Verifying nonce in WordPress using wp_verify_nonce

The WordPress wp_verify_nonce function verifies the nonce value carried by a form submission or URL. Nonces are a security measure that ties a request to perform a specific action to the form or link WordPress generated for the current user, so that a forged request cannot trigger that action. By verifying the nonce, the function helps ensure that the request is legitimate and not a malicious attempt to exploit the site.

Using wp_verify_nonce can be useful in preventing CSRF (Cross-Site Request Forgery) attacks, as it checks whether the nonce value provided in the request matches the one generated when the form or URL was created. This helps to protect sensitive actions or data within WordPress from unauthorized access or manipulation.

Parameters Accepted by wp_verify_nonce Function

  • $nonce (string, required): Nonce value that was used for verification, usually via a form field.
  • $action (string|int, optional, default value: -1): Should give context to what is taking place and must be the same value that was used when the nonce was created (for example with wp_create_nonce or wp_nonce_field).

Return Value of wp_verify_nonce Function

The function returns an integer or false:

  • 1: if the nonce is valid and was generated between 0-12 hours ago.
  • 2: if the nonce is valid and was generated between 12-24 hours ago.
  • false: if the nonce is invalid.

Examples

How to verify a nonce in a form submission

// Only act on our own form submission, and only when the nonce field is actually present,
// so that a missing field does not trigger a PHP "undefined index" notice.
if ( isset( $_POST['submit_form'], $_POST['form_nonce'] )
    && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['form_nonce'] ) ), 'submit_form_action' ) ) {
    // Process form submission
} else {
    // Nonce verification failed (or the nonce field was missing): reject the request
}

This code snippet checks if the form has been submitted and verifies the nonce value using wp_verify_nonce. If the nonce is valid, the form submission is processed. If the nonce verification fails, the form submission is rejected.

How to verify a nonce in an AJAX request

// Check that the request is for our AJAX action and carries a nonce before verifying it.
if ( isset( $_POST['action'], $_POST['nonce'] )
    && 'my_ajax_action' === $_POST['action']
    && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'my_ajax_nonce' ) ) {
    // Process AJAX request
} else {
    // Nonce verification failed: reject the request
}

This code snippet checks if the AJAX action and nonce value are set in the request, and then verifies the nonce using wp_verify_nonce. If the nonce is valid, the AJAX request is processed. If the nonce verification fails, the request is rejected.

How to verify a nonce in a custom admin page

// Only handle our own settings form, and only when the nonce field is present.
if ( isset( $_POST['save_settings'], $_POST['settings_nonce'] )
    && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['settings_nonce'] ) ), 'save_settings_action' ) ) {
    // Save admin settings
} else {
    // Nonce verification failed: do not save anything
}

This code snippet checks if the admin settings form has been submitted and verifies the nonce value using wp_verify_nonce. If the nonce is valid, the settings are saved. If the nonce verification fails, the settings are not saved.
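The admin-page snippet above shows only the verification step. The following added example (not code from the original page) shows the whole round trip for that case: rendering the nonce field with wp_nonce_field, verifying it on submission, and then checking the user's capability, because a valid nonce only proves the request came from a form WordPress rendered for this user, not that the user is allowed to change settings. The my_plugin_ function names, the my_plugin_title option and the menu page that displays the form are assumptions for illustration.

```php
<?php
// Added example; hook names, option name and the "my_plugin" prefix are
// assumptions. The settings page itself is assumed to be registered elsewhere
// and to call my_plugin_render_settings_page() to output its content.

// 1. Render the form. wp_nonce_field() emits a hidden input named
//    'settings_nonce' whose value is wp_create_nonce( 'save_settings_action' ).
function my_plugin_render_settings_page() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'save_settings_action', 'settings_nonce' ); ?>
        <input type="text" name="my_plugin_title"
               value="<?php echo esc_attr( get_option( 'my_plugin_title', '' ) ); ?>">
        <?php submit_button( 'Save', 'primary', 'save_settings' ); ?>
    </form>
    <?php
}

// 2. Handle the submission. The nonce defends against CSRF; the capability
//    check decides whether this user may perform the action at all.
function my_plugin_handle_settings_save() {
    if ( ! isset( $_POST['save_settings'], $_POST['settings_nonce'] ) ) {
        return; // Not our form submission.
    }

    $nonce = sanitize_text_field( wp_unslash( $_POST['settings_nonce'] ) );

    // wp_verify_nonce() returns 1 (0-12 h old), 2 (12-24 h old) or false;
    // both truthy values are acceptable here.
    if ( ! wp_verify_nonce( $nonce, 'save_settings_action' ) ) {
        wp_die( esc_html__( 'Security check failed. Reload the page and try again.', 'my-plugin' ), 403 );
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'my-plugin' ), 403 );
    }

    $title = isset( $_POST['my_plugin_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['my_plugin_title'] ) )
        : '';
    update_option( 'my_plugin_title', $title );
}
add_action( 'admin_init', 'my_plugin_handle_settings_save' );
```

Because the handler runs on admin_init, the nonce and capability checks happen before any option is written, and a request that fails either check is answered with a 403 and no state change.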

Conclusion

In conclusion, the wp_verify_nonce function is a crucial tool for verifying the authenticity of requests in WordPress. By using nonces, developers can protect their websites from unauthorized actions and ensure the security of their users’ data. It is important to understand how to properly implement and utilize this function in order to maintain the integrity of WordPress websites. With its ability to add an extra layer of security, wp_verify_nonce is an essential function for any WordPress developer to have in their toolkit.
