Getting Familiar with Nonces in WordPress

Our pal Josh Pollock has a great little post over on Torque about the what, why, and how of using nonces in WordPress. They’re a pretty developer-specific feature — an average user doesn’t and shouldn’t have to understand them — but they’re powerful and important for preventing one of the most basic web vulnerabilities, cross-site request forgery (CSRF): a state-changing request that arrives with the logged-in user’s cookies but was actually triggered by some other site the user visited.

I’d known for a while that WordPress’s nonce system wasn’t a “pure” nonce implementation, but I found the details Josh offers really instructive:

That said, WordPress nonces are not true nonces; they are valid for 12 hours, or the value of the “nonce_life” filter from when they are created. This means they can technically be used more than once, but only in that 12-hour period. This is an important distinction to keep in mind.
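To make that lifetime concrete, here is an added example (editor’s code, not from Josh’s post or from WordPress core) that models the scheme core uses. In core, the default nonce_life is DAY_IN_SECONDS, a new “tick” starts every half-life (12 hours), and wp_verify_nonce() accepts a nonce minted in either the current tick (returning 1) or the previous one (returning 2), so a given nonce is actually accepted for somewhere between 12 and 24 hours depending on where in a tick it was created. The tick arithmetic and the substr(…, -12, 10) truncation follow core; the secret, user id, session token and clock values are constructed stand-ins, and demo_hash() keys its MD5 HMAC with a constant where core’s wp_hash() uses the site’s nonce salt.

```php
<?php
// Added example (editor's code, not from the original post or WordPress core):
// a self-contained model of how WordPress derives and checks a nonce, so the
// lifetime behaviour can be observed offline with plain `php nonce_demo.php`.
// The tick/truncation scheme follows core's wp_nonce_tick() / wp_verify_nonce();
// the secret, user id, session token and clock values are constructed stand-ins.

const NONCE_LIFE  = 86400;  // core's default: DAY_IN_SECONDS (the nonce_life filter changes it)
const DEMO_SECRET = 'constructed-secret, stands in for the site NONCE_KEY/NONCE_SALT';

// A new tick starts every NONCE_LIFE / 2 seconds (12 hours by default).
function demo_nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Stand-in for substr(wp_hash("$tick|$action|$uid|$token", 'nonce'), -12, 10).
// Core's wp_hash() is also an MD5 HMAC, keyed with the site's nonce salt.
function demo_hash(int $tick, string $action, int $uid, string $token): string {
    $mac = hash_hmac('md5', $tick . '|' . $action . '|' . $uid . '|' . $token, DEMO_SECRET);
    return substr($mac, -12, 10);
}

// Model of wp_create_nonce($action): the value depends only on the current tick,
// the action, the user and the session token, so it repeats within a tick.
function demo_create_nonce(string $action, int $uid, string $token, int $now): string {
    return demo_hash(demo_nonce_tick($now), $action, $uid, $token);
}

// Model of wp_verify_nonce($nonce, $action): 1 if minted in the current tick,
// 2 if minted in the previous one, false otherwise. Constant-time compare as in core.
function demo_verify_nonce(string $nonce, string $action, int $uid, string $token, int $now) {
    $tick = demo_nonce_tick($now);
    if (hash_equals(demo_hash($tick, $action, $uid, $token), $nonce)) {
        return 1;
    }
    if (hash_equals(demo_hash($tick - 1, $action, $uid, $token), $nonce)) {
        return 2;
    }
    return false;
}

// --- Walk one nonce through its life (constructed user, token and clock) ---
$uid   = 7;
$token = 'constructed-session-token';
$t0    = 1700000000;  // fixed timestamp so the run is reproducible; it sits ~1.8h before a tick boundary

$nonce = demo_create_nonce('demo_save', $uid, $token, $t0);

$checks = [
    'same tick, 1h later'     => demo_verify_nonce($nonce, 'demo_save', $uid, $token, $t0 + 3600),
    'next tick, 3h later'     => demo_verify_nonce($nonce, 'demo_save', $uid, $token, $t0 + 3 * 3600),
    'two ticks on, 14h later' => demo_verify_nonce($nonce, 'demo_save', $uid, $token, $t0 + 14 * 3600),
    'wrong action'            => demo_verify_nonce($nonce, 'demo_delete', $uid, $token, $t0),
    'different user'          => demo_verify_nonce($nonce, 'demo_save', 8, $token, $t0),
];
foreach ($checks as $label => $result) {
    printf("%-24s => %s\n", $label, var_export($result, true));
}

// The "not a true nonce" part: minting again inside the same tick gives the same string.
$again = demo_create_nonce('demo_save', $uid, $token, $t0 + 3600);
printf("re-minted in same tick   => %s\n", $again === $nonce ? 'identical' : 'different');
```

Two things worth noticing when you run it: the nonce is bound to the action, the user and the session token, so it is useless to another user or for another operation, but within its window it is freely replayable, and how long that window lasts depends on how close to a tick boundary it was minted. That is why a WordPress nonce is a CSRF token, not a one-time token: if an endpoint must not be repeatable, it needs its own single-use record on top.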

He goes on to cover the three core functions you should know in some detail: wp_create_nonce(), wp_verify_nonce(), and wp_nonce_field().
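As an added example of the three functions working together (editor’s code, not from Josh’s post or from WordPress core), here is a minimal plugin with one settings form and its handler. It runs inside a WordPress install rather than stand-alone; the demo_ prefixed names, the option name, the menu slug and the demo.js file are assumptions made for illustration.

```php
<?php
/*
 * Plugin Name: Nonce Demo (added example)
 *
 * Added example, not from Josh's post or WordPress core: a minimal plugin that
 * wires wp_nonce_field(), wp_verify_nonce() and wp_create_nonce() into one form
 * round-trip. The demo_ prefixed names, the option name, the menu slug and
 * demo.js are assumptions for illustration.
 */

// Register an options page whose body is rendered by demo_render_form().
add_action('admin_menu', function () {
    add_options_page('Nonce Demo', 'Nonce Demo', 'manage_options', 'demo-nonce', 'demo_render_form');
});

// The form: wp_nonce_field() calls wp_create_nonce('demo_save_greeting') for the
// current user and prints it as a hidden input named demo_nonce (plus _wp_http_referer).
function demo_render_form() {
    $value = get_option('demo_greeting', '');
    echo '<div class="wrap"><h1>Nonce Demo</h1>';
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="demo_save">';
    wp_nonce_field('demo_save_greeting', 'demo_nonce');
    echo '<input type="text" name="demo_greeting" value="' . esc_attr($value) . '">';
    submit_button('Save');
    echo '</form></div>';
}

// The handler: admin-post.php fires admin_post_demo_save for logged-in users.
add_action('admin_post_demo_save', 'demo_handle_save');
function demo_handle_save() {
    // 1. CSRF check. A missing or foreign nonce fails; 1 and 2 both mean "valid"
    //    (current or previous tick), so only a strict false is a rejection.
    $nonce = isset($_POST['demo_nonce']) ? sanitize_text_field(wp_unslash($_POST['demo_nonce'])) : '';
    if (false === wp_verify_nonce($nonce, 'demo_save_greeting')) {
        wp_die('Nonce check failed', 'Forbidden', ['response' => 403]);
    }
    // 2. Authorization is separate: a nonce proves the request came from a page
    //    we served to this user, not that the user may change this setting.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 'Forbidden', ['response' => 403]);
    }
    // 3. Only now touch state.
    $greeting = isset($_POST['demo_greeting']) ? sanitize_text_field(wp_unslash($_POST['demo_greeting'])) : '';
    update_option('demo_greeting', $greeting);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=demo-nonce')));
    exit;
}

// wp_create_nonce() on its own is the right call when there is no form to emit
// a field into, e.g. handing a nonce to JavaScript for an admin-ajax request.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('demo-js', plugins_url('demo.js', __FILE__), [], '1.0', true);
    wp_localize_script('demo-js', 'demoData', ['nonce' => wp_create_nonce('demo_ajax')]);
});
```

The order in the handler is the part to copy: the nonce check first, the capability check second, and no writes until both pass. Each action string is unique to one operation, so a nonce leaked from the greeting form cannot be replayed against a different handler, and the check compares against false explicitly because wp_verify_nonce() returns 1 or 2 rather than true.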

