Today, I am going to share with you a tip that how we can make our WordPress plugins are themes more secure. I have seen in my plugins and themes where WordPress developers are not using WordPress nonces even though it is VERY important. If you are working as a WordPress freelancer developer and g custom plugins or themes, I am sure this article is going to be very helpful for you.
What actually WordPress nonce means?
WordPress Nonce basically in short is the term used for number used once. It’s a string value, a temporary unique key that is generated by WordPress automatically and acts as a special security token to check whether you are the same person who’s performing an action or someone else while submitting a form, adding a post, deleting a post, etc.
Why we should use WordPress nonce?
The main purpose of the nonce is to protect your site from malicious hacking attacks such as Cross-Site Request Forgery (CSRF) or sometimes pronounced sea-surf or XSRF, which is used to trick someone to submit a form or click on a link that will cause harm to your site.
How nonce works in WordPress?
It is very simple. As I mentioned earlier that it is generated by WordPress itself and when a form is submitted or a link is clicked, WordPress checks the nonce value and if it matches, you are free to proceed.
A thing to remember, you don’t need to do anything about nonce in those forms or links which are generated by WordPress, like “add post”, “edit post”, but you have to use nonce in your custom build plugins or themes you will create later.
How to use nonce in WordPress?
Before we walk you through a complete example of how to implement a nonce in a form or in a URL, lets us understand how the nonce works in WordPress.
There are three steps that we must follow to implement a nonce in WordPress plugin or a theme:
1. How to create a nonce.
2. How to pass a nonce through a Form or URL.
3. How to verify a nonce before doing a specific action.
1. How to create a nonce?
To create a nonce, there is a function name “wp_create_nonce ($action)”, which generates and returns a unique value based on the current time and the $action.
The “$action” parameter is optional but recommended, $action parameter refers to what will happen.
$nonce= wp_create_nonce('delete-post');
2. How to pass a nonce through a Form or URL?
How to pass a nonce in URLs.
<a href="myplugin.php?_wpnonce=<?php echo $nonce; ?>">
How to pass a nonce in Forms.
<form method="post"><?php wp_nonce_field( 'name_of_my_action', 'name_of_nonce_field' );?> <!-- some inputs here ... --> </form>
We use “wp_nonce_field($action,$name)” to pass a nonce through forms. wp_nonce_field() function will generate a hidden input field which stores a nonce value and can be retrieved later on.
The parameter “name_of_my_action” is the context in which you are using the nonce field and “name_of_nonce_field” is any name you want to specify. Default is “_wpnonce”. It’s better to use $action and $name parameter for better security.
3. How to verify a nonce?
After putting it into the form you can get it like this:
if ( isset( $_POST['name_of_nonce_field'] ) && wp_verify_nonce( $_POST[‘name_of_nonce_field’], ‘name_of_my_action’ ) ) { // process form data } else { print ‘Sorry, your nonce did not verify. It is a secure WordPress site. go get a coffee !!'; exit; }
Example:
In this example, we are creating a form and an embedded nonce field in it. This form can be used for your contact page or anything you like for your site where you are taking inputs from users.
The HTML code for the form is (notice the wp_nonce_field function):
<form id="form"> <?php wp_nonce_field( 'contact_form_submit', 'cform_generate_nonce' );?> <label>Name</label> <input type="text" name="name" class="text" id="name"><br> <label>Email</label> <input type="email" name="email" class="text" id="email"><br> <label>Subject</label> <input type="text" name="subject" class="text" id="subject"><br> <label>Message</label><textarea id="message" class="textarea" name="message"></textarea> <input name="action" type="hidden" value="simple_contact_form_process" /> <input type="submit" name="submit_form" class="button" value="send Message" id="sendmessage"> <div class="formmessage"><p></p></div> </form>
So, you have your contact form ready and now want to take the data from form inputs and process it. Form Inputs are the doors where mostly malicious attacks happen and hackers run anything they like. So, you should properly sanitize your inputs which are very important for your website security.
Here is how you will verify nonce in your contact form.
<?php if(isset($_POST['submit_form'])) { if(!wp_verify_nonce('cform_generate_nonce','contact_form_submit')){ wp_die('Our Site is protected!!'); }else{ // process here your contact form with proper sanitize inputs. } } ?>
Conclusion
WordPress nonce is playing a very important role in WordPress security and I recommend it should be implemented in every WordPress plugin and theme, but I see many plugins and themes are not using it. If this article was helpful for you in any way I would love to hear your feedback.