{"id":64954,"date":"2022-09-28T14:05:30","date_gmt":"2022-09-28T14:05:30","guid":{"rendered":"\/tutorials\/?p=64954"},"modified":"2026-03-09T19:18:25","modified_gmt":"2026-03-09T19:18:25","slug":"wordpress-nonce","status":"publish","type":"post","link":"\/ng\/tutorials\/wordpress-nonce\/","title":{"rendered":"WordPress nonce: what it is, how it works and how to create it"},"content":{"rendered":"<?xml encoding=\"utf-8\" ?><p>In cryptography, a nonce refers to a &ldquo;number used once&rdquo; and generated to protect forms and URLs from malicious hacking attacks. It generally consists of random letters and numbers and has a default lifetime of one day, serving as an authentication tool for certain actions and inputs.<\/p><p>WordPress is among many platforms that adopt this security feature, albeit modifying it a bit. Whether you&rsquo;re a site owner looking to improve your platform&rsquo;s security or a WordPress developer wanting to protect your plugins from malicious users, this article will help you to understand a nonce better.<\/p><p>Keep reading as we explore WordPress nonce&rsquo;s advantages and how to create and verify nonces on WordPress sites.<\/p><p class=\"has-text-align-center\"><a href=\"https:\/\/assets.hostinger.com\/content\/tutorials\/pdf\/Mega-WordPress-Cheat-EN.pdf\">Download all-in-one WordPress cheat sheet<\/a><\/p><p>\n\n\n\n<div class=\"protip\"><div class=\"protip__heading\">\n                <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n                    <path d=\"M1.49234 23.5024C1.23229 23.5024 0.972242 23.4024 0.782206 23.2123C0.562165 22.9923 0.452144 22.6822 0.502153 22.3722C0.562165 21.9221 1.14227 17.9113 3.00262 16.351C3.63274 15.8209 4.43289 15.5509 5.26305 15.5609C6.09321 15.5909 6.87335 15.9109 7.47347 16.4911C8.6937 17.6913 8.76371 19.6717 7.6435 20.9919C6.0832 22.8523 2.08245 23.4324 1.63237 23.4924C1.59236 23.4924 1.54235 23.4924 1.50234 23.4924L1.49234 23.5024ZM5.16303 17.5613C4.84297 17.5613 4.53291 17.6713 4.29287 17.8813C3.60274 18.4614 3.07264 19.9317 2.75258 21.242C4.06282 20.9219 5.5331 20.3918 6.11321 19.7017C6.55329 19.1716 6.54329 18.3814 6.0832 17.9213C5.85316 17.7013 5.5431 17.5713 5.20304 17.5613C5.19304 17.5613 5.17303 17.5613 5.16303 17.5613ZM11.7243 21.8821C11.4942 21.8821 11.2642 21.8021 11.0841 21.652C10.8541 21.462 10.7241 21.1819 10.7241 20.8819V15.9109L8.08358 13.2705H3.11264C2.81259 13.2705 2.53254 13.1404 2.3425 12.9104C2.15246 12.6803 2.07245 12.3803 2.12246 12.0902C2.19247 11.7102 2.84259 8.36953 4.70294 7.12929C6.33325 6.04909 8.96375 6.49918 10.244 6.80923C11.5442 4.96889 13.2546 3.4286 15.2349 2.33839C17.4553 1.11816 19.9858 0.518051 22.4963 0.498047C23.0464 0.498047 23.4865 0.948132 23.4865 1.49824C23.4865 5.0389 22.3763 9.97983 17.1753 13.7605C17.4853 15.0408 17.9354 17.6613 16.8552 19.2816C15.615 21.1419 12.2744 21.7921 11.8943 21.8621C11.8343 21.8721 11.7743 21.8821 11.7143 21.8821H11.7243ZM12.7245 16.181V19.6016C13.7146 19.2916 14.7948 18.7915 15.2049 18.1814C15.675 17.4812 15.605 16.091 15.385 14.9008C14.5248 15.3808 13.6346 15.8109 12.7245 16.181ZM9.66388 12.0302L11.9643 14.3307C13.1845 13.8306 14.3648 13.2204 15.485 12.5103C19.9358 9.51974 21.2361 5.60901 21.4561 2.53843C19.6157 2.67846 17.8254 3.20856 16.2051 4.09872C14.2847 5.14892 12.6544 6.68921 11.4942 8.54956C10.7841 9.65977 10.174 10.82 9.66388 12.0302ZM4.39289 11.2701H7.81353C8.1936 10.3599 8.63368 9.46974 9.11377 8.60957C7.92355 8.38953 6.51329 8.31952 5.81315 8.78961C5.19304 9.19968 4.70294 10.3099 4.39289 11.2701Z\" fill=\"#673DE6\"\/>\n                <\/svg>\n                <p class=\"protip__title\">\n                   What Is a Nonce in WordPress?\n                <\/p>\n            <\/div>\n            <p class=\"protip__content\">A WordPress nonce is a &ldquo;number used once&rdquo; security token to protect URLs and forms from malicious attacks. It helps WordPress to determine whether a request is valid, preventing unauthorized actions and inputs. <\/p><\/div>\n\n\n\n<\/p><h2 class=\"wp-block-heading\" id=\"h-why-use-wordpress-nonces\">Why Use WordPress Nonces<\/h2><p>WordPress nonces protect the platform against various malicious attacks, particularly cross-site request forgery (CSRF). This cyber attack exploits WordPress security vulnerabilities to trick users into submitting unwanted requests, from changing users&rsquo; login details to deleting user accounts.<\/p><p>Here&rsquo;s an example of a URL generated by WordPress when a user wants to delete posts.<\/p><pre class=\"wp-block-preformatted\">http:\/\/yourwebsite.com\/wp-admin\/post.php?post=123&amp;action=trash<\/pre><p>If you execute this URL, WordPress will check its authentication cookie to verify the deletion request for the &ldquo;123&rdquo; post.<\/p><p>The problem is that a CSRF attack can easily disguise this request link as something else. When a user clicks on it, the browser will attach the authentication cookie and make it look like a valid request. As a result, the WordPress site will execute the rogue HTTP request, jeopardizing the site&rsquo;s content.<\/p><p>Nonces prevent CSRF attacks by adding an extra layer of protection to the URL. Here&rsquo;s an example of a URL generated by a WordPress website with a nonce verification.<\/p><pre class=\"wp-block-preformatted\">http:\/\/yourwebsite.com\/wp-admin\/post.php?post=123&amp;action=trash&amp;_wpnonce=b192fc4204<\/pre><p>If you try to go to that URL without having the correct nonce generated by WordPress, you will see a <a href=\"\/ng\/tutorials\/what-is-403-forbidden-error-and-how-to-fix-it\/\">403 Forbidden<\/a> accompanied with the &ldquo;Are you sure you want to do this?&rdquo; error message.<\/p><p>Keep in mind that WordPress nonces, unlike true nonces, can be used more than once as long as they&rsquo;re still valid. WordPress nonces are also specifically generated for every session, meaning their value will no longer be valid once a user logs in or out of the page.<\/p><figure class=\"wp-block-image size-large\"><a class=\"hgr-tutorials-cta hgr-tutorials-cta-wordpress-hosting\" href=\"\/ng\/wordpress-hosting\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"2048\" height=\"600\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/06\/New-WP_in-text-banner.png\/w=1024,h=1024,fit=scale-down\" alt=\"\" class=\"wp-image-111781\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/06\/New-WP_in-text-banner.png\/w=2048,fit=scale-down 2048w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/06\/New-WP_in-text-banner.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/06\/New-WP_in-text-banner.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/06\/New-WP_in-text-banner.png\/w=150,fit=scale-down 150w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/06\/New-WP_in-text-banner.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/06\/New-WP_in-text-banner.png\/w=1536,fit=scale-down 1536w\" sizes=\"auto, (max-width: 2048px) 100vw, 2048px\" \/><\/a><\/figure><h2 class=\"wp-block-heading\" id=\"h-how-to-create-a-nonce-in-wordpress\">How to Create a Nonce in WordPress<\/h2><p>Creating nonces in WordPress requires adding the code to the <strong>functions.php<\/strong> file. You can edit the file using your hosting provider&rsquo;s File Manager. Alternatively, use an <a href=\"\/ng\/tutorials\/ftp\/filezilla-ftp-configuration\/\">FTP client<\/a> like FileZilla to make the modifications.<\/p><p>To create a nonce for an URL, call the <strong>wp_nonce_url()<\/strong> function. Specify the bare URL and the string representing a nonce action inside the brackets. Here&rsquo;s an example of a nonce for deleting a user account.<\/p><pre class=\"wp-block-preformatted\">$nonce = wp_nonce_url( $bare_url, &rsquo;delete-user_&rsquo;.$user-&gt;ID );<\/pre><p>You can add a nonce to a form by calling the <strong>wp_nonce_field()<\/strong> function while specifying the string for its user action. The function creates two hidden fields by default &#8210; the first hidden field contains the nonce value while the second holds the current URL. Here&rsquo;s an example of a nonce for deleting a comment.<\/p><pre class=\"wp-block-preformatted\">$nonce= wp_nonce_field( 'delete-comment_'.$comment_id );<\/pre><p>To add nonces in other contexts, use the <strong>wp_create_nonce()<\/strong> function. Like with the previous functions, don&rsquo;t forget to specify the string representing a particular action.<\/p><pre class=\"wp-block-preformatted\">$nonce = wp_create_nonce( 'my-action_'.$post-&gt;ID );<\/pre><p>The default lifespan of a nonce is 24 hours. Use the <strong>nonce_life<\/strong> filter to modify the nonce lifetime in seconds.<\/p><pre class=\"wp-block-preformatted\">$nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS );<\/pre><h2 class=\"wp-block-heading\" id=\"h-how-to-verify-a-nonce-in-wordpress\">How to Verify a Nonce in WordPress<\/h2><p>You can call for WordPress checks on nonces embedded in URLs, forms, AJAX requests, or other contexts. WordPress will terminate the script execution and send back the 403 Forbidden response if the check fails.<\/p><p>Use the <strong>check_admin_referer()<\/strong> function for verifying nonces passed from a form in an admin screen. Specify the nonce field name for maximum protection, particularly if you don&rsquo;t use the default <strong>_wpnonce<\/strong> field name.<\/p><p>Here&rsquo;s a quick example of a nonce verifying a request to delete a comment.<\/p><pre class=\"wp-block-preformatted\">check_admin_referer( 'delete-comment_'.$comment_id );<\/pre><p>To verify a nonce passed in an AJAX request, call the <strong>check_ajax_referer() <\/strong>function and specify the string representing the action.<\/p><pre class=\"wp-block-preformatted\">check_ajax_referer( 'process-comment' );<\/pre><p>To call for nonce checks in another context, use the <strong>wp_verify_nonce() <\/strong>function and specify the string for a user action.<\/p><pre class=\"wp-block-preformatted\">wp_verify_nonce( $_REQUEST['my_nonce'], 'process-comment'.$comment_id );<\/pre><p><div class=\"announcement-block announcement-block--important\">\n            <span class=\"announcement-block__heading\">\n                <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n                    <path fill-rule=\"evenodd\" clip-rule=\"evenodd\"\n                          d=\"M12 22.5C17.799 22.5 22.5 17.799 22.5 12C22.5 6.20101 17.799 1.5 12 1.5C6.20101 1.5 1.5 6.20101 1.5 12C1.5 17.799 6.20101 22.5 12 22.5ZM13.637 7.65198C13.637 6.74791 12.9041 6.01501 12 6.01501C11.0959 6.01501 10.363 6.74791 10.363 7.65198C10.5335 9.53749 10.875 13.383 10.875 13.383C10.875 14.0043 11.3787 14.508 12 14.508C12.6213 14.508 13.125 14.0043 13.125 13.383V13.38L13.637 7.65198ZM11.9927 15.714C11.3714 15.714 10.8677 16.2177 10.8677 16.839C10.8677 17.4603 11.3714 17.964 11.9927 17.964H12.0073C12.6286 17.964 13.1323 17.4603 13.1323 16.839C13.1323 16.2177 12.6286 15.714 12.0073 15.714H11.9927Z\"\n                          fill=\"#FEA419\"\/>\n                <\/svg>\n                Important\n            <\/span>\n            <p class=\"announcement-block__content\">\n                <strong>Important!<\/strong> Never share a nonce with other users for security reasons. Remember that WordPress nonces can be used multiple times for authentication and authorization as long as they&rsquo;re still valid.\n            <\/p><\/div>\n\n\n\n<\/p><h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2><p>WordPress nonces protect sites from malicious users seeking to execute unauthorized user actions. In short, nonces work by embedding a query string to URLs and forms in admin screens, ensuring that the requests are valid and come from a legitimate user.<\/p><p>Nonces may help protect WordPress sites from CSRF attacks. However, other types of attacks require different security measures. We recommend implementing the <a href=\"\/ng\/tutorials\/how-to-secure-wordpress\/\">best WordPress security practices<\/a> into your site for maximum protection.<\/p><p>We hope this article answers your questions about WordPress nonces. Good luck!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In cryptography, a nonce refers to a &ldquo;number used once&rdquo; and generated to protect forms and URLs from malicious hacking attacks. It generally consists of random letters and numbers and has a default lifetime of one day, serving as an authentication tool for certain actions and inputs. WordPress is among many platforms that adopt this [&#8230;]<\/p>\n<p><a class=\"btn btn-secondary understrap-read-more-link\" href=\"\/ng\/tutorials\/wordpress-nonce\/\">Read More&#8230;<\/a><\/p>\n","protected":false},"author":115,"featured_media":144331,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Understanding WordPress Nonce and How to Create It","rank_math_description":"WordPress nonce is a security system that protects WordPress functions and features. Learn what nonces are and how to make them in this article.","rank_math_focus_keyword":"wordpress nonce","footnotes":""},"categories":[22637],"tags":[],"class_list":["post-64954","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wordpress"],"hreflangs":[{"locale":"en-US","link":"https:\/\/www.hostinger.com\/tutorials\/wordpress-nonce\/","default":1},{"locale":"en-PH","link":"https:\/\/www.hostinger.com\/ph\/tutorials\/wordpress-nonce\/","default":0},{"locale":"en-MY","link":"https:\/\/www.hostinger.com\/my\/tutorials\/wordpress-nonce\/","default":0},{"locale":"en-GB","link":"https:\/\/www.hostinger.com\/uk\/tutorials\/wordpress-nonce\/","default":0},{"locale":"en-IN","link":"https:\/\/www.hostinger.com\/in\/tutorials\/wordpress-nonce\/","default":0},{"locale":"en-CA","link":"https:\/\/www.hostinger.com\/ca\/tutorials\/wordpress-nonce\/","default":0},{"locale":"en-AU","link":"https:\/\/www.hostinger.com\/au\/tutorials\/wordpress-nonce\/","default":0},{"locale":"en-NG","link":"https:\/\/www.hostinger.com\/ng\/tutorials\/wordpress-nonce\/","default":0}],"_links":{"self":[{"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/posts\/64954","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/users\/115"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/comments?post=64954"}],"version-history":[{"count":7,"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/posts\/64954\/revisions"}],"predecessor-version":[{"id":144330,"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/posts\/64954\/revisions\/144330"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/media\/144331"}],"wp:attachment":[{"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/media?parent=64954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/categories?post=64954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostinger.com\/ng\/tutorials\/wp-json\/wp\/v2\/tags?post=64954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}