Category Archives: Tips and Tricks

WordPress nonce, What is WordPress nonce and how it works

What is WordPress nonce and how it works?

Today, I am going to share with you a tip that how we can make our WordPress plugins are themes more secure. I have seen in my plugins and themes where WordPress developers are not using WordPress nonces even though it is VERY important. If you are working as a WordPress freelancer developer and g custom plugins or themes, I am sure this article is going to be very helpful for you.

What actually WordPress nonce means?

WordPress Nonce basically in short is the term used for number used once. It’s a string value, a temporary unique key that is generated by WordPress automatically and acts as a special security token to check whether you are the same person who’s performing an action or someone else while submitting a form, adding a post, deleting a post, etc.

Why we should use WordPress nonce?

The main purpose of the nonce is to protect your site from malicious hacking attacks such as Cross-Site Request Forgery (CSRF) or sometimes pronounced sea-surf or XSRF, which is used to trick someone to submit a form or click on a link that will cause harm to your site.

How nonce works in WordPress?

It is very simple. As I mentioned earlier that it is generated by WordPress itself and when a form is submitted or a link is clicked, WordPress checks the nonce value and if it matches, you are free to proceed.

A thing to remember, you don’t need to do anything about nonce in those forms or links which are generated by WordPress, like “add post”, “edit post”, but you have to use nonce in your custom build plugins or themes you will create later.

How to use nonce in WordPress?

Before we walk you through a complete example of how to implement a nonce in a form or in a URL, lets us understand how the nonce works in WordPress.

There are three steps that we must follow to implement a nonce in WordPress plugin or a theme:

1. How to create a nonce.
2. How to pass a nonce through a Form or URL.
3. How to verify a nonce before doing a specific action.

1. How to create a nonce?

To create a nonce, there is a function name “wp_create_nonce ($action)”, which generates and returns a unique value based on the current time and the $action.
The “$action” parameter is optional but recommended, $action parameter refers to what will happen.

$nonce= wp_create_nonce('delete-post');

2. How to pass a nonce through a Form or URL?

How to pass a nonce in URLs.

<a href="myplugin.php?_wpnonce=<?php echo $nonce; ?>">

How to pass a nonce in Forms.

<form method="post"><?php wp_nonce_field( 'name_of_my_action', 'name_of_nonce_field' );?>
<!-- some inputs here ... -->   
</form>

We use “wp_nonce_field($action,$name)” to pass a nonce through forms. wp_nonce_field() function will generate a hidden input field which stores a nonce value and can be retrieved later on.

The parameter “name_of_my_action” is the context in which you are using the nonce field and “name_of_nonce_field” is any name you want to specify. Default is “_wpnonce”. It’s better to use $action and $name parameter for better security.

3. How to verify a nonce?

After putting it into the form you can get it like this:

if ( isset( $_POST['name_of_nonce_field'] ) &&
wp_verify_nonce( $_POST[‘name_of_nonce_field’], ‘name_of_my_action’ ) ) {

// process form data

} else {
print ‘Sorry, your nonce did not verify. It is a secure WordPress site. go get a coffee !!';
exit;
}

Example:

In this example, we are creating a form and an embedded nonce field in it. This form can be used for your contact page or anything you like for your site where you are taking inputs from users.

The HTML code for the form is (notice the wp_nonce_field function):

<form id="form">
<?php wp_nonce_field( 'contact_form_submit', 'cform_generate_nonce' );?>
            <label>Name</label> <input type="text" name="name" class="text" id="name"><br>
            <label>Email</label> <input type="email" name="email" class="text" id="email"><br>

            <label>Subject</label> <input type="text" name="subject" class="text" id="subject"><br>
            <label>Message</label><textarea id="message" class="textarea" name="message"></textarea>
            <input name="action" type="hidden" value="simple_contact_form_process" />
            <input type="submit" name="submit_form" class="button" value="send Message" id="sendmessage">
            <div class="formmessage"><p></p></div>
        </form>

So, you have your contact form ready and now want to take the data from form inputs and process it. Form Inputs are the doors where mostly malicious attacks happen and hackers run anything they like. So, you should properly sanitize your inputs which are very important for your website security.

Here is how you will verify nonce in your contact form.

<?php

if(isset($_POST['submit_form'])) {
  if(!wp_verify_nonce('cform_generate_nonce','contact_form_submit')){
      wp_die('Our Site is protected!!');
   }else{
      // process here your contact form with proper sanitize inputs.
  }
}

?>

Conclusion

WordPress nonce is playing a very important role in WordPress security and I recommend it should be implemented in every WordPress plugin and theme, but I see many plugins and themes are not using it. If this article was helpful for you in any way I would love to hear your feedback.

SEO with maxcdn, maxcdn

How to implement SEO with MaxCDN

I have heard of the term CDN or content delivery network for a long time now and have seen many websites using it, however, I thought that it was complicated to set up after reading several articles online. So I didn’t use any CDN solution up until the beginning of last month. Sounds super crazy, isn’t it? I mean you don’t necessarily need CDN to speed up your WordPress or website. As long as its site is running on some of the best hosting company then you’re good. But it wouldn’t hurt to do some optimizations right?

So I finally set up an account at MaxCDN and got it to work with WordPress in just a few minutes. Several days went by and I notice something changed, Google has stopped indexing images on my blog. Did some searching on Google and landed on one of Brian Jackson’s site called OkayMarketing. I got in touch with him on Twitter and find out that we were facing the same issue. Brian was kind enough to walk me through this and I got Google to start indexing my images again.

From this, I also learned that people might not get this error but another one where MaxCDN will cause duplicate content because your files are now being hosted on two different URLs. In this article, I will show you how to resolve these problems in the same way.

Let’s go ahead and login into your MaxCDN control panel. Go to the SEO settings of your pull zone and enable both Canonical Header & Robots.txt. Inside the robot.txt box, you should have something like this. If not, just copy what I have below and paste it into there.

User-agent: *
Allow: /wp-content/uploads/
Disallow: /

maxcdn-seo-settings

The last step would be changing the image path in your Sitemap file. The majority of us now use Yoast SEO plugin so add this code below in your current theme’s functions.php file.

functionwpseo_cdn_filter( $uri) {
returnstr_replace( ‘http://yourdomain.com’, ‘http://cdn.yourdomain.com’, $uri);
}
add_filter( ‘wpseo_xml_sitemap_img_src’, ‘wpseo_cdn_filter’);
Don’t forget to change yourdomain.com to your WordPress address and CDN URL. Do a quick cache in W3 Total Cache or any plugin that you have. Wait for a day or two and everything should go back to its normal mode. Let me know if you have questions.