A nonce (short for "Number used ONCE") is a unique cryptographic token that enhances security by validating user-initiated actions and preventing unauthorized requests. This article explores its role in cybersecurity, WordPress implementation nuances, and best practices for usage.
Why Use a Nonce?
Nonces act as one-time passwords for critical actions like form submissions or data encryption. They mitigate Cross-Site Request Forgery (CSRF) attacks by ensuring requests originate from legitimate users.
Key Benefits:
- Prevents CSRF: Blocks malicious scripts from forging requests.
- Validates Intent: Ensures actions (e.g., form submissions) are intentional.
- One-Time Use: Discarded after validation to prevent replay attacks.
How Nonces Work
- Generation: Server creates a nonce, stores it, and sends it to the client.
- Client Inclusion: Client includes the nonce in the request payload.
- Validation: Server verifies the nonce matches the stored value.
- Invalidation: Nonce is destroyed post-validation.
Example:
```php
// Server-side nonce generation
$nonce = wp_create_nonce('delete_post_123');
```
WordPress Nonces: Limitations
WordPress nonces deviate from true nonces:
- Extended Validity: Remain active for 12–24 hours (not "once").
- Tick-Based System: Expires based on 12-hour UTC cycles (wp_nonce_tick()).
Key Functions:
| Function | Purpose |
|----------|---------|
| wp_create_nonce() | Generates a nonce. |
| wp_verify_nonce() | Validates a nonce. |
| check_admin_referer() | Verifies nonces in admin contexts. |
Implementing Nonces in WordPress
1. URL Nonces
```php
$url = wp_nonce_url('action.php', 'delete_post_123', '_wpnonce');
```
2. Form Nonces
```php
<form method="post">
<?php wp_nonce_field('submit_form', '_wpnonce'); ?>
<input type="submit">
</form>
```
3. AJAX Nonces
```javascript
jQuery.ajax({
url: ajaxurl,
data: {
action: 'my_action',
nonce: '<?php echo wp_create_nonce("my_action"); ?>'
}
});
```
Security Best Practices
- Combine with Capabilities: Use current_user_can() alongside nonces.
- Short Lifespans: Avoid nonces for actions spanning >12 hours.
- Unique Actions: Prefix nonces with user-/action-specific IDs.
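As an added example that is not part of the original article, here is the server side of the AJAX snippet above, showing the nonce check and the capability check together. The handler name, the assumption that the request also carries a `post_id` field, and the trash-post action are illustrative choices, not anything the article specifies.

```php
<?php
// Added example: WordPress AJAX handler for the 'my_action' request.
// Registered for logged-in users only; wp_ajax_nopriv_* is deliberately not hooked.
add_action( 'wp_ajax_my_action', 'my_action_handler' );

function my_action_handler() {
    // Step 1 - Validation: read the 'nonce' field the JavaScript sent and verify it
    // against the 'my_action' action string for the current user and session.
    // wp_verify_nonce() returns 1 (created in the current 12-hour tick),
    // 2 (created in the previous tick, still accepted) or false (missing, expired or forged).
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    $tick  = wp_verify_nonce( $nonce, 'my_action' );
    if ( ! $tick ) {
        // check_ajax_referer( 'my_action', 'nonce' ) would do the same lookup and
        // stop the request with a 403 for you; done by hand here to show the return value.
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }

    // Step 2 - Capability: a valid nonce only proves the request came from this
    // user's own page, not that the user may perform the action. current_user_can()
    // is what keeps a low-privilege account from trashing someone else's post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;  // assumed extra field
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Step 3 - Act only after both checks pass. Note that the nonce is NOT consumed:
    // within its validity window the same value would pass again, which is the
    // "not truly once" behaviour the article describes.
    if ( ! wp_trash_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Could not trash post.' ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'nonce_tick' => $tick ) );
}
```

A quick way to confirm the checks are wired correctly is to resend the same request with the nonce field blanked (expect a 403) and then as a user lacking `delete_post` on that post (also 403).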
FAQ
Q: Can nonces prevent duplicate submissions?
A: Only true nonces (invalidated after use) can. WordPress nonces allow repeats within their validity window.
Q: Are WordPress nonces secure?
A: They deter CSRF but shouldn’t replace capability checks for sensitive actions.
Q: How do I invalidate a nonce?
A: WordPress auto-invalidates them after 2 ticks (max 24 hrs) or when a user’s session changes.
Conclusion
Nonces are vital for web security but require mindful implementation—especially in WordPress. Use libraries like WP Simple Nonce for true one-time validation.
Have questions? Drop a comment below!