Security around save_post hook

There are a lot of examples using the save_post hook, that include adding and verifying a nonce, and checking the user has appropriate permissions before you continue.

Is this necessary?

When updating/publishing a post, WP verifies the normal nonce, and checks permissions itself, redirecting to a 403 or ‘Are you sure you want to do this?` page if something doesn’t check out. As such, the hook won’t even be called if a bad request was made, so why would I have to double check these things myself?

Solutions Collecting From Web of "Security around save_post hook"

The save_post hook is called every time someone calls the function wp_insert_post(). Plugins do that, unfortunately some themes too, and WordPress itself on several places when …

  • someone uses post per email or XML RPC
  • an auto-draft is created
  • the Quick Draft feature on the dashboard is used
  • a navigation menu item is added
  • a revision is created

You really don’t want to handle all those action without your own verification.

Besides that, nonces should guarantee that an action cannot be repeated by someone who listens to another person’s network traffic. In theory, nonces prevent that. The default WordPress nonces are not very secure in that regard, because they can be reused. But your users might have installed a plugin that creates real nonces. Do you really want to bypass their extra security measures? Probably not.