◦ Comprehensive security
◦ 24/7 support
WordPress Guide → Security → Nonce
WordPress nonce: What they are and how to use them
Nonces are an important security feature in WordPress that help prevent various types of attacks, such as cross-site request forgery (CSRF). While the term “nonce” might sound technical, understanding how it works and when to use it can help keep your WordPress site secure.
Get fast, reliable hosting for WordPress
Power your site with the industry’s fastest, most optimized WordPress hosting
What is a nonce?
A nonce (“number used once”) is a unique token generated by WordPress to validate user requests. Nonces act as a security measure to ensure that certain actions, like form submissions or AJAX requests, originate from authorized sources. Unlike traditional encryption methods, nonces don’t make data unreadable; they simply verify that a request is legitimate.
How nonces protect a website
Nonces prevent unauthorized actions by ensuring that each request originates from a valid session. If an attacker attempts to trick a user into performing an unintended action—such as changing a site setting or deleting a post—WordPress checks for a valid nonce before processing the request. If the nonce is missing or invalid, the action is blocked.
Use of nonces in WordPress
WordPress integrates nonces into various features automatically. For example, nonces are embedded in URLs, forms, and AJAX calls to verify user actions.
Many built-in WordPress functions, such as wp_nonce_field() and wp_nonce_url(), generate and validate nonces without requiring manual intervention from developers. This ensures that essential WordPress actions, like deleting posts or approving comments, are protected against CSRF attacks.
When to create and use a WordPress nonce
There are several scenarios where developers need to create and use nonces manually:
1. For forms: Add a nonce field using wp_nonce_field().
Example: wp_nonce_field(‘my_action’, ‘my_nonce’);
This generates a hidden field in your form containing the nonce value.
2. For URLs: Append a nonce to a URL using wp_nonce_url().
Example: $url = wp_nonce_url(‘admin.php?page=my_plugin’, ‘my_action’);
This ensures the URL includes a nonce to validate user actions.
3. For AJAX requests: Generate a nonce using wp_create_nonce() and pass it with the request.
Example: $nonce = wp_create_nonce(‘my_ajax_action’);
This can be included as a data attribute in JavaScript for AJAX security.
How to verify a WordPress nonce
Once a nonce is generated and included in a request, it must be verified before processing the action. Use these functions for validation:
1. For forms: Verify the nonce in the form submission handler.
if (!isset($_POST[‘my_nonce’]) || !wp_verify_nonce($_POST[‘my_nonce’], ‘my_action’)) {
die(‘Invalid nonce.’);
}
This prevents unauthorized form submissions.
2. For URLs: Check the nonce before executing an action.
if (!isset($_GET[‘_wpnonce’]) || !wp_verify_nonce($_GET[‘_wpnonce’], ‘my_action’)) {
wp_die(‘Invalid request.’);
}
This ensures only authorized users can trigger URL-based actions.
3. For AJAX requests: Validate the nonce before processing the request in the handler function.
check_ajax_referer(‘my_ajax_action’, ‘security’);
This verifies that the request comes from a legitimate source before executing it.
Additional resources
Comprehensive guide to securing WordPress with ModSecurity
→
This guide provides a comprehensive overview of how to use ModSecurity to enhance the security of your WordPress site.
WordPress security basics: What is an SQL injection attack? →
Learn how to prevent and protect your WordPress site from SQL injection attacks.
Why security matters for WordPress enterprise hosting
→
Use the blog as your guide to attacks to watch out for, security best practices, and steps to improve the WordPress protection you already have.