WordPress.org

Ready to get started?Download WordPress

Codex

WordPress Nonces

A nonce is a "number used once" to protect URLs and forms from being misused.

For example, an admin screen might generate a URL like this that trashes post number 123. You can see that the URL contains a nonce at the end:

http://example.com/wp-admin/post.php?post=123&action=trash&_wpnonce=b192fc4204

If anyone attempts to modify the URL to trash post number 456, the nonce is not valid and the attempt fails:

http://example.com/wp-admin/post.php?post=456&action=trash&_wpnonce=b192fc4204

The invalid nonce causes WordPress to send a "403 Forbidden" response to the browser, with the error message: "Are you sure you want to do this?"

Contents

Creating a nonce

You can create a nonce and add it to the query string in a URL, you can add it in a hidden field in a form, or you can use it some other way.

For nonces that are to be used in AJAX requests, it is common to add the nonce to a hidden field, from where JavaScript code can fetch it.

Adding a nonce to a URL

To add a nonce to a URL, call wp_nonce_url() specifying the bare URL and a string representing the action. For example:

$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID );

For maximum protection, ensure that the string representing the action is as specific as possible.

By default, wp_nonce_url() adds a field named _wpnonce. You can specify a different name in the function call. For example:

$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID, 'my_nonce' );

Adding a nonce to a form

To add a nonce to a form, call wp_nonce_field() specifying a string representing the action. By default wp_nonce_field() generates two hidden fields, one whose value is the nonce and one whose value is the current URL (the referrer), and it echoes the result. For example, this call:

wp_nonce_field( 'delete-comment_'.$comment_id );

might echo something like:

<input type="hidden" id="_wpnonce" name="_wpnonce" value="796c7766b1" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/edit-comments.php" />

For maximum protection, ensure that the string representing the action is as specific as possible.

You can specify a different name for the nonce field, you can specify that you do not want a referrer field, and you can specify that you want the result to be returned and not echoed. For details of the syntax, see: wp_nonce_field()

Creating a nonce for use in some other way

To create a nonce for use in some other way, call wp_create_nonce() specifying a string representing the action. For example:

$nonce = wp_create_nonce( 'my-action_'.$post->ID );

This simply returns the nonce itself. For example: 295a686963

For maximum protection, ensure that the string representing the action is as specific as possible.

Verifying a nonce

You can verify a nonce that was passed in a URL, a form in an admin screen, an AJAX request, or in some other context.

Verifying a nonce passed from an admin screen

To verify a nonce that was passed in a URL or a form in an admin screen, call check_admin_referer() specifying the string representing the action. For example:

check_admin_referer( 'delete-comment_'.$comment_id );

This call checks the nonce and the referrer, and if the check fails it takes the normal action (terminating script execution with a "403 Forbidden" response and an error message).

If you did not use the default field name (_wpnonce) when you created the nonce, specify the field name. For example:

check_admin_referer( 'delete-comment_'.$comment_id, 'my_nonce' );

Verifying a nonce passed in an AJAX request

To verify a nonce that was passed in an AJAX request, call check_ajax_referer() specifying the string representing the action. For example:

check_ajax_referer( 'process-comment' );

This call checks the nonce (but not the referrer), and if the check fails then by default it terminates script execution.

If you did not use one of the default field names (_wpnonce or _ajax_nonce) when you created the nonce, or if you want to take some other action instead of terminating execution, you can specify additional parameters. For details, see: check_ajax_referer()

Verifying a nonce passed in some other context

To verify a nonce passed in some other context, call wp_verify_nonce() specifying the nonce and the string representing the action. For example:

wp_verify_nonce( $_REQUEST['my_nonce'], 'process-comment'.$comment_id );

If the result is false, do not continue processing the request. Instead take some appropriate action. The usual action is to call wp_nonce_ays(), which sends a "403 Forbidden" response to the browser with the error message: "Are you sure you want to do this?".

Modifying the nonce system

You can modify the nonce system by adding various actions and filters.

Modifying the nonce lifetime

By default, a nonce has a lifetime of one day. After that, the nonce is no longer valid even if it matches the action string. To change the lifetime, add a nonce_life filter specifying the lifetime in seconds. For example, to change the lifetime to four hours:

add_filter( 'nonce_life', function () { return 4 * HOUR_IN_SECONDS; } );

Performing additional verification

To perform additional verification when check_admin_referrer() has found that the nonce and the referrer are valid, add a check_admin_referer action. For example:

function my_additional_check ( $action, $result ) { ... }
add_action( 'check_admin_referrer', 'my_additional_check', 10, 2 );

For check_ajax_referer() add a check_ajax_referer action in the same way.

Changing the error message

You can change the error message sent when a nonce is not valid, by using the translation system. For example:

function my_nonce_message ($translation) {
  if ($translation == 'Are you sure you want to do this?')
    return 'No! No! No!';
  else
    return $translation;
  }

add_filter('gettext', 'my_nonce_message');

Additional information

This section contains additional information about the nonce system in Wordpress that might occasionally be useful.

Nonce lifetime

The lifetime of a nonce is divided into two ticks. When a nonce is valid, the functions that validate nonces return the current tick number, 1 or 2. You could use this information, for example, to refresh nonces that are in their second tick so that they do not expire.

Nonce security

Nonces are generated using a key and salt that are unique to your site if you have installed WordPress correctly. NONCE_KEY and NONCE_SALT are defined in your wp-config.php file, and the file contains comments that provide more information.

Replacing the nonce system

Some of the functions that make up the nonce system are pluggable, so that you can replace them by supplying your own functions.

To change the way admin requests or AJAX requests are verified, you can replace check_admin_referrer() or check_ajax_referrer(), or both.

To replace the nonce system with some other nonce system, you can replace wp_create_nonce(), wp_verify_nonce() and wp_nonce_tick().

Related

Nonce functions: wp_explain_nonce(), wp_nonce_ays(), wp_nonce_field(), wp_nonce_url(), wp_verify_nonce(), wp_create_nonce(), check_admin_referer(), check_ajax_referer(), wp_referer_field()

Nonce hooks: nonce_life, nonce_user_logged_out, explain_nonce_(verb)-(noun), check_admin_referer

Resources