Nonce
Quick Definition
A nonce (number used once) is a unique security token WordPress uses to verify that a form submission, URL action, or AJAX request was intentionally made by the current user — protecting against CSRF (Cross-Site Request Forgery) attacks.

What Is a Nonce?
Security token verifying request authenticity. Prevents CSRF — attackers tricking your browser into performing unauthorized actions on your WordPress site.
How Nonces Work
- WordPress creates hash tied to user + action + time
- Embedded as hidden form field or URL parameter
- Sent with request submission
- WordPress verifies: valid, correct user, not expired
- Valid = action proceeds. Invalid = error.
Key Functions
| Function | Use |
|---|---|
| wp_nonce_field() | Hidden input in forms |
| wp_nonce_url() | Append to action URLs |
| wp_create_nonce() | Generate for AJAX |
| wp_verify_nonce() | Check validity |
| check_admin_referer() | Verify admin form nonces |
| check_ajax_referer() | Verify AJAX nonces |
Not Truly "Once"
WordPress nonces are valid for 24 hours (two 12-hour ticks). Same nonce reusable within that window. "Number used once" in concept, not strict implementation.
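Added example (not code from this page or from WordPress core): a Python model of the tick-based scheme described under How Nonces Work and Not Truly "Once", mirroring the structure of wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce() (core's wp_hash() is an HMAC-MD5 keyed with the nonce salt; the salt, user id, session token, action name and timestamps here are constructed). It shows why the window is 24 hours: verification returns 1 in the current 12-hour tick, 2 in the next, and fails two ticks later or for a different user or action.

```python
import hashlib
import hmac
import math

# Constructed stand-in for wp_salt('nonce') (NONCE_KEY/NONCE_SALT); not a real secret.
NONCE_SALT = b"constructed-demo-salt-not-a-real-wordpress-salt"
NONCE_LIFE = 24 * 60 * 60  # WordPress default lifetime in seconds ('nonce_life' filter)

def nonce_tick(now):
    """Mirror of wp_nonce_tick(): number of the current half-life tick (12-hour slots)."""
    return math.ceil(now / (NONCE_LIFE / 2))

def wp_hash(data):
    """Mirror of wp_hash(): HMAC-MD5 keyed with the nonce salt, hex-encoded."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()

def nonce_for_tick(tick, action, uid, token):
    """10-character nonce for one tick: substr(hash, -12, 10), as WordPress does."""
    return wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]

def create_nonce(action, uid, token, now):
    """Mirror of wp_create_nonce() for user `uid` with session `token` at time `now`."""
    return nonce_for_tick(nonce_tick(now), action, uid, token)

def verify_nonce(nonce, action, uid, token, now):
    """Mirror of wp_verify_nonce(): 1 = current tick, 2 = previous tick, False = invalid."""
    tick = nonce_tick(now)
    if hmac.compare_digest(nonce_for_tick(tick, action, uid, token), nonce):
        return 1
    if hmac.compare_digest(nonce_for_tick(tick - 1, action, uid, token), nonce):
        return 2
    return False

if __name__ == "__main__":
    # Constructed user id, session token, timestamp and action name.
    uid, token, t0 = 42, "constructed-session-token", 1_699_964_000
    action = "delete-post_7"
    n = create_nonce(action, uid, token, t0)
    print(verify_nonce(n, action, uid, token, t0))                    # 1: same tick
    print(verify_nonce(n, action, uid, token, t0 + NONCE_LIFE // 2))  # 2: next tick, still accepted
    print(verify_nonce(n, action, uid, token, t0 + NONCE_LIFE))       # False: two ticks later, expired
    print(verify_nonce(n, action, 43, token, t0))                     # False: different user
    print(verify_nonce(n, "delete-post_8", uid, token, t0))           # False: different action
```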
Why It Matters
Core security mechanism. CSRF vulnerabilities = missing nonce checks. Keep plugins updated to patch these. You do not implement nonces yourself, but understanding them shows why updates matter for security.
Sources: Developer.WordPress.org, WordPress VIP