{"id":107625,"date":"2020-06-30T12:58:33","date_gmt":"2020-06-30T17:58:33","guid":{"rendered":"https:\/\/wpengine.com\/?post_type=resource&#038;p=107625"},"modified":"2023-10-31T14:39:49","modified_gmt":"2023-10-31T19:39:49","slug":"using-nonces-in-wordpress","status":"publish","type":"resource","link":"https:\/\/wpengine.com\/case-studies\/resources\/using-nonces-in-wordpress\/","title":{"rendered":"Guide to Nonces in WordPress"},"content":{"rendered":"\n<p><a href=\"https:\/\/wpengine.com\/blog\/11-top-wordpress-security-concerns-how-wp-engine-takes-care-of-them-for-you\/?\" target=\"_blank\" rel=\"noreferrer noopener\">Security<\/a> is a vital topic for all website owners. While there are many strategies for keeping your website safe, using nonces in WordPress should not be overlooked. This is one of the most widely-used security features, and prevents a range of potential issues.&nbsp;<\/p>\n\n\n\n<p>A nonce is a &#8220;number used once,&#8221; and it protects forms and URLs from malicious individuals and other misuses. These numbers work as identification values users\u2019 browsers will have to show, in order to get permission to carry out sensitive actions.<\/p>\n\n\n\n<p>In this article, we\u2019ll look at <a href=\"https:\/\/developer.wordpress.org\/news\/2023\/08\/understand-and-use-wordpress-nonces-properly\/\" target=\"_blank\" rel=\"noreferrer noopener\">how nonces work in WordPress<\/a> and how to create them. We\u2019ll then discuss how to verify a nonce in WordPress. Let\u2019s get started!<\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">How Do Nonces Work in WordPress?<\/h2>\n\n\n\n<p>The primary purpose of a nonce is to protect your WordPress website from malicious attacks, such as <a href=\"https:\/\/wpengine.com\/support\/ges\/#Managed_Web_Application_Firewall_WAF\" target=\"_blank\" rel=\"noreferrer noopener\">Cross-Site Request Forgeries (CSRFs)<\/a>. 
This type of attack tricks users into submitting a form or clicking on a link that is harmful to your website. To protect your site, WordPress checks the nonce value, and only allows the action to complete if that value is correct.<\/p>\n\n\n\n<p>Nonces are already a part of WordPress\u2019 functionality and you don\u2019t need to add them to WordPress-generated elements. This means that key actions such as adding and editing posts are automatically protected.<\/p>\n\n\n\n<p>When a nonce is used, it has a default lifespan of 24 hours. After that time, the nonce can no longer be used to verify the action it has been defined for. However, this lifespan can be adjusted by website administrators.&nbsp;<\/p>\n\n\n\n<p>One of the most common CSRF attacks that nonces protect against is the malicious deletion of user accounts. After implementing a nonce, your admin screen will generate a URL for the account deletion. WordPress will add a nonce to the end of that URL, which will look something like this:<\/p>\n\n\n\n<p><a href=\"http:\/\/yourdomain.com\/wp-admin\/users.php?user=7&amp;action=delete&amp;_wpnonce=c214gd5315\"><em>http:\/\/yourdomain.com\/wp-admin\/users.php?user=7&amp;action=delete&amp;_wpnonce=c214gd5315<\/em><\/a><\/p>\n\n\n\n<p>If an attacker tries to replace the user ID with another value, such as \u201cuser=8,\u201d the nonce will be invalid. The deletion of the account will fail, and a <a href=\"https:\/\/wpengine.com\/support\/file-permissions\/\" target=\"_blank\" rel=\"noreferrer noopener\">403 Forbidden<\/a> error page will display. This makes it much harder for malicious individuals to attack your site\u2019s content.\u00a0<\/p>\n\n\n\n<p>Knowing that nonces can protect your website is important, but you also need to understand how to implement them. 
While they\u2019re active for default WordPress features already, you may need to implement them manually for your themes and plugins.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Creating a Nonce in WordPress<\/h2>\n\n\n\n<p>To create a nonce, you\u2019ll need to add a function to your website\u2019s code. All nonce creation code is placed in <a href=\"https:\/\/codex.wordpress.org\/Functions_File_Explained\" target=\"_blank\" rel=\"noreferrer noopener\">the <em>functions.php<\/em> file<\/a>. To open this file, navigate to <em>Appearance<\/em> &gt; <em>Theme Editor<\/em> in your WordPress dashboard. To the right, click on <em>functions.php<\/em> to open the file editor.&nbsp;<\/p>\n\n\n\n<p>Nonces are implemented separately for URLs, forms, and actions. To create an action nonce, add the <a href=\"https:\/\/developer.wordpress.org\/themes\/theme-security\/using-nonces\/#creating-a-nonce\" target=\"_blank\" rel=\"noreferrer noopener\">following code<\/a> to this file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ $action is a string naming the operation the nonce protects.\n$nonce = wp_create_nonce( $action );<\/code><\/pre>\n\n\n\n<p>The \u201c$action\u201d section of the code should be adjusted to reflect the action you want the nonce to verify. An example would be to use the action \u201cdelete-post,\u201d which sets up the nonce to verify users who attempt to delete posts.\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/developer.wordpress.org\/reference\/functions\/wp_nonce_url\/\" target=\"_blank\" rel=\"noreferrer noopener\">To create a nonce for a URL, you can use the following code<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Appends the nonce as a query argument to $bare_url.\n$nonce = wp_nonce_url( $bare_url, $action );<\/code><\/pre>\n\n\n\n<p>Within the brackets, you\u2019ll need to state the <a href=\"https:\/\/www.php.net\/manual\/en\/functions.arguments.php\" target=\"_blank\" rel=\"noreferrer noopener\">arguments of the function<\/a>. This is the bare URL and the string for the user actions. 
The string should be specific to a single user, in order to improve the security of the nonce.<\/p>\n\n\n\n<p><a href=\"https:\/\/developer.wordpress.org\/reference\/functions\/wp_nonce_url\/\" target=\"_blank\" rel=\"noreferrer noopener\">If you want to create a nonce for deleting a user account, you can use this snippet<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ The action string is tied to the specific user ID being deleted.\n$nonce = wp_nonce_url( $bare_url, 'delete-user_' . $user-&gt;ID );<\/code><\/pre>\n\n\n\n<p>WordPress will default the name of the nonce to \u201c_wpnonce\u201d but you can update this by adding your chosen name as a further argument at the end of the above call.\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/developer.wordpress.org\/reference\/functions\/wp_nonce_field\/\" target=\"_blank\" rel=\"noreferrer noopener\">To create a WordPress nonce for a form, include this code<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Outputs hidden form fields for the nonce and the referer.\n$nonce = wp_nonce_field( $action );<\/code><\/pre>\n\n\n\n<p>In the brackets, you\u2019ll need to add a string for the user actions. Once done, the function creates two hidden fields in the form, with the first holding the nonce hash value. The second field is the current URL. The final function should look something like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ The action string is tied to the specific comment being removed.\n$nonce = wp_nonce_field( 'remove-comment_' . $comment_id );<\/code><\/pre>\n\n\n\n<p>This nonce function will also have the default WordPress nonce name. However, this is also something you can modify if you prefer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Verifying a Nonce in WordPress<\/h2>\n\n\n\n<p>After adding a nonce to your WordPress website, it is important that you verify it. This ensures that the nonce is working correctly and keeping your website secure.<\/p>\n\n\n\n<p>Different methods are used to verify the nonce for URLs and forms. 
To verify a URL nonce, add the <a href=\"https:\/\/developer.wordpress.org\/reference\/functions\/wp_verify_nonce\/\" target=\"_blank\" rel=\"noreferrer noopener\">following code<\/a> to the <em>functions.php<\/em> file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wp_verify_nonce($nonce, $action);<\/code><\/pre>\n\n\n\n<p>In this function, adjust \u201c$nonce\u201d to the name of the nonce you want to verify, such as \u201cdelete-user.\u201d Then, change the string \u201c$action\u201d to the specific time the nonce is created. When the function runs, it will return \u201cfalse\u201d if the nonce is invalid.\u00a0<\/p>\n\n\n\n<p>If the nonce is valid, on the other hand, the function will return either a 1 or 2. This tells you the age of the nonce. A value equal to 1 means the nonce was created in the last 12 hours. A value equal to 2 means the nonce was created over 12 hours, but less than 24 hours ago.&nbsp;<\/p>\n\n\n\n<p>If you have added a nonce to a form, the <a href=\"https:\/\/developer.wordpress.org\/reference\/functions\/check_admin_referer\/\" target=\"_blank\" rel=\"noreferrer noopener\">following code<\/a> is required to verify it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>check_admin_referer($action, $nonce);<\/code><\/pre>\n\n\n\n<p>If the nonce value is valid, the form will function as intended. However, if the nonce is invalid, the user\u2019s browser will redirect them to a 403 Forbidden error page.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Build Secure Digital Experiences on WP Engine<\/h2>\n\n\n\n<p>Security is vital to a stable website, and WordPress nonces add an extra layer of protection. To implement them, all you need to do is add some code to your <em>functions.php<\/em> file. 
The code used varies depending on the type of nonce you want to create and the action you\u2019d like to protect.<\/p>\n\n\n\n<p>While creating and implementing nonces enhances site security, there are <a href=\"https:\/\/wpengine.com\/blog\/11-top-wordpress-security-concerns-how-wp-engine-takes-care-of-them-for-you\/?\" target=\"_blank\" rel=\"noreferrer noopener\">other security protocols<\/a> to consider as well.&nbsp; Fortunately, WP Engine&#8217;s <a href=\"https:\/\/wpengine.com\/secure-wordpress-hosting\/\" target=\"_blank\" rel=\"noreferrer noopener\">secure WordPress hosting<\/a> platform offers some of the best security resources for users and developers. This leaves you with more time to focus on <a href=\"https:\/\/developer.wordpress.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">perfecting your WordPress site<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security is a vital topic for all website owners. While there are many strategies for keeping your website safe, using nonces in WordPress should not be overlooked. This is one of the most widely-used security features, and prevents a range of potential issues.&nbsp; A nonce is a &#8220;number used once,&#8221; and it protects forms and<span class=\"tile__ellipses\">&hellip;<\/span><span class=\"tile__ellipses--animated\"><\/span><\/p>\n","protected":false},"author":1,"featured_media":107626,"template":"","resource-topic":[912,909],"resource-role":[896],"resource-type":[916],"class_list":["post-107625","resource","type-resource","status-publish","has-post-thumbnail","hentry"],"acf":[],"grid_image_url":"https:\/\/wpengine.com\/case-studies\/wp-content\/uploads\/2020\/06\/dev-grid.jpg","media-type":{"term_id":916,"name":"Article","slug":"article"},"role":"<strong>Roles:<\/strong> Developer","topic":"<strong>Topics:<\/strong> Performance, Security","_links":{"self":[{"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource\/107625","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/types\/resource"}],"author":[{"embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/users\/1"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/media\/107626"}],"wp:attachment":[{"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/media?parent=107625"}],"wp:term":[{"taxonomy":"resource-topic","embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource-topic?post=107625"},{"taxonomy":"resource-role","embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource-role?post=107625"},{"taxonomy":"resource-type","embeddable":true,"href":"https:\/\/wpengine.com\/case-studies\/wp-json\/wp\/v2\/resource-type?post=107625"}],"curies":[{"name":"wp","hr
ef":"https:\/\/api.w.org\/{rel}","templated":true}]}}