WordPress Plugin Security: Nonces

Any form submission or request handled by a WordPress plugin is a potential source of risk. Before acting on it, we need to be sure that the request was made deliberately by a logged-in user who has the necessary capabilities, and not triggered on that user's behalf by a third-party page (cross-site request forgery, CSRF).

A nonce is in principle a "number used once": a token that is generated for a specific user and a specific action, embedded in a link or form, and checked again when the request comes back, to verify the origin and intent of the request. WordPress nonces are not strictly single-use, however. They are keyed hashes of the action name, the current user ID, the user's session token and a time "tick", and they stay valid for up to 24 hours by default (two 12-hour ticks; the lifetime is adjustable with the nonce_life filter). So a WordPress nonce proves that the request was built by our own site for this user, which defeats CSRF, but it does not provide replay protection, and it is not an authorization check: the capability check (current_user_can()) must still be done separately.

An example risk scenario is a spammer who leaves a comment and then crafts a link that, when followed, approves that comment. If the site owner, who has the authority to approve comments, is tricked into clicking the link while logged in, the approval goes through with the owner's privileges. With a nonce embedded in the legitimate approval link, the spammer cannot build a working URL, because the nonce value is derived from the owner's session and the specific action; the nonce check confirms that the owner really intended the action.

To use a nonce, it first has to be created and embedded into the relevant link or form field. wp_create_nonce( $action ) returns the raw token; the helpers wp_nonce_url( $url, $action ) and wp_nonce_field( $action ) embed it into a URL or a form as the _wpnonce parameter. The $action string should be specific to the operation (and, where it applies, to the object it acts on, such as an item ID) so that a nonce issued for one action cannot be reused for another.

When the request comes back, the embedded nonce is checked with wp_verify_nonce( $nonce, $action ). It returns 1 if the nonce was generated in the last 12 hours, 2 if it is between 12 and 24 hours old, and false if it is invalid; the return value must be tested with ! rather than compared to true. Convenience wrappers check_admin_referer( $action ) and check_ajax_referer( $action ) do the verification and stop execution with wp_die() on failure.
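The following is an added example, written for this page and not taken from the Plugin Handbook, that puts the two halves together: a form and a link that carry a nonce bound to a specific item, and a request handler that verifies the nonce and then the capability. The plugin prefix ne_, the action name ne_approve_item, the nonce field name ne_nonce, the capability moderate_comments and the helper ne_approve_item() are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Nonce Example
 * Added example for this article; ne_* names are hypothetical.
 */

const NE_ACTION     = 'ne_approve_item';     // assumed action name
const NE_CAPABILITY = 'moderate_comments';   // assumed required capability

// Bind the nonce to both the action and the item it acts on, so a nonce
// issued for item 7 cannot be replayed against item 8.
function ne_nonce_action( $item_id ) {
    return NE_ACTION . '_' . (int) $item_id;
}

// Form variant: wp_nonce_field() prints a hidden input (here named
// ne_nonce) plus the referer field.
function ne_render_form( $item_id ) {
    $item_id = (int) $item_id;
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( NE_ACTION ); ?>">
        <input type="hidden" name="item_id" value="<?php echo esc_attr( $item_id ); ?>">
        <?php wp_nonce_field( ne_nonce_action( $item_id ), 'ne_nonce' ); ?>
        <button type="submit">Approve</button>
    </form>
    <?php
}

// Link variant: wp_nonce_url() appends ne_nonce=<token> to the URL.
function ne_approve_link( $item_id ) {
    $item_id = (int) $item_id;
    $url     = add_query_arg(
        array( 'action' => NE_ACTION, 'item_id' => $item_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, ne_nonce_action( $item_id ), 'ne_nonce' );
}

// Handler for both variants. Order matters: the nonce proves the request
// came from our own page for this user (anti-CSRF); the capability check
// proves the user may perform the action. Neither replaces the other.
function ne_handle_request() {
    $item_id = isset( $_REQUEST['item_id'] ) ? (int) $_REQUEST['item_id'] : 0;
    $nonce   = isset( $_REQUEST['ne_nonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['ne_nonce'] ) )
        : '';

    // wp_verify_nonce() returns 1, 2 or false; only false is a failure.
    if ( ! wp_verify_nonce( $nonce, ne_nonce_action( $item_id ) ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }

    if ( ! current_user_can( NE_CAPABILITY ) ) {
        wp_die( 'You are not allowed to do this.', 'Forbidden', array( 'response' => 403 ) );
    }

    // ne_approve_item() is a hypothetical function that performs the real work.
    ne_approve_item( $item_id );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
add_action( 'admin_post_' . NE_ACTION, 'ne_handle_request' );
```

The handler is registered on the admin_post_{action} hook, which only fires for logged-in users; for requests that may come from logged-out visitors use admin_post_nopriv_{action} instead and remember that nonces for user 0 are tied to a cookie-based session token rather than a user account. Because the token is valid for up to 24 hours and can be submitted more than once in that window, anything that must be truly single-use (such as a password reset) needs its own server-side state in addition to the nonce.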


WordPress Plugin Handbook: Nonces