Using nonces to improve security when programming a WordPress plugin

Introduction:

In WordPress plugin development, a key security measure to protect your site against malicious attacks, such as Cross-Site Request Forgery (CSRF), is the use of “nonces.” Nonces, an acronym for “Numbers Used Once,” ensure that a specific action originates from an authentic and trusted source, and prevent duplicate or malicious requests. In this tutorial, I will guide you through the process of using nonces in WordPress plugin development.

settings android tab
Photo by Pixabay on Pexels.com

Creating Nonces in WordPress:

  1. Creating a nonce:

To create a nonce in WordPress, the function `wp_create_nonce()` is commonly used. This function requires a string as an argument, which is used to generate the nonce:

`$nonce = wp_create_nonce( 'my_action' );`;

In this example, ‘my_action’ is a unique identifier for the action you are protecting, and the generated nonce is assigned to the variable `$nonce`.

  1. Attaching the nonce to a form:

After generating the nonce, you can attach it to a form using a hidden field. This way, when the form is submitted, the nonce will be sent along with it:

`echo '';`;

In this example, the nonce is inserted into a hidden form field named ‘my_nonce’.

  1. Creating a nonce form field:

Additionally, WordPress provides a function `wp_nonce_field()` to simplify the creation of nonce form fields:

`wp_nonce_field( 'my_action', 'my_nonce', true, true );`;

In this case, ‘my_action’ is the action being protected, and ‘my_nonce’ is the name of the nonce form field. The final two boolean arguments indicate that a referer field should be included and that the form field should be displayed directly.

Verifying Nonces in WordPress:

Once the form has been submitted and the nonce has been received, you must verify it to ensure it is valid.

  1. Retrieving the nonce:

You can retrieve the submitted nonce via the superglobal `$_POST`:

`$nonce = $_POST['my_nonce'];`;

Here, the nonce is retrieved from the ‘my_nonce’ form field.

  1. Verifying the nonce:

To verify the validity of the nonce, you can use the function `wp_verify_nonce()`. This function requires two arguments: the nonce being verified and the unique identifier of the action for which the nonce was created:

`if ( ! wp_verify_nonce( $nonce, 'my_action' ) ) {

If the nonce verification fails, script execution stops and an error message is displayed.

Conclusion:

Proper use of nonces in WordPress is essential for protecting your site against malicious requests. By using nonces in your WordPress plugin, you can ensure that all actions originate from a trusted source and are used only once, thereby reinforcing your site's overall security. Always remember to test your nonces in a development environment before deploying them to your production site.

Do you need help with a web project?

Do you need help with a web project? Don't hesitate to contact me. I develop complete and customized solutions with WordPress and PHP, using modern tools and processes, HTML, CSS, SCSS, PHP, JavaScript, Bootstrap, and more. Ready? Send me a message and let's talk about your web project!