What are WordPress Nonces?

Andy Holland

If you’re not familiar with the word nonces, your WordPress site could be vulnerable to external threats. While there are heaps of ways to protect against hackers and viruses, nonces provide an integral security measure that keeps those harmful attacks at bay. Here’s a handy guide to everything you need to know about nonces.

What does it mean?

Nonce is simply an abbreviation of the term ‘number used once’. It’s not technically a number, but a string made up of both letters and numbers. This unique tag generated by WordPress identifies each person who performs an operation – whether that be updating a post, submitting new media or uploading themes.

What’s the purpose of a nonce?

Due to the unique nature of the nonce, it gives a one in a million identification code for each user of your site. Think of it as a fingerprint or special key which can’t be replicated or imitated. It’s an especially useful tool for combating attacks such as CSRF, or Cross Site Request Forgery, which tricks users into clicking links that trigger damaging actions on a site. Thanks to the use of a nonce, hackers no longer have the ability to hide in the shadows.

How it works

As mentioned, the nonce is generated by WordPress and is valid for 24 hours, at which point a new code is generated. In practice, this means that a user cannot copy an old nonce and transplant it into a later HTTP request.

You may not have noticed, but WordPress uses nonces in plenty of everyday functions. Take, for example, a request to delete a user account. As soon as you click to delete, WordPress automatically generates a nonce and adds it to the URL. This is then valid for 24 hours, allowing only you to carry out the deletion of the chosen user.

The same rule applies if you choose to delete or edit a post. A nonce will be created which is completely unique to you. If another user attempts to make those same changes, WordPress would find an invalid ‘_wpnonce’ parameter and the request would be denied. That user, or possible hacker, would be sent to an error page, stopping the request before it does any harm.

Creating nonces

Developers can choose to create their own nonces in order to safeguard their site. This can be applied to several functions to add that extra layer of security. One such example would be adding a nonce to a URL, which can be done by appending the value returned by ‘wp_create_nonce($action)’ to the end of the URL. This creates a nonce value tied to whichever action you choose to protect. The same approach can also be applied to plugins and forms. Using nonces well takes some further study of the nonce functions, but it could be worth the added time to familiarise yourself with the process. For all developers, a nonce could provide the solution to those ever present security threats.
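The following is an added example, not code from the article or from WordPress core: a small plugin that protects a delete action on both a link and a form with a nonce, then verifies the ‘_wpnonce’ parameter before doing anything. The action string, the ‘nonce_demo’ names and the use of a post as the item being deleted are assumptions made for this example; wp_nonce_url() and wp_nonce_field() are WordPress helpers that call wp_create_nonce($action) for you.

```php
<?php
/*
Plugin Name: Nonce Demo (added example, not part of the article)
*/

// The action string is an assumption for this example; tying it to the post ID
// means a nonce minted for one post does not validate a request for another.
function nonce_demo_action( $post_id ) {
    return 'nonce_demo_delete_' . (int) $post_id;
}

// 1. Link: wp_nonce_url() appends _wpnonce=<wp_create_nonce( $action )> to the URL.
function nonce_demo_delete_link( $post_id ) {
    $url = add_query_arg(
        array( 'action' => 'nonce_demo_delete', 'post' => (int) $post_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, nonce_demo_action( $post_id ) );
}

// 2. Form: wp_nonce_field() emits the hidden _wpnonce input for the same action.
function nonce_demo_delete_form( $post_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="nonce_demo_delete">';
    echo '<input type="hidden" name="post" value="' . (int) $post_id . '">';
    wp_nonce_field( nonce_demo_action( $post_id ) );
    echo '<button type="submit">Delete</button></form>';
}

// 3. Verify: one handler serves the link (GET) and the form (POST). It refuses the
//    request unless _wpnonce matches the action string for this post and this user.
function nonce_demo_handle_delete() {
    $post_id = isset( $_REQUEST['post'] ) ? (int) $_REQUEST['post'] : 0;
    $nonce   = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';

    if ( ! wp_verify_nonce( $nonce, nonce_demo_action( $post_id ) ) ) {
        // Invalid or expired _wpnonce: the request stops here, as the article describes.
        wp_die( esc_html__( 'The link you followed has expired.' ), '', array( 'response' => 403 ) );
    }
    // A nonce shows the request came from this user's own page; it does not say the
    // user may delete the post, so the capability check is still needed.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this post.' ), '', array( 'response' => 403 ) );
    }

    wp_delete_post( $post_id, true );
    wp_safe_redirect( admin_url( 'edit.php?deleted=1' ) );
    exit;
}
add_action( 'admin_post_nonce_demo_delete', 'nonce_demo_handle_delete' );
```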