Guide to Nonces in WordPress

Security is a vital topic for all website owners. While there are many strategies for keeping your website safe, using nonces in WordPress should not be overlooked. This is one of the most widely-used security features, and prevents a range of potential issues. 

A nonce is a ‘number used once’, and it protects forms and URLs from malicious individuals and other misuses. These numbers work as identification values users’ browsers will have to show, in order to get permission to carry out sensitive actions.

In this article, we’ll look at how nonces work in WordPress and how to create them. We’ll then discuss how to verify a nonce. Let’s get started!

How Do Nonces Work in WordPress?

The primary purpose of a nonce is to protect your WordPress website from malicious attacks, such as Cross-Site Request Forgeries (CSRFs). This type of attack tricks users into submitting a form or clicking on a link that is harmful to your website. To protect your site, WordPress checks the nonce value, and only allows the action to complete if that value is correct.

Nonces are already a part of WordPress’ functionality and you don’t need to add them to WordPress-generated elements. This means that key actions such as adding and editing posts are automatically protected.

When a nonce is used, it has a default lifespan of 24 hours. After that time, the nonce can no longer be used to verify the action it has been defined for. However, this lifespan can be adjusted by website administrators. 

One of the most common CSRF attacks that nonces protect against is the malicious deletion of user accounts. After implementing a nonce, your admin screen will generate a URL for the account deletion. WordPress will add a nonce to the end of that URL, which will look something like this:

If an attacker tries to replace the user ID with another value, such as “user=8”, the nonce will be invalid. The deletion of the account will fail, and a 403 Forbidden error page will display. This makes it much harder for malicious individuals to attack your site’s content. 

Knowing that nonces can protect your website is important, but you also need to understand how to implement them. While they’re active for default WordPress features already, you may need to implement them manually for your themes and plugins. 

Creating a Nonce

To create a nonce, you’ll need to add a function to your website’s code. All nonce creation codes are placed in the functions.php file. To open this file, navigate to Appearance > Theme Editor in your WordPress dashboard. To the right, click on functions.php to open the file editor. 

Nonces are implemented separately for URLs, forms, and actions. To create an action nonce, add the following code to this file:

$nonce= wp_create_nonce('$action'); 

The “$action” section of the code should be adjusted to reflect the action you want the nonce to verify. An example would be to use the action “delete-post”, which sets up the nonce to verify users who attempt to delete posts. 

To create a nonce for a URL, you can use the following code:

$nonce= wp_nonce_url();

Within the brackets, you’ll need to state the arguments of the function. This is the bare URL and the string for the user actions. The string should be specific to a single user, in order to improve the security of the nonce.

If you want to create a nonce for deleting a user account, you can use this snippet:

$nonce= wp_nonce_url($bare_url,’delete-user_’.$user->ID);

WordPress will default the name of the nonce to “_wpnonce”, but you can update this by adding your chosen name to the end of the above string. 

To create a nonce for a form, include this code:

$nonce= wp_nonce_field();

In the brackets, you’ll need to add a string for the user actions. Once done, the function creates two hidden fields in the form, with the first holding the nonce hash value. The second field is the current URL. The final function should look something like this:

$nonce= wp_nonce_field(‘remove-comment_’.$comment_id);

This nonce function will also have the default WordPress nonce name. However, this is also something you can modify if you prefer.

Verifying a Nonce

After adding a nonce to your WordPress website, it is important that you verify it. This ensures that the nonce is working correctly and keeping your website secure.

Different methods are used to verify the nonce for URLs and forms. To verify a URL nonce, add the following code to the functions.php file:

wp_verify_nonce($nonce, $action);

In this function, adjust “$nonce” to the name of the nonce you want to verify, such as “delete-user”. Then, change the string “$action” to the specific time the nonce is created. When the function runs, it will return “false” if the nonce is invalid. 

If the nonce is valid, on the other hand, the function will return either a 1 or 2. This tells you the age of the nonce. A value equal to 1 means the nonce was created in the last 12 hours. A value equal to 2 means the nonce was created over 12 hours, but less than 24 hours ago. 

If you have added a nonce to a form, the following code is required to verify it:

check_admin_referer($action, $nonce);

If the nonce value is valid, the form will function as intended. However, if the nonce is invalid, the user’s browser will redirect them to a 403 Forbidden error page. 

Build Secure Digital Experiences on WP Engine

Security is vital to a stable website, and nonces add an extra layer of protection. To implement them, all you need to do is add some code to your functions.php file. The code used varies depending on the type of nonce you want to create and the action you’d like to protect.

While creating and implementing nonces enhances site security, there are other security protocols to consider as well.  Fortunately, WP Engine offers some of the best security resources for users and developers. This leaves you with more time to focus on perfecting your WordPress site!

Get started.

Build faster, protect your brand, and grow your business with a WordPress platform built to power remarkable online experiences.