WordPress Nonce – All You Need To Know About It

Ever clicked a link on a site and gotten a confusing error message instead of the page you expected? Maybe you were trying to submit a form or delete a post, but suddenly you saw: “Are you sure you want to do this?”
You sit there, puzzled, wondering if you’ve done something wrong. Why did it suddenly stop working?
Or perhaps you run a WordPress site yourself. You wonder how to keep your site’s data safe from hack attempts. How can you make sure no one deletes your posts or pages without your permission?
This is where a WordPress nonce comes in. It protects your website by checking requests to make sure they’re safe and real.
In this article, we’ll break down everything you need to know about WordPress nonces—what they are, how they work, the common issues people face, and how to use them safely. Let’s dive in!
TL;DR: WordPress nonces are special tokens used to confirm requests and protect your website from fake actions. But nonces can expire quickly or cause problems, making them tricky to manage. To fully protect your site, go beyond nonces and use trusted WordPress security plugins that guard against malware, hackers, and other threats.
What is a WordPress nonce?
A WordPress nonce is a unique token used to confirm the origin and purpose of a request. It’s like a short-term security pass that lets WordPress know the action you’re trying is safe. Nonces help protect your site from harmful actions like Cross-Site Request Forgery (CSRF).
The word “nonce” comes from the phrase “number used once”. But WordPress nonces aren’t exactly numbers. Instead, they look like a random mix of letters and numbers, called a hash.
Another interesting thing is that in WordPress, nonces aren’t always used just once. Unlike true one-time tokens, a WordPress nonce can actually be used more than once as long as it hasn’t expired. Nonces only last for a limited time—generally between 12 and 24 hours after being created.
Also, WordPress creates new nonces with each login session. Once you log out or log back in, your previous nonce tokens are no longer valid. This means each login gives your site fresh tokens to protect your actions. This keeps your site safe from attackers.
How does a WordPress nonce protect a site?
Have you noticed that some WordPress actions have special links in the URL? These links help perform tasks, like deleting a post. But this helpful feature can also lead to some security issues.
Hackers sometimes use these special links to perform harmful actions. CSRF is one such common WordPress attack.
In simple terms, a hacker tricks you into visiting a fake website. This bad site secretly sends a request to your WordPress site from your browser.
If you’re already logged into WordPress, your site sees this request and thinks it’s coming from you. Because your browser has your login cookie, WordPress trusts the request and carries it out. Sadly, this could mean deleting important posts or updating site options without your knowledge.
Nonces protect your website from attacks like this. They add an extra step to the process, making sure the request is really yours.
For example, imagine you want to delete a post. Normally, WordPress builds a URL that looks like this:
http://yourwebsite.com/wp-admin/post.php?post=123&action=trash
WordPress trusts this action because you’re signed in. But without extra protection, hackers can copy this link and trick your browser into running it.
To prevent this, when WordPress uses nonces, the URL looks different:
http://yourwebsite.com/wp-admin/post.php?post=123&action=trash&_wpnonce=b192fc4204
Now, WordPress checks the special nonce before allowing the action. If a hacker tries to use the same URL without the correct nonce, WordPress blocks the request. The hacker sees an error message saying “Are you sure you want to do this?” and the harmful action is stopped.
This way, nonces add a simple yet important layer of protection that keeps your website safer.
How to use a WordPress nonce?
Adding nonces to your WordPress site may sound complicated. But don’t worry! It takes only a few simple steps. You need to access your site through FTP and edit the functions.php file there.
First, you need to create a nonce. WordPress gives you the wp_create_nonce() function to do this easily. You include a specific action name so WordPress knows exactly what the nonce is for.
Here’s how you do it:
$nonce = wp_create_nonce('my_action');
Next, you add this nonce to your URLs or links. Using the wp_nonce_url() function, you protect any link you want users to safely click.
Your secure URL will look like this:
$url_with_nonce = wp_nonce_url('http://example.com/mypage', 'my_action');
When working with forms, you add nonces using wp_nonce_field(). It automatically creates a hidden nonce inside your HTML form.
Like this:
<form method="post" action="options.php">
    <?php wp_nonce_field('my_action'); ?>
    <!-- Other form inputs -->
</form>
Now comes the important part: verifying the nonce. Before WordPress runs your action, it needs to check if the nonce is valid and safe. You use wp_verify_nonce() to do this:
// wp_verify_nonce() returns 1 or 2 while the nonce is still valid, and false otherwise
if (isset($_POST['_wpnonce']) && wp_verify_nonce($_POST['_wpnonce'], 'my_action')) {
    // Valid nonce, proceed with the action
} else {
    // Invalid or expired nonce, do not proceed
}
Sometimes, nonces expire before the user finishes the task. Decide ahead of time how you’ll handle this. You can show an easy-to-understand error message. Or you can simply generate a new nonce and ask the user to try again.
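The steps above, put together as a complete protected link and its handler. This is an added example, not code from the article or from WordPress core; the action name mc_trash_post and the function names are hypothetical choices for this example, and it also shows the capability check that a nonce on its own does not replace.

```php
<?php
// Added example, not code from the article or from WordPress core: a complete
// "trash this post" link and its handler. The action name "mc_trash_post" and
// the function names are hypothetical choices for this example.

// 1. Build the protected link. wp_nonce_url() appends &_wpnonce=... that is
//    bound to this action name, this post ID, the current user and session.
function mc_trash_link( $post_id ) {
    $post_id = absint( $post_id );
    $url     = add_query_arg(
        array( 'action' => 'mc_trash_post', 'post' => $post_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'mc_trash_post_' . $post_id );
}

// 2. Handle the click. admin_post_{action} runs only for logged-in users.
function mc_handle_trash_post() {
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
    $nonce   = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';

    // wp_verify_nonce() returns 1 (created 0-12 h ago), 2 (12-24 h ago) or
    // false (expired, different action or post, or another login session).
    $valid = wp_verify_nonce( $nonce, 'mc_trash_post_' . $post_id );
    if ( false === $valid ) {
        // Stop with a readable message instead of the generic
        // "Are you sure you want to do this?" screen.
        wp_die(
            'This link has expired. Please go back, reload the page and try again.',
            'Request check failed',
            array( 'response' => 403 )
        );
    }

    // A valid nonce shows the request came from this user's own page; it does
    // not show the user may trash the post. That needs a capability check.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to trash this post.', '', array( 'response' => 403 ) );
    }

    wp_trash_post( $post_id );
    wp_safe_redirect( admin_url( 'edit.php?trashed=1' ) );
    exit;
}
add_action( 'admin_post_mc_trash_post', 'mc_handle_trash_post' );
```

Print mc_trash_link( $post->ID ) as the href of the trash button in your template; the handler runs when WordPress routes the click to admin-post.php.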
What are the different types of WordPress nonces?
WordPress nonces aren’t split into different types in the usual sense. Instead, think of them as flexible tools you can use in different ways. The type of nonce depends on what you’re trying to do and how you’re using it.
Still, to keep things simple, we can group nonces as follows, based on how you often use them:
What are some common issues with WordPress nonces?
Nonces are important for WordPress website safety, but they aren’t perfect. Sometimes, you might run into issues when you’re using them. Let’s look at a few common ones.
First, there’s the expiration issue. Nonces usually expire within 24 hours. This can be a problem if a user starts filling out a form but waits too long before submitting it. Their nonce might expire, and the action would fail without a clear reason.
That leads us to user confusion. Users often don’t understand why a request fails. When a nonce expires or becomes invalid, WordPress won’t clearly explain what’s wrong. Users end up feeling confused and frustrated.
Another problem is caching conflicts. Websites often use caching to load faster. But cached pages might have old or outdated nonces. When a user tries submitting a form or clicking a link on a cached page, the action can fail, causing confusion once again.
Nonces are also called “numbers used once,” but that’s not exactly true. In WordPress, you can reuse them within their valid time frame. This can be confusing, as it goes against what many people expect from something called a nonce.
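Why a nonce lasts "between 12 and 24 hours", can be reused, and dies with the login session (as described in the section on what a nonce is and again in the two paragraphs above) follows from how WordPress derives it. The stand-alone model below is an added example, not WordPress's own code; it follows the algorithm of core's wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce(), and the salt, user ID, session token and timestamps are constructed values.

```php
<?php
// Added example, not WordPress's own code: a stand-alone model of how core
// derives and checks a nonce, following the algorithm of wp_nonce_tick(),
// wp_create_nonce() and wp_verify_nonce(). The salt, user ID, session token
// and timestamps below are constructed values; run with plain `php`.

const NONCE_LIFE = 86400; // DAY_IN_SECONDS, the default 'nonce_life'

// Time is cut into "ticks" of half the nonce life (12 hours).
function model_tick( int $now ): int {
    return (int) ceil( $now / ( NONCE_LIFE / 2 ) );
}

// The token is 10 hex characters from an HMAC over tick|action|user|session.
function model_hash( int $tick, string $action, int $uid, string $session, string $salt ): string {
    $data = $tick . '|' . $action . '|' . $uid . '|' . $session;
    return substr( hash_hmac( 'md5', $data, $salt ), -12, 10 );
}

function model_create( int $now, string $action, int $uid, string $session, string $salt ): string {
    return model_hash( model_tick( $now ), $action, $uid, $session, $salt );
}

// 1 = made in the current tick, 2 = made in the previous tick, false = rejected.
// Nothing is stored, so the same token stays valid for every request in that window.
function model_verify( string $nonce, int $now, string $action, int $uid, string $session, string $salt ) {
    $i = model_tick( $now );
    if ( hash_equals( model_hash( $i, $action, $uid, $session, $salt ), $nonce ) ) {
        return 1;
    }
    if ( hash_equals( model_hash( $i - 1, $action, $uid, $session, $salt ), $nonce ) ) {
        return 2;
    }
    return false;
}

$salt = 'constructed-nonce-salt';
$uid  = 7;
$t0   = 1700000000; // constructed: 6400 s before the tick boundary at 1700006400
$n    = model_create( $t0, 'my_action', $uid, 'session-A', $salt );

var_dump( model_verify( $n, $t0 + 1,     'my_action', $uid, 'session-A', $salt ) ); // one second later: same tick, token reused
var_dump( model_verify( $n, $t0 + 7000,  'my_action', $uid, 'session-A', $salt ) ); // past the boundary: checked against the previous tick
var_dump( model_verify( $n, $t0 + 49600, 'my_action', $uid, 'session-A', $salt ) ); // last second of the previous-tick window (about 13.8 h)
var_dump( model_verify( $n, $t0 + 49601, 'my_action', $uid, 'session-A', $salt ) ); // one second more: outside both ticks
var_dump( model_verify( $n, $t0 + 1,     'my_action', $uid, 'session-B', $salt ) ); // new login session: different session token
var_dump( model_verify( $n, $t0 + 1,     'other',     $uid, 'session-A', $salt ) ); // different action name
```

Because the lifetime depends on where in its 12-hour tick the nonce was created, a form rendered just before a tick boundary expires much sooner than one rendered just after it.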
Incorrect implementation is another issue. If developers don’t properly create or verify nonces, the security they provide weakens. This mistake can open security holes rather than closing them.
Exposed tokens are yet another risk. Developers sometimes leak nonce values by accident in scripts or URLs. Without proper nonce verification, these exposed tokens could give attackers a way into your site.
Finally, development overhead can also be an issue. Setting up and handling nonces correctly takes time and knowledge. Beginners to WordPress security may find it hard to understand exactly how to do this. It can feel complicated or overwhelming, so some people avoid using nonces entirely.
Better alternative: MalCare
Nonces are a good way to protect your WordPress site from certain attacks, like CSRF. But as we’ve seen, nonces aren’t perfect. They expire after just 12 to 24 hours, can be used more than once, and WordPress doesn’t track if a nonce has already been used. These issues could open your site to other potential attacks.
This is why it’s important to have extra protection. A strong security plugin made just for WordPress can protect your entire website beyond just nonces. This is why we recommend MalCare as an excellent option. It’s easy to use, and it doesn’t slow down your website.
MalCare includes a smart firewall that automatically blocks bad traffic before it hurts your website. Its powerful malware scanner finds malicious files hidden deep within your site. If anything suspicious is found, MalCare lets you remove it quickly with just one click.
It even checks your site for hidden weaknesses through its vulnerability scanner. This helps you find security issues and fix them before anyone can exploit them. Plus, MalCare includes safe off-site backups, bot protection, and an activity log to keep track of what’s happening on your site.
Together, MalCare provides complete protection, peace of mind, and keeps your website data safe from harm.
FAQs
What is a nonce in WordPress?
A WordPress nonce is a special token that helps keep your website safe. It checks requests to make sure they come from real users. This stops hackers from tricking your site into doing things you don’t want. Nonces protect your website by adding a quick security check to certain actions. It’s one simple way WordPress keeps your data secure.
How long is a nonce in WordPress?
A WordPress nonce usually lasts between 12 to 24 hours. After this short time, it expires and can’t be used anymore. Also, a nonce becomes invalid when you log in or log out of your site. This short life helps keep your website safe from hackers.
How to get WP nonce?
You can get a WordPress nonce by using the wp_create_nonce() function. Simply include a name for the action you’re protecting. For example: wp_create_nonce('my_action'). WordPress will then give you a special code you can use to secure links or forms. This helps your site confirm that requests are safe and real.
What is an example of a nonce?
An example of a nonce in WordPress looks like a short code with letters and numbers. It may look something like b192fc4204. WordPress creates this special code and puts it into URLs or forms. This code helps your website confirm that each action or request is safe. Nonces add security by making sure requests come from real users and not hackers.