What are WordPress nonces and what are they for? • WordPress Help

Make no mistake, WordPress is an incredibly secure platform. That said, your actual level of security is directly proportional to the code you add to your site through themes, plugins or your own custom functions.

And no matter how careful you are with everything you add to your website, whether by reading reviews, buying only premium plugins and themes, or hiring security and maintenance services, your site is always susceptible to being hacked. In this we are always one step behind, not only in WordPress but on any platform.

But there is a really good and simple way, in fact one of the best, to protect your WordPress site from these threats: the use of nonces.

So let's see what WordPress nonces are, how to use them and how to verify that they work.

I hope you learn something, and maybe even get a surprise...

What are WordPress nonces?

In a few words, a nonce is a number used only once, which helps protect URLs and forms so that they cannot be used improperly or with bad intentions.

WordPress generates nonces as random-looking values made up of numbers and letters. To further improve security, WordPress assigns each nonce a lifetime. Once the nonce's expiration time has passed, it can no longer be used.

WordPress nonces are mainly used to stop attackers from hitting your website with the vulnerability known as Cross-site request forgery (CSRF). In this type of attack, requests are sent to the server without your knowledge, and they can wreck your site.

[Image: diagram of a cross-site request forgery attack. Image: We Live Security]

The most common attacks of this type to WordPress sites usually include:

  • Bundle the database with spam
  • Create user accounts without the administrator's knowledge
  • Delete user accounts
  • Delete information on your website
  • Create transactions (yes, purchases) if you have an online store
  • Fill out contact and comment forms with false information or spam

Nonces are used by WordPress core by default and have some properties that govern their behavior. For example, I have already mentioned that they have a lifetime, which by default is 24 hours. However, an administrator can change that lifetime at will, like this:
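As an added example (not code from the original article), here is one way to change the nonce lifetime: WordPress core exposes the `nonce_life` filter, which receives the lifetime in seconds. The function name `ejemplo_nonce_life_corta` is a hypothetical name chosen for this example; `HOUR_IN_SECONDS` is a real WordPress core constant.

```php
<?php
// Added example, not the article's own code.
// Shorten the nonce lifetime from the default 24 hours to 4 hours.
// Put this in a plugin or in the active theme's functions.php.
add_filter( 'nonce_life', 'ejemplo_nonce_life_corta' ); // hypothetical function name

/**
 * Filter callback for 'nonce_life'.
 *
 * @param int $seconds Lifetime proposed by WordPress (24 * HOUR_IN_SECONDS by default).
 * @return int New lifetime in seconds.
 */
function ejemplo_nonce_life_corta( $seconds ) {
    // Return a shorter window; ignore the default passed in.
    return 4 * HOUR_IN_SECONDS;
}
```

The filter applies to every nonce on the site, so pick the value with care: a shorter lifetime narrows the window in which a leaked nonce can be replayed, but if the site serves cached pages for longer than the nonce lifetime, visitors will receive forms whose nonces have already expired.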

Well, now that we have a basic idea of what WordPress nonces are and why it is important to use them, let's look at how we can add them to improve the security of our website.

Adding WordPress nonces correctly

Next, let's see how to use WordPress nonces on your website to avoid the CSRF (Cross Site Request Forgery) attacks we discussed earlier.

The process is actually quite simple: we are going to see how to add nonces to both URLs and forms, and then how to verify that they work.

Once this is done we will have added an extra layer of security to our site, leaving it much better protected than before.

How to add a nonce to a URL

If you have ever come across a URL that triggers a background action on your WordPress site, adding a nonce to that URL is essential to prevent any attack, whether accidental or intentional.

We will use the function wp_nonce_url(), which takes two arguments: the URL and a string that represents the user's action.

It is best for the user-action argument to be semantic, that is, to mean something. For example, if we add a nonce to delete a post, we would name it delete-entry. It would look something like this:

The code creates the URL and stores it in the variable $la_url_completa:

Yes ! You did it!

How to verify the nonces of a URL

Once we have added the nonce to the URL, it is important to verify it, passing the same action string as an argument. For this we call the function wp_verify_nonce() like this:

To check that the nonce is valid, for the previous example, we would run the following line of code:

If the nonce is invalid the function returns false. If the nonce is valid it returns either 1 (the nonce was created less than 12 hours ago) or 2 (the nonce was created between 12 and 24 hours ago).
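The two steps above, generating the protected URL and verifying the nonce before acting on the request, as an added example that is not part of the original article. It uses the delete-entry action from the text; the function names, the `borrar_entrada` action parameter and the `admin_post_borrar_entrada` hook name are assumptions chosen for this example (the `admin_post_{action}` hook and `admin-post.php` endpoint themselves are WordPress core).

```php
<?php
// Added example, not the article's own code.

// 1. Build the protected link. wp_nonce_url() appends a _wpnonce parameter
//    bound to the 'delete-entry' action and to the current user.
function ejemplo_enlace_borrar_entrada( $post_id ) {
    $url_base = add_query_arg(
        array(
            'action'  => 'borrar_entrada', // routes to admin_post_borrar_entrada
            'post_id' => (int) $post_id,
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url_base, 'delete-entry' );
}

// 2. Verify the nonce when the link is followed, before doing anything.
add_action( 'admin_post_borrar_entrada', 'ejemplo_procesar_borrado' );

function ejemplo_procesar_borrado() {
    $nonce  = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    $valido = wp_verify_nonce( $nonce, 'delete-entry' );

    // false: missing, tampered, expired, or generated for another user/action.
    if ( false === $valido ) {
        wp_die( 'Invalid or expired nonce.', '', array( 'response' => 403 ) );
    }
    // 1 = first half of the lifetime, 2 = second half; both are still valid.
    if ( 2 === $valido ) {
        error_log( 'delete-entry nonce is in the second half of its lifetime' );
    }

    // A nonce proves the request came from a form/link WordPress produced;
    // it does not prove the user is allowed to do this, so check capability too.
    $post_id = isset( $_GET['post_id'] ) ? (int) $_GET['post_id'] : 0;
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to delete this post.', '', array( 'response' => 403 ) );
    }

    wp_trash_post( $post_id );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
```

The capability check is the part people most often leave out: a valid nonce only tells you the request originated from your own site during the nonce's lifetime, so authorization still has to be checked separately.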

How to add a nonce to a form

Adding a nonce to a form on your site creates a hidden field. The purpose of this field is to ensure that the submitted form contents come from your own site and not from anywhere else. Do you see how useful that is?

To add a nonce to a form we will use the function wp_nonce_field(). Its arguments are optional (it works perfectly without any), but it is recommended to use at least the first one, so that an attacker cannot slip through by relying on the default values:

  • user_accion is the name of the user action for which the nonce was created
  • name_of_nonce is the name you define for the nonce field. By default it is _wpnonce

For example, if I wanted to add a nonce to a form to delete a comment, it would be something like this:

In this example I have added a nonce to the form for deleting a comment (which is why I have named the user action delete-comment and the nonce nonce_de_mi_formulario). Since it is a call to a PHP function, it will output something like the following:

How to verify the nonces of a form

To verify form nonces we will use the function check_admin_referer():
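The form side and its verification together, as an added example that is not the article's own code. It uses the delete-comment action and the nonce_de_mi_formulario field name from the text; the rendering and handler function names, the `borrar_comentario` action value and the `admin_post_borrar_comentario` hook are assumptions for this example. Note that check_admin_referer() takes the same two values you passed to wp_nonce_field().

```php
<?php
// Added example, not the article's own code.

// Render the form. wp_nonce_field() prints the hidden nonce input
// (named nonce_de_mi_formulario here) plus a _wp_http_referer field.
function ejemplo_formulario_borrar_comentario( $comment_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="borrar_comentario">
        <input type="hidden" name="comment_id" value="<?php echo (int) $comment_id; ?>">
        <?php wp_nonce_field( 'delete-comment', 'nonce_de_mi_formulario' ); ?>
        <button type="submit">Delete comment</button>
    </form>
    <?php
}

// Handle the submission.
add_action( 'admin_post_borrar_comentario', 'ejemplo_procesar_borrar_comentario' );

function ejemplo_procesar_borrar_comentario() {
    // Same action and field name as in wp_nonce_field(). If the nonce is
    // missing, expired or forged, check_admin_referer() stops execution
    // with a 403 error page, so nothing below runs.
    check_admin_referer( 'delete-comment', 'nonce_de_mi_formulario' );

    // The nonce shows the request came from our form; authorization is separate.
    $comment_id = isset( $_POST['comment_id'] ) ? (int) $_POST['comment_id'] : 0;
    if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
        wp_die( 'You are not allowed to delete this comment.', '', array( 'response' => 403 ) );
    }

    wp_delete_comment( $comment_id, true );
    wp_safe_redirect( admin_url( 'edit-comments.php' ) );
    exit;
}
```

If you omit the second argument, check_admin_referer() looks for the default _wpnonce field, which is why the article recommends naming your own field: the verification must use exactly the name the form used.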