About WordPress Nonces

Last modified: June 17, 2020
You are here:
Estimated reading time: 3 min

The main objective of the WordPress nonces is to protect the website URLS from malicious or any other malpractices. This is actually a combination of numbers and letters which is not easy to understand. However, the WordPress nonces has a limited time of validity, after which it expires. As soon as the nonce expires it will generate for a given user in a given circumstance. Once the nonce are assigned for a particular user it won’t change until the life cycle of the nonce is completed. The WordPress nonces provides protection against various types of attacks such as Cross-site request forgery, also known as one-click attack or session riding. The nonces are not well known for the replay attacks because of the fact that it is not used for one-time use. The functions can be protected using current_user_can(). The nonces cannot be dependent upon authentication or authorization, access control.

Example of using WordPress nonce:

http://example.com/wp-admin/post.php?post=789&action=trash&_wpnonce=c654cg4924

Any attempt to modify the URL will cause the nonce to be invalid and attempts to fail

http://example.com/wp-admin/post.php?post=256&action=trash&_wpnonce=f789nm6478

In case of invalid nonce “403 Forbidden” response to the browser, with the error message: “Are you sure you want to do this?”

 

Creating a nonce

There are various methods to create nonce such as adding the query string to the URL or can be added in a filed which is hidden.  Nonces which use AJAX request usually add the nonces to the hidden field and then JavaScript code can be easily fetched. It is to be noted that the each nonces are different for each user, so in case if a user logs in and out asynchronously the existing nonce on the page will not be valid.

 

Adding a nonce to a URL

Nonce can be added to a URL by calling wp_nonce_url() where you should specify the bare URL also specifying the string indicating the action.

$complete_url = wp_nonce_url( $bare_url, ‘trash-post_’.$post->ID );

Protection level can be maximum when we specifically write down the string indicating the action. A default field name wpnonce is added by the wpnonce_url() function. Here we can specify any name in the function call. For example:

$complete_url = wp_nonce_url( $bare_url, ‘trash-post_’.$post->ID, ‘our_nonce’ );

 

Adding a nonce to a form

Adding a nonce to a form is done by calling wp_nonce_field() which specify the string which indicates action. There are two hidden fields generated by wp_nonce_field() and they are:

1) Generated hidden value will be the nonce.

2) Generated hidden value is the present URL (the referrer) and it will display the result. For example:

wp_nonce_field( ‘delete-comment_’.$comment_id );

Which might display like:

<input type=”hidden” id=”_wpnonce” name=”_wpnonce” value=”895b4455q1″ />

<input type=”hidden” name=”_wp_http_referer” value=”/wp-admin/add-comments.php” />

It is to be noted that the string indicating the action must be specific. The user has the following privileges:

1) Can enter a different name for the nonce field.

2) Can set the option that you don’t want a referrer field.

3) Can set the options to return the results and not displayed.

 

Creating a nonce for use in some other way

Another method used to create a nonce is to call wp_create_nonce() providing a string indicating the action. For example:

$nonce = wp_create_nonce( ‘my-action_’.$post->ID );

Which will return the nonce, for example: 387b484257. It is to be noted that string indicating the action must be provided.

 

Verifying a nonce

There is a provision to check a nonce such as:

1) Which was passed in a URL or in a form in an admin screen or

2) In an AJAX request

3) In any other scenario.

 

Verifying a nonce passed from an admin screen

It is possible to check the nonce which was passed in a URL or in a form in an admin screen by calling check_admin_referer() which defines the string indicating the action. For example:

check_admin_referer( ‘add-comment_’.$comment_id );

In this the nonce and referrer are checked and if it fails the normal actions will be proceeded, that is terminating script execution with a “403 Forbidden” response and an error message. You should specify the field name while creating the nonce, for example:

check_admin_referer( ‘add-comment_’.$comment_id, ‘my_nonce’ );

 

Verifying a nonce passed in an AJAX request

Nonce which was passed can be verified in an AJAX request by calling check_ajax_referer() which define the string indicating the action. For example:

check_ajax_referer( ‘run-comment’ );

This will check the nonce (not the referrer) and if any fail occurs then it will terminate execution of the script by default. It is to be noted that while creating the nonce either one of the default field names must be used (_wpnonce or _ajax_nonce) or additional parameters can be used to execute other actions instead of terminating the execution.

 

Verifying a nonce passed in some other scenario

It is possible to verify the nonce which was passed in any other context by calling wp_verify_nonce() defining the nonce and the string indicating the action. For example:

wp_verify_nonce( $_REQUEST[‘my_nonce’], ‘run-comment’.$comment_id );

 

If you need any further assistance please contact our support department.

 

 

Was this article helpful?
Dislike 0
Views: 7