WordPress.org

Function Reference/wp nonce field

Contents 1 Description 2 Usage 3 Parameters 4 Return Values 5 Examples 6 Notes 7 Change Log 8 Source File 9 Related

Description

Retrieve or display nonce hidden field for forms.

The nonce field is used to validate that the contents of the form came from the location on the current site and not somewhere else. The nonce does not offer absolute protection, but should protect against most cases. It is very important to use nonce fields in forms.

If you set $echo to false and set $referer to true, then you will need to retrieve the referer field using wp_referer_field(). If you have the $referer set to true and are echoing the nonce field, it will also echo the referer field.

The $action and $name are optional, but if you want to have better security, it is strongly suggested to set those two parameters. It is easier to just call the function without any parameters, because validation of the nonce doesn't require any parameters, but since crackers know what the default is it won't be difficult for them to find a way around your nonce and cause damage.

The input name will be whatever $name value you gave. The input value will be the nonce creation value.

Usage

<?php wp_nonce_field( $action, $name, $referer, $echo ) ?>

Parameters

$action

(string) (optional) Action name. This is the unique identifier for this nonce. Optional but recommended.

Default: -1

$name

(string) (optional) Nonce name. This is the name of the hidden field form variable (once submitted you can access the nonce via $_POST[$name]).

Default: "_wpnonce"

$referer

(boolean) (optional) default true. Whether to set the referer field for validation.

Default: true

$echo

(boolean) (optional) default true. Whether to display or return hidden form field.

Default: true

Return Values

(string) 

Nonce field.

Examples

While less secure than the examples that follow, this is the simplest implementation which omits all arguments. In your form add the following:

   <?php wp_nonce_field(); ?>

It's better to name your action and nonce in your form. Enter values for the first and second arguments to print the necessary hidden field:

<form method="post">
   <!-- some inputs here ... -->
   <?php wp_nonce_field('name_of_my_action','name_of_nonce_field'); ?>
</form>

Then in the page where it is being submitted to, you may verify it using the wp_verify_nonce() function. Notice that you have to manually retrieve the nonce (from the $_POST array in this example), and the name of the action is the 2nd parameter instead of the first:

<?php
if ( empty($_POST) || !wp_verify_nonce($_POST['name_of_nonce_field'],'name_of_my_action') )
{
   print 'Sorry, your nonce did not verify.';
   exit;
}
else
{
   // process form data
}

If you are submitting and processing the form inside the WP administration area, you may verify the nonce using the check_admin_referer() function:

<?php
// if this fails, check_admin_referer() will automatically print a "failed" page and die.
if ( !empty($_POST) && check_admin_referer('name_of_my_action','name_of_nonce_field') )
{
   // process form data
}

Notes

Change Log

• Since: 2.0.4

Source File

wp_nonce_field() is located in wp-includes/functions.php.

Related

• Wordpress Nonce Implementation
• wp_create_nonce
• check_admin_referer
• wp_verify_nonce

• Home Page
• WordPress Lessons
• Getting Started
• Working with WordPress
• Design and Layout
• Advanced Topics
• Troubleshooting
• Developer Docs
• About WordPress

Codex Resources

• Community portal
• Current events
• Recent changes
• Random page
• Help