Generating nonce URLs in WordPress using wp_nonce_url

The wp_nonce_url function in WordPress is a security feature that protects URLs against certain kinds of misuse, malicious or otherwise. It works by adding a 'nonce' (a "number used once") to the requested URL as a query-string parameter.

This nonce acts as a verification token: the code that handles the request can confirm that the URL was generated by WordPress for the current user and the intended action, rather than forged or copied from elsewhere. The function is particularly relevant where URLs trigger state-changing actions, such as links, form actions or AJAX calls.

On its own, wp_nonce_url only generates the protected URL; the code that receives the request must verify the token with check_admin_referer() or wp_verify_nonce(). With that check in place, WordPress can determine whether the request carries a valid, unaltered nonce. If the nonce is missing, altered or expired, the handler refuses to process the request. In this way the function provides a layer of protection against unauthorized actions, most notably cross-site request forgery, where a third-party page tries to make a logged-in user's browser trigger an action on your site.

Parameters Accepted by the wp_nonce_url Function

The wp_nonce_url function in WordPress accepts a set of parameters that enable it to perform its task. These parameters are outlined below:

  • $actionurl (string): Required. The URL to which the nonce parameter is added.
  • $action (int|string): Optional, default -1. The name of the nonce action. The same name must be passed to the verifying function (check_admin_referer() or wp_verify_nonce()) on the receiving side, so choose a specific, descriptive name rather than leaving the default.
  • $name (string): Optional, default '_wpnonce'. The name of the query-string parameter that carries the nonce.

Return Value of the wp_nonce_url Function

The wp_nonce_url function, after processing the above parameters, returns a string: the original URL with the nonce parameter added, escaped for output in HTML (so an ampersand between query parameters appears as &amp;). The returned URL can therefore be placed directly in an href or form action attribute.

Examples

How to use wp_nonce_url to secure a URL in WordPress

// The URL that triggers the action.
$my_url = 'http://example.com/my-action/';
// Append the nonce for the 'my-action_nonce' action as ?_wpnonce=<token>.
$nonce_url = wp_nonce_url( $my_url, 'my-action_nonce' );
echo '<a href="' . esc_url( $nonce_url ) . '">Perform an action</a>';

In this example, the wp_nonce_url function is used to secure a URL by appending a nonce to it. This is useful when the link performs an action that requires verification. The function is called with two parameters: the URL to secure and an action name that identifies the nonce. The resulting nonce URL is then used in an anchor tag to create a protected link. The esc_url function ensures that the URL is safe to output in an HTML attribute.

How to use wp_nonce_url with a custom query string

// The URL already carries its own query parameter.
$my_url = 'http://example.com/my-action/?custom_var=value';
// The nonce is added as a further parameter: ...?custom_var=value&_wpnonce=<token>
$nonce_url = wp_nonce_url( $my_url, 'my-action_nonce' );
echo '<a href="' . esc_url( $nonce_url ) . '">Perform an action</a>';

This example is similar to the previous one, but here the URL passed to the wp_nonce_url function already includes a custom query string. The function adds _wpnonce as a further parameter after the existing ones rather than replacing them. This is useful when you want to pass additional data in the URL along with the nonce.

How to use wp_nonce_url in a form action

$my_url = 'http://example.com/my-action/';
// The nonce travels in the action URL's query string, not in a hidden field.
$nonce_url = wp_nonce_url( $my_url, 'my-action_nonce' );
echo '<form action="' . esc_url( $nonce_url ) . '" method="post">
 <input type="submit" value="Submit">
</form>';

In this example, the wp_nonce_url function is used to secure a form action. This is useful when you want to ensure that the form was submitted from your site and not from an external page. The nonce is carried in the form's action URL, so when the form is posted, the handler verifies it with check_admin_referer( 'my-action_nonce' ), which reads the _wpnonce value from $_REQUEST and therefore works whether the token arrives in the query string or in the POST body. For a form, the equivalent wp_nonce_field() function, which emits the nonce as a hidden input, is the more common choice, but both approaches verify the same way.
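The three examples above only generate the URL; the protection described earlier depends on the receiving code verifying the token. The following added example (not code from the original article) shows the full round trip in a small plugin: a nonce URL built with wp_nonce_url and a handler that verifies it before acting. The menu slug, the my_action_do action name, the item parameter and the capability are assumptions chosen for illustration.

```php
<?php
// Added example: generate a nonce URL and verify it on the receiving side.
// 'my-action', 'my_action_do', 'item' and 'manage_options' are assumed names.

add_action( 'admin_menu', function () {
    add_menu_page( 'My Action', 'My Action', 'manage_options', 'my-action', 'my_action_render_page' );
} );

function my_action_render_page() {
    // Build the link. wp_nonce_url() appends &_wpnonce=<token>; the token is
    // bound to the action name and the current user and is only valid for a
    // limited time window.
    $base      = admin_url( 'admin-post.php?action=my_action_do&item=42' );
    $nonce_url = wp_nonce_url( $base, 'my-action_nonce' );
    echo '<a href="' . esc_url( $nonce_url ) . '">Perform an action</a>';
}

// admin-post.php dispatches to admin_post_{action} for logged-in users.
add_action( 'admin_post_my_action_do', 'my_action_handle' );

function my_action_handle() {
    // 1. Verify the nonce. check_admin_referer() reads $_REQUEST['_wpnonce'],
    //    checks it against the same action name, and stops the request with
    //    a "link has expired" page if the token is missing, altered or stale.
    check_admin_referer( 'my-action_nonce' );

    // 2. A valid nonce proves intent, not permission: still check capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to perform this action.' ) );
    }

    // 3. Only now read and sanitize the request data and perform the action.
    $item = isset( $_GET['item'] ) ? absint( $_GET['item'] ) : 0;
    // ... act on $item here ...

    wp_safe_redirect( admin_url( 'admin.php?page=my-action&done=1' ) );
    exit;
}

// Non-fatal alternative for handlers that want to respond themselves:
// wp_verify_nonce() returns 1 (first half of the lifetime), 2 (second half)
// or false, instead of ending the request.
function my_action_nonce_is_valid() {
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    return false !== wp_verify_nonce( $nonce, 'my-action_nonce' );
}
```

Because the nonce is tied to the user who loaded the page, a link copied to another user or embedded on another site fails the check; the capability test covers what the nonce does not.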

Conclusion

The wp_nonce_url function in WordPress serves as a security measure aimed at safeguarding URLs and forms against potential abuse or misuse. It generates a URL with a nonce appended as a query-string parameter. The nonce, a "number used once", is a security token that the receiving code validates to reject forged or tampered requests. The function is commonly used in WordPress plugin development, theme development, and other areas where request validation matters.
