WordPress is an open-source content management system. Users and developers are free to view and modify its code. That customizability is one of the main reasons WordPress has become so popular.
Developers can create custom features, often in the form of plugins or themes, but they can also add custom code to WordPress itself. This ability to change the code is hugely useful, but it also carries risks. It’s easy to inadvertently introduce security vulnerabilities.
Fortunately, WordPress also comes with features that combat the security risks that come with hosting content on the modern web. WordPress nonces are one of these features. If you intend to write custom code for WordPress, you need to know about nonces, because they will help keep your users safe.
In this article, we’re going to take a closer look at WordPress nonces, how they help prevent one of the most prevalent attacks against WordPress sites, and how developers can implement nonces on pages and forms.
What Is a CSRF Attack?
Before we look at WordPress nonces, it’s useful to understand the sort of attacks that motivate their use. These are cross-site request forgery (CSRF) attacks. A CSRF attack aims to deceive a logged-in user into sending an authenticated request to a website without the user’s knowledge or consent.
For example, a user might be logged in to a WordPress site, and a CSRF attack would be used to trick their browser into sending a password reset request. Because the site believes the user to be authenticated, it would carry out the requested action.
How Do CSRF Attacks Work?
There are various ways an attacker might launch a CSRF attack, but the process typically goes as follows:
A user logs into their WordPress site, and the site sends the browser an authentication cookie. The cookie is sent back when the user carries out an action so that the site can be sure it’s a genuine request from an authenticated user.
An attacker creates a malicious web page into which they embed code with a forged request that targets the WordPress site the user is logged into.
The user is influenced to visit this malicious web page, often via a phishing attack.
When the page loads, the browser sends the forged request to the legitimate website. Because the user is still logged in, the browser includes the authentication cookie along with the forged request.
The website receives the request and the valid authentication cookie. It processes the request as if it were a legitimate action.
Cookies are an essential part of WordPress’s authentication and access system. But, as the example above shows, they are not sufficient to keep users safe.
What Is a WordPress Nonce?
A WordPress nonce adds an extra layer of security that makes it harder for bad actors to send forged requests that a WordPress site accepts as genuine. In WordPress, a nonce is a cryptographic hash, a string of letters and numbers that is, for practical purposes, unique to a particular action, user session, and time window.
WordPress generates a nonce when a user logs in to their account on a WordPress site and carries out an action that requires increased security. It embeds the new nonce in the HTML of the page or as a query parameter in the URL.
Then, when the user’s browser sends a request, the nonce value is included as part of the request data alongside the cookies. WordPress verifies that the user is authenticated with the cookies, but it also checks the validity of the nonce. It makes sure the nonce it receives is the same as the expected nonce for that action and user session.
Now, imagine if a bad actor attempted to forge a request. They might be able to get a user to visit a malicious site and run code. Any request that code makes will appear authentic because of the user’s session cookie. But the forged request could not have access to the genuine nonce, and so it will be rejected.
Nonces ensure that only requests carrying the correct session-specific and time-sensitive nonce are processed. They make CSRF attacks significantly harder. It’s worth noting that there are various other attacks that nonces don’t defend against, such as replay attacks, but they are sufficient to block a widely used attack against WordPress sites.
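To make the verification step concrete, here is an added example (not code from the article or from WordPress itself) of a small settings form written twice: once trusting the authentication cookie alone, and once with a nonce embedded by wp_nonce_field() and checked by wp_verify_nonce(). The handler names, the option being updated, the demo_ prefix and the field names are assumptions.

```php
<?php
// Added example (not from the article): a custom settings form before and after
// adding a nonce. Hook names, the option updated, field names and the demo_
// prefix are assumptions; the WordPress functions are the real ones.

// --- Vulnerable version: trusts the login cookie alone ----------------------
// Any page a logged-in admin visits can auto-submit a POST to admin-post.php
// with action=demo_save_tagline, and this handler will accept it.
function demo_save_tagline_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    update_option( 'blogdescription', sanitize_text_field( wp_unslash( $_POST['tagline'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened version: the cookie AND a nonce tied to this action and user --
function demo_render_tagline_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_tagline">
        <?php wp_nonce_field( 'demo_save_tagline', 'demo_nonce' ); // hidden nonce field + referer field ?>
        <input type="text" name="tagline" value="<?php echo esc_attr( get_option( 'blogdescription' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

function demo_save_tagline_hardened() {
    // Capability check: is this user allowed to change settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check: did this request come from the form WordPress rendered for
    // this user, within the nonce lifetime? A page on another origin cannot
    // read that value, so a forged request fails here and nothing is changed.
    $nonce = isset( $_POST['demo_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_save_tagline' ) ) {
        wp_die( 'Security check failed.', 'Invalid request', array( 'response' => 403 ) );
    }
    update_option( 'blogdescription', sanitize_text_field( wp_unslash( $_POST['tagline'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?settings-updated=true' ) );
    exit;
}
add_action( 'admin_post_demo_save_tagline', 'demo_save_tagline_hardened' );
```

Note that the nonce check sits alongside, not instead of, the capability check: the nonce proves the request originated from a page WordPress served to this user, while current_user_can() decides whether that user may perform the action at all.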
When Should WordPress Developers Use Nonces?
WordPress uses nonces for many sensitive actions throughout the admin interface. However, WordPress developers, plugin authors, theme builders, and anyone creating custom WordPress functionality must also use WordPress nonces in their own code.
The main use for WordPress nonces is to prevent unauthorized changes. You should use nonces to protect any custom form, link, or JavaScript request that performs an action like updating settings, deleting content, or submitting sensitive data.
From a developer’s perspective, nonces are essential to ensuring data integrity on your site. If you use nonces correctly, you can be confident that data modifications and deletions are initiated by authenticated and authorized users. Without nonces, there is a risk that the site’s content and configuration are modifiable by malicious actors.
Key WordPress Nonce Functions
WordPress includes a number of functions that make it easier for developers to generate and verify nonces. If you’re writing custom code, you should consult the official documentation for the full details of these functions and how to use them.
Here is a quick overview.
wp_nonce_url: Used to append a nonce as a query argument to a URL. You should use it when creating links or redirects that lead to sensitive actions, ensuring that the link includes a valid nonce for verification.
wp_nonce_field: Generates and echoes hidden form fields containing a nonce and, by default, a referrer URL. It should be used within HTML forms to embed a nonce, ensuring that submissions from the form can be verified for authenticity.
wp_create_nonce: Returns a raw nonce string for a given action without embedding it into a URL or form. Use this when you need a nonce for custom scenarios, such as in AJAX requests where the nonce needs to be passed via JavaScript.
wp_verify_nonce: Manually verifies a given nonce string against a specified action. It should be used when you receive a nonce from a custom source and need to programmatically check its validity.
check_admin_referer: Verifies both the nonce and the HTTP referrer. You should use this in your admin-side code to automatically check nonces and referrers for requests originating from the admin interface.
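The form example above covers wp_nonce_field() and wp_verify_nonce(). The following added example (again not code from the article) shows the remaining helpers in context: wp_nonce_url() protecting a link, check_admin_referer() verifying it, and wp_create_nonce() handing a raw nonce to JavaScript for an AJAX request that check_ajax_referer() then verifies. The demo_ hook names, script handle, file name and capability choices are assumptions.

```php
<?php
// Added example (not from the article): the link and AJAX nonce helpers.
// Hook names, the script handle, demo.js and the demo_ prefix are assumptions.

// 1. wp_nonce_url(): a trash link that carries its nonce as a query argument.
function demo_trash_link( $post_id ) {
    $url = add_query_arg(
        array( 'action' => 'demo_trash', 'post_id' => (int) $post_id ),
        admin_url( 'admin-post.php' )
    );
    // Appends _wpnonce=... bound to the action "demo_trash_{ID}", so a nonce
    // issued for one post cannot be reused against another.
    return wp_nonce_url( $url, 'demo_trash_' . (int) $post_id );
}

// check_admin_referer() verifies the _wpnonce query argument (and the referer)
// and calls wp_die() on failure, so nothing below it runs for a forged request.
function demo_handle_trash() {
    $post_id = isset( $_GET['post_id'] ) ? (int) $_GET['post_id'] : 0;
    check_admin_referer( 'demo_trash_' . $post_id );
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    wp_trash_post( $post_id );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
add_action( 'admin_post_demo_trash', 'demo_handle_trash' );

// 2. wp_create_nonce(): a raw nonce passed to JavaScript for an AJAX call.
function demo_enqueue_script() {
    wp_enqueue_script( 'demo-ajax', plugins_url( 'demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-ajax', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_ajax_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_script' );

// demo.js (assumed) would send:
//   jQuery.post( demoAjax.url, { action: 'demo_ajax', _ajax_nonce: demoAjax.nonce, ... } );
function demo_ajax_handler() {
    // check_ajax_referer() reads _ajax_nonce (or _wpnonce) from the request and
    // terminates with a 403 response when the nonce does not verify.
    check_ajax_referer( 'demo_ajax_action' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_demo_ajax', 'demo_ajax_handler' );
```

Binding the post ID into the action name, as the trash link does, is the usual way to keep a nonce from being valid for more objects than the link it was issued for.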
WordPress Security: A Secure CMS Plus Secure Hosting
Nonces are just one of the ways WordPress keeps sites and users safe. Other WordPress security features include automatic updates, user roles, authentication cookies, salts, and security keys. However, WordPress security ultimately depends on a secure hosting environment. Pressable provides enterprise-grade security with every managed WordPress hosting plan.
All of our plans include proactive security monitoring, a web application firewall, automatic malware scanning and removal, and daily backups at no extra cost. Pressable customers also receive a no-cost subscription to Jetpack Security, which provides real-time backups, downtime monitoring, brute-force attack prevention, spam protection, and a 30-day activity log.
If you’d like to learn more about Pressable security features, schedule a demo today.
Obatarhe is a passionate WordPress enthusiast, dedicated community volunteer, and tech advocate with a proven track record of delivering exceptional customer experiences.
With a background as a Product Expert at Google, he brings extensive technical expertise across various domains including WordPress support, remote technical assistance, and software development. Known for his empathetic approach and problem-solving mindset, Obatarhe consistently earns 5-star ratings by understanding each customer’s unique needs and providing thoughtful, tailored solutions.
In his current role as a Customer Success Engineer, he excels in delivering personalized service that not only resolves issues effectively but also builds lasting customer trust and satisfaction.
Beyond customer support, Obatarhe is skilled in Python, JavaScript/Node.js, PHP, Laravel, HTML, CSS, and Git. He has developed and deployed an election campaign tracking API using Node.js, hosted on Heroku and GitHub, and has contributed to several open-source WordPress plugin projects, showcasing his ability to translate ideas into functional solutions.
When he's not working, Obatarhe enjoys traveling and capturing breathtaking landscape photography—blending his love for technology and nature into a well-rounded lifestyle.