As a content management system, WordPress is an incredibly secure platform.

That said, its level of security is directly proportional to that of the themes, plugins, and custom code you supercharge it with.

No matter how careful you are in choosing everything you add to your site – examining reviews, purchasing only premium plugins, or signing up with a maintenance and security service – your site can still be hacked.

One of the best (and easiest) ways to actively protect your WordPress site from one of the most likely classes of threat is through the use of nonces.

In this article, we’ll cover everything you need to know about WordPress nonces and walk you through a tutorial on how to implement and verify them.

You’re probably wondering…

What are WordPress nonces?

In a nutshell, a nonce is a number used once that helps protect URLs and forms from being misused in any way.

WordPress implements nonces as hash values that are made up of a combination of numbers and letters. To boost their security even further, WordPress gives each nonce a lifetime. Once their lifetime expires, they cannot be used any longer.

WordPress nonces are primarily used to prevent hackers from attacking your website with Cross-Site Request Forgery (CSRF). In these attacks, a logged-in user’s browser is tricked into sending requests to your server that the user never intended, without their knowledge or consent, and the requests are meant to cause harm.

For WordPress websites, these attacks most commonly include:

  • Populating the database with spam
  • Creating user accounts without the administrator’s knowledge
  • Removing user accounts
  • Deleting information from your website
  • Initiating transactions (in the case of an e-commerce site)
  • Filling WordPress forms with false/spam information

Nonces are used in the WordPress core by default and have some characteristics that govern their behavior. We briefly mentioned that WordPress nonces have a lifetime. The default lifetime of a nonce is 24 hours; however, the administrator can modify the lifetime with the nonce_life filter if they’d like:

add_filter( 'nonce_life', function () { return 4 * HOUR_IN_SECONDS; } );

Now that we have a fair idea of what WordPress nonces are and why it’s important to implement them, let’s take a look at how you can add them to enhance your site’s security.

Implementing WordPress nonces – the right way

In this section, we’ll help you get started with implementing WordPress nonces on your website to prevent CSRF attacks.

The entire process is quite simple – we’ll look at how to add nonces to both URLs and forms and then show you how you can verify them. Once you’ve got that down your website will have an additional layer of security protecting it.

How to add a nonce to a URL

If you’ve ever found yourself sending URLs that trigger a back-end process on your WordPress website, then adding a nonce to them is absolutely necessary to prevent unwanted requests, whether accidental or malicious.

We’ll use the wp_nonce_url() function which requires us to pass in two arguments – the bare URL and a string that represents the user action.

Best practices suggest that the user action argument you pass in should be meaningful. For instance, if you were adding a nonce for deleting a post you could name it delete-post. It might look something like this:

$the_complete_url = wp_nonce_url( $bare_url, 'delete-post_'.$post->ID ); 

The code given above creates a URL and stores it in the $the_complete_url variable:

http://www.your-website.com/wp-admin/posts.php?post=7&action=delete-post&_wpnonce=ab823c48ff79

And voilà! You’re done.

How to verify URL nonces

Once you’ve added a nonce to a URL it’s important to verify it by specifying the string that was initially passed as an argument. We’ll use the wp_verify_nonce() function call to do so:

wp_verify_nonce($nonce, $action); 

If we wanted to verify the nonce that was added in the example above, we would read the _wpnonce query parameter from the request and execute the following line of code:

wp_verify_nonce( $_GET['_wpnonce'], 'delete-post_' . $post->ID );

If the nonce is invalid, the function returns FALSE. A valid nonce can return either 1 (the nonce was created less than 12 hours ago) or 2 (the nonce was created sometime between the last 12 to 24 hours).
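The two halves described above, building the nonced URL and verifying it in a request handler, as an added example that is not code from the original article. It assumes a plugin context; the hook name mysite_delete_post, the function names and the query arguments are illustrative. Note that despite the name, a WordPress nonce is not single-use: it stays valid for its whole lifetime and is tied to the current user, session and action string.

```php
<?php
// Added example (not from the article): a delete-post link protected with
// wp_nonce_url(), and the handler that verifies it with wp_verify_nonce().
// Plugin context assumed; 'mysite_delete_post' and the query args are illustrative.

// 1. Building the link (e.g. inside a template or an admin list table).
function mysite_delete_post_link( $post_id ) {
    $bare_url = admin_url( 'admin-post.php?action=mysite_delete_post&post=' . (int) $post_id );
    // The action string includes the post ID, so a nonce minted for post 7 is useless for post 8.
    return wp_nonce_url( $bare_url, 'delete-post_' . $post_id, '_wpnonce' );
}

// 2. Handling the request (admin-post.php routes to this hook for logged-in users).
add_action( 'admin_post_mysite_delete_post', 'mysite_handle_delete_post' );

function mysite_handle_delete_post() {
    $post_id = isset( $_GET['post'] ) ? (int) $_GET['post'] : 0;
    $nonce   = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';

    // The action must be rebuilt exactly as it was when the nonce was created.
    // wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise.
    if ( ! wp_verify_nonce( $nonce, 'delete-post_' . $post_id ) ) {
        wp_die( 'Invalid or expired link.', 'Forbidden', array( 'response' => 403 ) );
    }

    // A nonce only proves the request was intended; it is not an authorization check,
    // so the capability check still has to happen.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to delete this post.', 'Forbidden', array( 'response' => 403 ) );
    }

    wp_trash_post( $post_id );
    wp_safe_redirect( admin_url( 'edit.php?trashed=1' ) );
    exit;
}
```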

How to add a nonce to a form

Adding a nonce to a form on your website creates a hidden field. The purpose of this field is to ensure that the contents of the form came from the currently active website and not somewhere else.

For adding a nonce to a form, we’ll use the wp_nonce_field() function. The arguments you pass to this function are optional (it’ll work just fine even if you don’t pass any!), but it’s recommended that you at least pass the first two, so that the nonce is tied to a specific action and field name rather than the generic defaults:

wp_nonce_field( $useraction, $noncename );
  • useraction is the name of the user action the nonce is for
  • noncename is the user-defined name of the nonce field. By default, it is _wpnonce

For instance, if I wanted to add a nonce to a form for deleting a comment, it might look like this:

wp_nonce_field( 'delete-comment_' . $comment_id, 'my_form_nonce' );

In this example, I’ve added a nonce to the form to delete a comment (therefore I’ve called the user action delete-comment and named the nonce my_form_nonce). By default, wp_nonce_field() echoes its output directly, so it will print something like the following:

<input type="hidden" id="my_form_nonce" name="my_form_nonce" value="685b6655a0" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/edit-comments.php" >

How to verify form nonces

To verify form nonces, we’ll use the check_admin_referer() function call:

check_admin_referer($action, $nonce); 

The code for verifying the form nonce that was added in the example above would be:

check_admin_referer( 'delete-comment_' . $comment_id, 'my_form_nonce' );

If the form nonce is invalid, WordPress stops execution with a 403 Forbidden response and an error message. However, if the nonce is valid, the user will be able to continue uninterrupted.
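The form and its handler described above, as an added example that is not code from the original article. It assumes a plugin context; the hook name mysite_delete_comment and the function names are illustrative, while the action string and the nonce field name my_form_nonce match the article’s example.

```php
<?php
// Added example (not from the article): a delete-comment form protected with
// wp_nonce_field(), and the admin-post handler that checks it with check_admin_referer().
// Plugin context assumed; 'mysite_delete_comment' and the function names are illustrative.

// 1. Rendering the form (e.g. in an admin page callback).
function mysite_delete_comment_form( $comment_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mysite_delete_comment">
        <input type="hidden" name="comment_id" value="<?php echo (int) $comment_id; ?>">
        <?php
        // Emits the hidden nonce field plus the _wp_http_referer field shown in the article.
        wp_nonce_field( 'delete-comment_' . $comment_id, 'my_form_nonce' );
        submit_button( 'Delete comment' );
        ?>
    </form>
    <?php
}

// 2. Handling the submission.
add_action( 'admin_post_mysite_delete_comment', 'mysite_handle_delete_comment' );

function mysite_handle_delete_comment() {
    $comment_id = isset( $_POST['comment_id'] ) ? (int) $_POST['comment_id'] : 0;

    // Action and field name must match the wp_nonce_field() call exactly.
    // On failure this dies with a 403 response and never returns.
    check_admin_referer( 'delete-comment_' . $comment_id, 'my_form_nonce' );

    // The nonce proves the request came from our form; capabilities still decide who may act.
    if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
        wp_die( 'You are not allowed to delete this comment.', 'Forbidden', array( 'response' => 403 ) );
    }

    wp_trash_comment( $comment_id );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url( 'edit-comments.php' ) );
    exit;
}
```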

Important note: In order to take your website’s security further, we recommend using Sucuri for malware scanning. They offer a firewall service that will improve security and site speed. What we particularly love is their malware clean up service – if the worst happens, they’ll clean up malware to get you back up and running fast.

Over to you

WordPress nonces are a great way to significantly minimize the risk of a Cross-Site Request Forgery (CSRF) attack on your website.

By now, hopefully, you have a better understanding of what WordPress nonces are and how you can harness their power to boost your site’s security.

Posted by Rafay Saeed Ansari

Rafay is an entrepreneur, computer scientist, and professional ghost-writer for several high-traffic websites. He is also the Founder of BloggInc. He provides byline and ghost-writing services for digital and brick-and-mortar businesses with a focus on web development, WordPress, and entrepreneurship.