Detailed explanation of Nonce in WordPress

Nonce is the abbreviation of number used once. The nonce of WordPress is not a number, but a string of Hash composed of numbers and characters. The value can not only be used once, but also has a lifetime. During the lifetime, the same parameter will generate the same nonce value for each user until the end of the lifetime. In this article, we will introduce how to use Nonce to prevent CSRF attacks.

Create a Nonce

Nonce can be placed in the Url request or in the Hidden element of a Form, and then used through Javascript during the Ajax request Get him it. The life cycle of a Nonce is only in the current Session. If you log out and then log in again, the previous nonce will also be invalid.

Add nonce to URL

You can add a Nonce to Url through wp_nonce_url() method:

wp_nonce_url( $actionurl, $action, $name );
// 例如：
$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID );

where $bare_url (required Select) is the URL to which the nonce is to be added, and $action is the action name defined for the nonce, optional, and the default is -1.

By default, the name of the generated nonce in the link is _wpnonce. In order to avoid possible conflicts, after WordPress 3.6 version, wp_nonce_url added an optional $name parameter, which allows users to specify it themselves. The name of the nonce in the link. For example:

$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID, 'my_nonce' );

Add nonce to Form

You can add a hidden element to the form through the wp_nonce_field() method:

PHP

wp_nonce_field( $action, $name, $referer, $echo )
//例如 ：
wp_nonce_field( 'delete-comment_'.$comment_id );
wp_nonce_field( $action, $name, $referer, $echo )
//例如 ：
wp_nonce_field( 'delete-comment_'.$comment_id );

Call The above method will generate code similar to the following:

<input type="hidden" id="_wpnonce" name="_wpnonce" value="796c7766b1" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/edit-comments.php" />

Generate a separate nonce

If you just want to generate an independent nonce, you can pass wp_create_nonce() Method:

wp_create_nonce( $action );
// 例如：
$nonce = wp_create_nonce( 'my-action_'.$post->ID );

Similarly, $action is an optional parameter and the default is -1. The above method will return a result similar to "295a686963".

Verify the validity of the nonce

Verify the nonce in the form

In the Admin management interface, you can use the check_admin_referer method to Verify the validity of the Nonce in the Url:

check_admin_referer( $action, $query_arg );

The following is an example demonstrating how to use check_admin_referer to verify the nonce in the plug-in:

<form method="post">
   <!-- some inputs here -->
   <?php wp_nonce_field( &#39;name_of_my_action&#39;, &#39;name_of_nonce_field&#39; ); ?>
</form>

Verification method:

check_admin_referer( 'name_of_my_action', 'name_of_nonce_field' );

Verification Nonce in Ajax

If you want to check the validity of the nonce in the Ajax request, you can use the check_ajax_referer() method:

check_ajax_referer( $action, $query_arg, $die )

$die specifies whether to end script execution if $nonce is invalid . (Default is True)

A simple example of using check_ajax_referer:

<?php
//Set Your Nonce
$ajax_nonce = wp_create_nonce( "my-special-string" );
?>
 
<script type="text/javascript">
jQuery(document).ready(function($){
    var data = {
        action: 'my_action',
        security: '<?php echo $ajax_nonce; ?>',
        my_string: 'Hello World!'
    };
    $.post(ajaxurl, data, function(response) {
        alert("Response: " + response);
    });
});
</script>

Verify backwards through the following code:

add_action( 'wp_ajax_my_action', 'my_action_function' );
function my_action_function() {
    check_ajax_referer( 'my-special-string', 'security' );
    echo sanitize_text_field( $_POST['my_string'] );
    wp_die();
}

Verify the independently generated nonce

1
wp_verify_nonce( $nonce, $action );