions about WordPress nonces. Good luck!