What is NONCE in WordPress?

As WordPress offers plenty of options to customize our site, plugin, and theme, it is essential for us to consider security issues when developing a theme or plugin. WordPress Nonce is one kind of security token that is generated by WordPress. It basically helps to enhance the encryption of the information that was stored in the user’s cookies.

Well, in this article, we will walk through this security token named WordPress nonces and how it can help to keep your theme and plugin secure from any third party.

So let’s begin!

What is NONCE in WordPress?

A nonce is a kind of temporary secret key or token that is unique only to you. It is a security mechanism that can put an extra layer of security to your plugins or themes to avoid several types of attacks such as Cross-Site Request Forgery (CSRF) or XSRF attacks. 

The abbreviation of Nonce is a Number used once which means you can only use this key once for a specific task. As a result, it provides protection to the URLs and forms of your site from abuse. 

In addition, WordPress nonces are not digits but are a hash that consists of numbers and letters. They have a finite “lifetime” after which they will expire. It is valid for 24 hours for a specific operation. Within that time, the nonce will be generated for a given user in a given operation. The nonce for that action will remain the same for that user until that nonce life cycle has been completed. 

It means no one can copy the nonce and regenerate it for the same or another operation.

How Does Nonce Work in WordPress?

Now let’s move on to how the Nonce works in WordPress.

Let’s take an example, you are an administrator of a WordPress website and you want to delete a post on your site. When you click on the delete button of that post we will notice a URL like below,

http://yoursitename.com/wp-admin/post.php?post=56&action=trash

It means for this specific action is deleting the post which belongs to post id 56. Now, If you go to that URL, the details about authentication cookies will be checked by WordPress. Then, when you are allowed to delete the post, it will be removed. 

As a hacker, it is quite easy to guess the post ID and hack your all information, post, and content. It means the attacker can access all your information. 

But if you are using a nonce, WordPress will generate the nonce key to that URL which will be like this,

http://yoursitename.com/wp-admin/post.php?post=56&action=trash&_wpnonce=dd5fcbbbea 

Here, if any attacker assumes the post id, it will be impossible for him to guess the nonce key. As a result, when he wants to execute the operation it has to be passed an authentication check. When this check fails, WordPress will send a “403 Forbidden” response and also an error message, ‘Are you sure you want to do this?’.

Conclusion

To wrap up, Implementing nonce in WordPress can protect the functionality of WordPress plugins and themes which will make your site more secure. So, every WordPress developer must have knowledge about the WordPress nonce, how it looks and how it works.

We hope this article will help you to understand the basic introduction of the nonce in WordPress. To learn more about WordPress, you may check our WordPress Tips and How-To’s to know more about WordPress.

If this article will help you, then please subscribe to our YouTube channel to get more tutorials related to WordPress. You may join our Facebook page to update yourself with more tips, solutions, offers, and so on.

You may also ask any questions related to it in the comment or want us to write on some specific topics you have in your mind. We appreciate your further comments, support, or suggestions!