Tests either if the current request carries a valid nonce, or if the current request was referred from an administration screen; depending on whether the $action argument is given (which is prefered), or not, respectively. On failure, the function dies after calling the wp_nonce_ays() function.
Used to avoid CSRF security exploits. Nonces should never be relied on for authentication or authorization, access control. Protect your functions using current_user_can(), always assume Nonces can be compromised.
The now improper name of the function is kept for backward compatibility and has origin in previous WordPress versions where the function only checked the referer. For details, see the Notes section below.
<?php check_admin_referer(); ?>
<?php check_admin_referer( $action, $query_arg ); ?>
To return boolean true, in the case of the obsolete usage, the current request must be referred from an administration screen; in the case of the prefered usage, the nonce must be sent and valid. Otherwise the function dies with an appropriate message ("Are you sure you want to do this?" by default).
Here is an example of how you might use this in a plugin's option page. You add a nonce to a form using the wp_nonce_field() function:
<form method="post"> <!-- some inputs here --> <?php wp_nonce_field( 'name_of_my_action', 'name_of_nonce_field' ); ?> </form>
Then in the page where the form submits to, you can verify whether or not the form was submitted and update values if it was successfully submitted:
<?php check_admin_referer( 'name_of_my_action', 'name_of_nonce_field' ); // process form data, e.g. update fields // you can use it in a IF statement if you want, not mandatory because there is not "false" return, only true or die(). // Display the form
check_admin_referer() is located in