Verifying AJAX requests in WordPress with check_ajax_referer
The check_ajax_referer function in WordPress verifies the nonce passed with an AJAX request to admin-ajax.php. Despite the name (number used once), a WordPress nonce is not single-use: it is a keyed hash of a time tick, the action name, the current user's ID and the user's session token, and it stays valid for up to 24 hours. Its job is to prove that the request originated from a page WordPress generated for this user. That is what defeats Cross-Site Request Forgery (CSRF): a third-party site can make a victim's browser send a request carrying the victim's cookies, but it cannot obtain a valid nonce for that user and action.
Nonce verification is not authorization. A valid nonce shows the request was not forged from another origin; whether the user is allowed to perform the action still has to be checked with current_user_can(), and the request data still has to be validated and sanitized. Treat check_ajax_referer as the first check in an AJAX callback, not the only one.
Parameters accepted by the WordPress check_ajax_referer function:
- $action (int|string), optional. Default value: -1. Description: Action nonce. Always pass the same action string that was used with wp_create_nonce(); leaving the default -1 triggers a _doing_it_wrong notice (since 4.7.0) and produces a nonce that is not tied to any specific action.
- $query_arg (false|string), optional. Default value: false. Description: Key to check for the nonce in $_REQUEST (since 2.5). If false, or if the named key is not present in the request, $_REQUEST is checked for '_ajax_nonce' and then '_wpnonce' (in that order).
- $stop (bool), optional. Default value: true. Description: Whether to stop early when the nonce cannot be verified. When true and verification fails, the function ends the request with wp_die( -1, 403 ) in an AJAX context (or die( '-1' ) otherwise), so no code after the call runs. When false, the function only returns false and the caller is responsible for refusing the request.
Value returned by the WordPress check_ajax_referer function:
The function returns an int or false. It returns 1 if the nonce is valid and was generated between 0 and 12 hours ago, and 2 if it is valid and was generated between 12 and 24 hours ago. It returns false if the nonce is missing, malformed, expired, or was generated for a different action or user. Because the nonce incorporates the user's session token, a nonce issued before the user logged out or logged in again also fails. Both 1 and 2 are truthy, so in practice callers test the result for false rather than distinguishing the two values.
Examples
How to use check_ajax_referer to verify the AJAX request
Below is a code snippet demonstrating how to use the check_ajax_referer function to verify the AJAX request.
// $stop is false, so an invalid nonce returns false instead of ending the request.
// The nonce is expected in $_REQUEST['nonce'] (falling back to _ajax_nonce / _wpnonce).
if ( check_ajax_referer( 'my_action', 'nonce', false ) ) {
 // Nonce verified: handle the AJAX request here
} else {
 // Nonce missing or invalid: refuse the request and exit
}
This code snippet checks whether the AJAX request carries a valid nonce for the action 'my_action'. If it does, the handler proceeds. Because $stop is passed as false, a failed check does not end the request automatically, so the else branch must itself send a refusal and stop executing; otherwise the callback would fall through and the nonce check would protect nothing.
How to use check_ajax_referer with custom error message
Here’s an example of using the check_ajax_referer function with a custom error message.
if ( ! check_ajax_referer( 'my_action', 'nonce', false ) ) {
 // wp_send_json_error() sends a JSON response and exits, so execution stops here.
 wp_send_json_error( 'Invalid nonce', 403 );
} else {
 // Nonce verified: handle the AJAX request here
}
In this code snippet, the check_ajax_referer function is used to verify the AJAX request. If the nonce is not valid, a custom error message is sent with wp_send_json_error, which also terminates the request (the optional second argument sets the HTTP status code; 403 is appropriate for a failed nonce check). Otherwise, the handler proceeds. This pattern is useful when the default wp_die( -1, 403 ) response from $stop = true is not convenient for the client-side code to interpret.
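The snippets above show only the verification call. The following is an added example (not code from the original article or from WordPress itself) that shows the complete round trip a plugin needs: issuing the nonce to the page with wp_create_nonce() and wp_localize_script(), sending it back from the browser, verifying it with check_ajax_referer() using the default $stop = true, and then performing the separate capability check that the nonce does not replace. The handle 'myplugin-admin', the action 'myplugin_delete_item', the JavaScript object 'myplugin_ajax' and the data attribute 'data-myplugin-delete' are hypothetical names chosen for the example.

```php
<?php
/**
 * Added example, not part of the original article. All names below
 * (myplugin-admin, myplugin_delete_item, myplugin_ajax) are hypothetical.
 */

// 1. Issue the nonce to the admin page that will make the request.
add_action( 'admin_enqueue_scripts', function () {
	// A handle with no src is allowed; it exists only to attach data and
	// inline JavaScript to it.
	wp_enqueue_script( 'myplugin-admin', false, array(), '1.0.0', true );

	// Expose the AJAX URL and a fresh nonce. The nonce is bound to the action
	// string and to the current user's session token, so it is valid only
	// for this logged-in user and only for 'myplugin_delete_item'.
	wp_localize_script( 'myplugin-admin', 'myplugin_ajax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'myplugin_delete_item' ),
	) );

	// Client side: POST the action, the nonce and the payload as form fields
	// (admin-ajax.php reads them from $_REQUEST). Cookies must be sent so the
	// request is tied to the same logged-in user the nonce was issued for.
	wp_add_inline_script( 'myplugin-admin', <<<'JS'
document.addEventListener('click', function (e) {
  var btn = e.target.closest('[data-myplugin-delete]');
  if (!btn) { return; }
  var body = new URLSearchParams({
    action:  'myplugin_delete_item',
    nonce:   myplugin_ajax.nonce,
    item_id: btn.getAttribute('data-myplugin-delete')
  });
  fetch(myplugin_ajax.url, { method: 'POST', credentials: 'same-origin', body: body })
    .then(function (r) { return r.json(); })
    .then(function (json) {
      console.log(json.success ? 'deleted' : json.data.message);
    });
}, false);
JS
	);
} );

// 2. Server side handler. wp_ajax_* fires only for logged-in users; anonymous
//    requests would need a separate wp_ajax_nopriv_* hook, and a nonce issued
//    to an anonymous visitor is only tied to that visitor's session cookie.
add_action( 'wp_ajax_myplugin_delete_item', function () {
	// Reads $_REQUEST['nonce']. With $stop at its default (true) an invalid,
	// expired or missing nonce ends the request with wp_die( -1, 403 ) here.
	check_ajax_referer( 'myplugin_delete_item', 'nonce' );

	// The nonce proves the request came from a page WordPress rendered for
	// this user. It says nothing about what the user may do, so authorize
	// separately, first globally and then for the specific object.
	if ( ! current_user_can( 'delete_posts' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
	}

	$item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
	if ( 0 === $item_id || ! current_user_can( 'delete_post', $item_id ) ) {
		wp_send_json_error( array( 'message' => 'Invalid item' ), 400 );
	}

	if ( ! wp_trash_post( $item_id ) ) {
		wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
	}

	// wp_send_json_success() also exits, so the callback never falls through.
	wp_send_json_success( array( 'item_id' => $item_id ) );
} );
```

Two design points are worth noting. First, the nonce is created in the same request that renders the page and sent back verbatim; the client never constructs it. Second, the capability checks come after check_ajax_referer, not instead of it: the nonce stops a forged cross-site request, while current_user_can() stops a legitimately logged-in user from deleting items they do not own. Removing either check leaves a real gap.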
Conclusion
The check_ajax_referer function is the standard way to protect AJAX callbacks in WordPress against Cross-Site Request Forgery (CSRF). WordPress does not store nonces in a session; verification recomputes the keyed hash from the action name, the current user, the user's session token and the current time tick, and compares it with the value the request supplied. A request made by a forged form or script on another origin carries the victim's cookies but cannot carry a matching nonce, so it fails the check.
Call check_ajax_referer at the top of every wp_ajax_ and wp_ajax_nopriv_ callback that changes state, pass the same action string used when the nonce was created, and pair it with a current_user_can() check for the capability the action requires. Together these two checks ensure that the request came from a page WordPress rendered for that user and that the user is allowed to do what the request asks.
