Introduction:
In WordPress plugin development, a key security measure to protect your site against malicious attacks, such as Cross-Site Request Forgery (CSRF), is the use of “nonces.” Nonces, an acronym for “Numbers Used Once,” ensure that a specific action originates from an authentic and trusted source, and prevent duplicate or malicious requests. In this tutorial, I will guide you through the process of using nonces in WordPress plugin development.

Creating Nonces in WordPress:
- Creating a nonce:
To create a nonce in WordPress, the function `wp_create_nonce()` is commonly used. This function requires a string as an argument, which is used to generate the nonce:
`$nonce = wp_create_nonce( 'my_action' );`;
In this example, ‘my_action’ is a unique identifier for the action you are protecting, and the generated nonce is assigned to the variable `$nonce`.
- Attaching the nonce to a form:
After generating the nonce, you can attach it to a form using a hidden field. This way, when the form is submitted, the nonce will be sent along with it:
`echo '';`;
In this example, the nonce is inserted into a hidden form field named ‘my_nonce’.
- Creating a nonce form field:
Additionally, WordPress provides a function `wp_nonce_field()` to simplify the creation of nonce form fields:
`wp_nonce_field( 'my_action', 'my_nonce', true, true );`;
In this case, ‘my_action’ is the action being protected, and ‘my_nonce’ is the name of the nonce form field. The final two boolean arguments indicate that a referer field should be included and that the form field should be displayed directly.
Verifying Nonces in WordPress:
Once the form has been submitted and the nonce has been received, you must verify it to ensure it is valid.
- Retrieving the nonce:
You can retrieve the submitted nonce via the superglobal `$_POST`:
`$nonce = $_POST['my_nonce'];`;
Here, the nonce is retrieved from the ‘my_nonce’ form field.
- Verifying the nonce:
To verify the validity of the nonce, you can use the function `wp_verify_nonce()`. This function requires two arguments: the nonce being verified and the unique identifier of the action for which the nonce was created:
`if ( ! wp_verify_nonce( $nonce, 'my_action' ) ) {
If the nonce verification fails, script execution stops and an error message is displayed.
Conclusion:
Proper use of nonces in WordPress is essential for protecting your site against malicious requests. By using nonces in your WordPress plugin, you can ensure that all actions originate from a trusted source and are used only once, thereby reinforcing your site's overall security. Always remember to test your nonces in a development environment before deploying them to your production site.
Do you need help with a web project?
Do you need help with a web project? Don't hesitate to contact me. I develop complete and customized solutions with WordPress and PHP, using modern tools and processes, HTML, CSS, SCSS, PHP, JavaScript, Bootstrap, and more. Ready? Send me a message and let's talk about your web project!
