WordPress comes with many useful features and those features might be hidden from you. So, nonces are one of the useful feature provided by WordPress. Nonce is kind of security token which allows to protect the site from certain misuses and improves WordPress Security.
What is Nonce in WordPress
Nonces are mostly not used in the frontend but widely used in the admin section of the WordPress. In this article, I am going to share the usage of nonce with an example, also with the logic of creating and working with the nonces.
Nonce stands for Number Used Once. Nonce is one kind of encryption with a combination of certain numbers or hash which is used only once to authenticate the systems from the attacks. Nonce is specially generated for a particular user and actions and will be maintained until life cycle completes. The best thing of Nonces are the token will be changed in every 12 hours.
Let’s understand the nonce with the example. Consider the WordPress admin page which displays a link to delete the ID 1 entry of post. You can check that the nonce is at the end of the address.
1 2 3 |
If someone get the URL and tries to change the URL to delete the entry with the ID 2, the number of a nonce is invalid and attempt to delete another record is not successful.
1 2 3 | http://yourdomain.com/wp-admin/post.php?post=2&action=trash&_wpnonce=2434dfd3423 |
If wrong none will pass in the URL, WordPress will redirect user to the 403 Forbidden page with the error message “Are you sure you want to do this?”.
How to create a number nonce?
To create nonce as an argument to a URL or in a hidden field of the form in the WordPress, there are some basic functions and work to do.Nonce is used in AJAX request are added to the hidden field and access JavaScript. Nonce is unique for the current user session so if you enter or exit asynchronously, nonce on the page will be invalid.
How to Generate nonce?
To generate the nonce, you need ey and salt unique in the WordPress where there are constants NONCE_KEY and NONCE_SALT, so you need to declare those constants in the wp-config.php file.
To generate unique secret constants, you can use the WordPress API to create a private key from here. You just need to replace constants in wp-config.php file with the new one. Also, after you change the constants, all existing users of the WordPress needs to login again.
WordPress system does not store the generated nonce to the database so i is just temporary for every action.
How to use Nonce as a URL argument?
WordPress provides a function wp_nonce_url() function to add a nonce to the URL, where you must pass the URL and a line indicating an action.
Let’s understand the wp_nonce_url function with the example:
1 2 3 | $url = wp_nonce_url ($url, 'trash-post_'. $post-> ID); |
Aboce example contains url and the name of the action with the post ID. It is necessory to pass the action for maximum security. wp_nonce_url () function by default adds to the argument named _wpnonce. You can also change the argument name with a different value when you call the function, passing the third argument.
Let’s see the function again and how you can pass the argument:
1 2 3 | $url_with_wp_nonce = wp_nonce_url($url, 'trash-post_'. $post-> ID, 'wpcrd_nonce'); |
Now, the argument will be called with the wpcrd_nonce.
How to use nonce with a hidden field?
To retrieve or displays the nonce as the hidden form field, wp_nonce_field() function is used. By default, the function displays two hidden fields. The first contains secret number nonce and the second field will have the current URL (referrer).
Let’s see how the function works with the example:
1 2 3 | wp_nonce_field ('delete-comment_'. $comment_id); |
With such a call in the form of hidden fields would display the following:
1 2 3 4 | <input type = "hidden" id = "_ wpnonce" name = "_ wpnonce" value = "a0e6sdfs95" /> |
In addition, you can also use the different name for the field nonce and specify that the result must be returned and not output.
How to create the nonce in WordPress?
This is the non-standard use of the nonce in WordPress. To create a nonce for use in other cases, you can use the wp_create_nonce() function by passing as an argument to the line describing the action.
Let’s understand the example:
1 2 3 | $nonce = wp_create_nonce ('my-action_'. $post-> ID); |
In the above code, wp_create_nonce function is used to create nonce and $nonce variable will have the unique key or nonce.
How to validate nonce?
Now let’s see the function which will be used to check the validity of the nonce in WordPress. WordPress provides the check_admin_referer() function to check the nonce transmitted through the URL or by form of admin panel.
1 2 3 | check_admin_referer ('delete-comment_'. $comment_id); |
The above function will check the nonce and the referrer field and if the nonce is not valid, it will return the 403 response with the error message.
if your nonce is different then the default, you must pass the second argument in the above function:
1 2 3 | check_admin_referer ('delete-comment_'. $comment_id, 'wpcrd_nonce'); |
This function will only works in the admin panel of WordPress and will not work for front section of the site. If you want to validate the code on the front section, you need to use wp_verify_nonce() function.
How to use the nonce with Ajax?
To check the nonce received through AJAX request, check_ajax_referer() function will be used.
Example:
1 2 3 | check_ajax_referer ('process-comment_'. $comment_id); |
The check_ajax_referer() is a great function which will check the nonce and if nonce is valid, complete the execution of the code else generate the error.
How to verify nonce generate with other methods?
WordPress also provide the methods to validate nonce which was produced by other methods including the frontend and backend.
wp_verify_nonce() function will be used to validate the such nonce. This function accepts the two arguments. The first argument contains the value of the received nonce code and second will be the name of the action
Let’s understand the method:
1 2 3 | wp_verify_nonce ($_REQUEST ['my_nonce'], 'process-comment'. $comment_id); |
Events and Filters to change the nonce in WordPress
Let’s understand how to change the WordPress nonce as per requiremtn in WordPress. You can change the nonce using the different events and filters provided by WordPress.
Let me take the example for explanation, To change the validation logic of Ajax request, you can write your own function in the WordPress file.
By default, the validity period for the nonce in WordPress is is one day. After that, the nonce is not valid, even if the name of the action is the same.
How to change the expire time of nonce?
You can use the nonce_life filter to change the expiration time of the nonce. You need to pass the time in seconds.
Let me show the code below which specifies the duration of 4 hours:
1 2 3 4 5 |
Conclusion:
Nonces are very simple to use and also allows you to add a layer of protection to your content in WordPress.If you are developing your own logic for theme or plugins for WordPress, don’t forget to use the nonce as it is useful for your site vulnerability. If you have any queries about the nonce in WordPress, leave a comment.
