wp_nonce_field Form Security Tutorial

WordPress Nonce Fields

wp_nonce_field() is a WordPress function that creates a hidden form field used to validate the origin of a request. Put simply, anyone can send an HTTP request to your website from outside.

wp_nonce_field is a way to verify where a request came from. "Nonce" is a coined word, short for "number used once".

What Is a Nonce?

By definition, a nonce is a random number. In WordPress, nonces are hash values made up of a combination of letters and numbers.

The difference between nonces in the general sense and WordPress nonces is that WordPress nonces are, in effect, security tokens for web forms.

Why Do We Need to Use WordPress Nonces?

The primary reason to use nonces is to protect your website against exploits based on Cross-Site Request Forgery (CSRF). This attack technique involves making web requests to a website from another website.

Let's think about a scenario: you are a hacker who wants to fill a WordPress blog's database with malicious (or useless) data. If your target has a contact form on his or her website which isn't protected with nonce fields, you can make a cross-site HTTP request to populate its database.

If you are able to add data to the database, you might also be able to delete data from it. A malicious attacker can write a very simple script that makes POST requests to a victim's forms.

WordPress is the most common CMS around the world, which makes it the #1 target for hackers and attackers. WordPress nonces are a very simple method that can protect you from CSRF attacks. A URL with nonce protection looks like this:

http://example.com/wp-admin/user.php?userid=7&action=remove&_wpnonce=c214gd5315 

Because WordPress nonces are always different, no one can guess a nonce in order to attack your website.

How Do Nonces Work?

Most developers don't know how nonces (or CSRF tokens) actually work.

Lifetime of Nonces

Nonces have a lifetime, and they are invalidated once they reach it. The default nonce lifetime in WordPress is 24 hours.
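To make the "How Do Nonces Work?" and lifetime sections concrete, here is an added stand-alone PHP model of the scheme WordPress uses inside wp_create_nonce() and wp_verify_nonce(). It is example code written for this page, not WordPress's own code; the salt, user ID, session token and timestamp are constructed values. WordPress divides time into "ticks" of half the lifetime and accepts a nonce from the current tick or the previous one, which is why any given nonce is actually valid for somewhere between 12 and 24 hours rather than exactly 24.

```php
<?php
// Added example: a stand-alone model of how WordPress builds and checks a
// nonce. It mirrors the scheme of wp_create_nonce() / wp_verify_nonce() but
// runs without WordPress, using constructed stand-ins for the secrets.

const NONCE_LIFE = 86400; // 24 hours, the WordPress default lifetime

// Constructed stand-ins for the secret salt, the logged-in user ID and the
// session token that WordPress mixes into every nonce.
const SECRET_SALT   = 'constructed-salt-do-not-reuse';
const CURRENT_USER  = 7;
const SESSION_TOKEN = 'constructed-session-token';

// WordPress divides time into ticks of half the lifetime (12 hours).
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Keyed hash of tick|action|user|session, trimmed to 10 characters,
// the same shape as the values seen in _wpnonce URLs.
function nonce_for_tick(int $tick, string $action): string {
    $data = $tick . '|' . $action . '|' . CURRENT_USER . '|' . SESSION_TOKEN;
    return substr(hash_hmac('md5', $data, SECRET_SALT), -12, 10);
}

function create_nonce(string $action, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action);
}

// Mirrors wp_verify_nonce(): 1 if the nonce belongs to the current tick,
// 2 if it belongs to the previous tick, false otherwise. Accepting the
// previous tick is what gives a nonce its 12-to-24-hour validity window.
function verify_nonce(string $nonce, string $action, int $now) {
    $tick = nonce_tick($now);
    if (hash_equals(nonce_for_tick($tick, $action), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_for_tick($tick - 1, $action), $nonce)) {
        return 2;
    }
    return false;
}

$issued = 1700000000; // constructed timestamp at which the form was rendered
$nonce  = create_nonce('delete-user_' . CURRENT_USER, $issued);

// Same user, same action, checked at three points in time.
foreach ([0, 12 * 3600, 24 * 3600] as $elapsed) {
    $result = verify_nonce($nonce, 'delete-user_' . CURRENT_USER, $issued + $elapsed);
    printf("after %2d hours: %s\n", $elapsed / 3600, var_export($result, true));
}

// A different action (or a different user/session) never matches.
var_dump(verify_nonce($nonce, 'delete-post_' . CURRENT_USER, $issued));
```

Run it with the PHP CLI. At issue time the nonce belongs to the current tick; twelve hours later that tick has become the previous one, so the check still passes but with the weaker result; after a full day neither tick matches and verification fails. Changing the action string, user ID or session token changes the hash input, so a nonce copied from another user's page or another form is rejected. The real wp_verify_nonce() behaves the same way, which is why code should treat its return value as truthy/false rather than comparing it to true.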

More Security Information

What if an attacker views the page source and reads the nonce value? Yes, they can copy it from the source and append it to a URL, but WordPress generates separate nonces per user session, so a nonce copied from one user's page will not validate for a different user's session.

Implementing Nonces With WordPress

If you'd like to add features to WordPress via HTML forms, you need to implement WordPress nonces in your code.

WordPress has a function which creates a nonce URL. Of course, the nonce value will be visible at the end of the URL, but as I mentioned above, nonces are unique per user and per action.

$complete_url = wp_nonce_url( $bare_url, 'delete-user_'.$user->ID );

The code above creates a URL to delete a user. By default the WordPress nonce parameter name is _wpnonce. Using a custom nonce name adds an extra layer, but you need to use the same name when you verify the nonce:

$complete_url = wp_nonce_url( $bare_url, 'delete-user_'.$user->ID, 'my_nonces' );

The code above creates a URL like this:

http://example.com/wp-admin/users.php?user=5&action=delete-user&my_nonces=c214gd5315

Adding Nonces to Forms

You can implement nonce fields in your forms. When you call WordPress to create a nonce field, WordPress adds a hidden input to your form.

For the complete reference, you can check out the function's documentation page.

I mostly create nonce fields with two parameters:

<?php wp_nonce_field( $action, $name); ?>

The first parameter is the name of the action and the second is the name of the nonce field. As I mentioned earlier, the default nonce name in WordPress is _wpnonce.

Validating Nonce Fields

Adding a hidden field to a form isn't enough by itself. You must validate the nonce field before processing the submitted data.

You can use this function to validate a nonce field submitted in a form:

wp_verify_nonce($nonce, $action);

$nonce: the value of the nonce field, typically read as $_POST[$name]
$action: the action name given as the first parameter to wp_nonce_field

If validation fails, this function returns false; it returns a truthy value if the nonce is validated successfully.
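The following is an added, complete example (written for this page, not code from the original post or from WordPress itself) that ties together the nonce URL from the earlier section and the form field and verification from this one: a tiny plugin that renders a form protected with wp_nonce_field(), offers a delete link built with wp_nonce_url() under the custom nonce name my_nonces, and refuses to act unless wp_verify_nonce() accepts the token. The hook names demo_save_note and demo_delete_note, the option name demo_note and the field names are assumptions for this example.

```php
<?php
/*
 * Added example, not from the original post or from WordPress core.
 * Assumed names: actions demo_save_note / demo_delete_note, option demo_note,
 * nonce field demo_note_nonce and nonce URL parameter my_nonces.
 */

// Renders the form plus a nonce-protected delete link.
function demo_render_note_form() {
    // Nonce URL: action 'demo_delete_note', custom parameter name 'my_nonces'.
    $delete_url = wp_nonce_url(
        admin_url( 'admin-post.php?action=demo_delete_note' ),
        'demo_delete_note',
        'my_nonces'
    );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_note">
        <?php wp_nonce_field( 'demo_save_note', 'demo_note_nonce' ); ?>
        <textarea name="note"><?php echo esc_textarea( get_option( 'demo_note', '' ) ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <p><a href="<?php echo $delete_url; // already escaped by wp_nonce_url() ?>">Delete note</a></p>
    <?php
}

// Shared guard: authorization first, then the CSRF token. A nonce proves the
// request came from a page WordPress rendered for this user; it does not
// prove the user is allowed to do the thing, so both checks are needed.
function demo_require_valid_request( $nonce, $action ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // wp_verify_nonce() returns 1 (current tick), 2 (previous tick) or false.
    if ( ! wp_verify_nonce( $nonce, $action ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
}

// POST handler: the nonce is read from the same field name passed to
// wp_nonce_field(), and checked against the same action string.
function demo_handle_note_save() {
    $nonce = isset( $_POST['demo_note_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_note_nonce'] ) )
        : '';
    demo_require_valid_request( $nonce, 'demo_save_note' );

    $note = isset( $_POST['note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'demo_note', $note );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_demo_save_note', 'demo_handle_note_save' );

// GET handler for the nonce URL: the token arrives in the custom 'my_nonces'
// query parameter chosen when the link was built.
function demo_handle_note_delete() {
    $nonce = isset( $_GET['my_nonces'] )
        ? sanitize_text_field( wp_unslash( $_GET['my_nonces'] ) )
        : '';
    demo_require_valid_request( $nonce, 'demo_delete_note' );

    delete_option( 'demo_note' );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_demo_delete_note', 'demo_handle_note_delete' );
```

Drop this into a plugin file and call demo_render_note_form() from an admin page. A request that reaches admin-post.php without the nonce, with a nonce generated for another user's session, or with a nonce older than its lifetime is stopped by wp_verify_nonce() before any option is written or deleted. Note that the capability check runs first: the nonce only establishes that the request originated from a page WordPress served to this user, so it complements, rather than replaces, authorization.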
