WordPress security is a hotly debated topic and, as I mentioned in my WordPress Ain’t Perfect article a while back, it mostly comes down to issues with plugins and themes, not WordPress itself. Nonces are one of the best ways to protect users from possible threats. They are used to secure user actions initiated by the plugin, such as the submission of a form, the deletion of a post or anything else that could expose the database. In this Weekend WordPress Project I’ll describe the problem nonces are meant to solve and how you can use them to make your products more secure.

Why We Need Nonces

Let’s say you’re writing a plugin that allows the user to delete a post from the front-end. For the sake of simplicity, the mechanism to delete a post is a link that takes you to http://mysite.com/2015/02/12/my-article/?delete=true. In other words, the link to the article with a query string attached. The code you implement on that page checks if the user is an admin and, if so, the post is deleted and the user is redirected back to the main page.

This seems safe, right? After all, you did check if the user was an admin, right? Sadly, this isn’t enough. There are two things you need to check before each action
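To make the scenario concrete, here is an added example (written for this edit, not code from the original article) showing the front-end delete link in the form the text describes, secured only by a role check, and then the same handler protected with a WordPress nonce plus a per-post capability check. The wwp_ function names, the 'wwp_delete_post_' action string and the template_redirect hook are choices made for this example; wp_nonce_url(), wp_verify_nonce(), current_user_can(), wp_delete_post() and the other calls are standard WordPress functions.

```php
<?php
/**
 * Added example, not from the original article.
 * A front-end "delete this post" link, first in the unprotected form the
 * article describes, then protected with a nonce. The wwp_ prefix and the
 * action string are placeholders chosen for this example.
 */

// --- Before: the link from the article, checked only against the admin role. ---
// Any request for ?delete=true that arrives while an admin's browser holds a
// logged-in session passes this check, whether or not the admin meant to send it.
// Shown for contrast only; it is deliberately not hooked anywhere.
function wwp_unsafe_delete_handler() {
	if ( ! is_singular( 'post' ) || empty( $_GET['delete'] ) ) {
		return;
	}
	if ( current_user_can( 'manage_options' ) ) {
		wp_delete_post( get_the_ID(), true );
		wp_safe_redirect( home_url( '/' ) );
		exit;
	}
}

// --- After: the same action, with a nonce tied to this user and this post. ---

// Build the link. wp_nonce_url() appends a _wpnonce parameter generated for the
// given action string and the current user; print this wherever the theme
// shows the delete link instead of a bare "?delete=true".
function wwp_delete_link( $post_id ) {
	$url = add_query_arg( 'delete', 'true', get_permalink( $post_id ) );
	return wp_nonce_url( $url, 'wwp_delete_post_' . $post_id );
}

function wwp_safe_delete_handler() {
	if ( ! is_singular( 'post' ) || empty( $_GET['delete'] ) ) {
		return;
	}
	$post_id = get_the_ID();

	// Check 1: the nonce. wp_verify_nonce() returns 1 or 2 when the token was
	// issued for this action, this user and a recent time window, false otherwise.
	$nonce = isset( $_GET['_wpnonce'] )
		? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
		: '';
	if ( ! wp_verify_nonce( $nonce, 'wwp_delete_post_' . $post_id ) ) {
		wp_die(
			'The link you followed has expired or is invalid.',
			'Action not allowed',
			array( 'response' => 403 )
		);
	}

	// Check 2: capability. Ask for the specific capability on this post rather
	// than a blanket "is the user an admin" test.
	if ( ! current_user_can( 'delete_post', $post_id ) ) {
		wp_die(
			'You are not allowed to delete this post.',
			'Action not allowed',
			array( 'response' => 403 )
		);
	}

	wp_delete_post( $post_id, true );
	wp_safe_redirect( home_url( '/' ) );
	exit;
}
add_action( 'template_redirect', 'wwp_safe_delete_handler' );
```

The nonce does not replace the capability check; the two answer different questions. The capability check asks whether this user may delete this post at all, and the nonce check asks whether this particular request was produced by a link WordPress generated for this user and this action recently, so a stale or unsigned request is refused before the capability check is even reached.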