Keeping your WordPress theme or plugin code secure is important to prevent possible attacks from malicious users. We’ve previously covered how to sanitize, escape and validate form data in WordPress, as well as improving your WordPress theme quality with the VIP Scanner. Today we’ll look at how nonces (number used once) can also help keep your WordPress themes and plugins secure.

What Are WordPress Nonces?

WordPress nonces are defined as:

“… a ‘number used once’ to help protect URLs and forms from certain types of misuse, malicious or otherwise.”
https://codex.wordpress.org/WordPress_Nonces

Whilst in WordPress a nonce isn’t technically a number (it’s a hash made up of letters and numbers), it does help prevent actions from being run by malicious users.

WordPress nonces work in two parts:

1. Creating a nonce (hash) and submitting it via a form or action, and
2. Verifying the nonce before accepting form data or running an action.

For example, when you go to delete a post in the WordPress Administration Screen, you’ll notice the URL contains a _wpnonce parameter:

http://127.0.0.1/tuts/wp-admin/post.php?post=542&action=trash&_wpnonce=a03ac85772

The routine, which deletes a post, will check that post
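The two-part flow described above (create the nonce when emitting a link or form, verify it before acting) as an added example, not code from the original tutorial. It assumes a hypothetical plugin action named myplugin_archive that marks a post as archived; the WordPress functions it calls (wp_nonce_url, wp_nonce_field, check_admin_referer, current_user_can) are real core APIs.

```php
<?php
// Added example (not from the original tutorial). Hypothetical plugin action
// "myplugin_archive", protected by a nonce the same way core protects
// post.php?action=trash with its _wpnonce parameter.

// Part 1: build the action link. wp_nonce_url() appends _wpnonce=<hash>,
// where the hash is bound to the action string and to the current user.
function myplugin_archive_link( $item_id ) {
    $url = add_query_arg(
        array( 'action' => 'myplugin_archive', 'item' => (int) $item_id ),
        admin_url( 'admin-post.php' )
    );
    // Including the id in the action string means a nonce issued for
    // item 7 does not verify for item 8.
    return wp_nonce_url( $url, 'myplugin_archive_' . (int) $item_id );
}

// Same thing for a form: wp_nonce_field() emits the hidden _wpnonce input.
function myplugin_archive_form( $item_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="myplugin_archive">';
    echo '<input type="hidden" name="item" value="' . (int) $item_id . '">';
    wp_nonce_field( 'myplugin_archive_' . (int) $item_id );
    submit_button( 'Archive item' );
    echo '</form>';
}

// Part 2: admin_post_{action} runs for logged-in requests to
// admin-post.php?action=myplugin_archive (GET link or POST form).
add_action( 'admin_post_myplugin_archive', 'myplugin_handle_archive' );
function myplugin_handle_archive() {
    $item_id = isset( $_REQUEST['item'] ) ? (int) $_REQUEST['item'] : 0;

    // check_admin_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce']
    // and stops the request if the nonce is missing, wrong or expired.
    check_admin_referer( 'myplugin_archive_' . $item_id );

    // A valid nonce only shows the request came through a link or form
    // WordPress generated for this user; it is not an authorization check,
    // so the capability check is still required.
    if ( ! current_user_can( 'edit_post', $item_id ) ) {
        wp_die( 'You are not allowed to archive this item.', 'Forbidden', array( 'response' => 403 ) );
    }

    update_post_meta( $item_id, '_myplugin_archived', 1 ); // the actual work

    wp_safe_redirect( admin_url( 'edit.php?myplugin_archived=' . $item_id ) );
    exit;
}
```

Nonces in WordPress are valid for a limited window (by default up to 24 hours) and are tied to the logged-in user, so a link copied from one session does not verify for another.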